Compile Asterisk with CFLAGS='-DENABLE_SRTP_AES_256'
When sending a SIP INVITE, Asterisk only offers the AES_CM_128_HMAC_SHA1_80 SDES SRTP crypto suite. Some VoIP clients, e.g. Zoiper, no longer accept this weak crypto suite. Yet Asterisk supports many more ciphers, including AES_256_CM_HMAC_SHA1_80, and when accepting INVITEs it happily accepts the 256-bit ciphers. To have Asterisk offer a list of ciphers, it needs to be compiled with any combination of:
ENABLE_SRTP_AES_256 ENABLE_SRTP_AES_GCM ENABLE_SRTP_AES_192
The comment in the source code at line 1111 reads:
/* This array creates the following list:
 * a=crypto:1 AES_CM_128_HMAC_SHA1_ ...
 * a=crypto:2 AEAD_AES_128_GCM ...
 * a=crypto:3 AES_256_CM_HMAC_SHA1_ ...
 * a=crypto:4 AEAD_AES_256_GCM ...
 * a=crypto:5 AES_192_CM_HMAC_SHA1_ ...
 * something like 'AEAD_AES_192_GCM' is not specified by the RFCs
 *
 * If you want to prefer another crypto suite or you want to
 * exclude a suite, change this array and recompile Asterisk.
 * This list cannot be changed from rtp.conf because you should
 * know what you are doing. Especially AES-192 and AES-GCM are
 * broken in many VoIP clients, see
 * https://github.com/cisco/libsrtp/pull/170
 * https://github.com/cisco/libsrtp/pull/184
 * Furthermore, AES-GCM uses a shorter crypto-suite string which
 * causes Nokia phones based on Symbian/S60 to reject the whole
 * INVITE with status 500, even if a matching suite was offered.
 * AES-256 might just waste your processor cycles, especially if
 * your TLS transport is not secured with equivalent grade, see
 * https://security.stackexchange.com/q/61361
 * Therefore, AES-128 was preferred here.
 *
 * If you want to enable one of those defines, please, go for
 * CFLAGS='-DENABLE_SRTP_AES_GCM' ./configure && sudo make install
 */
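To confirm that a rebuilt Asterisk really offers the additional suites, inspect the a=crypto lines in the SDP body of an outgoing INVITE. The Python sketch below is an added example, not code from Asterisk or from the original page: the function names and the two sample SDP bodies (including their tag numbers and all-zero keys) are constructed for illustration, and the key-plus-salt lengths are those defined in RFC 4568, RFC 6188 and RFC 7714.

```python
import base64
import re

# Length in bytes of master key + master salt carried in "inline:" for each
# SDES crypto suite (RFC 4568, RFC 6188, RFC 7714).
KEY_SALT_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
    "AES_192_CM_HMAC_SHA1_80": 38,
    "AES_192_CM_HMAC_SHA1_32": 38,
    "AES_256_CM_HMAC_SHA1_80": 46,
    "AES_256_CM_HMAC_SHA1_32": 46,
    "AEAD_AES_128_GCM": 28,
    "AEAD_AES_256_GCM": 44,
}

# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)")

def offered_suites(sdp):
    """Return [(tag, suite, key_ok)] for every a=crypto line in an SDP body."""
    out = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        tag, suite, b64 = int(m.group(1)), m.group(2), m.group(3)
        try:
            raw = base64.b64decode(b64, validate=True)
        except ValueError:  # malformed base64 counts as a bad key
            raw = b""
        # key_ok is False for unknown suites or a key of the wrong size
        out.append((tag, suite, len(raw) == KEY_SALT_LEN.get(suite)))
    return out

def offers_aes256(sdp):
    """True if the offer has a well-formed AES-256 (CM or GCM) suite."""
    return any(ok and s.startswith(("AES_256_", "AEAD_AES_256_"))
               for _, s, ok in offered_suites(sdp))

def crypto_line(tag, suite, nbytes):
    # Constructed key material (all-zero bytes), for illustration only.
    key = base64.b64encode(bytes(nbytes)).decode()
    return "a=crypto:%d %s inline:%s" % (tag, suite, key)

# Constructed sample offers: a stock build and a build with ENABLE_SRTP_AES_256.
HEAD = ["v=0", "m=audio 10000 RTP/SAVP 0"]
STOCK_OFFER = "\r\n".join(HEAD + [crypto_line(1, "AES_CM_128_HMAC_SHA1_80", 30)])
REBUILT_OFFER = "\r\n".join(HEAD + [crypto_line(1, "AES_CM_128_HMAC_SHA1_80", 30),
                                    crypto_line(2, "AES_256_CM_HMAC_SHA1_80", 46)])
```

Feed `offers_aes256` the SDP body taken from a SIP trace of an outgoing call; a `False` result after recompiling means the define did not reach the build.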