Skip to content

Latest commit

 

History

History
162 lines (116 loc) · 4.69 KB

tls_srtp_summary.md

File metadata and controls

162 lines (116 loc) · 4.69 KB

TLS and SRTP Implementation Technical Summary

Overview

This technical document summarizes the TLS (Transport Layer Security) and SRTP (Secure Real-Time Transport Protocol) implementation in the SIPREC server.

TLS Implementation

Core Components

The TLS implementation for SIP signaling security consists of:

  1. X.509 certificate management and validation
  2. TLS server configuration with minimum TLS 1.2
  3. Secure listening endpoint on dedicated TLS port
  4. Network protocol handling for TLS connections

Implementation Details

The server implements TLS using the following approach:

// Set up TLS configuration
tlsConfig := &tls.Config{
    MinVersion: tls.VersionTLS12,
    Certificates: []tls.Certificate{cert},
}

// Start TLS server
if err := sipHandler.Server.ListenAndServeTLS(
    ctx,
    "tls", // Network type for TLS
    tlsAddress,
    tlsConfig,
); err != nil {
    logger.WithError(err).Error("Failed to start SIP server on TLS")
    return
}

Key aspects of the implementation:

  1. Separate Goroutines: Each listener type (UDP, TCP, TLS) runs in its own goroutine
  2. Context-Based Shutdown: All listeners share a context for graceful shutdown
  3. Error Propagation: Errors are captured and properly logged
  4. Connection Verification: TLS port binding is verified during startup

Graceful Shutdown

The TLS implementation includes a robust shutdown process:

// Cancel the context to signal all listeners to shut down
rootCancel()

// Shutdown with timeout
sipShutdownCtx, sipShutdownCancel := context.WithTimeout(context.Background(), 10*time.Second)
defer sipShutdownCancel()

if err := sipHandler.Shutdown(sipShutdownCtx); err != nil {
    logger.WithError(err).Error("Error shutting down SIP server")
} else {
    logger.Info("SIP server shut down successfully")
}

SRTP Implementation

Core Components

The SRTP implementation for media encryption consists of:

  1. SRTP key generation and management
  2. SDP security descriptions for key exchange (RFC 4568)
  3. Crypto attribute generation in SDP responses
  4. Media packet encryption/decryption

Key Structures

// SRTPKeyInfo holds SRTP key information for SDP crypto attributes
type SRTPKeyInfo struct {
    MasterKey    []byte // Master key for SRTP (16 bytes for AES-128)
    MasterSalt   []byte // Master salt for SRTP (14 bytes recommended)
    Profile      string // SRTP crypto profile (e.g., AES_CM_128_HMAC_SHA1_80)
    KeyLifetime  int    // Key lifetime in packets (optional)
}

SDP Integration

SRTP is negotiated through SDP extensions following RFC 4568:

m=audio 19688 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:|2^2147483647

The implementation adds crypto attributes to media descriptions:

// Add SRTP information if enabled
if config.EnableSRTP {
    options.SRTPKeyInfo = &SRTPKeyInfo{
        Profile:      "AES_CM_128_HMAC_SHA1_80",
        KeyLifetime:  2147483647, // 2^31 per RFC 3711
        MasterKey:    generateRandomKey(16), // 128-bit key
        MasterSalt:   generateRandomKey(14), // 112-bit salt
    }
}

Testing Framework

TLS Testing

TLS functionality is tested using:

  1. A standalone test server/client that verifies TLS handshakes
  2. OpenSSL client tests for certificate validation
  3. Integration tests for SIP over TLS message exchange

SRTP Testing

SRTP functionality is tested using:

  1. SDP generation tests that verify crypto attributes
  2. Mock SIP clients that validate SRTP negotiation
  3. Media packet encryption/decryption tests

SIPREC XML Testing

SIPREC XML functionality is tested using:

  1. A mock INVITE client that sends SIPREC XML content in a multipart MIME message
  2. XML parsing and validation according to RFC 7865/7866
  3. Verification of SIPREC session attributes including participants, streams, and associations

Performance Considerations

For optimal TLS and SRTP performance:

  1. Connection Pooling: Re-use TLS connections when possible
  2. Connection Timeouts: Implement proper timeouts for TLS handshakes
  3. Certificate Caching: Cache certificate validation results
  4. SRTP Session Reuse: Avoid frequent key renegotiation

Future Enhancements

Planned improvements include:

  1. Mutual TLS Authentication: Add client certificate validation
  2. DTLS-SRTP Support: Implement DTLS for key exchange
  3. Key Rotation: Implement automatic key rotation for long sessions
  4. TLS 1.3 Support: Upgrade to TLS 1.3 when library support is available

References

  • RFC 3261 - SIP: Session Initiation Protocol
  • RFC 3711 - The Secure Real-time Transport Protocol (SRTP)
  • RFC 4568 - Session Description Protocol (SDP) Security Descriptions
  • RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2