SEMS no longer negotiating SRTP

Working on my upgrade from Yeti 10 → 13 and had to redesign my SEMS config

The problem is that the new SEMS config no longer allows my test softphone to negotiate SRTP: if I set it to “Optional SRTP”, SEMS refuses the call with “No suitable media/500/Invalid media transport”.
The item in the logs is “got offer transport type RTP/AVP while expected RTP/SAVP”

Is this expected behaviour or have I misconfigured something?

Old sems.conf

    interface public {
        ip4 {
            rtp {
                address = x.x.x.x
                low-port = 16383
                high-port = 32767
                dscp = 46
                use-raw-sockets = off
                srtp {
                     enable_srtp=yes
                     sdes {
                         #profiles = { AES_256_CM_HMAC_SHA1_80, AES_256_CM_HMAC_SHA1_32, AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32 }
                         profiles = { AES_CM_128_HMAC_SHA1_80 }
                     }
                     dtls {
                         client {
                             protocols =  { DTLSv1, DTLSv1.2 }
                             certificate = /etc/sems/ssl/crt.pem
                             certificate_key = /etc/sems/ssl/key.pem
                             profiles = { AES_256_CM_HMAC_SHA1_80, AES_256_CM_HMAC_SHA1_32, AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32 }
                             verify_certificate_chain = false
                             verify_certificate_cn = false
                         }
                         server {
                             protocols =  { DTLSv1, DTLSv1.2 }
                             certificate = /etc/sems/ssl/crt.pem
                             certificate_key = /etc/sems/ssl/key.pem
                             profiles = { AES_256_CM_HMAC_SHA1_80, AES_256_CM_HMAC_SHA1_32, AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32 }
                             ciphers = {ChaCha20Poly1305, AES-256/GCM, AES-128/GCM, AES-256/CCM, AES-128/CCM, AES-256, AES-128}
                             macs = {AEAD, SHA-256, SHA-384, SHA-1}
                             verify_client_certificate = false
                             verify_client_certificate = false
                         }
                     }
                }
            }
        }
    }

New sems.conf

    interface "public" {
        srtp {
            enable_srtp=yes
            sdes {
                #profiles = { AES_256_CM_HMAC_SHA1_80, AES_256_CM_HMAC_SHA1_32, AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32 }
                profiles = { AES_CM_128_HMAC_SHA1_80 }
            }
            dtls {
                client {
                    protocols = { DTLSv1, DTLSv1.2 }
                    certificate = /etc/sems/ssl/crt.pem
                    certificate_key = /etc/sems/ssl/key.pem
                    profiles = { AES_256_CM_HMAC_SHA1_80, AES_256_CM_HMAC_SHA1_32, AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32 }
                    verify_certificate_chain = false
                    verify_certificate_cn = false
                }
                server {
                    protocols = { DTLSv1, DTLSv1.2 }
                    certificate = /etc/sems/ssl/crt.pem
                    certificate_key = /etc/sems/ssl/key.pem
                    profiles = { AES_256_CM_HMAC_SHA1_80, AES_256_CM_HMAC_SHA1_32, AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32 }
                    ciphers = {ChaCha20Poly1305, AES-256/GCM, AES-128/GCM, AES-256/CCM, AES-128/CCM, AES-256, AES-128}
                    macs = {AEAD, SHA-256, SHA-384, SHA-1}
                    verify_client_certificate = false
                    verify_client_certificate = false
                }
            }
        }
        ip4 {
            rtp {
                address = x.x.x.x
                low-port = 16384
                high-port = 32767
                dscp = 46
                use-raw-sockets = off
            }
        }
    }
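
Added example, not SEMS or Yeti code and not a description of what MicroSIP actually puts on the wire: a small Python checker that classifies the transport on an SDP offer's `m=audio` line and evaluates it against a "require SRTP" policy, reproducing the kind of decision behind the quoted log line “got offer transport type RTP/AVP while expected RTP/SAVP”. The `require_srtp` flag stands in for a gateway with media encryption switched on; the sample SDP bodies, the `a=crypto` key material and the DTLS fingerprint are constructed placeholders, and the SDES profile set copies `sdes.profiles` from the config above.

```python
import re

# Transports that carry SRTP on the m= line (RFC 4568 SDES, RFC 5764 DTLS-SRTP).
# RTP/AVP plus an a=crypto attribute is the "best effort" / "optional SRTP"
# pattern: the m= line still advertises plain RTP, so a strict check that
# expects RTP/SAVP rejects it even though a crypto line is present.
SRTP_TRANSPORTS = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

# Mirrors sdes.profiles in the sems.conf above.
CONFIGURED_SDES_PROFILES = {"AES_CM_128_HMAC_SHA1_80"}


def parse_offer(sdp: str) -> dict:
    """Return the transport, offered SDES suites and DTLS fingerprint of the
    first m=audio section. A session-level a=fingerprint is honoured as well."""
    transport, suites, fingerprint = None, [], None
    in_audio = False
    for raw in sdp.strip().splitlines():
        line = raw.strip()
        if line.startswith("m="):
            if in_audio:
                break  # only the first audio section matters here
            fields = line[2:].split()
            in_audio = len(fields) >= 3 and fields[0] == "audio"
            if in_audio:
                transport = fields[2]
            continue
        if line.startswith("a=fingerprint:") and (in_audio or fingerprint is None):
            fingerprint = line.split(":", 1)[1].strip()
        elif in_audio:
            m = re.match(r"a=crypto:\d+\s+(\S+)\s+inline:", line)
            if m:
                suites.append(m.group(1))
    return {"transport": transport, "suites": suites, "fingerprint": fingerprint}


def check_offer(sdp: str, require_srtp: bool) -> tuple:
    """Strict transport check. require_srtp=True stands in for the gateway's
    'Media Encryption' being enabled. Returns (accepted, reason)."""
    offer = parse_offer(sdp)
    transport = offer["transport"]
    if transport is None:
        return False, "no m=audio line in offer"
    if require_srtp and transport not in SRTP_TRANSPORTS:
        # Same wording as the log line quoted in the thread.
        return False, f"got offer transport type {transport} while expected RTP/SAVP"
    if transport in ("RTP/SAVP", "RTP/SAVPF"):
        if not offer["suites"]:
            return False, f"{transport} offered without a=crypto"
        usable = [s for s in offer["suites"] if s in CONFIGURED_SDES_PROFILES]
        if not usable:
            return False, f"no common SDES profile, offered {offer['suites']}"
        return True, f"SDES SRTP with {usable[0]}"
    if transport in SRTP_TRANSPORTS:  # UDP/TLS/RTP/SAVP(F)
        if not offer["fingerprint"]:
            return False, f"{transport} offered without a=fingerprint"
        return True, f"DTLS-SRTP, fingerprint {offer['fingerprint']}"
    # Plain RTP/AVP. An a=crypto line here is only a hint; a strict endpoint ignores it.
    hint = " (a=crypto present, best-effort SRTP ignored)" if offer["suites"] else ""
    return True, "plain RTP" + hint


# Constructed sample offers (not captured from MicroSIP or SEMS); the key
# material and fingerprint are placeholders and their lengths are not validated.
CRYPTO = "a=crypto:1 {suite} inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:4\n"
PLAIN = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 4000 RTP/AVP 0 8 101
a=rtpmap:101 telephone-event/8000
"""
# "Optional SRTP" style: m= still says RTP/AVP but an a=crypto line is attached.
OPTIONAL_SRTP = PLAIN + CRYPTO.format(suite="AES_CM_128_HMAC_SHA1_80")
SDES_SRTP = PLAIN.replace("RTP/AVP", "RTP/SAVP") + CRYPTO.format(suite="AES_CM_128_HMAC_SHA1_80")
SDES_WRONG_SUITE = PLAIN.replace("RTP/AVP", "RTP/SAVP") + CRYPTO.format(suite="AES_256_CM_HMAC_SHA1_80")
DTLS_SRTP = PLAIN.replace("RTP/AVP", "UDP/TLS/RTP/SAVPF") + (
    "a=fingerprint:sha-256 "
    "4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB:3E:4B:65:2E:7D:46:3F:54:42:CD:54:2A\n"
    "a=setup:actpass\n")

if __name__ == "__main__":
    samples = [("plain", PLAIN), ("optional", OPTIONAL_SRTP), ("sdes", SDES_SRTP),
               ("wrong-suite", SDES_WRONG_SUITE), ("dtls", DTLS_SRTP)]
    for name, sdp in samples:
        for policy in (False, True):
            ok, why = check_offer(sdp, require_srtp=policy)
            print(f"{name:12s} require_srtp={policy!s:5s} -> {'accept' if ok else 'reject'}: {why}")
```

Paste a captured offer (from the SEMS log or a pcap) into `check_offer` to see which branch rejects it. The `OPTIONAL_SRTP` sample shows the trap: an `a=crypto` line under an `RTP/AVP` m-line is the best-effort SRTP pattern, and an endpoint that insists on `RTP/SAVP` never looks at the crypto attribute, so the call fails on the transport check rather than on the cipher suite.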

Turns out I might be a very silly person - the gateway I was testing against had Media Encryption enabled. Probably the only one in our whole system. :rofl:

Turned that off, was able to make test calls.

It's kind of cryptic what “Optional SRTP” means. Maybe something like DTLS-SRTP with failover to plain RTP on failed negotiation.
Anyway, glad that you sorted this out.
As for degrees of silliness, FYI: libsems1 >= 1.173.0 has a fix for the really silly bug which prevented successful DTLS negotiation for Google Chrome's WebRTC.

@furmur
“Optional SRTP” in the droplist of the softphone I was using for testing - MicroSIP. What it actually does would be up to the developer, but I’d suggest you are correct.

My test system is running libsems1 v1.162.1, but I can see much newer versions on GitHub. I'm guessing newer versions will be released with Yeti 1.14?

Yep. New versions designated for 1.14 branch.
