So, the question is: is there a way to constrain which cipher suites are offered in the SDP answer generated by RTPEngine?
I think you're looking for the `SDES-offerer_pref:...` option. It doesn't let you ignore or reject specific cipher suites, but it lets you prefer certain ones over others. If you tell it to prefer the AES suites then you should get the desired result.
Cheers
I should say that I am also sending these flags: SDES-only-AES_CM_128_HMAC_SHA1_80 SDES-only-AES_CM_128_HMAC_SHA1_32 SDES-only-F8_128_HMAC_SHA1_80 However, nothing that you said, or the documentation, leads me to believe SDES-only-X and SDES-offerer_pref:[...] are mutually exclusive. Are they?
No they're not, and in fact this combination is explicitly covered by one of the test cases (although in an SRTP <> SRTP scenario).
In fact, one gets the impression that, in mr11.5.1.9 at least, SDES-only options have no influence on the answer if the bridging destination is of the RTP/AVP profile, while SDES-no options do.
`SDES-only-...` and `SDES-no-...` are meant to influence cipher suites being *offered to* an SRTP endpoint (whether coming from a plain RTP or SRTP offer). They're not meant to influence what suites are being accepted from one. So you shouldn't expect any particular behaviour here, and in fact you probably should omit these options altogether when making an offer to a plain RTP endpoint.
Cheers
I'm thinking the best way to handle this might be to adulterate the SDP offer fed into RTPEngine, using the `read_sdp_pv` feature of the Kamailio NG control module. We can strip out the undesirable ciphers that aren't "actually" supported, and hopefully that will put the matter to bed. However, if you can think of any simpler solutions, I would appreciate any advice.
SDES-offerer_pref is supposed to handle this, but clearly there's something missing. None of the test cases actually cover the SRTP<>RTP scenario, so it's very likely that there's a code path that simply doesn't take that option into account. I'll see if I can find the culprit.
Cheers
Latest master contains a fix for this (commits db7315b3...d0fd696 in particular). Feel free to test it if you can. I think it's eligible for a backport as well.
Also see if perhaps https://groups.google.com/g/rtpengine/c/rA3yCIQIEn8/m/kbVIZCKJAAAJ is relevant to your troubles with Linphone.
Cheers