Encrypted calls with Zoiper 5 and Freeswitch 1.6

Encrypted calls between Zoiper 5 and Freeswitch 1.6 do not work out of the box, because of a bug in Freeswitch affecting some of the newer RTP/SDES encryption suites.

After much time spent with the Zoiper support team (who are awesome by the way!), they suggested changing the cipher preference order in Freeswitch to disable some of the new suites that Freeswitch does not support fully.

From Zoiper Support team:

Basically the current Zoiper for Android and the legacy products for desktop like Zoiper 3 are still using the old library which offers the proper RFC naming but not the FS one. This causes the FS to ignore the 256 and 192 bit offers because it doesn’t recognize them due to FS naming and falls back to 128 bit since it’s the only one that it accepts. Essentially the 192 and 256 bit encryption never worked before because they don’t match the names.

In the new library we offer the FS naming and the issue is fixed, but then the FS has another issue and sends the wrong packet size for 192 and 256.

There is a workaround you can use until and if this issue is fixed by FS. You may try to rearrange the priority on your FS (put 128 on top instead of 256). Or you can simply keep using an older version of Zoiper with 128 bit.

Changing RTP/SDES cipher suites in Freeswitch

To change the cipher suites in Freeswitch, add the following variable to your dialplans so that it is set on the outbound leg to your handsets:

<action application="export" data="nolocal:rtp_secure_media=optional:AES_CM_128_HMAC_SHA1_80"/>

Then for outbound calls from your users, you should modify their directory entry so that the same variable is set on the leg from their handset to your server. E.g.

<variable name="rtp_secure_media" value="optional:AES_CM_128_HMAC_SHA1_80"/>

This will allow Freeswitch and Zoiper 5 to work together with encrypted media.
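Because the variable is set to `optional`, a call can still complete without SRTP, so it is worth confirming from a SIP trace that the SDP answer really carries the 128-bit suite. The following check is an added example, not code from this post, Zoiper or Freeswitch; the function names are hypothetical and the SDP bodies, addresses and keys are constructed placeholders.

```python
import re

# RFC 4568 attribute: a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(\S+)")
EXPECTED_SUITE = "AES_CM_128_HMAC_SHA1_80"  # the suite pinned in the config above


def parse_media(sdp):
    """Return one dict per m= section: media type, transport profile, crypto suites."""
    sections = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            media, _port, proto = line[2:].split()[:3]
            sections.append({"media": media, "proto": proto, "suites": []})
        elif sections:
            match = CRYPTO_RE.match(line)
            if match:
                sections[-1]["suites"].append(match.group(2))
    return sections


def check_answer(sdp, expected=EXPECTED_SUITE):
    """Classify each audio section of an SDP answer: OK, PLAINTEXT or UNEXPECTED_SUITE."""
    results = []
    for sec in parse_media(sdp):
        if sec["media"] != "audio":
            continue
        if not sec["suites"]:
            status = "PLAINTEXT"  # no a=crypto line: media is not SDES-protected
        elif sec["suites"] == [expected]:
            status = "OK"
        else:
            status = "UNEXPECTED_SUITE"  # e.g. a 192/256-bit suite was still chosen
        results.append((status, sec["proto"], sec["suites"]))
    return results


# Constructed SDP answers; the key is a placeholder of fixed length, not a real capture.
_HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
_KEY = "inline:" + "A" * 40
ANSWER_SRTP_128 = _HEAD + "m=audio 20000 RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 " + _KEY + "\r\n"
ANSWER_SRTP_256 = _HEAD + "m=audio 20000 RTP/SAVP 0\r\na=crypto:1 AES_CM_256_HMAC_SHA1_80 " + _KEY + "\r\n"
ANSWER_PLAIN = _HEAD + "m=audio 20000 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n"

if __name__ == "__main__":
    for name, sdp in [("128", ANSWER_SRTP_128), ("256", ANSWER_SRTP_256), ("plain", ANSWER_PLAIN)]:
        print(name, check_answer(sdp))
```

Feed it the SDP body of the 200 OK from each call leg; anything other than `OK` means that leg is either unencrypted or still negotiating a suite other than the one pinned above.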