From 1542f8f549aadb3cde1992c1c314c18751f5a52e Mon Sep 17 00:00:00 2001
From: Denys Pozniak
Date: Fri, 6 Feb 2026 14:42:48 +0100
Subject: [PATCH] MT#55283 Add no-tls-id flag to disable a=tls-id SDP attribute generation
Closes #2064
Change-Id: I9f133777ab8c6078e182f20c702fe77be9c5ec8d
---
 daemon/call.c | 9 +++++++--
 daemon/call_interfaces.c | 4 ++++
 daemon/sdp.c | 2 +-
 docs/ng_control_protocol.md | 7 +++++++
 include/call_interfaces.h | 1 +
 5 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/daemon/call.c b/daemon/call.c
index c23d22bd9..7b1add585 100644
--- a/daemon/call.c
+++ b/daemon/call.c
@@ -2206,8 +2206,13 @@ static void __dtls_logic(const sdp_ng_flags *flags,
 __dtls_restart(other_media);
 }
 else if (ice_is_restart(other_media->ice_agent, sp) && !other_media->tls_id.len && !sp->tls_id.len) {
- ilogs(crypto, LOG_INFO, "ICE restart without TLS-ID, restarting DTLS");
- __dtls_restart(other_media);
+ // Skip DTLS restart if no-tls-id flag is active (user opted out of TLS-ID handling)
+ if (!flags->no_tls_id) {
+ ilogs(crypto, LOG_INFO, "ICE restart without TLS-ID, restarting DTLS");
+ __dtls_restart(other_media);
+ } else {
+ ilogs(crypto, LOG_INFO, "ICE restart without TLS-ID detected, but no-tls-id flag is active - skipping DTLS restart");
+ }
 }
 other_media->tls_id = call_str_cpy(&sp->tls_id);
diff --git a/daemon/call_interfaces.c b/daemon/call_interfaces.c
index 814bec103..58553a856 100644
--- a/daemon/call_interfaces.c
+++ b/daemon/call_interfaces.c
@@ -1255,6 +1255,10 @@ void call_ng_flags_flags(str *s, unsigned int idx, helper_arg arg) {
 case CSH_LOOKUP("no RTCP attribute"):
 out->no_rtcp_attr = true;
 break;
+ case CSH_LOOKUP("no-tls-id"):
+ case CSH_LOOKUP("no tls id"):
+ out->no_tls_id = true;
+ break;
 case CSH_LOOKUP("no-jitter-buffer"):
 case CSH_LOOKUP("no jitter buffer"):
 out->disable_jb = true;
diff --git a/daemon/sdp.c b/daemon/sdp.c
index ffe1fa2dc..f61db7900 100644
--- a/daemon/sdp.c
+++ b/daemon/sdp.c
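Review bot: With `no-tls-id` set, the new `else` branch in `daemon/call.c` keeps the existing DTLS association across an ICE restart, and the added comment does not say what can still trigger a restart in that mode. The branch just above (its condition is outside the hunk) still calls `__dtls_restart(other_media)` regardless of the flag, and `other_media->tls_id` is still overwritten from `sp->tls_id` after the chain, so the flag suppresses only this one path rather than all TLS-ID handling. I would reword the comment to `// no-tls-id: keep the current DTLS association across this ICE restart; the branch above can still restart DTLS`, once that is confirmed as the intended behaviour. Separately, `flags` is dereferenced unguarded here and again in the `daemon/sdp.c` hunk; if any caller can pass NULL, the condition should read `if (!flags || !flags->no_tls_id) {`. `__dtls_logic` starts and ends outside the hunk.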
@@ -2594,7 +2594,7 @@ static void insert_dtls(GString *s, struct call_media *media, struct dtls_connec
 insert_fingerprint(s, media, flags, hf, fp);
- if (dtls)
+ if (dtls && !flags->no_tls_id)
 insert_tls_id(s, media, flags, dtls);
 }
diff --git a/docs/ng_control_protocol.md b/docs/ng_control_protocol.md
index d49466816..5ea15c9ce 100644
--- a/docs/ng_control_protocol.md
+++ b/docs/ng_control_protocol.md
@@ -1161,6 +1161,13 @@ Spaces in each string may be replaced by hyphens.
 Omit the `a=rtcp` line from the outgoing SDP.
+* `no-tls-id` or `no tls id`
+
+ Disables generation of the `a=tls-id` SDP attribute in outgoing SDP and prevents
+ automatic DTLS restart when an ICE restart occurs without a TLS-ID present. This flag
+ is useful in scenarios where TLS-ID handling should be completely bypassed, such as when
+ interoperating with endpoints that don't support or expect the `a=tls-id` attribute.
+
 * `original sendrecv`
 With this flag present, *rtpengine* will leave the media direction attributes
diff --git a/include/call_interfaces.h b/include/call_interfaces.h
index f0827267c..b295e4420 100644
--- a/include/call_interfaces.h
+++ b/include/call_interfaces.h
@@ -219,6 +219,7 @@ RTPE_NG_FLAGS_STR_CASE_HT_PARAMS
 rtcp_mirror:1,
 trickle_ice:1,
 no_rtcp_attr:1,
+ no_tls_id:1,
 full_rtcp_attr:1,
 generate_rtcp:1,
 generate_rtcp_off:1,
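Review bot: In `insert_dtls` (`daemon/sdp.c`) the `a=tls-id` line is dropped only for messages that carry the flag, because `no_tls_id` is a field of the per-message `sdp_ng_flags` filled in by `call_ng_flags_flags`. If a controller sends `no-tls-id` on the initial offer but not on a later re-offer, or the reverse, the attribute would appear and disappear within one dialog, which a peer that tracks TLS-ID may read as a change of DTLS association; that consequence is inferred, not shown in the hunk. A short comment above the condition such as `/* no-tls-id is per message: the caller must repeat it on every offer/answer of the dialog */` would make the expectation explicit. The body of `insert_dtls` starts outside the hunk.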