[Asterisk-Dev] Re: SRTP with keymanagement, SIP over TCP
John Todd
jtodd at loligo.com
Fri Dec 9 18:57:43 MST 2005

At 6:32 AM -0600 12/8/05, Rich Adamson wrote:
>
>> > - ensure that you are testing against inexpensive equipment (Sipura
>> > is an SRTP device which is cheap...)
>>
>> Did Sipura ever release enough information for folks to make their own
>> "mini-certificates"? P.17 - P.19 of 841AdminGuide1105.pdf has some
>> good hints, but I haven't been able to make enough sense of it to
>> generate one from openssl.
>
>I have not worked with the 841, but have done some research involving the
>spa3000 and its use of certificates for updating configs remotely, etc.
>Since Sipura products seem to share a large amount of source code, etc,
>between various products, I'd guess the certificate mechanism for the
>841 is the same as the spa products.
>
>If you have access to their support web site, there were some documents
>that explain how to generate a certificate. However, once the certificate
>is generated (which I did on a FC3 stock box), one needed to send the
>certificate to Sipura for signing. When I asked where to send it, I was
>told to contact sales. I have not done that yet, but apparently there
>must be a charge to have that done since the support folks were referring
>me to sales. (It also could be part of their merging of products and support
>into the Cisco/Linksys group; really don't know for sure.)
>
>The Sipura support seems to have dropped somewhat after the announced
>Cisco purchase/merger.
>
I'd hope that somehow the Sipuras could be used as an encrypted media
endpoint. There was previous use of the Sipuras (with Asterisk, I
suppose?) by Voicepulse in an encrypted stream format, but I don't
know if that ever saw use outside of their firm. It would seem that
generation of certificates would be required for that process, even
if they were self-signed.

Now that we're getting closer to having Asterisk support this
natively, it would be good (required?) to have some method of
building these certs. It may not be possible to use SRTP without
TLS, though, and I don't have the time right now to hunt that down.

I've cc:'ed Marcelo Rodriguez on this, who runs Voxilla. At one
point, I recall that they were issuing mini-certs to Sipura users -
perhaps their methods and/or code would translate to something this
effort could use? I don't know if this same mechanism could be used
for "signing" an Asterisk server cert. Sorry, I'm not too
up-to-speed on this stuff yet, so I might be mixing apples and
oranges. Maybe this is much easier than I think it is....

http://voxilla.com/modules.php?op=modload&name=News&file=article&sid=63

JT