[asterisk-dev] Request for testing SIP TCP/TLS
James Golovich
james at gnuinter.net
Mon Dec 10 13:08:09 CST 2007
I've continued on the previous work done on the SIP TCP/TLS branch and
it's ready for some additional testing.
The branch is located at
http://svn.digium.com/view/asterisk/team/group/sip-tcptls/
Even if you can't test the TLS code, testing the UDP code with this
branch would be useful to make sure nothing has been broken, as well as
testing out the HTTP and Manager interfaces using SSL (since the same
general SSL server code has been used and slightly modified).
I've just added a doc file to the branch as doc/siptls.txt with some
basic information about setting TLS up and what config options are
available. This is also included here at the end of the email.
James Golovich <james at gnuinter.net>
Asterisk SIP/TLS Transport
==========================
When using TLS the client will typically check the validity of the
certificate chain. So that means you either need a certificate that is
signed by one of the larger CAs, or if you use a self signed certificate
you must install a copy of your CA on the client.
So far this code has been tested with:
Polycom Soundpoint IP Phones (TLS and TCP)
Polycom phones require that the host (ip or hostname) that is
configured match the 'common name' in the certificate
Minisip Softphone (TLS and TCP)
Cisco IOS Gateways (TCP only)
sip.conf options
----------------
tlsenable=[yes|no]
Enable TLS server, default is no
tlsbindaddr=<ip address>
Specify IP address to bind TLS server to, default is 0.0.0.0
tlscertfile=</path/to/certificate>
The server's certificate file. Should include the key and
certificate. This is mandatory if you're going to run a TLS server.
tlscafile=</path/to/certificate>
If the server you're connecting to uses a self-signed certificate
you should have their certificate installed here so the code can
verify the authenticity of their certificate.
tlscadir=</path/to/ca/dir>
A directory full of CA certificates. The files must be named with
the CA subject name hash value.
(see man SSL_CTX_load_verify_locations for more info)
tlsdontverifyserver=[yes|no]
If set to yes, don't verify the server's certificate when acting as
a client. If you don't have the server's CA certificate you can
set this and it will connect without requiring tlscafile to be set.
Default is no.
tlscipher=<SSL cipher string>
A string specifying which SSL ciphers to use or not use
Sample config
-------------
Here are the relevant bits of config for setting up TLS between 2
asterisk servers. With server_a registering to server_b
On server_a:
[general]
tlsenable=yes
tlscertfile=/etc/asterisk/asterisk.pem
tlscafile=/etc/ssl/ca.pem ; This is the CA file used to generate both certificates
register => tls://100:test@192.168.0.100:5061
[101]
type=friend
context=internal
host=192.168.0.100 ; The host should be either IP or hostname and should
                   ; match the 'common name' field in the server's certificate
secret=test
dtmfmode=rfc2833
disallow=all
allow=ulaw
transport=tls
port=5061
On server_b:
[general]
tlsenable=yes
tlscertfile=/etc/asterisk/asterisk.pem
[100]
type=friend
context=internal
host=dynamic
secret=test
dtmfmode=rfc2833
disallow=all
allow=ulaw
;You can specify transport= and port=5061 for TLS, but it's not necessary in
;the server configuration, any type of SIP transport will work
;transport=tls
;port=5061