[asterisk-dev] SRTP, Sdescriptions, and TLS
Mohammad Halawah
mhalawah at gmail.com
Tue Nov 6 10:57:59 CST 2007
On 11/6/07, Mikael Magnusson <mikma264 at gmail.com> wrote:
> Mohammad Halawah wrote:
> > Hello everyone,
> >
> ...
> > I know that Asterisk has a patch to enable SRTP with Sdescriptions as
> > mentioned in http://bugs.digium.com/view.php?id=5413
> >
> > I know also that there is a working patch for TLS as Russel mentioned
> > (9th July 2007) in
> > http://lists.digium.com/pipermail/asterisk-dev/2007-July/028454.html
> > which is made for revision 88524 as can be seen in
> > http://svn.digium.com/svn/asterisk/team/bbryant/sip-tcptls.
> >
> > Additionally, in this link http://bugs.digium.com/view.php?id=4903 , I
> > found two patches dated after 9th July.
> >
> > I think that I can use asterisk on this link
> > http://svn.digium.com/svn/asterisk/team/bbryant/sip-tcptls/ and patch
> > it with the SRTP patch "ast_srtp_r81432_mikey_r3412.patch" located
> > here http://bugs.digium.com/view.php?id=5413 . Does that make sense?
> >
> > I would appreciate someone helping me find the right combination of
> > trunk/revision/patch. Thanks in advance.
> >
>
Hi Mikael,

> I haven't tried to apply the SRTP patch on the sip-tcptls branch, you
> may need to deal with conflicts since both touch chan_sip.

Actually I am expecting some trouble, but I wanted to start with the
best available combination to avoid unnecessary work.

> An alternative approach is to use a SIP proxy to translate between TLS
> and UDP, for example openser or yxa. Of course you need to secure the
> link between Asterisk and the proxy, maybe by running both on the same host.

I am aware of this solution but (as you can tell) it introduces more
complexity to the system. But thanks for the hint...

> I would like to add that the SRTP patch besides sdescriptions also
> supports MIKEY (Multimedia KEYing), which doesn't require a secure
> transport such as TLS or S/MIME.

The problem is that Snom phones support neither ZRTP nor MIKEY.
Can you tell me which patch I should use with the sip-tcp/tls trunk?
I think if we can get the Sdescriptions patch with TLS to work, then the SRTP
w/ Sdesc puzzle is solved.

> Regards,
> Mikael

Best regards,
Mohammad
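
Added example, not part of the original thread or of any Asterisk patch: a small Python check that shows why sdescriptions depends on TLS signalling. It parses the RFC 4568 `a=crypto` line of an SDP body and reports when the SRTP master key arrived over a non-TLS hop. The INVITE, host names and key below are constructed, and `audit_sip_message` and `sample_invite` are names made up for this example.

```python
import base64
import re

# RFC 4568: a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)")
# The top Via header names the transport of the hop that delivered the message.
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", re.I | re.M)
# Master key plus master salt length in bytes for the RFC 4568 suites.
KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30,
                "AES_CM_128_HMAC_SHA1_32": 30,
                "F8_128_HMAC_SHA1_80": 30}

def audit_sip_message(raw):
    """Return (transport, findings) for one SIP message carrying SDP."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    via = VIA_RE.search(head)
    transport = via.group(1).upper() if via else "UNKNOWN"
    findings = []
    for line in body.splitlines():
        m = CRYPTO_RE.match(line)
        if not m:
            continue
        tag, suite, key_b64 = m.groups()
        expected = KEY_SALT_LEN.get(suite)
        if expected is None:
            findings.append(f"crypto tag {tag}: unknown suite {suite}")
        elif len(base64.b64decode(key_b64)) != expected:
            findings.append(f"crypto tag {tag}: key||salt is not {expected} bytes")
        if transport != "TLS":
            findings.append(
                f"crypto tag {tag}: SRTP master key sent in clear over {transport}")
    return transport, findings

# Constructed sample key (bytes 0..29), not taken from any real call.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()

def sample_invite(transport, key=SAMPLE_KEY):
    # Constructed INVITE; names and addresses are placeholders.
    return ("INVITE sip:bob@example.org SIP/2.0\r\n"
            f"Via: SIP/2.0/{transport} phone.example.org;branch=z9hG4bKconstructed\r\n"
            "Content-Type: application/sdp\r\n"
            "\r\n"
            "v=0\r\n"
            "m=audio 49170 RTP/SAVP 0\r\n"
            f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{key}\r\n")

if __name__ == "__main__":
    for t in ("UDP", "TLS"):
        print(t, audit_sip_message(sample_invite(t)))
```

The top Via only describes the last hop, so with a TLS-to-UDP proxy in front of Asterisk the same check has to pass on the proxy-to-Asterisk leg, or that leg has to stay on one host.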