[asterisk-dev] Notes from setting up SIP+TLS/RTP+DTLS

Sun Nov 9 17:54:36 CST 2014

Tonight I finally got Asterisk 13 working with chan_pjsip and SIP+TLS and RTP+DTLS.  It’s 12:45am so I won’t spend a lot of time on this now, but I wanted to share the notes I took while setting this up as I feel the documentation is pretty lacking in this area.

media_encryption is not well documented in pjsip.conf
* In my case, it needed to be set to “dtls”, but I think that some endpoints may need “srtp"
* my first-guess setting of “yes” results in a cryptic/unhelpful error on the console, and the syntax error caused the entire endpoint to be un-useable
* dtls vs.srtp is not mentioned at all (as far asI could find) in either the Asterisk Wiki nor the configs/sample/pjsip.conf
* The default is “no” - I had thought that SRTP and DTLS were not mutually exclusive - are they? If not, can we set a default that permits them to be used if requested by the endpoint?

Configuring certificates
There is no mention of the fact that endpoints need DTLS certificates configured at all on endpoints in the Asterisk Wiki.
The Asterisk Wiki covers setting up TLS on the transport, and that mostly worked on the first go *except* that the config key is erroneously referenced as “privkey_file” (missing an underscore).  I made a comment on the Wiki so someone can correct this, but it appears to have been included in sample config files for some time, so the bad info is out there: https://duckduckgo.com/?q=asterisk+%22privkey_file%22 <https://duckduckgo.com/?q=asterisk+%22privkey_file%22>
Also, it might be worth mentioning that TLS runs over TCP, not UDP, as I had that wrong in my firewall on the first attempt.

Setting certificates has to be done at least twice (transport + endpoint)
* There is no automatic setting of the DTLS CA/Cert/Privkey from the SIP+TLS configuration for the transport. I know this would potentially be difficult if multiple transports were set with different TLS keys, but still…this is non-obvious.
* Can we somehow default the endpoint’s CA/Cert/Privkey to that of the transport? If not, can we somehow associate the endpoint with the transport so it doesn’t have to be configured twice?

The pjsip configuration keys are subtly different for SIP+TLS on the transport vs. RTP+DTLS on the endpoint. Examples:

cert_file =X ; transport
dtls_cert_file = X ; endpoint
; dtls_ prefix, weird but ok - srtp doesn’t appear to have a corresponding setting, so do we even need the prefix?

priv_key_file = X ; transport
dtls_private_key = X ; endpoint
; priv_key_file vs. private_key?

ca_list_file =X ; transport
dtls_ca_file = X ; endpoint
; _list or not?

I’m not familiar with Sorcery.  I know that Asterisk 13 is out meaning these config settings are set in stone for the next couple of years. But could we create aliases that were more consistent, just to preserve some peoples’ hair?

But the good news is: it does work! :)

/BAK/
--
Ben Klang
Principal/Technology Strategist, Mojo Lingo
bklang at mojolingo.com <mailto:bklang at mojolingo.com>
+1.404.475.4841

Mojo Lingo -- Voice applications that work like magic
http://mojolingo.com <http://mojolingo.com/>
Twitter: @MojoLingo

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20141110/08950972/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20141110/08950972/attachment.pgp>