[asterisk-dev] Notes from setting up SIP+TLS/RTP+DTLS

Ben Klang bklang at mojolingo.com
Sun Nov 9 17:57:16 CST 2014


Oh and one more thing regarding the default of no media encryption by default:

> Il giorno Nov 10, 2014, alle ore 12:54 AM, Ben Klang <bklang at mojolingo.com> ha scritto:
> 
> Tonight I finally got Asterisk 13 working with chan_pjsip and SIP+TLS and RTP+DTLS.  It’s 12:45am so I won’t spend a lot of time on this now, but I wanted to share the notes I took while setting this up as I feel the documentation is pretty lacking in this area.
> 
> 
> media_encryption is not well documented in pjsip.conf
> * In my case, it needed to be set to “dtls”, but I think that some endpoints may need “srtp"
> * my first-guess setting of “yes” results in a cryptic/unhelpful error on the console, and the syntax error caused the entire endpoint to be un-useable
> * dtls vs.srtp is not mentioned at all (as far asI could find) in either the Asterisk Wiki nor the configs/sample/pjsip.conf
> * The default is “no” - I had thought that SRTP and DTLS were not mutually exclusive - are they? If not, can we set a default that permits them to be used if requested by the endpoint?

The default of “no” causes a “488 Not Acceptable Here” response, but nothing in the pjsip (pjsip set log on) or Asterisk debug logs (core set debug 5) says why it was refused. I went down a road of disabling codecs to no avail.  A note that encryption was requested but not configured would have helped.

> 
> Configuring certificates
> There is no mention of the fact that endpoints need DTLS certificates configured at all on endpoints in the Asterisk Wiki.
> The Asterisk Wiki covers setting up TLS on the transport, and that mostly worked on the first go *except* that the config key is erroneously referenced as “privkey_file” (missing an underscore).  I made a comment on the Wiki so someone can correct this, but it appears to have been included in sample config files for some time, so the bad info is out there: https://duckduckgo.com/?q=asterisk+%22privkey_file%22 <https://duckduckgo.com/?q=asterisk+%22privkey_file%22>
> Also, it might be worth mentioning that TLS runs over TCP, not UDP, as I had that wrong in my firewall on the first attempt.
> 
> Setting certificates has to be done at least twice (transport + endpoint)
> * There is no automatic setting of the DTLS CA/Cert/Privkey from the SIP+TLS configuration for the transport. I know this would potentially be difficult if multiple transports were set with different TLS keys, but still…this is non-obvious.
> * Can we somehow default the endpoint’s CA/Cert/Privkey to that of the transport? If not, can we somehow associate the endpoint with the transport so it doesn’t have to be configured twice?
> 
> The pjsip configuration keys are subtly different for SIP+TLS on the transport vs. RTP+DTLS on the endpoint. Examples:
> 
> cert_file =X ; transport
> dtls_cert_file = X ; endpoint
> ; dtls_ prefix, weird but ok - srtp doesn’t appear to have a corresponding setting, so do we even need the prefix?
> 
> priv_key_file = X ; transport
> dtls_private_key = X ; endpoint
> ; priv_key_file vs. private_key?
> 
> ca_list_file =X ; transport
> dtls_ca_file = X ; endpoint
> ; _list or not?
> 
> I’m not familiar with Sorcery.  I know that Asterisk 13 is out meaning these config settings are set in stone for the next couple of years. But could we create aliases that were more consistent, just to preserve some peoples’ hair?
> 
> But the good news is: it does work! :)
> 
> /BAK/
> --
> Ben Klang
> Principal/Technology Strategist, Mojo Lingo
> bklang at mojolingo.com <mailto:bklang at mojolingo.com>
> +1.404.475.4841
> 
> Mojo Lingo -- Voice applications that work like magic
> http://mojolingo.com <http://mojolingo.com/>
> Twitter: @MojoLingo
> 
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> 
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20141110/e146be53/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.digium.com/pipermail/asterisk-dev/attachments/20141110/e146be53/attachment-0001.pgp>


More information about the asterisk-dev mailing list