<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">Tonight I finally got Asterisk 13 working with chan_pjsip and SIP+TLS and RTP+DTLS. It’s 12:45am so I won’t spend a lot of time on this now, but I wanted to share the notes I took while setting this up as I feel the documentation is pretty lacking in this area.</div><div class=""><br class=""></div><div class=""><br class=""></div><b class="">media_encryption is not well documented in pjsip.conf</b><div class="">* In my case, it needed to be set to “dtls”, but I think that some endpoints may need “srtp"</div><div class="">* my first-guess setting of “yes” results in a cryptic/unhelpful error on the console, and the syntax error caused the entire endpoint to be un-useable</div><div class="">* dtls vs.srtp is not mentioned at all (as far asI could find) in either the Asterisk Wiki nor the configs/sample/pjsip.conf</div><div class="">* The default is “no” - I had thought that SRTP and DTLS were not mutually exclusive - are they? If not, can we set a default that permits them to be used if requested by the endpoint?</div><div class=""><div class=""><br class=""></div><div class=""><b class="">Configuring certificates</b></div><div class="">There is no mention of the fact that endpoints need DTLS certificates configured at all on endpoints in the Asterisk Wiki.</div><div class="">The Asterisk Wiki covers setting up TLS on the transport, and that mostly worked on the first go *except* that the config key is erroneously referenced as “privkey_file” (missing an underscore). I made a comment on the Wiki so someone can correct this, but it appears to have been included in sample config files for some time, so the bad info is out there: <a href="https://duckduckgo.com/?q=asterisk+"privkey_file"" class="">https://duckduckgo.com/?q=asterisk+%22privkey_file%22</a></div><div class="">Also, it might be worth mentioning that TLS runs over TCP, not UDP, as I had that wrong in my firewall on the first attempt.</div><div class=""><br class=""></div><div class="">Setting certificates has to be done at least twice (transport + endpoint)</div><div class="">* There is no automatic setting of the DTLS CA/Cert/Privkey from the SIP+TLS configuration for the transport. I know this would potentially be difficult if multiple transports were set with different TLS keys, but still…this is non-obvious.</div><div class="">* Can we somehow default the endpoint’s CA/Cert/Privkey to that of the transport? If not, can we somehow associate the endpoint with the transport so it doesn’t have to be configured twice?</div><div class=""><br class=""></div><div class="">The pjsip configuration keys are subtly different for SIP+TLS on the transport vs. RTP+DTLS on the endpoint. Examples:</div><div class=""><br class=""></div><div class=""><div class="">cert_file =X ; transport</div><div class="">dtls_cert_file = X ; endpoint</div><div class="">; dtls_ prefix, weird but ok - srtp doesn’t appear to have a corresponding setting, so do we even need the prefix?</div><div class=""><br class=""></div><div class="">priv_key_file = X ; transport</div><div class="">dtls_private_key = X ; endpoint</div><div class="">; priv_key_file vs. private_key?</div><div class=""><br class=""></div><div class=""><div class="">ca_list_file =X ; transport</div><div class="">dtls_ca_file = X ; endpoint</div></div><div class="">; _list or not?</div><div class=""><br class=""></div><div class="">I’m not familiar with Sorcery. I know that Asterisk 13 is out meaning these config settings are set in stone for the next couple of years. But could we create aliases that were more consistent, just to preserve some peoples’ hair?</div><div class=""><br class=""></div><div class="">But the good news is: it does work! :)</div><div class=""><br class=""></div><div class="">/BAK/</div><div class=""><div class="">
<div style="color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; " class=""><span class="Apple-style-span" style="border-collapse: separate; border-spacing: 0px;"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; " class=""><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; " class=""><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; " class=""><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; border-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; " class=""><div class=""><div class="">-- </div><div class="">Ben Klang</div><div class="">Principal/Technology Strategist, Mojo Lingo</div><div class=""><a href="mailto:bklang@mojolingo.com" class="">bklang@mojolingo.com</a></div><div class="">+1.404.475.4841</div><div class=""><br class=""></div><div class="">Mojo Lingo -- <i class="">Voice applications that work like magic</i></div><div class=""><a href="http://mojolingo.com/" class="">http://mojolingo.com</a></div></div><div class="">Twitter: @MojoLingo</div></div></span></div></span></div></span></div></span></div>
</div>
<br class=""></div></div></div></body></html>