[asterisk-users] SIP over SSL TCP or SRTP?

Olle E. Johansson oej at edvina.net
Thu Jun 28 02:10:18 CDT 2012


On 22 Jun 2012, at 21:59, Bruce B wrote:

> Thanks. Want to secure everything and anything possible. 
> 
> 1- Can both SIP over TLS and SRTP work in conjunction with each other?
Yes. As Kevin said, SIP over TLS only secures the signalling. And it secures it hop-by-hop so every server in the middle
can access the content. The signalling should be hidden from other Wifi users, even if it's not hidden all the way between
caller and callee. In the signalling you specify how to exchange the actual media. To have secure signalling with TLS
doesn't necessarily mean that the media (audio/video/text) is secured. The media is secured with Secure RTP or SRTP,
which means that every audio packet is encrypted.

> 2- Is SIP over TLS a package or add-on module that can be installed from Digium Asterisk repository?
It's part of the current Asterisk SIP stack, but still marked as experimental as it has a number of known issues that need to be fixed
in order to put this in production use in larger sites and networks. You will have to test it to make sure it works for you.

"Experimental" status means that the configuration options may change in a coming release without being backwards
compatible. The TLS part has been experimental in many releases without anyone putting any funding towards
fixing it. I guess serious use of TLS is done not with Asterisk but with a SIP proxy like Kamailio or OpenSIPS in
front of Asterisk.

> 3- SRTP takes care of the RTP and makes it secure so that MITM type sniffing is not possible?
Yes, provided that the media encryption key exchange is secured. Today, the key exchange is done in SIP messaging,
which is why you also want SIP over TLS.

Regards,
/Olle
> 
> Regards,
> 
> 
> 
> On Fri, Jun 22, 2012 at 2:39 PM, Kevin P. Fleming <kpfleming at digium.com> wrote:
> On 06/22/2012 12:56 PM, Bruce B wrote:
> 
> Which one of these ensures that SIP packets are sent and received in a
> secure format so that users using public wifi don't allow MITM type of
> attacks or others can't read the plaintext SIP packet info. VPN is not
> an option. Looking for 2nd most secure to VPN.
> 
> SIP over TLS (what used to be called SSL) is what secures the SIP signaling. SRTP is for securing media streams.
> 
> -- 
> Kevin P. Fleming
> Digium, Inc. | Director of Software Technologies
> Jabber: kfleming at digium.com | SIP: kpfleming at digium.com | Skype: kpfleming
> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
> Check us out at www.digium.com & www.asterisk.org
> 
> 
> 
> 
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>              http://www.asterisk.org/hello
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>  http://lists.digium.com/mailman/listinfo/asterisk-users
> 





More information about the asterisk-users mailing list
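
The point made in the reply above, that SRTP keys travel inside the SIP messaging, as an added example that is not part of the original thread: a check that reads one captured INVITE and reports whether signalling, media and the SRTP key are each protected. It assumes the key exchange is SDES (`a=crypto` lines in the SDP, RFC 4568); the function names `audit_invite` and `sample` and the sample messages are constructed for illustration.

```python
import re

def audit_invite(raw):
    """Report what one captured SIP message with an SDP body leaves unprotected."""
    head, _, sdp = raw.replace("\r\n", "\n").partition("\n\n")
    # The topmost Via names the transport on the hop where the capture was taken;
    # TLS is hop-by-hop, so other hops may differ.
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    transport = via.group(1).upper() if via else "UNKNOWN"
    encrypted = transport in ("TLS", "WSS")
    streams, current = [], None
    for line in sdp.splitlines():
        if line.startswith("m="):
            media, _port, proto = line[2:].split()[:3]
            # RTP/SAVP (and RTP/SAVPF) is the SRTP profile; RTP/AVP is plain RTP.
            current = {"media": media, "srtp": proto.upper().startswith("RTP/SAVP"), "keys": 0}
            streams.append(current)
        elif line.startswith("a=crypto:") and "inline:" in line and current:
            current["keys"] += 1  # SDES: the SRTP master key sits in the SDP itself
    findings = []
    if not encrypted:
        findings.append(f"signalling over {transport}: headers and SDP readable on this hop")
    for s in streams:
        if not s["srtp"]:
            findings.append(f"{s['media']}: plain RTP, media not encrypted")
        elif s["keys"] and not encrypted:
            findings.append(f"{s['media']}: SRTP key visible in cleartext SDP")
    return {"transport": transport, "streams": streams, "findings": findings}

def sample(transport, proto, with_key):
    """Constructed INVITE: documentation addresses, dummy all-'A' key."""
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
           "t=0 0", f"m=audio 49170 {proto} 0"]
    if with_key:
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40)
    head = ["INVITE sip:bob@example.com SIP/2.0",
            f"Via: SIP/2.0/{transport} 192.0.2.10;branch=z9hG4bKconstructed",
            "Content-Type: application/sdp"]
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"

if __name__ == "__main__":
    for case in [("UDP", "RTP/AVP", False), ("UDP", "RTP/SAVP", True),
                 ("TLS", "RTP/SAVP", True)]:
        print(case, audit_invite(sample(*case))["findings"])
```

An empty findings list only covers the hop where the message was captured, since TLS protects the signalling hop by hop.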