[asterisk-users] TLS, SRTP, Asterisk11 and Snom870s
James B. Byrne
byrnejb at harte-lyne.ca
Tue Mar 3 11:16:07 CST 2015
I am having a very difficult time attempting to get TLS and SRTP
working with Asterisk and anything else. At the moment I am trying to
get TLS functioning with our Snom870 desk-sets. And I am not having
Since this is an extraordinarily (to me) Byzantine environemnt I am
going to ask if any of you have gotten this set-up (Asterisk11 with
Snom870s using TLS) to work and if so could you provide the details?
I have this in Asterisk sip.conf (loaded through FreePBXs
And I have this for the test device context:
mailbox=41712 at device
callerid=James B Byrne <41712>
If I change the transport setting to TLS then I get this reported:
[2015-03-03 11:10:08] ERROR: tcptls.c:875
ast_tcptls_client_start: Unable to connect SIP socket to
192.168.6.112:5060: Connection refused
I cannot seem to configure the Snom870 to listen for TCP on 5060.
There is a setting for that on the phone but it seems to have no
effect (it always returns to NO following a reboot). The Snom website
says that the option is not available in FW8.5 and later. It does not
inform one of whether that the phone listens by default or not on
FW8.5+, only that the option has no effect.
It also does not say, as far as I can find, whether Snom870s listen
for TCP at all or on what port. One may infer that since these
devices purport to support TLS that the answer is yes and that TCP5061
is a likely candidate. But they do not seem to come right out and say
In a section devoted to the Snom370, which is a model that we do not
employ, there is reference to DNS SRV RRs. The inference drawn from
the examples given is that these will control what ports the Snom will
listen on for which services.
We have such records in our DNS zone. They look like this:
;# Configure sip/sips service records (VOIP)
;HOST TTL CLASS TYPE ORDER PREF FLAGS SERVICE REGEXP REPLACEMENT
300 IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.harte-lyne.ca.
300 IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.harte-lyne.ca.
300 IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.harte-lyne.ca.
;HOST TTL CLASS TYPE ORDER PREF PORT TARGET
_sips._tcp.harte-lyne.ca. 300 IN SRV 10 10 5061 voinet09.hamilton.harte-lyne.ca.
_sip._tcp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
_sip._udp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
However, our phones are configured to use SIP accounts having the form
account at ipv4-addr. I doubt greatly that the Snom870s will perform a
reverse DNS lookup on the provider's IPv4 to discover the forward zone
domain and thus I do not believe that SRV RRs can help us in this
instance. They certainly do not seem to have any effect.
Asterisk seems not to distinguish between 5060 and 5061 regarless of
protocol. I am not sure then how to proceed. Is there a way to force
Asterisk to talk to port TCP5061 on a specific device? Is this an
This long background is by way of asking for help. If I have not
provided specific information that is significant to this problem then
I will do so if asked.
What I am attempting has to be possible. Somehow. And somebody must
have already accomplished this. Somewhere.
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
More information about the asterisk-users