<div dir="ltr"><br><div class="gmail_extra"><div class="gmail_quote">On Thu, Jun 20, 2013 at 5:10 PM, Mike Diehl <span dir="ltr"><<a href="mailto:mdiehlenator@gmail.com" target="_blank">mdiehlenator@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><br><br><div class="gmail_quote"><div class="im"><div style="margin-left:40px">
On Thu, Jun 20, 2013 at 2:05 PM, Joshua Colp <span dir="ltr"><<a href="mailto:jcolp@digium.com" target="_blank">jcolp@digium.com</a>></span> wrote:<br></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div style="margin-left:40px">Mike Diehl wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Hi all,<br>
<br>
I'm getting ready to setup SIP/TLS and SRTP. But I have a few<br>
questions. The first one is that I was reading an article at:<br>
<br>
<a href="https://supportforums.cisco.com/docs/DOC-15381" target="_blank">https://supportforums.cisco.com/docs/DOC-15381</a><br>
<br>
That indicated that Asterisk doesn't support TLS as an OPTIONAL<br>
transport. It's either all or nothing. Specifically, this is what it said:<br>
</blockquote>
<br></div><div style="margin-left:40px">
Your statement is incorrect. Asterisk supports TLS as an optional signaling transport (although if you do SDES SRTP without it then someone can snoop on your keys and ultimately decrypt your media).<br>
<br>
What it does not support is optional *SRTP*. If a device requests SRTP and it's not possible, the call will fail.<br></div>
<br></blockquote><div> </div></div><div>So then, is it safe to say that Asterisk will ALLOW a secure phone call, but the client hast to REQUEST it? <br><br>I understand that requesting SRTP without SIP/TLS is evil; I just misunderstood what I was reading. <br>
<br>I'm also thinking that the AGI script I use to route calls can check if either leg of a call comes from or goes to port 5061 and play a sound file to indicate that the cal is 'secure.' Does this seem reasonable?<br>
<br></div></div></blockquote><div><br></div><div style>You can query a channel using the CHANNEL function (<a href="https://wiki.asterisk.org/wiki/display/AST/Function_CHANNEL">https://wiki.asterisk.org/wiki/display/AST/Function_CHANNEL</a>) to see if the channel currently supports secure communication, and you can request that the outbound channel be made secure using the same function.</div>
<div style><br></div><div style>An example of doing this is on the wiki:</div><div style><br></div><div style><a href="https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics">https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics</a><br>
</div><div style> </div></div>-- <br><div dir="ltr"><div>Matthew Jordan<br></div><div>Digium, Inc. | Engineering Manager</div><div>445 Jan Davis Drive NW - Huntsville, AL 35806 - USA</div><div>Check us out at: <a href="http://digium.com" target="_blank">http://digium.com</a> & <a href="http://asterisk.org" target="_blank">http://asterisk.org</a></div>
</div>
</div></div>