<html>
<head>
<base href="https://wiki.asterisk.org/wiki">
<link rel="stylesheet" href="/wiki/s/2036/1/7/_/styles/combined.css?spaceKey=AST&forWysiwyg=true" type="text/css">
</head>
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
<h2><a href="https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial">Secure Calling Tutorial</a></h2>
<h4>Page <b>edited</b> by <a href="https://wiki.asterisk.org/wiki/display/~mdavenport">Malcolm Davenport</a>
</h4>
<br/>
<h4>Changes (1)</h4>
<div id="page-diffs">
<table class="diff" cellpadding="0" cellspacing="0">
<tr><td class="diff-snipped" >...<br></td></tr>
<tr><td class="diff-unchanged" > <br> <br></td></tr>
<tr><td class="diff-changed-lines" >Reload Asterisk's SIP configuration (sip reload), make a call, and <span class="diff-changed-words">voil<span class="diff-deleted-chars"style="color:#999;background-color:#fdd;text-decoration:line-through;">a</span><span class="diff-added-chars"style="background-color: #dfd;">à</span>:</span> <br></td></tr>
<tr><td class="diff-unchanged" > <br>!BlinkTLSSRTP.png|border=1! <br></td></tr>
<tr><td class="diff-snipped" >...<br></td></tr>
</table>
</div> <h4>Full Content</h4>
<div class="notificationGreySide">
<h2><a name="SecureCallingTutorial-Overview"></a>Overview</h2>
<p>So you'd like to make some secure calls.</p>
<p>Here's how to do it, using <a href="http://www.icanblink.com/" class="external-link" rel="nofollow">Blink</a>, a SIP soft client for Mac OS X, Windows, and Linux.</p>
<p>These instructions assume that you're running as the root user (sudo su -).</p>
<h3><a name="SecureCallingTutorial-Part1%28TLS%29"></a>Part 1 (TLS)</h3>
<p><a href="http://en.wikipedia.org/wiki/Transport_Layer_Security" class="external-link" rel="nofollow">Transport Layer Security</a> (TLS) provides encryption for call signaling. It's a practical way to prevent people who aren't Asterisk from knowing who you're calling. Setting up TLS between Asterisk and a SIP client involves creating key files, modifying Asterisk's SIP configuration to enable TLS, creating a SIP peer that's capable of TLS, and modifying the SIP client to connect to Asterisk over TLS.</p>
<h5><a name="SecureCallingTutorial-Keys"></a>Keys</h5>
<p>First, let's make a place for our keys.</p>
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
<pre>mkdir /etc/asterisk/keys
</pre>
</div></div>
<p>Next, use the "ast_tls_cert" script in the "contrib/scripts" Asterisk source directory to make a self-signed certificate authority and an Asterisk certificate.</p>
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
<pre>./ast_tls_cert -C pbx.mycompany.com -O "My Super Company" -d /etc/asterisk/keys
</pre>
</div></div>
<ul class="alternate" type="square">
<li>The "-C" option is used to define our host - DNS name or our IP address.</li>
<li>The "-O" option defines our organizational name.</li>
<li>The "-d" option is the output directory of the keys.</li>
</ul>
<ol>
<li>You'll be asked to enter a pass phrase for /etc/asterisk/keys/ca.key, put in something that you'll remember for later.</li>
<li>This will create the /etc/asterisk/keys/ca.crt file.</li>
<li>You'll be asked to enter the pass phrase again, and then the /etc/asterisk/keys/asterisk.key file will be created.</li>
<li>The /etc/asterisk/keys/asterisk.crt file will be automatically generated.</li>
<li>You'll be asked to enter the pass phrase a third time, and the /etc/asterisk/keys/asterisk.pem will be created, a combination of the asterisk.key and asterisk.crt files.</li>
</ol>
<p>Next, we generate a client certificate for our SIP device.</p>
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
<pre>./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C phone1.mycompany.com -O "My Super Company" -d /etc/asterisk/keys -o malcolm
</pre>
</div></div>
<ul class="alternate" type="square">
<li>The "-m client" option tells the script that we want a client certificate, not a server certificate.</li>
<li>The "-c /etc/asterisk/keys/ca.crt" option specifies which Certificate Authority (ourselves) that we're using.</li>
<li>The "-k /etc/asterisk/keys/ca.key" provides the key for the above-defined Certificate Authority.</li>
<li>The "-C" option, since we're defining a client this time, is used to define the hostname or IP address of our SIP phone</li>
<li>The "-O" option defines our organizational name.</li>
<li>The "-d" option is the output directory of the keys."</li>
<li>The "-o" option is the name of the key we're outputting.</li>
</ul>
<ol>
<li>You'll be asked to enter the pass phrase from before to unlock /etc/asterisk/keys/ca.key.</li>
</ol>
<p>Now, let's check the keys directory to see if all of the files we've built are there. You should have:</p>
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
<pre>asterisk.crt
asterisk.csr
asterisk.key
asterisk.pem
malcolm.crt
malcolm.csr
malcolm.key
malcolm.pem
ca.cfg
ca.crt
ca.key
tmp.cfg
</pre>
</div></div>
<p>Next, copy the malcolm.pem and ca.crt files to the computer running the Blink soft client.</p>
<h5><a name="SecureCallingTutorial-TheAsteriskSIPconfiguration"></a>The Asterisk SIP configuration</h5>
<p>Now, let's configure Asterisk to use TLS.</p>
<p>In the <b>sip.conf</b> configuration file, set the following:</p>
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
<pre>tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1 ;none of the others seem to work with Blink as the client
</pre>
</div></div>
<p>Here, we're enabling TLS support.<br/>
We're binding it to our local IPv4 wildcard (the port defaults to 5061 for TLS).<br/>
We've set the TLS certificate file to the one we created above.<br/>
We've set the Certificate Authority to the one we created above.<br/>
TLS Ciphers have been set to ALL, since it's the most permissive.<br/>
And we've set the TLS client method to TLSv1, since that's the preferred one for RFCs and for most clients.</p>
<h5><a name="SecureCallingTutorial-ConfiguringaTLSenabledSIPpeerwithinAsterisk"></a>Configuring a TLS-enabled SIP peer within Asterisk</h5>
<p>Next, you'll need to configure a SIP peer within Asterisk to use TLS as a transport type. Here's an example:</p>
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
<pre>[malcolm]
type=peer
secret=malcolm ;note that this is NOT a secure password
host=dynamic
context=local
dtmfmode=rfc2833
disallow=all
allow=g722
transport=tls
context=local
</pre>
</div></div>
<p>Notice the <b>transport</b> option. The Asterisk SIP channel driver supports three types: udp, tcp and tls. Since we're configuring for TLS, we'll set that. It's also possible to list several supported transport types for the peer by separating them with commas.</p>
<h5><a name="SecureCallingTutorial-ConfiguringaTLSenabledSIPclienttotalktoAsterisk"></a>Configuring a TLS-enabled SIP client to talk to Asterisk</h5>
<p>Next, we'll configure Blink.</p>
<p>First, let's add a new account.</p>
<p><span class="image-wrap" style=""><img src="/wiki/download/attachments/8127019/BlinkAddNewAccount.png?version=1&modificationDate=1295881836294" style="border: 1px solid black" /></span></p>
<p>Then, we need to modify the Account Preferences, and under the SIP Settings, we need to set the outbound proxy to connect to the TLS port and transport type on our Asterisk server. In this case, there's an Asterisk server running on port 5061 on host 10.24.13.233.</p>
<p><span class="image-wrap" style=""><img src="/wiki/download/attachments/8127019/BlinkAccountPrefs.png?version=1&modificationDate=1295881825184" style="border: 1px solid black" /></span></p>
<p>Now, we need to point the TLS account settings to the client certificate (malcolm.pem) that we copied to our computer.</p>
<p><span class="image-wrap" style=""><img src="/wiki/download/attachments/8127019/BlinkTLSAccount.png?version=1&modificationDate=1295881825336" style="border: 1px solid black" /></span></p>
<p>Then, we'll point the TLS server settings to the ca.crt file that we copied to our computer.</p>
<p><span class="image-wrap" style=""><img src="/wiki/download/attachments/8127019/BlinkTLSServer.png?version=1&modificationDate=1295881825632" style="border: 1px solid black" /></span></p>
<p>Press "close," and you should see Blink having successfully registered to Asterisk.</p>
<p><span class="image-wrap" style=""><img src="/wiki/download/attachments/8127019/BlinkTLSRegistered.png?version=1&modificationDate=1295881825611" style="border: 1px solid black" /></span></p>
<p>Depending on your Asterisk CLI logging levels, you should see something like:</p>
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
<pre> -- Registered SIP 'malcolm' at 10.24.250.178:5061
> Saved useragent "Blink 0.22.2 (MacOSX)" for peer malcolm
</pre>
</div></div>
<p>Notice that we registered on port 5061, the TLS port.</p>
<p>Now, make a call. You should see a small secure lockbox in your Blink calling window to indicate that the call was made using secure (TLS) signaling:</p>
<p><span class="image-wrap" style=""><img src="/wiki/download/attachments/8127019/BlinkTLSCall.png?version=1&modificationDate=1295881825589" style="border: 1px solid black" /></span></p>
<h3><a name="SecureCallingTutorial-Part2%28SRTP%29"></a>Part 2 (SRTP)</h3>
<p>Now that we've got TLS enabled, our signaling is secure - so no one knows what extensions on the PBX we're dialing. But, our media is still not secure - so someone can snoop our RTP conversations from the wire. Let's fix that.</p>
<p>SRTP support is provided by libsrtp. libsrtp has to be installed on the machine before Asterisk is compiled, otherwise you're going to see something like:</p>
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
<pre>[Jan 24 09:29:16] ERROR[10167]: chan_sip.c:27987 setup_srtp: No SRTP module loaded, can't setup SRTP session.
</pre>
</div></div>
<p>on your Asterisk CLI. If you do see that, install libsrtp (and the development headers), and then reinstall Asterisk (./configure; make; make install).</p>
<p>With that complete, let's first go back into our peer definition in <b>sip.conf.</b> We're going to add a new encryption line, like:</p>
<div class="preformatted panel" style="border-width: 1px;"><div class="preformattedContent panelContent">
<pre>[malcolm]
type=peer
secret=malcolm ;note that this is NOT a secure password
host=dynamic
context=local
dtmfmode=rfc2833
disallow=all
allow=g722
transport=tls
encryption=yes
context=local
</pre>
</div></div>
<p>Next, we'll set Blink to use SRTP:</p>
<p><span class="image-wrap" style=""><img src="/wiki/download/attachments/8127019/BlinkEnableSRTP.png?version=1&modificationDate=1295883511431" style="border: 1px solid black" /></span></p>
<p>Reload Asterisk's SIP configuration (sip reload), make a call, and voilà:</p>
<p><span class="image-wrap" style=""><img src="/wiki/download/attachments/8127019/BlinkTLSSRTP.png?version=1&modificationDate=1295883613036" style="border: 1px solid black" /></span></p>
<p>We're making secure calls with TLS (signaling) and SRTP (media).</p>
</div>
<div id="commentsSection" class="wiki-content pageSection">
<div style="float: right;">
<a href="https://wiki.asterisk.org/wiki/users/viewnotifications.action" class="grey">Change Notification Preferences</a>
</div>
<a href="https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial">View Online</a>
|
<a href="https://wiki.asterisk.org/wiki/pages/diffpagesbyversion.action?pageId=8127019&revisedVersion=13&originalVersion=12">View Changes</a>
|
<a href="https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial?showComments=true&showCommentArea=true#addcomment">Add Comment</a>
</div>
</div>
</div>
</div>
</div>
</body>
</html>