<html>
    <head>
        <meta name="viewport" content="width=device-width" />
        <base href="https://wiki.asterisk.org/wiki" />
        <style type="text/css">
    body, #email-content, #email-content-inner { font-family: Arial,FreeSans,Helvetica,sans-serif; }
    body, p, blockquote, pre, code, td, th, li, dt, dd { font-size: 13px; }
    small { font-size: 11px; }

    body { width:100% !important; -webkit-font-smoothing: antialiased; }

    body,
    #email-wrapper { background-color: #f0f0f0; }
    #email-wrapper-inner { padding: 20px; text-align: center; }
    #email-content-inner { background-color: #fff; border: 1px solid #bbb; color: $menuTxtColour; padding:20px; text-align:left; }
    #email-wrapper-inner > table { width: 100%; }
    #email-wrapper-inner.thin > table { margin: 0 auto; width: 50%; }
    #email-footer { padding: 0 16px 32px 16px; margin: 0; }

    .email-indent { margin: 8px 0 16px 0; }
    .email-comment { margin: 0 0 0 56px; }
    .email-comment.removed { background-color: #ffe7e7; border: 1px solid #df9898; padding: 0 8px;}

    #email-title-avatar { text-align: left; vertical-align: top; width: 48px; padding-right: 8px; }
    #email-title-flavor { margin: 0; padding: 0 0 4px 0; }
    #email-title-heading { font-size: 16px; line-height: 20px; min-height: 20px; margin: 0; padding: 0; }
    #email-title .icon { border: 0; padding: 0 5px 0 0; text-align: left; vertical-align: middle; }

    #email-actions { border-top: 1px solid #bbb; color: #505050; margin: 8px 0 0 0; padding: 0; }
    #email-actions td { padding-top: 8px; }
    #email-actions .left { max-width: 45%; text-align: left; }
    #email-actions .right { text-align: right; }
    .email-reply-divider { border-top: 1px solid #bbb; color: #505050; margin: 32px 0 8px 0; padding: 8px 0; }
    .email-section-title { border-bottom: 1px solid #bbb; margin: 8px 0; padding: 8px 0 0 0; }

    .email-metadata { color: #505050; }

    a { color: #326ca6; text-decoration: none; }
    a:hover { color: #336ca6; text-decoration: underline; }
    a:active {color: #326ca6; }

    a.email-footer-link { color: #505050; font-size: 11px; }

    .email-item-list { list-style: none; margin: 4px 0; padding-left: 0; }
    .email-item-list li { list-style: none; margin: 0; padding: 4px 0; }
    .email-list-divider { color: #505050; padding: 0 0.35em; }
    .email-operation-icon { padding-right: 5px; }

    .avatar { -ms-interpolation-mode: bicubic; border-radius: 3px;}
    .avatar-link { margin: 2px; }

    .tableview th { border-bottom: 1px solid #69C; font-weight: bold; text-align: left; }
    .tableview td { border-bottom: 1px solid #bbbbbb; text-align: left; padding: 4px 16px 4px 0; }

    .aui-message {  margin: 1em 0; padding: 8px; }
    .aui-message.info { background-color: #e0f0ff; border: 1px solid #9eb6d4; }
    .aui-message.success { background-color: #ddfade; border: 1px solid #93c49f; }
    .aui-message.error,
    .aui-message.removed { background-color: #ffe7e7; border: 1px solid #df9898; color: #000; }

    .call-to-action-table { margin: 10px 1px 1px 1px;}
    .call-to-cancel-container, .call-to-action-container { padding: 5px 20px; }
    .call-to-cancel-container { border: 1px solid #aaa; background-color: #eee; border-radius: 3px; }
    .call-to-cancel-container a.call-to-cancel-button { background-color: #eee; font-size: 14px; line-height: 1; padding: 0; margin: 0; color: #666; font-family: sans-serif;}
    .call-to-action-container { border: 1px solid #486582;  background-color: #3068A2; border-radius: 3px; padding: 4px 10px; }
    .call-to-action-container a.call-to-action-button { background-color: #3068A2; font-size: 14px; line-height: 1; padding: 0; margin: 0; color: #fff; font-weight: bold; font-family: sans-serif; }

    /** The span around the inline task checkbox image */
    .diff-inline-task-overlay {
        display: inline-block;
        text-align: center;
        height: 1.5em;
        padding: 5px 0px 1px 5px;
        margin-right: 5px;
        /** Unfortunately, the negative margin-left is stripped out in gmail */
        margin-left: -5px;
    }

            @media handheld, only screen and (max-device-width: 480px) {
        div, a, p, td, th, li, dt, dd { -webkit-text-size-adjust: auto; }
        small, small a { -webkit-text-size-adjust: 90%; }

        td[id=email-wrapper-inner] { padding: 2px !important; }
        td[id=email-content-inner] { padding: 8px !important; }
        td[id="email-wrapper-inner"][class="thin"] > table { text-align: left !important; width: 100% !important; }
        td[id=email-footer] { padding: 8px 12px !important; }
        div[class=email-indent] { margin: 8px 0px !important; }
        div[class=email-comment] { margin: 0 !important; }

        p[id=email-title-flavor] a { display: block; } /* puts the username and the action on separate lines */
        p[id=email-permalink] { padding: 4px 0 0 0 !important; }

        table[id=email-actions] td { padding-top: 0 !important; }
        table[id=email-actions] td.right { text-align: right !important; }
        table[id=email-actions] .email-list-item { display: block; margin: 1em 0 !important; word-wrap: normal !important; }
        span[class=email-list-divider] { display: none; }
    }



        </style>
    </head>
    <body style="font-family: Arial, FreeSans, Helvetica, sans-serif; font-size: 13px; width: 100%; -webkit-font-smoothing: antialiased; background-color: #f0f0f0">
        <table id="email-wrapper" width="100%" cellspacing="0" cellpadding="0" border="0" style="background-color: #f0f0f0">
            <tbody>
                <tr valign="middle">
                    <td id="email-wrapper-inner" style="font-size: 13px; padding: 20px; text-align: center">
                        <table id="email-content" cellspacing="0" cellpadding="0" border="0" style="font-family: Arial, FreeSans, Helvetica, sans-serif; width: 100%">
                            <tbody>
                                <tr valign="top">
                                    <td id="email-content-inner" align="left" style="font-family: Arial, FreeSans, Helvetica, sans-serif; font-size: 13px; background-color: #fff; border: 1px solid #bbb; padding: 20px; text-align: left">
                                        <table id="email-title" cellpadding="0" cellspacing="0" border="0" width="100%">
                                            <tbody>
                                                <tr>
                                                    <td id="email-title-avatar" rowspan="2" style="font-size: 13px; text-align: left; vertical-align: top; width: 48px; padding-right: 8px"> <img class="avatar" src="cid:avatar_925838d3d8b1f71935f30b314c925d64" border="0" height="48" width="48" style="-ms-interpolation-mode: bicubic; border-radius: 3px" /> </td>
                                                    <td valign="top" style="font-size: 13px">
                                                        <div id="email-title-flavor" class="email-metadata" style="margin: 0; padding: 0 0 4px 0; color: #505050">
                                                            <a href="    https://wiki.asterisk.org/wiki/display/~rnewton " style="color:#326ca6;text-decoration:none;; color: #326ca6; text-decoration: none">Rusty Newton</a> edited the page:
                                                        </div> </td>
                                                </tr>
                                                <tr>
                                                    <td valign="top" style="font-size: 13px"> <h2 id="email-title-heading" style="font-size: 16px; line-height: 20px; min-height: 20px; margin: 0; padding: 0"> <a href="https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial" style="color: #326ca6; text-decoration: none"> <img class="icon" src="cid:page-icon" alt="" style="border: 0; padding: 0 5px 0 0; text-align: left; vertical-align: middle" /> <strong style="font-size:16px;line-height:20px;vertical-align:top;">Secure Calling Tutorial</strong> </a> </h2> </td>
                                                </tr>
                                            </tbody>
                                        </table>
                                        <div class="email-indent" style="margin: 8px 0 16px 0">
                                            <p class="aui-message info" style="font-size: 13px; margin: 1em 0; padding: 8px; background-color: #e0f0ff; border: 1px solid #9eb6d4"> <b>Comment:</b> Added notes and error example for when to use the tlsdontverifyserver option </p>
                                            <div class="email-diff">
                                                <div id="page-diffs" class="wiki-content">
                                                    <h2 id="SecureCallingTutorial-toc" class="diff-block-target diff-block-context">
                                                        <table class="diff-macro bodyless diff-html-added" style="background-color: #f0f0f0;border: 1px solid #dddddd;margin: 10px 1px;padding: 0 2px 2px;width: 100%;margin: 5px 0; padding: 0; width: auto;background-color: #ddfade;border-color: #93c49f;">
                                                            <thead>
                                                                <tr>
                                                                    <th class="diff-macro-title" style="background-color: transparent; text-align: left; font-weight: normal;padding: 5px;; font-size: 13px"><span class="diff-html-added" id="added-diff-0" style="font-size: 100%; background-color: #ddfade;"><span class="icon macro-placeholder-icon" style="background-color: ;line-height: 20px;"><img src="https://wiki.asterisk.org/wiki/s/en_GB-1988229788/4252/6ac85e9b14675c5514a674e1aecae99c9505ed36.48/_/images/icons/macrobrowser/dropdown/toc.png" style="padding-right: 5px; vertical-align: text-bottom;" /> </span>Table of Contents</span></th>
                                                                </tr>
                                                            </thead>
                                                        </table> </h2>
                                                    <h1 id="SecureCallingTutorial-Overview" class="diff-block-target diff-block-context"> <span class="diff-html-changed" id="changed-diff-0" style="background-color: #d6f0ff;">Overview</span> </h1>
                                                    <p class="diff-block-context" style="font-size: 13px">So you'd like to make some secure calls.</p>
                                                    <p class="diff-context-placeholder" style="font-size: 13px">...</p>
                                                    <p class="diff-block-context" style="font-size: 13px">These instructions assume that you're running as the root user (sudo su -).</p>
                                                    <h1 id="SecureCallingTutorial-Part1%28TLS%29" class="diff-block-target"> <span class="diff-html-changed" id="changed-diff-1" style="background-color: #d6f0ff;">Part 1 (TLS)</span> </h1>
                                                    <p class="diff-block-context" style="font-size: 13px"> <a href="http://en.wikipedia.org/wiki/Transport_Layer_Security" class="external-link" rel="nofollow" style="color: #326ca6; text-decoration: none">Transport Layer Security</a> (TLS) provides encryption for call signaling. It's a practical way to prevent people who aren't Asterisk from knowing who you're calling. Setting up TLS between Asterisk and a SIP client involves creating key files, modifying Asterisk's SIP configuration to enable TLS, creating a SIP peer that's capable of TLS, and modifying the SIP client to connect to Asterisk over TLS.</p>
                                                    <h2 id="SecureCallingTutorial-Keys" class="diff-block-target"> <span class="diff-html-changed" id="changed-diff-2" style="background-color: #d6f0ff;">Keys</span> </h2>
                                                    <p class="diff-block-context" style="font-size: 13px">First, let's make a place for our keys.</p>
                                                    <p class="diff-context-placeholder" style="font-size: 13px">...</p>
                                                    <p class="diff-block-context" style="font-size: 13px">Next, copy the malcolm.pem and ca.crt files to the computer running the Blink soft client.</p>
                                                    <h2 id="SecureCallingTutorial-TheAsteriskSIPconfiguration" class="diff-block-target"> <span class="diff-html-changed" id="changed-diff-3" style="background-color: #d6f0ff;">The Asterisk SIP configuration</span> </h2>
                                                    <p class="diff-block-context" style="font-size: 13px">Now, let's configure Asterisk to use TLS.</p>
                                                    <p class="diff-context-placeholder" style="font-size: 13px">...</p>
                                                    <p class="diff-block-context" style="font-size: 13px">Here, we're enabling TLS support.<br /> We're binding it to our local IPv4 wildcard (the port defaults to 5061 for TLS).<br /> We've set the TLS certificate file to the one we created above.<br /> We've set the Certificate Authority to the one we created above.<br /> TLS Ciphers have been set to ALL, since it's the most permissive; that choice favours interoperability and also admits weak cipher suites, so narrow the list once your clients are known to connect.<br /> And we've set the TLS client method to TLSv1, since that's the preferred one for RFCs and for most clients. If your Asterisk and OpenSSL builds offer a newer TLS version, prefer it, because TLS 1.0 has since been deprecated.</p>
                                                    <h2 id="SecureCallingTutorial-ConfiguringaTLS-enabledSIPpeerwithinAsterisk" class="diff-block-target"> <span class="diff-html-changed" id="changed-diff-4" style="background-color: #d6f0ff;">Configuring a TLS-enabled SIP peer within Asterisk</span> </h2>
                                                    <p class="diff-block-context" style="font-size: 13px">Next, you'll need to configure a SIP peer within Asterisk to use TLS as a transport type. Here's an example:</p>
                                                    <p class="diff-context-placeholder" style="font-size: 13px">...</p>
                                                    <p class="diff-block-context" style="font-size: 13px">Notice the <strong>transport</strong> option. The Asterisk SIP channel driver supports three types: udp, tcp and tls. Since we're configuring for TLS, we'll set that. It's also possible to list several supported transport types for the peer by separating them with commas.</p>
                                                    <h2 id="SecureCallingTutorial-ConfiguringaTLS-enabledSIPclienttotalktoAsterisk" class="diff-block-target"> <span class="diff-html-changed" id="changed-diff-5" style="background-color: #d6f0ff;">Configuring a TLS-enabled SIP client to talk to Asterisk</span> </h2>
                                                    <p class="diff-block-context" style="font-size: 13px">Next, we'll configure Blink.</p>
                                                    <p class="diff-context-placeholder" style="font-size: 13px">...</p>
                                                    <p class="diff-block-context" style="font-size: 13px">Now, make a call. You should see a small secure lockbox in your Blink calling window to indicate that the call was made using secure (TLS) signaling:</p>
                                                    <p class="diff-block-context" style="font-size: 13px"> <img class="confluence-embedded-image confluence-content-image-border" src="/wiki/download/attachments/8127019/BlinkTLSCall.png?version=1&modificationDate=1295881825589&api=v2" data-image-src="/wiki/download/attachments/8127019/BlinkTLSCall.png?version=1&modificationDate=1295881825589&api=v2" /></p>
                                                    <h2 id="SecureCallingTutorial-Problemswithserververification" class="diff-block-target diff-block-context"> <span class="diff-html-added" id="added-diff-1" style="font-size: 100%; background-color: #ddfade;">Problems with server verification</span> </h2>
                                                    <p class="diff-block-target diff-block-context" style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">If the host or IP you used for the common name on your cert doesn't match up with your server then you may run into problems when your client is calling Asterisk. Make sure the client is configured to </span><strong><span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">not</span></strong><span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;"> verify the server against the cert.</span> Be aware that a client which skips this check will accept any certificate, so the signaling is encrypted but the server is no longer authenticated; outside a lab, reissue the certificate with a common name that matches the host or IP the client connects to. </p>
                                                    <p class="diff-block-target diff-block-context" style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">When calling </span><strong><span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">from</span></strong><span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;"> Asterisk to Blink or another client, you might run into an ERROR on the Asterisk CLI similar to this:</span> </p>
                                                    <table class="diff-macro diff-html-added diff-block-target diff-block-context" style="background-color: #f0f0f0;border: 1px solid #dddddd;margin: 10px 1px;padding: 0 2px 2px;width: 100%;background-color: #ddfade;border-color: #93c49f;">
                                                        <thead>
                                                            <tr>
                                                                <th class="diff-macro-title" style="background-color: transparent; text-align: left; font-weight: normal;padding: 5px;; font-size: 13px"><span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;"><span class="icon macro-placeholder-icon" style="background-color: ;line-height: 20px;"><img src="https://wiki.asterisk.org/wiki/s/en_GB-1988229788/4252/6ac85e9b14675c5514a674e1aecae99c9505ed36.48/_/images/icons/macrobrowser/dropdown/noformat.png" style="padding-right: 5px; vertical-align: text-bottom;" /> </span>No Format</span></th>
                                                            </tr>
                                                        </thead>
                                                        <tbody>
                                                            <tr>
                                                                <td class="diff-macro-body" style="background-color: #fff;border: 1px solid #dddddd;padding: 10px;; font-size: 13px"> <pre style="font-size: 13px">
<span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">[Jan 29 16:04:11] DEBUG[11217]: tcptls.c:248 handle_tcptls_connection:  SSL Common Name compare s1='10.24.18.124' s2='phone1.mycompany.com'
[Jan 29 16:04:11] ERROR[11217]: tcptls.c:256 handle_tcptls_connection: Certificate common name did not match (10.24.18.124)</span>
</pre> </td>
                                                            </tr>
                                                        </tbody>
                                                    </table>
                                                    <p class="diff-block-target diff-block-context" style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">This is the opposite scenario, where Asterisk is acting as the client and by default attempting to verify the destination server against the cert.</span> </p>
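                                                    <p class="diff-block-target diff-block-context" style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">You can set </span><strong><span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">tlsdontverifyserver=yes</span></strong><span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;"> in sip.conf to prevent Asterisk from attempting to verify the server.</span> With this set, Asterisk accepts whatever certificate the remote end presents, so its outbound TLS connections are encrypted but not authenticated. Where you control the certificates, the safer fix is to make the common name match the address Asterisk connects to and leave the option at its default of no. </p>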
                                                    <table class="diff-macro diff-html-added diff-block-target diff-block-context" style="background-color: #f0f0f0;border: 1px solid #dddddd;margin: 10px 1px;padding: 0 2px 2px;width: 100%;background-color: #ddfade;border-color: #93c49f;">
                                                        <thead>
                                                            <tr>
                                                                <th class="diff-macro-title" style="background-color: transparent; text-align: left; font-weight: normal;padding: 5px;; font-size: 13px"><span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;"><span class="icon macro-placeholder-icon" style="background-color: ;line-height: 20px;"><img src="https://wiki.asterisk.org/wiki/s/en_GB-1988229788/4252/6ac85e9b14675c5514a674e1aecae99c9505ed36.48/_/images/icons/macrobrowser/dropdown/noformat.png" style="padding-right: 5px; vertical-align: text-bottom;" /> </span>No Format</span></th>
                                                            </tr>
                                                        </thead>
                                                        <tbody>
                                                            <tr>
                                                                <td class="diff-macro-body" style="background-color: #fff;border: 1px solid #dddddd;padding: 10px;; font-size: 13px"> <pre style="font-size: 13px">
<span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;">;tlsdontverifyserver=[yes|no]
;        If set to yes, don't verify the servers certificate when acting as
;        a client.  If you don't have the server's CA certificate you can
;        set this and it will connect without requiring tlscafile to be set.
;        Default is no.</span>
</pre> </td>
                                                            </tr>
                                                        </tbody>
                                                    </table>
                                                    <p class="diff-block-target diff-block-context" style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color: #ddfade;"> </span> </p>
                                                    <h1 id="SecureCallingTutorial-Part2%28SRTP%29" class="diff-block-target diff-block-context"> <span class="diff-html-changed" id="changed-diff-6" style="background-color: #d6f0ff;">Part 2 (SRTP)</span> </h1>
                                                    <p class="diff-block-context" style="font-size: 13px">Now that we've got TLS enabled, our signaling is secure - so no one knows what extensions on the PBX we're dialing. But, our media is still not secure - so someone can snoop our RTP conversations from the wire. Let's fix that.</p>
                                                    <p class="diff-context-placeholder" style="font-size: 13px">...</p>
                                                </div>
                                            </div>
                                        </div>
                                        </td>
                                </tr>
                            </tbody>
                        </table> </td>
                </tr>
            </tbody>
        </table>
    </body>
</html>