[asterisk-users] TLS, SRTP, Asterisk11 and Snom870s

James B. Byrne byrnejb at harte-lyne.ca
Tue Mar 3 11:16:07 CST 2015


CentOS-6.5 (FreePBX-2.6)
Asterisk-11.14.2 (FreePBX)
snom870-SIP 8.7.3.25.5

I am having a very difficult time attempting to get TLS and SRTP
working with Asterisk and anything else.  At the moment I am trying to
get TLS functioning with our Snom870 desk-sets.  And I am not having
much luck.

Since this is an extraordinarily (to me) Byzantine environment I am
going to ask if any of you have gotten this set-up (Asterisk11 with
Snom870s using TLS) to work and if so could you provide the details?

I have this in Asterisk sip.conf (loaded through FreePBX's
sip_general_additional.conf).

tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1

And I have this for the test device context:

[41712]
deny=0.0.0.0/0.0.0.0
secret=NearlyANastyThat
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
sendrpid=no
type=friend
nat=no
port=5060
qualify=yes
qualifyfreq=60
transport=tls,udp,tcp
avpf=no
force_avp=no
icesupport=no
encryption=yes
callgroup=
pickupgroup=
dial=SIP/41712
mailbox=41712@device
permit=192.168.6.0/255.255.255.0
callerid=James B Byrne <41712>
callcounter=yes
faxdetect=no
cc_monitor_policy=generic

If I change the transport setting to TLS then I get this reported:

[2015-03-03 11:10:08] ERROR[22244]: tcptls.c:875
ast_tcptls_client_start: Unable to connect SIP socket to
192.168.6.112:5060: Connection refused

I cannot seem to configure the Snom870 to listen for TCP on 5060.
There is a setting for that on the phone but it seems to have no
effect (it always returns to NO following a reboot). The Snom website
says that the option is not available in FW8.5 and later. It does not
say whether the phone listens by default on FW8.5+, only that the
option has no effect.

It also does not say, as far as I can find, whether Snom870s listen
for TCP at all or on what port.  One may infer that since these
devices purport to support TLS that the answer is yes and that TCP5061
is a likely candidate.  But they do not seem to come right out and say
so anywhere.

In a section devoted to the Snom370, which is a model that we do not
employ, there is reference to DNS SRV RRs.  The inference drawn from
the examples given is that these will control what ports the Snom will
listen on for which services.

We have such records in our DNS zone. They look like this:

;# Configure sip/sips service records (VOIP)
;HOST                      TTL  CLASS  TYPE   ORDER  PREF  FLAGS  SERVICE     REGEXP  REPLACEMENT
                           300  IN     NAPTR  50     50    "s"    "SIPS+D2T"  ""      _sips._tcp.harte-lyne.ca.
                           300  IN     NAPTR  90     50    "s"    "SIP+D2T"   ""      _sip._tcp.harte-lyne.ca.
                           300  IN     NAPTR  100    50    "s"    "SIP+D2U"   ""      _sip._udp.harte-lyne.ca.

;HOST                      TTL  CLASS  TYPE  PRIORITY  WEIGHT  PORT  TARGET
_sips._tcp.harte-lyne.ca.  300  IN     SRV   10        10      5061  voinet09.hamilton.harte-lyne.ca.
_sip._tcp.harte-lyne.ca.   300  IN     SRV   10        10      5060  voinet09.hamilton.harte-lyne.ca.
_sip._udp.harte-lyne.ca.   300  IN     SRV   10        10      5060  voinet09.hamilton.harte-lyne.ca.

However, our phones are configured to use SIP accounts having the form
account@ipv4-addr.  I doubt greatly that the Snom870s will perform a
reverse DNS lookup on the provider's IPv4 to discover the forward zone
domain and thus I do not believe that SRV RRs can help us in this
instance.  They certainly do not seem to have any effect.

Asterisk seems not to distinguish between 5060 and 5061 regardless of
protocol.  I am not sure then how to proceed.  Is there a way to force
Asterisk to talk to port TCP5061 on a specific device?  Is this an
exclusive setting?

This long background is by way of asking for help.  If I have not
provided specific information that is significant to this problem then
I will do so if asked.

What I am attempting has to be possible.  Somehow.  And somebody must
have already accomplished this. Somewhere.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
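The NAPTR/SRV selection the message asks about, worked through as an added example. This is not code from the post, from Asterisk or from snom; it implements the RFC 3263 server-location procedure over a constructed copy of the zone records quoted above, so nothing here queries DNS. The names `locate`, `is_ip_literal`, `Naptr` and `Srv` are this example's own.

```python
"""SIP server location (RFC 3263) over the NAPTR/SRV records quoted above.

Added example for this thread; it is not code from the post, from Asterisk
or from snom. The records are constructed from the zone excerpt in the
message, so nothing here queries DNS.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Naptr:
    order: int
    pref: int
    flags: str
    service: str
    replacement: str


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# RFC 3263 NAPTR service tags and the transport each one selects.
SERVICE_TRANSPORT = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp"}
# SRV owner-name prefix tried per transport when a domain has no NAPTR records.
SRV_PREFIX = {"tls": "_sips._tcp.", "tcp": "_sip._tcp.", "udp": "_sip._udp."}
# Default ports used when DNS is not consulted (RFC 3263 sections 4.1 and 4.2).
DEFAULT_PORT = {"udp": 5060, "tcp": 5060, "tls": 5061}

# Constructed copy of the harte-lyne.ca records from the post.
NAPTR = [
    Naptr(50, 50, "s", "SIPS+D2T", "_sips._tcp.harte-lyne.ca."),
    Naptr(90, 50, "s", "SIP+D2T", "_sip._tcp.harte-lyne.ca."),
    Naptr(100, 50, "s", "SIP+D2U", "_sip._udp.harte-lyne.ca."),
]
SRV = {
    "_sips._tcp.harte-lyne.ca.": [Srv(10, 10, 5061, "voinet09.hamilton.harte-lyne.ca.")],
    "_sip._tcp.harte-lyne.ca.": [Srv(10, 10, 5060, "voinet09.hamilton.harte-lyne.ca.")],
    "_sip._udp.harte-lyne.ca.": [Srv(10, 10, 5060, "voinet09.hamilton.harte-lyne.ca.")],
}


def is_ip_literal(host):
    """True for a numeric host such as 192.168.6.112 or [::1]."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _srv_targets(name, srv_records, transport):
    """Expand one SRV owner name into (transport, target, port) tuples.

    RFC 2782 orders by priority and chooses among equal priorities by a
    weighted random pick; this sorts by descending weight instead so the
    output is deterministic.
    """
    ordered = sorted(srv_records.get(name, []), key=lambda s: (s.priority, -s.weight))
    return [(transport, s.target.rstrip("."), s.port) for s in ordered]


def locate(host, naptr_records, srv_records, transport=None, secure=False,
           supported=("tls", "tcp", "udp")):
    """Return ordered (transport, target, port) candidates for a SIP URI host.

    secure=True models a sips: URI, which may only use SIPS+D2T (TLS).
    transport models an explicit ;transport= parameter on the URI.
    """
    wanted = set(supported)
    if secure:
        wanted &= {"tls"}
    if transport:
        wanted &= {transport}
    # 4.1: an IP literal means no DNS at all; only the transport fixes the port.
    if is_ip_literal(host):
        t = transport or ("tls" if secure else "udp")
        return [(t, host, DEFAULT_PORT[t])]
    # 4.1: NAPTR picks the transport, lowest ORDER then lowest PREFERENCE first.
    candidates = []
    for r in sorted(naptr_records, key=lambda r: (r.order, r.pref)):
        t = SERVICE_TRANSPORT.get(r.service)
        if r.flags.lower() == "s" and t in wanted:
            candidates += _srv_targets(r.replacement, srv_records, t)
    if candidates:
        return candidates
    # 4.2: no usable NAPTR, so try the well-known SRV names for each transport.
    for t in ("tls", "tcp", "udp"):
        if t in wanted:
            candidates += _srv_targets(SRV_PREFIX[t] + host.rstrip(".") + ".", srv_records, t)
    if candidates:
        return candidates
    # 4.2: no SRV either; fall back to an A/AAAA lookup on the default port.
    t = transport or ("tls" if secure else "udp")
    return [(t, host, DEFAULT_PORT[t])]


if __name__ == "__main__":
    # The phones in the post register to account@ipv4-addr, so DNS never runs.
    print(locate("192.168.6.112", NAPTR, SRV))
    print(locate("192.168.6.112", NAPTR, SRV, transport="tls"))
    # With the domain instead, NAPTR/SRV select TLS on voinet09:5061 first.
    for step in locate("harte-lyne.ca", NAPTR, SRV):
        print(step)
```

The IP-literal branch is the point that matters for the thread: RFC 3263 skips NAPTR and SRV entirely when the URI host is a numeric address, so with accounts of the form account@ipv4-addr the zone records cannot steer the phone, and the only thing that moves the port from 5060 to 5061 is the transport itself. The error quoted in the message shows Asterisk opening a TLS connection to 192.168.6.112:5060, which is the `port=5060` value in the peer definition rather than the 5061 a sips endpoint listens on by default; before changing the peer, `openssl s_client -connect 192.168.6.112:5061` from the Asterisk host will show whether the phone has any TLS listener there at all. Once the connection works, two of the quoted sip.conf settings deserve a second look: `tlsdontverifyserver=yes` disables certificate verification on outbound TLS, and `tlscipher=ALL` admits every cipher suite OpenSSL knows.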
