[asterisk-users] TLS, SRTP, Asterisk11 and Snom870s

jg webaccounts173 at jgoettgens.de
Tue Mar 3 12:19:51 CST 2015


On 03.03.2015 at 18:16, James B. Byrne wrote:
> CentOS-6.5 (FreePBX-2.6)
> Asterisk-11.14.2 (FreePBX)
> snom870-SIP 8.7.3.25.5
>
> I am having a very difficult time attempting to get TLS and SRTP
> working with Asterisk and anything else.  At the moment I am trying to
> get TLS functioning with our Snom870 desk-sets.  And I am not having
> much luck.
>
> Since this is an extraordinarily (to me) Byzantine environment I am
> going to ask if any of you have gotten this set-up (Asterisk11 with
> Snom870s using TLS) to work and if so could you provide the details?
>
> I have this in Asterisk sip.conf (loaded through FreePBX's
> sip_general_additional.conf).
>
> tcpenable=yes
> tlsenable=yes
> tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
> tlscafile=/etc/pki/tls/certs/ca-bundle.crt
> tlsdontverifyserver=yes
> tlscipher=ALL
> tlsclientmethod=tlsv1
>
> And I have this for the test device context:
>
> [41712]
> deny=0.0.0.0/0.0.0.0
> secret=NearlyANastyThat
> dtmfmode=rfc2833
> canreinvite=no
> context=from-internal
> host=dynamic
> trustrpid=yes
> sendrpid=no
> type=friend
> nat=no
> port=5060
> qualify=yes
> qualifyfreq=60
> transport=tls,udp,tcp
> avpf=no
> force_avp=no
> icesupport=no
> encryption=yes
> callgroup=
> pickupgroup=
> dial=SIP/41712
> mailbox=41712 at device
> permit=192.168.6.0/255.255.255.0
> callerid=James B Byrne <41712>
> callcounter=yes
> faxdetect=no
> cc_monitor_policy=generic
>
> If I change the transport setting to TLS then I get this reported:
>
> [2015-03-03 11:10:08] ERROR[22244]: tcptls.c:875
> ast_tcptls_client_start: Unable to connect SIP socket to
> 192.168.6.112:5060: Connection refused
>
> I cannot seem to configure the Snom870 to listen for TCP on 5060.
> There is a setting for that on the phone but it seems to have no
> effect (it always returns to NO following a reboot). The Snom website
> says that the option is not available in FW8.5 and later. It does not
> inform one of whether the phone listens by default or not on
> FW8.5+, only that the option has no effect.
>
> It also does not say, as far as I can find, whether Snom870s listen
> for TCP at all or on what port.  One may infer that since these
> devices purport to support TLS that the answer is yes and that TCP5061
> is a likely candidate.  But they do not seem to come right out and say
> so anywhere.
>
> In a section devoted to the Snom370, which is a model that we do not
> employ, there is reference to DNS SRV RRs.  The inference drawn from
> the examples given is that these will control what ports the Snom will
> listen on for which services.
>
> We have such records in our DNS zone. They look like this:
>
> ;# Configure sip/sips service records (VOIP)
> ;HOST					TTL	CLASS	TYPE	ORDER	PREF	FLAGS	SERVICE		REGEXP	REPLACEMENT
>
> 					300	IN	NAPTR	50	50	"s"	"SIPS+D2T"	""	_sips._tcp.harte-lyne.ca.
>
> 					300	IN	NAPTR	90	50	"s"	"SIP+D2T"	""	_sip._tcp.harte-lyne.ca.
>
> 					300	IN	NAPTR	100	50	"s"	"SIP+D2U"	""	_sip._udp.harte-lyne.ca.
>
> ;HOST					TTL	CLASS	TYPE	ORDER	PREF	PORT	TARGET
>
> _sips._tcp.harte-lyne.ca.		300	IN	SRV	10	10	5061	voinet09.hamilton.harte-lyne.ca.
>
> _sip._tcp.harte-lyne.ca.		300	IN	SRV	10	10	5060	voinet09.hamilton.harte-lyne.ca.
>
> _sip._udp.harte-lyne.ca.		300	IN	SRV	10	10	5060	voinet09.hamilton.harte-lyne.ca.
>
> However, our phones are configured to use SIP accounts having the form
> account at ipv4-addr.  I doubt greatly that the Snom870s will perform a
> reverse DNS lookup on the provider's IPv4 to discover the forward zone
> domain and thus I do not believe that SRV RRs can help us in this
> instance.  They certainly do not seem to have any effect.
>
> Asterisk seems not to distinguish between 5060 and 5061 regardless of
> protocol.  I am not sure then how to proceed.  Is there a way to force
> Asterisk to talk to port TCP5061 on a specific device?  Is this an
> exclusive setting?
>
> This long background is by way of asking for help.  If I have not
> provided specific information that is significant to this problem then
> I will do so if asked.
>
> What I am attempting has to be possible.  Somehow.  And somebody must
> have already accomplished this. Somewhere.
>
Forget about the reverse DNS stuff for the moment.

Do simple SIP accounts (without SRTP/SRTP and deny/permit stuff) work?

Enable SRTP, but you likely need the AES-80 for SRTP Auth-tag.

Then try the rest.

jg
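As an added illustration of the RFC 3263 lookup that the NAPTR/SRV section of the question refers to (example code, not from the thread, Asterisk or Snom), this Python sketch runs SIP target selection offline against constructed copies of the records quoted above; the default ports and the rule that a numeric host skips NAPTR/SRV come from RFC 3263 section 4 and RFC 3261 section 19.1.2, and the NAPTR-less SRV fallback is omitted.

```python
import ipaddress

# Constructed copies of the NAPTR/SRV records quoted in the thread.
NAPTR = {"harte-lyne.ca": [
    (50, 50, "SIPS+D2T", "_sips._tcp.harte-lyne.ca"),
    (90, 50, "SIP+D2T", "_sip._tcp.harte-lyne.ca"),
    (100, 50, "SIP+D2U", "_sip._udp.harte-lyne.ca")]}
SRV = {"_sips._tcp.harte-lyne.ca": [(10, 10, 5061, "voinet09.hamilton.harte-lyne.ca")],
       "_sip._tcp.harte-lyne.ca": [(10, 10, 5060, "voinet09.hamilton.harte-lyne.ca")],
       "_sip._udp.harte-lyne.ca": [(10, 10, 5060, "voinet09.hamilton.harte-lyne.ca")]}

SERVICE_TO_TRANSPORT = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp"}
SRV_PREFIX = {"tls": "_sips._tcp.", "tcp": "_sip._tcp.", "udp": "_sip._udp."}
DEFAULT_PORT = {"tls": 5061, "tcp": 5060, "udp": 5060}  # RFC 3261 section 19.1.2


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def pick_srv(name):
    """Lowest priority wins; among equals the first listed (weighting omitted)."""
    _prio, _weight, port, target = sorted(SRV[name])[0]
    return target, port


def resolve_sip_target(host, port=None, transport=None, scheme="sip",
                       supported=("tls", "tcp", "udp")):
    """Return (transport, target, port) following RFC 3263 section 4."""
    # Numeric host or explicit port: no NAPTR/SRV at all. Default transport is
    # TLS for a sips: URI, otherwise UDP. This is the account@ipv4-addr case.
    if is_ip_literal(host) or port is not None:
        transport = transport or ("tls" if scheme == "sips" else "udp")
        return transport, host, port or DEFAULT_PORT[transport]
    # Explicit transport parameter: SRV lookup for that transport only.
    if transport is not None:
        target, port = pick_srv(SRV_PREFIX[transport] + host)
        return transport, target, port
    # Otherwise NAPTR chooses: lowest order, then lowest preference, restricted
    # to services the client supports (a sips: URI accepts only SIPS+D2T).
    for _order, _pref, service, replacement in sorted(NAPTR.get(host, [])):
        tp = SERVICE_TO_TRANSPORT.get(service)
        if tp in supported and (scheme == "sip" or tp == "tls"):
            target, port = pick_srv(replacement)
            return tp, target, port
    raise LookupError("no usable NAPTR/SRV record for " + host)
```

Running it with the IP literal from the error message shows why the zone's SRV records never come into play for a phone registered against an address, and which port each transport defaults to when none is given.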
