FreePBX 12 w/ Asterisk 13 - TLS/SRTP

Am I missing something, or did the push to GUI SIP channel configuration (both chan_sip and pjsip) make implementing TLS/SRTP nearly impossible?

Some of the hurdles to overcome:

  • PJSIP channel configuration (GUI) has no way to add a TLS transport, just UDP, TCP, and WS. You can add it in pjsip.custom.conf, more or less.
  • Similiar problem with chan_sip, but at least you can set custom properties via the GUI to accomplish the same thing
  • Configuring a device for PJSIP requires you to choose “Auto” transport, even if you want to enforce TLS, because that channel isn’t configured via the GUI.
  • Worse, there’s no longer a way to enforce chan_sip devices onto a TLS transport.
  • DTLS - All over the GUI, but I’m hard pressed to find any of my already-deployed devices able to use it.
  • With PJSIP the DTLS settings preclude the use of SRTP on the device. The device may connect via your manually-configured TCP transport, but when trying to INVITE with SRTP will always get a 488 response. (There is no PJSIP DTLS “SRTP” mode, just DTLS or not.)

With a number of mobile/remote users, TLS/SRTP is a must-have, and is broken to the point of unusable in the current incarnation of FreePBX 12.

Is this regression something the devs are working to correct in the very near term in the FPBX12 architecture, or would a series of patches submitted to the Jira be more productive?

That’s mainly my fault. Yes. The Sip settings for PJSIP were written before we had rolled in all the certificate management stuff, and I’d never gone back and plugged it all together. So yeah, that still needs to be done, and it fell off my radar.

However, we didn’t really change anything in chan_sip to break stuff. It’s just as confusing and difficult as it always has been.

PJSip will fix that, hopefully.

I’d love it if you would! Feel free to talk to us on IRC, too, and we can probably help you understand why we did things a certain way. (The certain way may be ‘because we were wrong’, too! :sunglasses:

We hang out on FreePBX and #freepbx-dev, but make sure you say our names so that our IRC clients alert us

1 Like

Kinda what I figured… I’ll see what I can roll together and get it up on Jira.

Fair enough, my apologies if it read that way. What I mean to say was that the device side transport selection is now broken on chan_sip devices, not necessarily the general chan_sip configuration.

More generically, transport selection on devices is either too strict/literal (pjsip) or non-existent (chan_sip). Nothing some code can’t fix.

I’ll pop by after I’ve had a chance to dive into the current code and see if I can divine some how/why before I put some code together and come up with a basic plan as to how it will work you all can be happy with.

1 Like

Any update on this topic? I’d love to get at least SRTP up and running on our FreePBX server.

I have successfully gotten SRTP to work, but it took a heck of a long time, obviously because there’s nothing in the GUI, and good luck finding documentation. Someday I will get around to dishing out what I did. I’ve just been too dang busy, but the short end of it is that you’ll need to use the config addition documented in the Asterisk Wiki using (+). The media_encryption=sdes setting needs to be specified for each PJSIP extension.

If you can handle me piecemealing the instructions to you, feel free to private message me, but I will, at some point, post a guide on how to do this.

For best results, use a SSL certificate from any known good issuing CA.

4 Likes

Thx for the feedback, I sent you a PM.

Oh gosh. Alright. I feel like I can breathe for a moment. I’m sorry for taking over 3 months to get back to this. You may have already figured it out, and 6.12.65-29 actually has an option in extensions for Media Encryption. But that doesn’t solve the entire issue. Hoping this will help others who haven’t quite figured it out yet.

This assumes the following:

  • You already have an SSL certificate and a way to install the CA certificate on whatever device you’re using. (Bria on Mac is insanely picky on how the CA certificate is installed, hence this warning. Those of you who do not know how to get any of this stuff, please look up tutorials on using OpenSSL. Should be part of your sysadmin’s brain arsenal!)
  • You have the private key for your SSL certificate.
  • You are using PJSIP. There is a pretty good CHAN_SIP tutorial if you need it in the Asterisk documentation…but why are you still using CHAN_SIP?

You will pretty much be working out of /etc/asterisk the whole time. The first file we will look at is pjsip.transports_custom.conf. If you haven’t made any changes already, this file should be blank. Here is what you should add:

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
ca_list_file=/path/to/your/cacert.ca
cert_file=/path/to/your/ssl.crt
priv_key_file=/path/to/your/private.key
method=tlsv1

Notice that the bind is on port 5061 - my understanding is that this is the standard TCP port for PJSIP TLS authentication (remember, you get UDP non-encrypted authentication by default).

At this point, if you are using 6.12.65-29, you will notice that there is a Media Encryption option in whatever extension you are using. SRTP via in-SDP is what you are looking for.

Now if you are not using -29, or if you are still having trouble, the Asterisk documentation mentions something about [media-encryption] - but, the way FreePBX works, you can’t just throw that parameter in an extension. So you will need to add it later…the trick is where. The magic lies in this file: pjsip.registration_custom.conf. Add this to the necessary extensions (where [100] is your extension):

[100](+)
media_encryption=sdes

And at this point, it should work - when you restart Asterisk. You may have issues with RTP ports and such…but that you can adjust. Don’t forget to use a STUN server and fill out all the necessary network IPs if you are behind a firewall, etc. Again, my apologies for those who were depending on me for this - I know exactly how you feel. I’m also sure you know how busy life can get. Somebody call me out if this doesn’t work.

Thanks a lot pixel! This might really come in hand for us at work. I’ll try to update here again if we go through with implementing this

HI,
Using th GUI:
I get to the point when I’ve created the CA and a certificate. Then I turn DTLS on in my extension, It register but can not make, receive calls but when I answer the call drops. What’s the next step?

I did create all certificated and CA without uploading anything from the GUI.

Thanks.

No sorry, DTLS is a totally separate feature. That requires devices end-to-end to support such encryption. What you are most likely looking for is TLS over SRTP. You can’t really do this over the GUI; only enabling an extension using SRTP will work, though I’ve never tried it.

Read my guide again above and let me know if you have questions. I’ll do my best to help…can’t promise anything in a timely manner.