I am attempting to establish a secure voip system within our organization. I have enabled TCP and TLS for chan_sip. I have installed our own RSA certificates and pointed Asterisk at them:
;#sip_general_additional.conf
tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
rtpend=20000
rtpstart=10000
I have set the transport options for the test device in FreePBX to ALL-TLS Primary which yields transport=tls,udp,tcp in sip_additional.conf.
Our Snom-870s are using Firmware-Version: snom870-SIP 8.7.3.25.5
On the Snom-870 I have enabled accept TCP on port 5060. I have also uploaded our Asterisk DER format public certificate to the phone:
Version: 3
Serial Number: 0083
Signature Algorithm: 1.2.840.113549.1.1.13 (unknownObjectIdentifier)
Signature: 94a7f0534a34638b757c4c2a3c8b7a3e31e79109a676a3ec0c10f513dc1f20aadb3b2a3ba082e28f...
Issuer: Country: CA; State: Ontario; Locality Hamilton; Organization: Harte & Lyne Limited; Common Name: CA HLL ISSUER 01; eMail:
Validity: 02/03/15 - 02/03/35
SHA1-Fingerprint: d010ad8d7b995a061a809af4c31d858d67c30206
MD5-Fingerprint: ec7242ebfdd6697f68bd3429654e20e9
PK Algorithm: 1.2.840.113549.1.1.1 (rsaEncryption)
RSA modulus: yyyy
RSA exponent: xxxx
Filename on FS: cd9cbf0f3e00f26a62656e8c80eb28689c371dcf.DER
Since all protocols are permitted in sip_additional the phone works, but I see this in the Asterisk -rvvv trace:
. . .
WARNING[6980]: tcptls.c:711 ast_tcptls_server_root: Accept failed: Bad file descriptor
There are dozens and dozens of the preceding but it appears to me that these are a consequence of applying the device changes to Asterisk through FreePBX so naturally the old socket is closed. Possibly just a timing problem. But maybe it indicates something else.
. . .
[2015-03-03 09:19:38] WARNING[2739]: chan_sip.c:16903 register_verify: peer '41712' HAS NOT USED (OR SWITCHED TO) TLS in favor of 'UDP' (but this was allowed in sip.conf)!
[2015-03-03 09:19:38] WARNING[2739]: chan_sip.c:16903 register_verify: peer '41712' HAS NOT USED (OR SWITCHED TO) TLS in favor of 'UDP' (but this was allowed in sip.conf)!
-- Registered SIP '41712' at 192.168.6.112:5060
[2015-03-03 09:19:38] NOTICE[2739]: chan_sip.c:23575 handle_response_peerpoke: Peer '41712' is now Reachable. (8ms / 2000ms)
[2015-03-03 09:19:38] NOTICE[2739]: chan_sip.c:23575 handle_response_peerpoke: Peer '41712' is now Reachable. (8ms / 2000ms)
I have several questions.
- Does anyone have a recipe for getting secure voip working on FreePBX with Snom equipment? If so, would you be so kind as to share it? There are a lot of settings on the phone and I do not possess the expertise to discern the interactions between them all.
- How does one determine whether or not one has in fact a secure voip channel established between Asterisk and the device, whether desk-set or soft-phone? What are the indicators?
- Does SRTP work without TLS? How does one ensure or confirm that traffic is in fact going via SRTP and not plain RTP?
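As an added example (not from the original post, and not Asterisk or FreePBX code) addressing the second question from the Asterisk side: a small Python script that scans chan_sip log lines for the register_verify warning quoted above, pairs it with the "Registered SIP" line, and flags the config settings that permit a non-TLS registration in the first place. The 5061 registration in the sample log and the merged config fragment are constructed for the example.

```python
import re
# Constructed sample: the chan_sip log lines quoted in the post, plus one assumed
# clean registration on port 5061 that is not from the post.
SAMPLE_LOG = """\
[2015-03-03 09:19:38] WARNING[2739]: chan_sip.c:16903 register_verify: peer '41712' HAS NOT USED (OR SWITCHED TO) TLS in favor of 'UDP' (but this was allowed in sip.conf)!
  -- Registered SIP '41712' at 192.168.6.112:5060
[2015-03-03 09:19:38] NOTICE[2739]: chan_sip.c:23575 handle_response_peerpoke: Peer '41712' is now Reachable. (8ms / 2000ms)
  -- Registered SIP '41713' at 192.168.6.113:5061
"""
# Constructed sample: general settings from the post plus the peer transport line
# that FreePBX's "ALL-TLS Primary" writes to sip_additional.conf.
SAMPLE_CONF = """\
;#sip_general_additional.conf
tlsenable=yes
tlsdontverifyserver=yes
transport=tls,udp,tcp
"""
NO_TLS_RE = re.compile(r"register_verify: peer '(?P<peer>[^']+)' HAS NOT USED "
                       r"\(OR SWITCHED TO\) TLS in favor of '(?P<transport>[^']+)'")
REGISTERED_RE = re.compile(r"Registered SIP '(?P<peer>[^']+)' at (?P<addr>[\d.]+):(?P<port>\d+)")

def find_insecure_registrations(log_text):
    """Map peer -> transport for each peer chan_sip reports as registering without TLS."""
    return {m.group("peer"): m.group("transport")
            for m in map(NO_TLS_RE.search, log_text.splitlines()) if m}

def registrations(log_text):
    """Map peer -> (address, port) from the 'Registered SIP' lines."""
    return {m.group("peer"): (m.group("addr"), m.group("port"))
            for m in map(REGISTERED_RE.search, log_text.splitlines()) if m}

def parse_sip_conf(text):
    """Parse key=value lines from a chan_sip fragment, dropping ';' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def config_findings(conf):
    """List settings that let a peer avoid TLS or that weaken TLS verification."""
    findings = []
    transports = [t.strip() for t in conf.get("transport", "").split(",") if t.strip()]
    fallback = [t for t in transports if t != "tls"]
    if "tls" in transports and fallback:
        findings.append("transport=%s allows fallback to %s" % (conf["transport"], ",".join(fallback)))
    if conf.get("tlsdontverifyserver", "no").lower() == "yes":
        findings.append("tlsdontverifyserver=yes: no certificate check when Asterisk is the TLS client")
    return findings
```

Run it over the full log rather than the console trace to catch every peer that silently fell back; the warning only tells you a peer was allowed to skip TLS, it does not by itself say anything about the media (SRTP) path.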