Getting TLS to work on Snom-870

I am attempting to establish a secure VoIP system within our organization. I have enabled TCP and TLS for chan_sip. I have installed our own RSA certificates and pointed Asterisk at them:

;#sip_general_additional.conf
tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes   ; Asterisk will not verify the remote certificate when it is the TLS client (outbound connections)
rtpend=20000
rtpstart=10000

I have set the transport options for the test device in FreePBX to ALL-TLS Primary which yields transport=tls,udp,tcp in sip_additional.conf.

Our Snom-870s are using Firmware-Version: snom870-SIP 8.7.3.25.5
On the Snom-870 I have enabled accept TCP on port 5060. I have also uploaded our Asterisk DER format public certificate to the phone:

Version:	3
Serial Number:	0083
Signature Algorithm:	1.2.840.113549.1.1.13 (unknownObjectIdentifier)
Signature:	94a7f0534a34638b757c4c2a3c8b7a3e31e79109a676a3ec0c10f513dc1f20aadb3b2a3ba082e28f...
Issuer:	Country: CA; State: Ontario; Locality Hamilton; Organization: Harte & Lyne Limited; Common Name: CA HLL ISSUER 01; eMail:
Validity:	02/03/15 - 02/03/35
SHA1-Fingerprint:	d010ad8d7b995a061a809af4c31d858d67c30206
MD5-Fingerprint:	ec7242ebfdd6697f68bd3429654e20e9
PK Algorithm:	1.2.840.113549.1.1.1 (rsaEncryption)
RSA modulus:	yyyy
RSA exponent:	xxxx
Filename on FS:	cd9cbf0f3e00f26a62656e8c80eb28689c371dcf.DER

Since all protocols are permitted in sip_additional the phone works, but I see this in the asterisk -rvvv trace:

. . .

WARNING[6980]: tcptls.c:711 ast_tcptls_server_root: Accept failed: Bad file descriptor

There are dozens and dozens of the preceding but it appears to me that these are a consequence of applying the device changes to Asterisk through FreePBX so naturally the old socket is closed. Possibly just a timing problem. But maybe it indicates something else.
. . .

[2015-03-03 09:19:38] WARNING[2739]: chan_sip.c:16903 register_verify: peer '41712' HAS NOT USED (OR SWITCHED TO) TLS in favor of 'UDP' (but this was allowed in sip.conf)!
[2015-03-03 09:19:38] WARNING[2739]: chan_sip.c:16903 register_verify: peer '41712' HAS NOT USED (OR SWITCHED TO) TLS in favor of 'UDP' (but this was allowed in sip.conf)!
    -- Registered SIP '41712' at 192.168.6.112:5060
[2015-03-03 09:19:38] NOTICE[2739]: chan_sip.c:23575 handle_response_peerpoke: Peer '41712' is now Reachable. (8ms / 2000ms)
[2015-03-03 09:19:38] NOTICE[2739]: chan_sip.c:23575 handle_response_peerpoke: Peer '41712' is now Reachable. (8ms / 2000ms)

I have several questions.

  1. Does anyone have a recipe for getting secure VoIP working on FreePBX with Snom equipment? If so, would you be so kind as to share it? There are a lot of settings on the phone and I do not possess the expertise to discern the interactions between them all.

  2. How does one determine whether or not one has in fact a secure VoIP channel established between Asterisk and the device, whether desk-set or soft-phone? What are the indicators?

  3. Does SRTP work without TLS? How does one ensure or confirm that traffic is in fact going via SRTP and not plain RTP?
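One way to answer question 2 from the trace itself, as an added example (not from the post or from Asterisk): the `register_verify` warning on the lines above is chan_sip's explicit indicator that a peer allowed TLS registered over something else, so a small log scan per peer turns dozens of lines into one verdict. The sample lines are constructed in the formats shown above, not a real capture; a registration with no downgrade warning is reported as unproven rather than as TLS, because the log line alone does not name the transport.

```python
"""Scan asterisk -rvvv / full-log lines for SIP transport downgrade indicators.
Added example; the SAMPLE_LOG below is constructed in the formats shown in the post."""
import re
from collections import defaultdict

# Constructed sample, modelled on the lines shown in the post (not a real capture).
SAMPLE_LOG = """\
WARNING[6980]: tcptls.c:711 ast_tcptls_server_root: Accept failed: Bad file descriptor
[2015-03-03 09:19:38] WARNING[2739]: chan_sip.c:16903 register_verify: peer '41712' HAS NOT USED (OR SWITCHED TO) TLS in favor of 'UDP' (but this was allowed in sip.conf)!
    -- Registered SIP '41712' at 192.168.6.112:5060
[2015-03-03 09:19:38] NOTICE[2739]: chan_sip.c:23575 handle_response_peerpoke: Peer '41712' is now Reachable. (8ms / 2000ms)
    -- Registered SIP '41713' at 192.168.6.113:51234
"""

# chan_sip emits this when a peer whose transport list includes TLS registers without it.
DOWNGRADE_RE = re.compile(
    r"register_verify: peer '(?P<peer>[^']+)' HAS NOT USED \(OR SWITCHED TO\) TLS "
    r"in favor of '(?P<transport>[A-Z]+)'")
REGISTERED_RE = re.compile(r"Registered SIP '(?P<peer>[^']+)' at (?P<host>[\d.]+):(?P<port>\d+)")
ACCEPT_FAIL_RE = re.compile(r"ast_tcptls_server_root: Accept failed: (?P<reason>.+)$")


def analyse(log):
    """Return ({peer: {'registered_at': (host, port) | None, 'downgraded_to': 'UDP'|'TCP'|None}},
    number of TCP/TLS listener accept failures)."""
    peers = defaultdict(lambda: {"registered_at": None, "downgraded_to": None})
    accept_failures = 0
    for line in log.splitlines():
        m = DOWNGRADE_RE.search(line)
        if m:
            peers[m["peer"]]["downgraded_to"] = m["transport"]
            continue
        m = REGISTERED_RE.search(line)
        if m:
            peers[m["peer"]]["registered_at"] = (m["host"], int(m["port"]))
            continue
        if ACCEPT_FAIL_RE.search(line):
            accept_failures += 1
    return dict(peers), accept_failures


def verdict(peer_info):
    """One-line conclusion per peer; only the downgrade warning is conclusive."""
    if peer_info["downgraded_to"]:
        return f"NOT TLS: registered over {peer_info['downgraded_to']} (downgrade warning present)"
    if peer_info["registered_at"] is None:
        return "no registration seen"
    return "no downgrade warning; confirm the transport with 'sip show peer <name>' (log alone does not prove TLS)"


if __name__ == "__main__":
    info, failures = analyse(SAMPLE_LOG)
    print(f"tcptls accept failures: {failures}")
    for peer, data in sorted(info.items()):
        print(f"{peer}: {verdict(data)}")
```

The accept-failure count is reported separately: a burst of them right after a reload is consistent with the listener socket being torn down, as the post suspects, while a steady stream while nothing is being reloaded is worth a closer look at the TLS listener.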

Hi B*,

Have multiple Snom 3xx & 7xx running secure VoIP to Asterisk. But it’s not simple to set up. I use auto provisioning in XML and have never set up in the phone GUI.

  1. Asterisk certs installed
  2. TLS on in ext. Leave secure RTP off for now.
  3. Load certs to phone. See the file-settings in Snom auto provisioning. I think you can do this in the GUI these days.
  4. Set SIP register for TLS working.
    At this point get the phone to register. Turn on level 9 logging in the phone.
  5. Turn on secure RTP in FreePBX.
  6. Enable secure RTP in the phone.
    Test and debug again

There is ample info on the Internet on how to do this. Hopefully my breadcrumbs of info assist you.

Oh, an important note. Once you enable secure RTP audio, you can no longer use reinvite. All SRTP traffic will route via the PBX. This I’ve not found a way around yet.

The phone will show a closed lock symbol when both TLS & SRTP are working, and all are secure.

Please let me know how you go.

The solution I discovered is to add this to the SIP proxy entry in the Snom phone configuration:

;transport=tls

So, if your Asterisk server listens on 192.168.99.99 then the proxy entry on the phone is:

192.168.99.99;transport=tls

If you use a non-standard port then it looks like:

192.168.99.99:7766;transport=tls

Yes correct. I had to leave you something to do.

Did you end up getting a lock symbol on the phone when on a call?
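The lock symbol is the phone's summary; the wire-level evidence for question 3 is the SDP in the INVITE and its 200 OK. With chan_sip's SDES-SRTP, a secure stream is offered as `RTP/SAVP` with an `a=crypto:` line carrying the inline key, while plain RTP is `RTP/AVP`. The inspector below, an added example not from the post or from Asterisk, parses an SDP body and reports per media stream whether it is SRTP, treating an `a=crypto:` line under `RTP/AVP` and an inline key of the wrong length as not secure. The SDP bodies are constructed; the inline key is the example value from RFC 4568, not a real key. Because the SDES key travels in the SDP itself, it is only as secret as the signalling path, which is why the SRTP steps sit after TLS registration in the procedure above.

```python
"""Check whether the media in an SDP body is SRTP (RTP/SAVP with valid a=crypto
lines) or plain RTP. Added example; constructed SDP bodies, not from the post."""
import base64
import binascii
import re
from dataclasses import dataclass, field

# SDES crypto-suites chan_sip negotiates; both use a 16-byte key + 14-byte salt = 30 bytes.
KNOWN_SUITES = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}
CRYPTO_RE = re.compile(r"^crypto:(?P<tag>\d+) (?P<suite>\S+) inline:(?P<key>[A-Za-z0-9+/=]+)")


@dataclass
class MediaStream:
    kind: str                 # audio / video
    port: int
    profile: str              # RTP/AVP (plain) or RTP/SAVP (secure)
    crypto: list = field(default_factory=list)

    def valid_crypto(self):
        """Return the a=crypto lines whose suite is known and whose inline key has the right length."""
        good = []
        for line in self.crypto:
            m = CRYPTO_RE.match(line)
            if not m or m["suite"] not in KNOWN_SUITES:
                continue
            try:
                key = base64.b64decode(m["key"], validate=True)
            except binascii.Error:
                continue
            if len(key) == KNOWN_SUITES[m["suite"]]:
                good.append(line)
        return good

    @property
    def is_srtp(self):
        # A crypto line under RTP/AVP is not SRTP: the profile itself must be the secure one.
        return self.profile in ("RTP/SAVP", "RTP/SAVPF") and bool(self.valid_crypto())


def parse_sdp(body):
    """Parse the m= lines of an SDP body and attach each stream's a=crypto lines."""
    streams, current = [], None
    for raw in body.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "m":                       # m=<media> <port> <proto> <fmt> ...
            media, port, proto = value.split()[:3]
            current = MediaStream(media, int(port), proto)
            streams.append(current)
        elif key == "a" and current is not None and value.startswith("crypto:"):
            current.crypto.append(value)
    return streams


def srtp_report(body):
    """Map 'media:port' -> True if that stream is SRTP, False if it would carry plain RTP."""
    return {f"{s.kind}:{s.port}": s.is_srtp for s in parse_sdp(body)}


# Constructed bodies. The inline key is the example value from RFC 4568, not a real key.
SDP_SRTP = """v=0
o=- 1 1 IN IP4 192.168.6.112
s=session
c=IN IP4 192.168.6.112
t=0 0
m=audio 10000 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz
a=rtpmap:0 PCMU/8000
"""
SDP_PLAIN = SDP_SRTP.replace("RTP/SAVP", "RTP/AVP")                  # crypto line but plain profile
SDP_BAD_KEY = SDP_SRTP.replace("WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz", "dG9vc2hvcnQ=")  # 8-byte key

if __name__ == "__main__":
    for name, body in (("SRTP", SDP_SRTP), ("plain", SDP_PLAIN), ("bad key", SDP_BAD_KEY)):
        print(name, srtp_report(body))
```

To run it against live traffic, take the SDP body from the INVITE and the 200 OK printed by `sip set debug on` in the Asterisk CLI (or from a packet capture of the signalling, which is only readable there if TLS is not yet in use) and pass each to `srtp_report`; both directions must come back `True` for the call to be SRTP end to end.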