Enabling TLS for SIP TLS instead of SIP UDP

Hi all,

I’m trying to set up TLS for SIP TLS instead of SIP UDP, i.e. encrypting the signalling port 51160 and RTP ports 10k to 20k. I imagine I’m going to need Let’s Encrypt to do it.

Is there a good guide on how to do it?

Thanks,
Rob

https://wiki.freepbx.org/display/PHON/TLS+and+SRTP

I’ve found it. It says all my modules need to be up-to-date and using PJSIP. Is it mandatory to use PJSIP?

It’s not mandatory to use PJSIP, but it is highly advisable, as chan_sip is effectively unsupported, and is scheduled for removal in, I believe, Asterisk version 23.

Let’s Encrypt is OK if you have low security requirements, and, I believe, operate a public HTTPS server. I’d expect bigger organisations to create their own root certification authority, and distribute its public key to all internal users. That can be done with OpenSSL. I guess one advantage of Let’s Encrypt is that FreePBX can automate the obtaining of the certificates.

For more security, with the convenience of pre-installed root certificates, you may be able to buy a suitable product from one of the more up-market certifiers, who will more thoroughly check that you own the domain names in use.

Thanks @david55. Are softphones supported for the use of SIP TLS?

You’d have to be specific about the soft phone. There is nothing fundamentally different between soft and hard phones in the way they handle SIP, so any limitations would apply to particular phones. Free versions are less likely to support encryption, as it will be seen as something businesses will pay for, but WebRTC always uses encryption, is supported by both channel drivers, at least in Asterisk itself, and you could call a web browser a sort of soft phone.

Got it working.

Only thing though, I’m using a custom PJSIP TLS port 50061, and for it to work I needed to change “Allow Transports Reload” to Yes instead of No.

It worked for a bit, as when I looked at “Asterisk Info” it said my extension was online, but now when I look it says my extension is offline.

I’ve changed “Allow Transports Reload” back to No but it still says my extension is offline.

Any help on this matter?

Thanks,
Rob

I issued a fwconsole restart and it fixed my extension; it was back online.

Also, if I change my PJSIP UDP port to, let’s say, 50060, that will also change my outbound UDP port and then it breaks my trunk to my SIP provider, so I changed that back to 5060.
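An added example, not from the thread or from FreePBX itself: the raw Asterisk pjsip.conf equivalent of the settings discussed above (TLS transport on the custom port 50061, the transport reload option, the UDP transport left on 5060 for the trunk, and an extension forced to TLS plus SRTP). In FreePBX these values are set in the GUI and written to the generated pjsip.*.conf files; the certificate paths and the extension number 1001 below are placeholders.

```ini
; Assumed layout: hand-written pjsip.conf on a plain Asterisk box.
; FreePBX generates the same sections from the GUI; do not edit its
; generated files by hand.

; --- Signalling: TLS transport on the custom port used in the thread ---
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:50061
cert_file=/etc/asterisk/keys/pbx.example.com.crt     ; placeholder path
priv_key_file=/etc/asterisk/keys/pbx.example.com.key ; placeholder path
method=tlsv1_2
; "Allow Transports Reload = Yes" in the FreePBX GUI maps to this option.
; Without it a changed transport is only picked up by a full restart
; (the fwconsole restart that fixed the extension above).
allow_reload=yes

; --- Keep the UDP transport on 5060: the trunk to the SIP provider is
; bound to this transport, so its bind port is also the outbound source
; port the provider sees; changing it is what broke the trunk ---
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

; --- Extension: TLS signalling and SRTP media, no plain-RTP fallback ---
[1001]                  ; constructed extension number
type=endpoint
transport=transport-tls
context=from-internal
disallow=all
allow=ulaw
media_encryption=sdes           ; SRTP keys carried in the TLS-protected SDP
media_encryption_optimistic=no  ; reject a call that would fall back to RTP
auth=1001
aors=1001
```

The RTP port range mentioned in the first post (10000 to 20000) is not a pjsip.conf setting; it is rtpstart/rtpend in rtp.conf, and SRTP still uses those same ports, only with encrypted payloads.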
