Securing the conversation with TLS and SRTP - Not so fast

cosmicwombat · July 1, 2011, 3:27am

Since I started doing VoIP related work full time I am finding I have less time and energy to grind forward on certain… shall I say nagging aspects of VoIP in general. In particular TLS and SRTP. Sure, I was able do to the tutorial and get Blink to work with Asterisk 1.8.X ( a tip is that if you are using the FreePBX Distro - you may need to grab Asterisk and untar it to run the script - https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial )

While I did the tutorial, I also started looking at X-Lite, Bria, etc… Snom, Polycom, and Aastra IP Phones and how one might extrapolate.

Naturally they are vary slightly in how they access and/or store keys for encryption.

Next problem is we often weave several Asterisk/FreePBX systems and so the real picture is several CentOS boxes and VoIP Devices. This reads as a key management issue followed by a vendor specific key storage and retrieval issue.

So, what is the point of all this diatribe you might ask ?

I need help.

Perhaps a few pointers in adopting MIKEY on CentOS > http://www.scribd.com/doc/52374665/90/Key-Management-for-SRTP-–-MIKEY

And/or if anyone has contacted Aastra and worked out the key access for the 67XX series of phones ?

For now I am just going to continue to mess with Blink keep after Aastra ( tempted to try Snom 1st) and muddle forward.

If we can put together some working procedures surrounding TLS / SRTP it would be a good thing.

cosmicwombat · July 3, 2011, 1:00am

I guess I have myself to blame as I have been more or less absent online for the last 6~9 months. Accordingly I should not expect… anything.

No worries. I am a bit amazed that my original post has thus far not elicited one or two “Google is your friend” or “that has been covered here link” comments.

Actually, color me fascinated. Spock style. If no one has tackled TLS and SRTP beyond the Blink softphone then there be some uncharted territory ahead. Key management is the ocean, device specific requirements the islands and for treasure…solutions.

As for clues? Not so much.

Mateus · July 10, 2011, 5:54pm

Hallo!
Thats what i am working now… Asterisk based PBX with TLS/SRTP but i am not @finish for now.

Still working and working really hard

jingjong · January 18, 2012, 10:08pm

Hi Guys,

Anyone had a successful SRTP implementation with Asterisk 1.8.x and FreePBX?

I have been googling the whole week now and still can’t find a away to make SRTP work.

Thanks

jhunholz · February 3, 2012, 8:15am

Seems there’s a lot of us in the same boat: trying to get SRTP/TLS working with Asterisk 1.8/FreePBX, but not having any luck. If someone does figure it out, some tips would be much appreciated!

whitehat237 · February 16, 2012, 5:46am

After messing with this for about a day I have TLS working but not SRTP.

This guide helped me get TLS working, for a softphone.

http://www.voip-info.org/wiki/view/SIP+TLS

I added all of these lines:

tlsenable=yes
tlsbindaddr=192.168.0.1 (put your actual ip address of your box here)
tlscertfile=/etc/asterisk/certificates/asterisk.something.com.pem
tlsdontverifyserver=no
tlscipher=DES-CBC3-SHA
tlsclientmethod=tlsv1

to /etc/asterisk/sip_custom.conf which was a blank file, and then restarted asterisk

asterisk -rx “core restart now”

What the guide doesn’t tell you, is that you need to download the server certificate to the computer running the softphone and “install” it.

in windows 7, I just double clicked the file which ended with a .crt extension, and used the wizard to import the certificate. Accept all of the defaults, next, next, finish

I’m using the windows version of linphone as the softphone client. In the preferences menu in linphone, under Network protocol and ports, select “SIP (TLS)”

Then restart linphone.

After doing this linphone registers with asterisk properly, and I can make calls, etc.

This seemed like the hard part. Shouldn’t SRTP just work once the certificate process is resolved?

In freepbx --> extensions --> encryption

I set Yes (SRTP only) and clicked submit.

After that the extension stops working, and the message received is:

Not allowed here

The asterisk debug output shows:

[2012-02-16 00:42:15] ERROR[1415]: chan_sip.c:28813 setup_srtp: No SRTP module loaded, can’t setup SRTP session.

If I try and use the cli to load the res_rtp_asterisk module, it states that it’s already loaded

asterisk*CLI> module load res_rtp
[2012-02-16 00:43:38] WARNING[1663]: loader.c:829 load_resource: Module ‘res_rtp_asterisk.so’ already exists.

Is this the necessary module that provides srtp support?

I also thought maybe I was missing the libsrtp library, but yum search srtp returns nothing.

How can srtp support be enabled in freepbx?

geek15 · April 23, 2012, 11:54pm

I believe that the module ‘res_rtp_asterisk.so’ is the correct module. For some reason I can’t seem to find a way to get it to load. I’ve added it to /etc/asterisk/modules.conf and the module still isn’t loaded.

geek15 · April 24, 2012, 12:01am

Okay. I’ve accomplished getting the module to load. module load res_rtp_asterisk.so seems to work. However even after the module is loaded the same old error keep showing up [2012-04-23 19:53:35] ERROR[-1] chan_sip.c: No SRTP module loaded, can’t setup SRTP session. I’m wondering if there is something missing here.

jackryan · May 4, 2012, 3:19pm

Hi,
I seem to have the exact same problem, except my installation is * 1.8.11 in optware on a dd wrt ASUS N16 router. (package from here http://ipkg.nslu2-linux.org/feeds/optware/openwrt-brcm24/cross/stable/).

Like you I can make a regular (non SRTP) call, but when I try to enable SRTP I get the same message: “chan_sip.c: No SRTP module loaded, can’t setup SRTP session”. I tried loading the res_rtp_asterisk.so manually and, like you, I get the message that it is already loaded. I don’t understand why it doesn’t work.
I also get a strange error message when I run * about dropping down to UDP transport even though I have it set up and working with TLS despite the error message.

All this is very strange and sounds like a bug (or 2) to me. I don’t know what else I can do since the SRTP module is supposed to be already included in res_rtp_asterisk.so which is loaded by default.

Any ideas would be much appreciated.

Thanks

jackryan · May 4, 2012, 6:49pm

Still have the exact same problem.
Is SRTP not included by default?

Very frustrating.

simcity · May 31, 2012, 9:37pm

Hi Folks,

Just wondering if anyone has had any luck getting TLS and SRTP working reliably? I’ve been googling around and found what look to be like some useful resources:

on the Asterisk Project Wiki there is a neat Secure Calling Tutorial. Reading this it would appear that your SRTP errors may relate to the fact that “libsrtp has to be installed on the machine before Asterisk is compiled”. See the note on SRTP (Part 2) about half-way down the page.
on Cisco Support Community there is an article which explains how to get TLS and SRTP working with Cisco SPA5XX series phones. Looks like there is a small Asterisk patch involved in this particular scenario because these SPA5XX phones send out a crypto attribute with 2 lines (one for AES_32 and another for AES_80) which apparently Asterisk cannot negotiate as it is expecting one or the other attributes, but not both…

Following along the Cisco endpoint peculiarities, in my case for the Cisco 89xx/99xx series, I think getting the TLS / SRTP settings and certificate files correctly configured with these bad boys will be no small feat, especially given Cisco’s infamous lack of non-CallManager specific documentation…hmmm.

It would be quite cool to get this working though.

marcus2k3 · July 19, 2013, 1:11pm

Any one got this working I have wasted a few days trying to get mine going. Goinf to try using repro