Trying to register PJSIP extension over TLS and SRTP

I was able to do an encrypted echo test using BLINK softphone http://icanblink.com/ using the default settings as described in the FreePBX wiki.

If I find a solution for the Polycom phone, I will post it here.

What did you do to get blink working on tls?

It is just a different app. I saw in this tutorial https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial that they used Blink, so I tried it. I did not have to download a client certificate.

What about the certificate on Asterisk? Did you have to set a custom path?

I did not use the pjsip.transports_custom_post.conf and did not have to put in a custom path. From the article I just used the app. I followed the FreePBX wiki for the TLS PJSIP setup.

Why does your phone say FREEPBX_IP? Use credentials no? Looks odd to me.

No, I realize you probably masked your IP. Lol. Duhh… Sorry. Use Credentials: No though?

Can you confirm then that the certificate file being pointed to has the KEY and CERT in the same file? As I mentioned before, asterisk rejects this - it does not work. I am trying to understand how you did everything without fixing this issue, and yet it works…

Currently the output of `pjsip show transport 0.0.0.0-tls` is:

 Transport:  <TransportId........>  <Type>  <cos>  <tos>  <BindAddress....................>
 ==========================================================================================
 
 Transport:  0.0.0.0-tls               tls      3     96  0.0.0.0:5061
 
 ParameterName              : ParameterValue
 =================================================================
 allow_reload               : true
 async_operations           : 1
 bind                       : 0.0.0.0:5061
 ca_list_file               : /etc/pki/tls/certs/ca-bundle.crt
 ca_list_path               : 
 cert_file                  : /etc/asterisk/keys/domain.pem
 cipher                     : 
 cos                        : 3
 domain                     : 
 external_media_address     : freepbx_IP
 external_signaling_address : freepbx_IP
 external_signaling_port    : 0
 local_net                  : 
 method                     : tlsv1
 password                   : 
 priv_key_file              : /etc/asterisk/keys/domain.key
 protocol                   : tls
 require_client_cert        : No
 symmetric_transport        : false
 tos                        : 96
 verify_client              : No
 verify_server              : No
 websocket_write_timeout    : 100

The /etc/asterisk/keys/domain.pem file looks like:

 -----BEGIN PRIVATE KEY-----
 some text
 -----END PRIVATE KEY-----
 -----BEGIN CERTIFICATE-----
 some text
 -----END CERTIFICATE-----

A few changes that I tested:

  1. I deleted all certificates other than the third party one
  2. I removed local_net (not sure if it makes a difference)
  3. I used softphone app

Polycom phone is still not registering as tls

I have been looking at Yealink / FreePBX / SIP / TLS and I will try to import the server (ca.crt?) and client certificates (domain.pem?) into the Polycom phone.
Is /etc/asterisk/keys/domain.pem a client certificate?

Can you explain?
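To look at the question raised above, whether the file that `cert_file` points to also carries the private key, here is an added checker that is not part of this thread or of Asterisk: it splits a PEM file into its labelled blocks, reads the `cert_file` / `priv_key_file` / `method` values out of `pjsip show transport` output, and reports the key-in-cert-file condition plus the pinned TLS version. The PEM bodies and the transport listing are constructed samples modelled on the ones posted.

```python
import re

# Constructed sample shaped like the posted /etc/asterisk/keys/domain.pem
# (private key block first, certificate second); bodies are placeholders.
COMBINED_PEM = """-----BEGIN PRIVATE KEY-----
c29tZSB0ZXh0
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
c29tZSB0ZXh0
-----END CERTIFICATE-----
"""
KEY_ONLY_PEM = "-----BEGIN PRIVATE KEY-----\nc29tZSB0ZXh0\n-----END PRIVATE KEY-----\n"

# Constructed excerpt of `pjsip show transport` output, same layout as the thread.
TRANSPORT_OUTPUT = """ cert_file                  : /etc/asterisk/keys/domain.pem
 priv_key_file              : /etc/asterisk/keys/domain.key
 method                     : tlsv1
 verify_client              : No
"""

# One PEM block: label in BEGIN must be repeated verbatim in END.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.S)

def pem_block_types(pem_text):
    """Labels of the PEM blocks in file order, e.g. ['PRIVATE KEY', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def parse_transport(output):
    """Turn the 'name : value' lines of `pjsip show transport` into a dict.
    Splitting on the first ':' keeps values such as 0.0.0.0:5061 intact."""
    params = {}
    for line in output.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            params[name.strip()] = value.strip()
    return params

def check_transport(params, files):
    """files maps a path to its PEM text (constructed here; read from disk in practice).
    Returns human-readable findings about the transport's certificate settings."""
    findings = []
    cert_types = pem_block_types(files.get(params.get("cert_file", ""), ""))
    key_types = pem_block_types(files.get(params.get("priv_key_file", ""), ""))
    if any(t.endswith("PRIVATE KEY") for t in cert_types):
        findings.append("cert_file also contains a private key; keep the key only in priv_key_file")
    if "CERTIFICATE" not in cert_types:
        findings.append("cert_file has no CERTIFICATE block")
    if not any(t.endswith("PRIVATE KEY") for t in key_types):
        findings.append("priv_key_file has no PRIVATE KEY block")
    if params.get("method", "").lower() == "tlsv1":
        findings.append("method=tlsv1 pins the transport to TLS 1.0, which is deprecated")
    return findings

def run_example():
    files = {"/etc/asterisk/keys/domain.pem": COMBINED_PEM,
             "/etc/asterisk/keys/domain.key": KEY_ONLY_PEM}
    return check_transport(parse_transport(TRANSPORT_OUTPUT), files)
```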

You have the line settings set to not send a username or password?

I followed the freepbx wiki https://wiki.freepbx.org/display/PHON/TLS+and+SRTP and this setting seems to work with softphone. Do I have to use username / password?

Did you use a username and password on the softphone for extension and secret?
Also see… https://community.polycom.com/t5/VoIP-SIP-Phones/FAQ-Do-Polycom-phones-support-wildcard-certificates/m-p/79702/thread-id/16093

Polycom likely has some tls restrictions. You might have to tone down the verifications and make sure the firmware is the latest version so it supports new CA certs.
Looks like by default it doesn't like wildcard certs.


Are you self-generating your cert, and it's not from a valid CA? Polycom might not like that either.
There is a free option built into FreePBX.

Yes, I use username and password with all extensions.

I am up to date with the phone software and I tried disabling the Common Name Validation. Still the Polycom phone did not register.

I used a Domain Validation SSL certificate from GoGetSSL.

In your screenshot use login credentials is set to no though.
How does it know what your extension and secret are?

Correct

Not sure. It just works.

I followed these instructions (explanation at the 12-minute mark).

Yeah, "Use Login Credentials: Disable" looks right, sorry about that. Maybe I should have actually fired up one of my Polycoms.

Last thing to look at is here:
https://documents.polycom.com/bundle/rprm-ops-10-5/page/rprm_ops/Management_Security/TOC_Configure_TLS_Settings.htm

and here

From the second link it looks like they make you upload the CA cert into the phone, but that can be disabled.