Using EPM with Yealink and TLS/SRTP


(Lorne Gaetz) #1

I don’t know if this is a long standing issue or a recent regression, but this ticket is marked as resolved:
https://issues.freepbx.org/browse/FREEPBX-22663

EPM provisioning of Yealink endpoints with TLS/SRTP.


(Jared Busch) #2

So many issues/questions… Like everything dealing with a Commercial module ticket (even when it was not a FREEI ticket)…
How was it implemented? @kgupta1 posted no examples on the ticket. You posted nothing here.

Does EPM now force TLS/SRTP on each extension? Is it an option when I map the extension in EPM?

Do I just update a site and randomly have to guess?


(Lorne Gaetz) #3

EPM will use the transport and encryption that is set on the Advanced tab when you define the extension. If the extension has TLS set for transport, then EPM should config the phone to use TLS, otherwise no device will register. Likewise if media encryption is set for the extension, then EPM needs to provision the device with matching encryption params. If everything is left to defaults, with transport set to auto, then UDP transport with no media encryption is used.


(Jared Busch) #4

One of the points of pjsip is to allow multiple contacts. Yet not all endpoints can use TLS as created by FreePBX’s implementation of the ACME protocol.

So that means if I leave transport on auto I can have an endpoint connect with either UDP or TLS.

Additionally, if I set media encryption as stated.

There is an entirely separate option for requiring it or letting it be opportunistic.
And this option is ONLY POSSIBLE if media encryption is not “none”…

This change is a mess. This functionality should have been made in the endpoint mapping section.


(Defcomllc) #5

This is not working for me.

I have a hosted test environment FreePBX 15.0.17.48 on Vultr with commercial SysAdmin Pro and Endpoint Manager modules. All latest updates installed.

I have S705, D65 and DECT DC201 all running great HTTPS provisioning with TLS/SRTP. Support was logged into this install 2 weeks ago helping with diagnosing a TLS issue with Digium phones, which they found the problem and updated the Wiki for TLS/SRTP setup… So I know all my TLS and HTTPS setup is correct. I’m running a LE cert.

I am testing with a Yealink T46S today and when I set Extension transport to auto, log into the Yealink WebGUI and set Auto Provision server to https://myfqdn.com:2443 (2443 is my HTTPS provisioning port) it provisions no problem and works great…

When I change transport to TLS and Media to SRTP for this same extension, default the phone, upon reboot log into Yealink WebGUI and set auto provision server to https://myfqdn.com:2443 it pulls the config, the phone reboots, but the extension will not register… Switch Transport back to Auto in Extension and it registers right away.
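
The transport and media-encryption matching discussed in this thread can be checked offline by comparing the config file the phone pulled with the PJSIP endpoint it registers to. The following is an added example, not part of any post and not FreePBX, EPM or Yealink code; `parse_kv` and `audit` are hypothetical names, the sample inputs are constructed, and it assumes the Yealink keys `account.X.sip_server.1.transport_type` and `account.X.srtp_encryption`, the PJSIP options `transport`, `media_encryption` and `media_encryption_optimistic`, and a TLS transport section named like `0.0.0.0-tls`.

```python
# Added example (not FreePBX/EPM or Yealink code): audit a provisioned Yealink
# config against the PJSIP endpoint it has to register to.
YEALINK_TRANSPORT = {"0": "udp", "1": "tcp", "2": "tls", "3": "dns-naptr"}
YEALINK_SRTP = {"0": "off", "1": "optional", "2": "compulsory"}

def parse_kv(text):
    """Parse 'key = value' lines, skipping blanks, comments and [section] headers."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs[key.strip()] = value.strip()
    return pairs

def audit(phone_cfg, endpoint_cfg, account=1):
    """Return a list of transport/SRTP mismatches (empty list means consistent)."""
    phone, ep = parse_kv(phone_cfg), parse_kv(endpoint_cfg)
    prefix = f"account.{account}."
    # Yealink defaults when a key is absent: UDP transport, SRTP off.
    transport = YEALINK_TRANSPORT.get(phone.get(prefix + "sip_server.1.transport_type", "0"), "unknown")
    srtp = YEALINK_SRTP.get(phone.get(prefix + "srtp_encryption", "0"), "unknown")
    problems = []
    # Assumption: a pinned TLS transport section has "tls" in its name; empty means auto.
    pinned = ep.get("transport", "").lower()
    if "tls" in pinned and transport != "tls":
        problems.append(f"transport: endpoint pinned to {pinned}, phone uses {transport}")
    enc = ep.get("media_encryption", "no").lower()
    optimistic = ep.get("media_encryption_optimistic", "no").lower() == "yes"
    if enc == "sdes" and not optimistic and srtp == "off":
        problems.append("media: endpoint requires SRTP, phone has SRTP off")
    if enc == "no" and srtp == "compulsory":
        problems.append("media: phone requires SRTP, endpoint has media encryption off")
    return problems

# Constructed sample inputs, not taken from the thread.
PHONE_UDP = """#!version:1.0.0.1
account.1.sip_server.1.address = pbx.example.com
account.1.sip_server.1.transport_type = 0
account.1.srtp_encryption = 0
"""
PHONE_TLS = PHONE_UDP.replace("transport_type = 0", "transport_type = 2").replace("srtp_encryption = 0", "srtp_encryption = 2")
ENDPOINT_TLS = "[1001]\ntype = endpoint\ntransport = 0.0.0.0-tls\nmedia_encryption = sdes\nmedia_encryption_optimistic = no\n"
ENDPOINT_AUTO = "[1001]\ntype = endpoint\nmedia_encryption = no\n"

if __name__ == "__main__":
    for name, phone in (("udp phone", PHONE_UDP), ("tls phone", PHONE_TLS)):
        print(name, "vs TLS/SRTP endpoint:", audit(phone, ENDPOINT_TLS) or "consistent")
```

An empty result only says the two configs agree on transport and SRTP; it does not test certificates, ports or name resolution.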