Using SRTP TLS and Yealink phones

I’m trying to use SRTP to connect remote phones.
With the instructions in GAA Techblog - Securing Calls with TLS and SRTP I managed to connect a phone:

```
Aor: 2114
Contact: 2114/sip:[email protected]:12617;transpor 2bbe8ad22f Avail 5.087
ParameterName : ParameterValue
===================================================================
authenticate_qualify : false
contact : sip:[email protected]:12617;transport=TLS
```

But I doubt the safety of this method.
Isn’t it necessary to use ca.crt during connection?

I see many crt, key and pem files in /etc/asterisk/keys/ folder…
Is there anywhere description of them?
Maybe it is necessary to generate a certificate for each phone? How?

Is there a step-by-step instruction on how to connect a phone to Freepbx using the SRTP and TLS?

Spent a lot of time looking for that information, but without any success (

That would be the gold standard, but I suspect that most people use the LetsEncrypt option, which can only generate certificates for publicly visible entities, and has a low level of authentication of the certificate requester. Generally they aren’t concerned about calls being spoofed direct to phones, so they don’t authenticate outbound requests from the PABX, and rely on the phone using the certificate to authenticate Asterisk and set up encryption, then authenticating the phone by standard SIP methods.

The phones need access to, at least, the root certificate used by LetsEncrypt.

You need to do a proper security audit, and determine what threats you face. The standard method is not going to be suitable for high risk sites. I’d suggest that such sites ought, already, to have their own public key infrastructure in place, and expertise on its use. I’d suggest, in such cases, a corporate root certificate should be used, and browsers, etc. should have most or all other CAs disabled.

It is important to understand that certificates are for authentication, not encryption, although, without them, an attacker might let you establish an encrypted connection to them and then relay it as a new one, to the server, with full clear text visibility in between.

For information on Asterisk’s use, you should look at Asterisk, rather than FreePBX, documentation, and also familiarise yourself with OpenSSL.

Asterisk does provide tools for creating a corporate CA and creating certificates for phones, but they don’t follow best practice, in that the CA secret key tends to end up on the machine running Asterisk, when it really should be on a dedicated machine, with an air gap.
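The points made in the reply above (the CA key belongs on a separate machine, certificates authenticate rather than encrypt, and a peer that does not check the chain is open to a relay in the middle) can be shown with plain OpenSSL. The script below is an added example, not code from the thread, from Asterisk or from FreePBX: it builds a private CA, issues a server certificate for the PBX and a client certificate for one phone, builds a second "attacker" CA that issues a certificate with the same PBX name, and checks which leaf certificates verify against the real ca.crt. The host name pbx.example.internal, the extension 2114, the CA names and the file paths are assumptions; the pjsip.conf transport it prints at the end uses real res_pjsip option names but is only illustrative, since FreePBX writes that file itself from its SIP Settings page.

```shell
#!/bin/sh
# Added example: private CA + PBX/phone certificates with OpenSSL,
# and a verify check that shows why the phone must trust the CA.
set -eu

PBX_FQDN="pbx.example.internal"   # assumed PBX host name
PHONE_EXT="2114"                  # extension from the thread

gen_ca() {
  # $1 dir, $2 CA common name. Key is generated here for the demo only;
  # in production keep ca.key on an offline machine, not on the PBX.
  cadir=$1 cacn=$2
  openssl genrsa -out "$cadir/ca.key" 2048 2>/dev/null
  openssl req -new -key "$cadir/ca.key" -subj "/CN=$cacn" -out "$cadir/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$cadir/ca.ext"
  openssl x509 -req -in "$cadir/ca.csr" -signkey "$cadir/ca.key" -days 3650 -sha256 \
    -extfile "$cadir/ca.ext" -out "$cadir/ca.crt" 2>/dev/null
}

issue_cert() {
  # $1 dir holding ca.crt/ca.key, $2 file basename, $3 CN,
  # $4 extendedKeyUsage (serverAuth or clientAuth), $5 optional SAN.
  dir=$1 name=$2 cn=$3 eku=$4 san=${5:-}
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -subj "/CN=$cn" -out "$dir/$name.csr" 2>/dev/null
  {
    printf 'basicConstraints=critical,CA:FALSE\n'
    printf 'keyUsage=critical,digitalSignature,keyEncipherment\n'
    printf 'extendedKeyUsage=%s\n' "$eku"
    if [ -n "$san" ]; then printf 'subjectAltName=%s\n' "$san"; fi
  } > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

build_pki() {
  # $1 work dir. Real CA plus PBX and phone leaves, and a rogue CA that
  # issues a certificate carrying the PBX's name (the MITM case).
  root=$1
  mkdir -p "$root/rogue"
  gen_ca "$root" "Example PBX Root CA"
  issue_cert "$root" pbx "$PBX_FQDN" serverAuth "DNS:$PBX_FQDN"
  issue_cert "$root" "phone-$PHONE_EXT" "$PHONE_EXT" clientAuth
  gen_ca "$root/rogue" "Attacker CA"
  issue_cert "$root/rogue" pbx "$PBX_FQDN" serverAuth "DNS:$PBX_FQDN"
}

verify_chain() {
  # $1 trusted CA file, $2 leaf certificate. Exit 0 only if the leaf
  # chains to that CA; this is what "Only Accept Trusted Certificates" does.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

pjsip_transport() {
  # $1 directory where the PBX files live (assumed /etc/asterisk/keys).
  # Option names are real res_pjsip transport options; values are illustrative.
  cat <<EOF
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=$1/pbx.crt
priv_key_file=$1/pbx.key
ca_list_file=$1/ca.crt
verify_client=yes
verify_server=yes
method=tlsv1_2
EOF
}

main() {
  work=$(mktemp -d)
  build_pki "$work"
  verify_chain "$work/ca.crt" "$work/pbx.crt" && echo "PBX certificate chains to our CA"
  verify_chain "$work/ca.crt" "$work/phone-$PHONE_EXT.crt" && echo "phone certificate chains to our CA"
  verify_chain "$work/ca.crt" "$work/rogue/pbx.crt" || echo "rogue certificate for $PBX_FQDN rejected"
  echo "phone needs $work/ca.crt in its trusted list; phone-$PHONE_EXT.key never leaves the phone"
  pjsip_transport /etc/asterisk/keys
}

main
```

Only ca.crt goes to the phone's trusted certificate list; the phone gets its own phone-2114.crt and phone-2114.key as its device certificate, and the PBX keeps pbx.crt, pbx.key and ca.crt. The rogue certificate carries the correct name and a valid-looking chain to its own CA, so a phone that does not verify against ca.crt would accept it.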

Indeed, the linked article’s suggestion to set Only Accept Trusted Certificates to Disabled means that you have no protection against an MITM attack. For most SMBs, if Asterisk’s certificate is signed by Let’s Encrypt or another commercial CA, and the phone has that CA’s root cert, you should be able to set Only Accept Trusted Certificates to Enabled and be good to go. If you’re a large enterprise, let your security folks provide a solution.

Thank you for advice!
I’ll start reading the OpenSSL documentation.
Am I right that if I use Asterisk’s methods of generating certificates they would work with FreePBX too?

Yes. It sounded weird, that’s why I started this thread.

No, I don’t have any other people except me)

In terms of run time use with phones, FreePBX uses Asterisk to do all this. FreePBX does include certificate management stuff, whereas all that Asterisk provides are minimal tools for creating your own CA. I was involved with development, not production, so I never handled live certificates, and all that I did to see how they worked was with the Asterisk provided CA. I have a feeling that, if you use a public CA, you either have to use FreePBX, or directly use the OpenSSL tools.


Thanks a lot!
Now I have the right direction at least.

UPD
I created certificates with ast_tls_cert script as said at Overview - Asterisk Documentation
After changing the owner of the created files FreePBX could “Import Locally” them and I set the new “asterisk” certificate as default.
I added this certificate into Yealink/Security/TrustedCertificates and the phone connected to FreePBX with the Only Accept Trusted Certificates option enabled.
In SIP Settings:
Verify Client: yes
Verify Server: yes
But I didn’t understand how to use the certificate created for the phone at the second step of the instructions?

PS
I’m wrong.
It works with default.crt only, not asterisk.crt

You’ve created a self-signed certificate this way. This will require you to load the generated CA file(s) into the phone so the phone knows the CA and can deal with the certificate.