Commercial SSL certs on Asterisk 1.8.10.0 with Polycom phones for encrypted calls using TLS and SRTP?


Hi all,

We’re testing TLS and SRTP on Asterisk 1.8.10.0 and have it working
with a commercial (not self-signed) AlphaSSL wildcard (GlobalSign) using
Blink Lite 1.6.2 as per
https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

We’ve tested with Bria on an iPhone and that doesn’t recognise the
commercial CA (GlobalSign Root CA).

On a Yealink 28P with V60/V61 it registers over TLS, but can’t do
SRTP. Yealink are working on this and are testing against one of our
dev servers.

My question is someone (Digium) must have this working against Polycom
(which is a requirement for this project) with commercial certs since
that’s their partner of choice?

This is our relevant setup:

tlsenable=yes
tlsbindaddr=0.0.0.0
tcpbindaddr=0.0.0.0
tcpenable=yes
transport=tcp,udp,tls
tlscertfile=/etc/asterisk/ssl/test_wildcard_cert.pem
tlscafile=/etc/asterisk/ssl/AlphaSSLroot.crt
tlscipher=ALL
tlsclientmethod=tlsv1

This file has the cert and key in it:

test_wildcard_cert.pem

is as per:

http://www.alphassl.com/support/install-ssl/apache.html

and AlphaSSLroot.crt is as per:

http://www.alphassl.com/support/install-root/apache.html

We haven’t tested Snom or Aastra yet.

Thanks,

Gavin.

6 thoughts on - Commercial SSL certs on Asterisk 1.8.10.0 with Polycom phones for encrypted calls using TLS and SRTP?

  • I don’t believe we’ve done any interop testing with Polycom phones since
    TLS and SRTP support were added to Asterisk. Most (possibly all) of the
    interop testing was done with Asterisk Business Edition, the last
    version of which was based on Asterisk 1.4.

  • Ah, this makes sense now. So as of today the status of TLS and SRTP in anything
    other than 1.4.X is unknown?

  • Umm… no 🙂

    Asterisk 1.4 did not have support for SRTP or SIP/TLS. Thus, neither of
    these were tested with Polycom phones the last time we did interop
    testing with those phones.

    The status of SIP/TLS and SRTP support in the Asterisk releases that
    have them is not ‘unknown’; they are there and expected to be working.
    I was just pointing out that Digium has not specifically tested Polycom
    phones for interop with these features, and certainly has not
    specifically tested usage of TLS certificates issued by any particular CA.

  • AFAIK, it “works” in the 1.8 and 10.X branches (I have used it in 10.0.2).
    There was a known issue with some certificates that used multiple levels
    IIRC.

  • afaicr, it was in 1.6.2

    btw, “commercial” certs are not so special.
    Somewhere in the chain (root-ca), there is a self-signed cert.
    You can make such a chain yourself,
    root-ca -> sub-ca -> sub-ca and finally a server+client cert.
    Or, you can get a free cert from cacert.org

    hw
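
Added example, not part of the thread: the root-ca -> sub-ca -> server chain described in the last comment, built with the openssl CLI, plus a check showing one way a multi-level chain fails validation, namely a client that trusts only the root and is not given the intermediate. All names (example.test, the file names, the bundle layout) are constructed assumptions, and nothing here shows how a particular Asterisk release loads the file.

```shell
#!/bin/sh
# Added example. Every subject name and file name below is a constructed test value.

# mkcert NAME SUBJECT EXTFILE [ISSUER]: new key + CSR, signed by ISSUER or self-signed.
mkcert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "$2" 2>/dev/null || return 1
    if [ -n "$4" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
            -out "$1.crt" -days 30 -extfile "$3" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -out "$1.crt" -days 30 -extfile "$3" 2>/dev/null
    fi
}

# build_chain DIR: root-ca -> sub-ca -> wildcard server cert, then a single PEM
# holding server cert, intermediate and key (assumed layout for a cert+key file).
build_chain() (
    mkdir -p "$1" && cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > leaf.ext
    mkcert root   '/CN=Example Root CA' ca.ext        || exit 1
    mkcert sub    '/CN=Example Sub CA'  ca.ext root   || exit 1
    mkcert server '/CN=*.example.test'  leaf.ext sub  || exit 1
    cat server.crt sub.crt server.key > server_bundle.pem
)

# Client trusts only the root; the server side also supplies the sub-CA cert.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/server.crt" >/dev/null 2>&1
}

# Same client, but only the leaf certificate is presented.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# Demo run in a throwaway directory.
d=$(mktemp -d) && build_chain "$d" && {
    verify_with_intermediate "$d" && echo "intermediate supplied: chain verifies"
    verify_without_intermediate "$d" || echo "intermediate missing: verification fails"
    rm -rf "$d"
}
```

The same `openssl verify` pair can be pointed at a real leaf, intermediate and root to confirm the intermediate is what a root-only client is missing.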