I am having a very difficult time attempting to get TLS and SRTP working with Asterisk and anything else. At the moment I am trying to get TLS functioning with our Snom870 desk-sets. And I am not having much luck.
Since this is an extraordinarily (to me) Byzantine environment I am going to ask if any of you have gotten this setup (Asterisk 11 with Snom870s using TLS) to work and if so could you provide the details?
I have this in Asterisk sip.conf (loaded through FreePBX's sip_general_additional.conf):
tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
tlscipher=ALL
And I have this for the test device context:
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
sendrpid=no
type=friend
nat=no
port=5060
transport=tls,udp,tcp
avpf=no
force_avp=no
icesupport=no
encryption=yes
callgroup=
pickupgroup=
dial=SIP/41712
callerid=James B Byrne <41712>
callcounter=yes
faxdetect=no
cc_monitor_policy=generic
If I change the transport setting to TLS then I get this reported:
[2015-03-03 11:10:08] ERROR: tcptls.c:875
ast_tcptls_client_start: Unable to connect SIP socket to
192.168.6.112:5060: Connection refused
I cannot seem to configure the Snom870 to listen for TCP on 5060. There is a setting for that on the phone but it seems to have no effect (it always returns to NO following a reboot). The Snom website says that the option is not available in FW 8.5 and later. It does not say whether or not the phone listens by default on FW 8.5+, only that the option has no effect.
It also does not say, as far as I can find, whether Snom870s listen for TCP at all or on what port. One may infer that since these devices purport to support TLS that the answer is yes and that TCP 5061 is a likely candidate. But they do not seem to come right out and say so anywhere.
In a section devoted to the Snom370, which is a model that we do not employ, there is reference to DNS SRV RRs. The inference drawn from the examples given is that these will control what ports the Snom will listen on for which services.
We have such records in our DNS zone. They look like this:
;# Configure sip/sips service records (VOIP)
;HOST TTL CLASS TYPE ORDER PREF FLAGS SERVICE REGEXP REPLACEMENT
300 IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.harte-lyne.ca.
300 IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.harte-lyne.ca.
300 IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.harte-lyne.ca.
;HOST TTL CLASS TYPE ORDER PREF PORT TARGET
_sips._tcp.harte-lyne.ca. 300 IN SRV 10 10 5061 voinet09.hamilton.harte-lyne.ca.
_sip._tcp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
_sip._udp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
However, our phones are configured to use SIP accounts having the form account@ipv4-addr. I doubt greatly that the Snom870s will perform a reverse DNS lookup on the provider’s IPv4 to discover the forward zone domain and thus I do not believe that SRV RRs can help us in this instance. They certainly do not seem to have any effect.
Asterisk seems not to distinguish between 5060 and 5061 regardless of protocol. I am not sure then how to proceed. Is there a way to force Asterisk to talk to port TCP 5061 on a specific device? Is this an exclusive setting?
This long background is by way of asking for help. If I have not provided specific information that is significant to this problem then I will do so if asked.
What I am attempting has to be possible. Somehow. And somebody must have already accomplished this. Somewhere.
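Added example, not part of the post above: an offline, RFC 3263-style walk over the NAPTR/SRV records quoted in the post, showing which target and port a domain-addressed sips: destination would resolve to, and why a destination written as account@ipv4-addr never consults those records at all. The zone text is copied from the post; parse_zone and resolve are names chosen for this example.

```python
import ipaddress

# Zone excerpt copied from the post; the NAPTR owner (harte-lyne.ca.)
# is written out explicitly here instead of being inherited.
ZONE = """
harte-lyne.ca. 300 IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.harte-lyne.ca.
harte-lyne.ca. 300 IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.harte-lyne.ca.
harte-lyne.ca. 300 IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.harte-lyne.ca.
_sips._tcp.harte-lyne.ca. 300 IN SRV 10 10 5061 voinet09.hamilton.harte-lyne.ca.
_sip._tcp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
_sip._udp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
"""

SERVICE_FOR = {"tls": "SIPS+D2T", "tcp": "SIP+D2T", "udp": "SIP+D2U"}
DEFAULT_PORT = {"tls": 5061, "tcp": 5060, "udp": 5060}  # RFC 3261 defaults

def parse_zone(text):
    """Split the zone rows into NAPTR and SRV tables keyed by owner name."""
    naptr, srv = {}, {}
    for line in text.strip().splitlines():
        f = line.replace('"', "").split()  # empty "" regexp field vanishes
        owner, rtype = f[0].rstrip("."), f[3]
        if rtype == "NAPTR":
            order, pref, service, repl = int(f[4]), int(f[5]), f[7], f[-1]
            naptr.setdefault(owner, []).append((order, pref, service, repl.rstrip(".")))
        elif rtype == "SRV":
            prio, weight, port, target = int(f[4]), int(f[5]), int(f[6]), f[7]
            # negative weight so that sorted() picks lowest prio, highest weight
            srv.setdefault(owner, []).append((prio, -weight, port, target.rstrip(".")))
    return naptr, srv

def resolve(host, transport, naptr, srv):
    """Return (target, port, how) for one preferred transport."""
    try:
        ipaddress.ip_address(host)
        # A numeric host (account@ipv4-addr) skips NAPTR/SRV entirely and
        # gets only the transport's default port.
        return host, DEFAULT_PORT[transport], "literal"
    except ValueError:
        pass
    wanted = SERVICE_FOR[transport]
    rows = sorted(r for r in naptr.get(host, []) if r[2] == wanted)
    if not rows:
        return host, DEFAULT_PORT[transport], "no-naptr"
    records = srv.get(rows[0][3])
    if not records:
        return host, DEFAULT_PORT[transport], "no-srv"
    _, _, port, target = sorted(records)[0]
    return target, port, "srv"

def lookup(host, transport):
    naptr, srv = parse_zone(ZONE)
    return resolve(host, transport, naptr, srv)
```

Running lookup("harte-lyne.ca", "tls") yields the SRV answer on 5061, while lookup("192.168.6.112", "tls") yields the literal with the default port, which is why a phone pointed at an IP must be told the TLS port explicitly.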