TLS, SRTP, Asterisk11 And Snom870s


CentOS-6.5 (FreePBX-2.6)
Asterisk-11.14.2 (FreePBX)
snom870-SIP 8.7.3.25.5

I am having a very difficult time attempting to get TLS and SRTP
working with Asterisk and anything else. At the moment I am trying to get TLS functioning with our Snom870 desk-sets. And I am not having much luck.

Since this is an extraordinarily (to me) Byzantine environment I am going to ask if any of you have gotten this set-up (Asterisk11 with Snom870s using TLS) to work and if so could you provide the details?

I have this in Asterisk sip.conf (loaded through FreePBXs sip_general_additional.conf).

tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1

And I have this for the test device context:

[41712]
deny=0.0.0.0/0.0.0.0
secret=NearlyANastyThat
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
sendrpid=no
type=friend
nat=no
port=5060
qualify=yes
qualifyfreq=60
transport=tls,udp,tcp
avpf=no
force_avp=no
icesupport=no
encryption=yes
callgroup=
pickupgroup=
dial=SIP/41712
mailbox=41712@device
permit=192.168.6.0/255.255.255.0
callerid=James B Byrne <41712>
callcounter=yes
faxdetect=no
cc_monitor_policy=generic

If I change the transport setting to TLS then I get this reported:

[2015-03-03 11:10:08] ERROR[22244]: tcptls.c:875
ast_tcptls_client_start: Unable to connect SIP socket to
192.168.6.112:5060: Connection refused

I cannot seem to configure the Snom870 to listen for TCP on 5060. There is a setting for that on the phone but it seems to have no effect (it always returns to NO following a reboot). The Snom website says that the option is not available in FW8.5 and later. It does not inform one whether the phone listens by default or not on FW8.5+, only that the option has no effect.

It also does not say, as far as I can find, whether Snom870s listen for TCP at all or on what port. One may infer that since these devices purport to support TLS that the answer is yes and that TCP5061
is a likely candidate. But they do not seem to come right out and say so anywhere.

In a section devoted to the Snom370, which is a model that we do not employ, there is reference to DNS SRV RRs. The inference drawn from the examples given is that these will control what ports the Snom will listen on for which services.

We have such records in our DNS zone. They look like this:

;# Configure sip/sips service records (VOIP)
;HOST TTL CLASS TYPE ORDER PREF FLAGS SERVICE REGEXP REPLACEMENT
      300 IN NAPTR 50  50 "s" "SIPS+D2T" "" _sips._tcp.harte-lyne.ca.
      300 IN NAPTR 90  50 "s" "SIP+D2T"  "" _sip._tcp.harte-lyne.ca.
      300 IN NAPTR 100 50 "s" "SIP+D2U"  "" _sip._udp.harte-lyne.ca.

;HOST TTL CLASS TYPE ORDER PREF PORT TARGET
_sips._tcp.harte-lyne.ca. 300 IN SRV 10 10 5061 voinet09.hamilton.harte-lyne.ca.
_sip._tcp.harte-lyne.ca.  300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
_sip._udp.harte-lyne.ca.  300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.

However, our phones are configured to use SIP accounts having the form account@ipv4-addr. I doubt greatly that the Snom870s will perform a reverse DNS lookup on the provider’s IPv4 to discover the forward zone domain and thus I do not believe that SRV RRs can help us in this instance. They certainly do not seem to have any effect.

Asterisk seems not to distinguish between 5060 and 5061 regardless of protocol. I am not sure then how to proceed. Is there a way to force Asterisk to talk to port TCP5061 on a specific device? Is this an exclusive setting?

This long background is by way of asking for help. If I have not provided specific information that is significant to this problem then I will do so if asked.

What I am attempting has to be possible. Somehow. And somebody must have already accomplished this. Somewhere.
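The NAPTR/SRV records above are only consulted when the phone has a domain to ask about, which is the point the post makes about account@ipv4-addr. The following Python is an added example, not from the thread or from Snom or Asterisk: it re-implements the RFC 3263 selection order over a constructed copy of the zone fragment quoted above (owner names made explicit, straight quotes) and shows that a TLS-capable client honouring those records would try _sips._tcp on 5061 first, while an account registered against a bare IP literal yields no domain to query at all. The SRV weight step uses a fixed sort instead of the randomised pick of RFC 2782; that simplification is mine.

```python
"""RFC 3263-style transport selection over NAPTR/SRV records.

Added example, not from the thread: shows what a phone that honours the
NAPTR/SRV records quoted in the post would pick for harte-lyne.ca, and why
an account registered against a bare IPv4 literal never consults them.
"""
import ipaddress

# Constructed copy of the zone fragment from the post (owner names made
# explicit, straight quotes); the values are the ones shown in the thread.
ZONE = """\
harte-lyne.ca. 300 IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.harte-lyne.ca.
harte-lyne.ca. 300 IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.harte-lyne.ca.
harte-lyne.ca. 300 IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.harte-lyne.ca.
_sips._tcp.harte-lyne.ca. 300 IN SRV 10 10 5061 voinet09.hamilton.harte-lyne.ca.
_sip._tcp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
_sip._udp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
"""

# NAPTR service tags defined for SIP (RFC 3263 section 4.1) -> transport name
SERVICE_TRANSPORT = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp"}


def _name(s):
    """Normalise a DNS name: lower-case, no trailing dot."""
    return s.lower().rstrip(".")


def parse_zone(text):
    """Parse the NAPTR and SRV lines of a zone fragment into plain dicts."""
    naptr, srv = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        f = line.split()
        owner, rtype = _name(f[0]), f[3].upper()
        if rtype == "NAPTR":
            naptr.append({
                "owner": owner,
                "order": int(f[4]), "pref": int(f[5]),
                "flags": f[6].strip('"').lower(),
                "service": f[7].strip('"').upper(),
                "replacement": _name(f[9]),
            })
        elif rtype == "SRV":
            srv.setdefault(owner, []).append({
                "priority": int(f[4]), "weight": int(f[5]),
                "port": int(f[6]), "target": _name(f[7]),
            })
    return naptr, srv


def resolve_sip_targets(domain, zone_text, supported=("tls", "tcp", "udp")):
    """Return (transport, target, port) tuples in the order a client should try.

    NAPTR records are taken by ascending ORDER then PREF; only the "s" flag
    (points at an SRV record) and services the client supports are used.
    SRV records are ordered by ascending priority, then descending weight
    (the random weighted pick of RFC 2782 is replaced by a fixed sort here).
    """
    naptr, srv = parse_zone(zone_text)
    rows = [r for r in naptr
            if r["owner"] == _name(domain) and r["flags"] == "s"
            and SERVICE_TRANSPORT.get(r["service"]) in supported]
    targets = []
    for r in sorted(rows, key=lambda x: (x["order"], x["pref"])):
        transport = SERVICE_TRANSPORT[r["service"]]
        for s in sorted(srv.get(r["replacement"], []),
                        key=lambda x: (x["priority"], -x["weight"])):
            targets.append((transport, s["target"], s["port"]))
    return targets


def registrar_domain(account):
    """Return the domain to query for an account of the form user@host,
    or None when host is an IP literal (no NAPTR/SRV lookup applies)."""
    host = account.rsplit("@", 1)[-1]
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return _name(host)


if __name__ == "__main__":
    for t in resolve_sip_targets("harte-lyne.ca", ZONE):
        print("%-3s %s:%d" % t)
    print("41712@192.168.6.112 ->", registrar_domain("41712@192.168.6.112"))
```

Running it lists tls/5061, tcp/5060, udp/5060 in that order for harte-lyne.ca, and None for the IP-literal account: a phone registered to 192.168.6.112 has nothing to resolve, so the records cannot steer it to 5061.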

9 thoughts on - TLS, SRTP, Asterisk11 And Snom870s

  • On 03.03.2015 at 18:16, James B. Byrne wrote:
    Forget about the reverse DNS stuff for the moment.

    Do simple SIP accounts (without SRTP/SRTP and deny/permit stuff) work?

    Enable SRTP, but you likely need the AES-80 for SRTP Auth-tag.

    Then try the rest.

    jg

  • JBB> tcpenable=yes
    JBB> tlsenable=yes
    JBB> tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
    JBB> tlscafile=/etc/pki/tls/certs/ca-bundle.crt
    JBB> tlsdontverifyserver=yes
    JBB> tlscipher=ALL
    JBB> tlsclientmethod=tlsv1

    You are missing the tls key.

    The config name is tlsprivatekey; set that to the filename of your tls key, akin to how tlscertfile is set.

    -JimC

  • The Snom870s and our Asterisk FreePBX are communicating with each other and have been for the past two years. The Snoms are configured for AES-80 and SRTP is enabled on the FreePBX device entry. We have a working PBX system. I am trying to secure it.

  • Thank you. The settings in sip_general_additional.conf are now:

    tcpenable=yes
    tlsenable=yes
    tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.pem
    tlscafile=/etc/pki/tls/certs/ca-bundle.crt
    tlsdontverifyserver=yes
    tlscipher=ALL
    tlsclientmethod=tlsv1
    tlsprivatekey=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.key

    However, issuing 'amportal a r' still results in this error:

    [2015-03-03 15:40:42] ERROR[13681]: tcptls.c:875
    ast_tcptls_client_start: Unable to connect SIP socket to
    192.168.6.112:5060: Connection refused

  • I reconfigured sip.conf to have these settings:

    tcpenable=yes
    tlsenable=yes
    tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.pem
    tlscafile=/etc/pki/tls/certs/ca-bundle.crt
    tlsdontverifyserver=yes
    tlscipher=ALL
    tlsclientmethod=tlsv1
    tlsprivatekey=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.key
    tcpbindaddr=0.0.0.0/0.0.0.0:5061
    tlsbindaddr=0.0.0.0/0.0.0.0:5061

    Following amportal a r I see this:

    [2015-03-03 16:26:48] ERROR[17130]: tcptls.c:875
    ast_tcptls_client_start: Unable to connect SIP socket to
    192.168.6.112:5060: Connection refused

    This is what sip show settings reveals:

    Global Settings:
    ————–
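The settings that have been iterated through this thread (the missing tlsprivatekey, tlsdontverifyserver=yes, tlscipher=ALL, a TLS-only peer whose stored port is 5060) are all visible in the sip.conf text, so they can be linted before reloading. The following Python is an added example, not Asterisk's or FreePBX's code: it parses a sip.conf-style fragment (lines before any [section] are treated as [general], as with sip_general_additional.conf) and reports those settings. The sample configuration is a constructed copy of the one quoted above plus the test peer; the file paths are used only as strings, and the port-5060 check is a heuristic of mine based on the "Connection refused ... :5060" errors in this thread.

```python
"""Configuration lint for the chan_sip TLS settings discussed in this thread.

Added example, not Asterisk's code and not FreePBX's: parses a sip.conf-style
fragment and reports the settings that, in this thread, stopped TLS from
working or weaken it.
"""
import re

# Constructed sample: the [general] fragment from the thread after the
# tlsprivatekey line was added, plus the test peer from the original post.
SAMPLE = """\
tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.pem
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1
tlsprivatekey=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.key

[41712]
host=dynamic
port=5060
qualify=yes
transport=tls
encryption=yes
"""


def parse_sip_conf(text):
    """Return {section: {key: value}}; lines before any [section] go to general."""
    sections, current = {"general": {}}, "general"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ; comments
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def lint_tls(text):
    """Return a list of (severity, section, message) findings."""
    cfg = parse_sip_conf(text)
    g = cfg["general"]
    out = []
    if g.get("tlsenable", "no").lower() == "yes":
        if not g.get("tlscertfile"):
            out.append(("error", "general", "tlsenable=yes but tlscertfile is not set"))
        if not g.get("tlsprivatekey"):
            out.append(("error", "general",
                        "tlsenable=yes but tlsprivatekey is not set (the fix given in this thread)"))
        if g.get("tlsdontverifyserver", "no").lower() == "yes":
            out.append(("warn", "general",
                        "tlsdontverifyserver=yes disables peer certificate checks on outbound TLS"))
        if g.get("tlscipher", "").upper() == "ALL":
            out.append(("warn", "general",
                        "tlscipher=ALL admits every cipher OpenSSL knows, including weak ones"))
        if g.get("tlsclientmethod", "").lower() == "tlsv1":
            out.append(("info", "general",
                        "tlsclientmethod=tlsv1 pins outbound connections to TLS 1.0"))
        if "tlsbindaddr" not in g:
            out.append(("info", "general",
                        "tlsbindaddr not set; chan_sip's default TLS port is 5061 (set it explicitly)"))
    for name, peer in cfg.items():
        if name == "general":
            continue
        transports = [t.strip().lower() for t in peer.get("transport", "udp").split(",")]
        # Heuristic from this thread: a TLS-first peer with port=5060 is
        # qualified over TLS on 5060, which a phone expecting TLS on 5061 refuses.
        if transports[0] == "tls" and peer.get("port") == "5060":
            out.append(("warn", name,
                        "transport=tls with port=5060: qualify/outbound TLS goes to 5060, "
                        "which a phone expecting TLS on 5061 refuses"))
        if peer.get("encryption", "no").lower() == "yes" and "tls" not in transports:
            out.append(("warn", name,
                        "encryption=yes (SRTP) without TLS signalling sends the SRTP keys in clear-text SDP"))
    return out


if __name__ == "__main__":
    for severity, section, message in lint_tls(SAMPLE):
        print("%-5s [%s] %s" % (severity, section, message))
```

Run against the sample it reports no missing key (the tlsprivatekey line is present), but still flags tlsdontverifyserver=yes, tlscipher=ALL, the TLS 1.0 pin, the unset tlsbindaddr, and the port-5060 peer; commenting the tlsprivatekey line out reproduces the "missing key" finding JimC pointed out.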

  • Other things to consider:

    The transport config, which can be in [general] or in a peer’s [] block.
    if you want tls-only, use transport=tls
    it also accepts tcp, udp or a comma-separated list.
    if given a list, it tries them in order

    If you need ast to register over tls, use something like this:

    register => tls://username:xxxxxx@sip-tls-proxy.example.org

    (copied from the example sip.conf).

    Set tlsbindaddr to the address to which to bind(2) the tls socket. tlsbindaddr=0.0.0.0 is typical in ipv4-only configs.

    -JimC

  • The specific device I am using to test this with has only transport=tls set. Which is why it cannot register because the default fall-back to udp is not permitted.

    Does this go in the device context? In other words is it placed in the same context that the device’s transport value is set? Would the following be valid?

    [device]
    register => tls://user:extension@192.168.6.112:5061

    How would multiple users at a single device be handled?

    Presumably this is equivalent to tlsbindaddr=0.0.0.0/0.0.0.0? Is the syntax tlsbindaddr=0.0.0.0/0.0.0.0:5061 also correct?

  • This seems to me to be getting down to some sort of problem with configuring the Snom-870.

    When I register the device 41712 (set up for transport=tls only) then I see this in the SIP trace:

    Sent to udp:192.168.6.9:5060 at 4/3/2015 09:07:36:813 (836 bytes):

    REGISTER sip:voinet09.internal.hamilton.harte-lyne.ca:5061 SIP/2.0
    Via: SIP/2.0/UDP 192.168.6.112:5060;branch=z9hG4bK-udx92poqese6;rport
    From: "James B Byrne" ;tag=frgaimnglp
    To: "James B Byrne"
    Call-ID: 710000004941-gk6y4evf6dci
    CSeq: 482 REGISTER
    Max-Forwards: 70
    Contact: ;reg-id=1;q=1.0;+sip.instance="";audio;mobility="fixed";duplex="full";description="snom870";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
    User-Agent: snom870/8.7.3.25.5
    Allow-Events: dialog
    X-Real-IP: 192.168.6.112
    Supported: path, gruu
    Expires: 3600
    Content-Length: 0

    The SNOM-870 is sending registration via UDP and not by TLS. Is that how things are supposed to work? If only TLS is enabled in Asterisk for that peer then evidently the peer cannot register. But is registration supposed to be done via TLS? If so then how does one configure the Snom to do so?
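The trace answers its own question once the topmost Via header is compared with the peer's transport policy: the Request-URI names port 5061 but the request was sent as SIP/2.0/UDP from 192.168.6.112:5060. The following Python is an added example, not from the thread and not Asterisk's or Snom's code: it parses a constructed copy of that REGISTER (the URIs the archive stripped from From/To/Contact are left out) and reports a request whose Via transport is not in the peer's transport= list, which is the kind of check one would run over a SIP capture to confirm a phone is still registering in the clear.

```python
"""Check a captured SIP request against a peer's transport policy.

Added example, not from the thread: parses the REGISTER quoted above and
reports the mismatch between the transport the phone used (Via: SIP/2.0/UDP)
and the transport=tls policy of the Asterisk peer.
"""

# Constructed copy of the trace quoted above (headers only, CRLF line
# endings, URIs stripped by the archive left out).
REGISTER = (
    "REGISTER sip:voinet09.internal.hamilton.harte-lyne.ca:5061 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.6.112:5060;branch=z9hG4bK-udx92poqese6;rport\r\n"
    'From: "James B Byrne" ;tag=frgaimnglp\r\n'
    'To: "James B Byrne"\r\n'
    "Call-ID: 710000004941-gk6y4evf6dci\r\n"
    "CSeq: 482 REGISTER\r\n"
    "Max-Forwards: 70\r\n"
    "User-Agent: snom870/8.7.3.25.5\r\n"
    "Supported: path, gruu\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_sip_request(raw):
    """Split a SIP request into (method, request_uri, headers); folded header
    lines are joined and header names lower-cased. Values are kept in lists
    because headers such as Via may repeat."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:      # RFC 3261 line folding
            headers[last][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return method, uri, headers


def via_transport(headers):
    """Transport named in the topmost Via header (UDP/TCP/TLS), upper-cased."""
    top = headers["via"][0]                       # "SIP/2.0/UDP 192.168.6.112:5060;..."
    return top.split()[0].split("/")[2].upper()


def uri_port(uri, default=5060):
    """Port from a sip:/sips: URI, default 5060 when none is given."""
    hostport = uri.split(":", 1)[1].split(";", 1)[0].split("@")[-1]
    if hostport.endswith("]"):                    # bracketed IPv6 literal, no port
        return default
    _host, sep, port = hostport.rpartition(":")
    return int(port) if sep and port.isdigit() else default


def check_transport_policy(raw, allowed):
    """Return a finding dict when the request's Via transport is not in the
    peer's allowed list (the chan_sip transport= value), else None."""
    method, uri, headers = parse_sip_request(raw)
    used = via_transport(headers)
    allowed_up = [a.strip().upper() for a in allowed.split(",")]
    if used in allowed_up:
        return None
    return {
        "method": method,
        "user_agent": headers.get("user-agent", ["?"])[0],
        "sent_via": used,
        "sent_from": headers["via"][0].split()[1].split(";")[0],
        "requested_port": uri_port(uri),
        "allowed": allowed_up,
    }


if __name__ == "__main__":
    finding = check_transport_policy(REGISTER, "tls")
    if finding:
        print("%(method)s from %(user_agent)s at %(sent_from)s arrived over "
              "%(sent_via)s (allowed: %(allowed)s); Request-URI port %(requested_port)d"
              % finding)
```

With the peer set to transport=tls the check reports the REGISTER as sent over UDP from 192.168.6.112:5060 while naming port 5061 in the Request-URI; with the original transport=tls,udp,tcp list it is silent, which matches the thread's observation that the phone only registers when UDP fall-back is permitted.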