On 03.03.2015 at 18:16, James B. Byrne wrote:
CentOS-6.5 (FreePBX-2.6)
Asterisk-11.14.2 (FreePBX)
snom870-SIP 8.7.3.25.5

I am having a very difficult time attempting to get TLS and SRTP working with Asterisk and anything else. At the moment I am trying to get TLS functioning with our Snom870 desk-sets, and I am not having much luck. Since this is an extraordinarily (to me) Byzantine environment, I am going to ask if any of you have gotten this set-up (Asterisk 11 with Snom870s using TLS) to work and, if so, could you provide the details?

I have this in Asterisk sip.conf (loaded through FreePBX's sip_general_additional.conf):

    tcpenable=yes
    tlsenable=yes
    tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
    tlscafile=/etc/pki/tls/certs/ca-bundle.crt
    tlsdontverifyserver=yes
    tlscipher=ALL
    tlsclientmethod=tlsv1

And I have this for the test device context:

    [41712]
    deny=0.0.0.0/0.0.0.0
    secret=NearlyANastyThat
    dtmfmode=rfc2833
    canreinvite=no
    context=from-internal
    host=dynamic
    trustrpid=yes
    sendrpid=no
    type=friend
    nat=no
    port=5060
    qualify=yes
    qualifyfreq=60
    transport=tls,udp,tcp
    avpf=no
    force_avp=no
    icesupport=no
    encryption=yes
    callgroup=
    pickupgroup=
    dial=SIP/41712
    mailbox=41712@device
    permit=192.168.6.0/255.255.255.0
    callerid=James B Byrne <41712>
    callcounter=yes
    faxdetect=no
    cc_monitor_policy=generic

If I change the transport setting to TLS then I get this reported:

    [2015-03-03 11:10:08] ERROR[22244]: tcptls.c:875 ast_tcptls_client_start: Unable to connect SIP socket to 192.168.6.112:5060: Connection refused

I cannot seem to configure the Snom870 to listen for TCP on 5060. There is a setting for that on the phone but it seems to have no effect (it always returns to NO following a reboot). The Snom website says that the option is not available in FW8.5 and later. It does not inform one of whether the phone listens by default or not on FW8.5+, only that the option has no effect. It also does not say, as far as I can find, whether Snom870s listen for TCP at all or on what port.

One may infer that since these devices purport to support TLS that the answer is yes and that TCP 5061 is a likely candidate. But they do not seem to come right out and say so anywhere. In a section devoted to the Snom370, which is a model that we do not employ, there is reference to DNS SRV RRs. The inference drawn from the examples given is that these will control what ports the Snom will listen on for which services. We have such records in our DNS zone. They look like this:

    ;# Configure sip/sips service records (VOIP)
    ;HOST TTL CLASS TYPE ORDER PREF FLAGS SERVICE REGEXP REPLACEMENT
          300 IN NAPTR 50  50 "s" "SIPS+D2T" "" _sips._tcp.harte-lyne.ca.
          300 IN NAPTR 90  50 "s" "SIP+D2T"  "" _sip._tcp.harte-lyne.ca.
          300 IN NAPTR 100 50 "s" "SIP+D2U"  "" _sip._udp.harte-lyne.ca.
    ;HOST TTL CLASS TYPE ORDER PREF PORT TARGET
    _sips._tcp.harte-lyne.ca. 300 IN SRV 10 10 5061 voinet09.hamilton.harte-lyne.ca.
    _sip._tcp.harte-lyne.ca.  300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
    _sip._udp.harte-lyne.ca.  300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.

However, our phones are configured to use SIP accounts having the form account@ipv4-addr. I doubt greatly that the Snom870s will perform a reverse DNS lookup on the provider's IPv4 to discover the forward zone domain, and thus I do not believe that SRV RRs can help us in this instance. They certainly do not seem to have any effect.

Asterisk seems not to distinguish between 5060 and 5061 regardless of protocol. I am not sure then how to proceed. Is there a way to force Asterisk to talk to port TCP 5061 on a specific device? Is this an exclusive setting?

This long background is by way of asking for help. If I have not provided specific information that is significant to this problem then I will do so if asked. What I am attempting has to be possible. Somehow. And somebody must have already accomplished this. Somewhere.
Forget about the reverse DNS stuff for the moment. Do simple SIP accounts (without SRTP/SRTP and deny/permit stuff) work? Enable SRTP, but you likely need the AES-80 for SRTP Auth-tag. Then try the rest.

jg
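As an added example (not code from this thread, from Asterisk or from FreePBX), a small checker for the chan_sip TLS settings quoted in the question: it parses sip.conf fragments and reports the values that weaken the TLS leg (tlsdontverifyserver=yes, tlscipher=ALL, tlsclientmethod=tlsv1) and the port=5060 / transport=tls combination that matches the refused connection in the log. The option names are chan_sip's own; the rules and the reduced sample config are the reviewer's.

```python
import re

# Constructed sample: the TLS-relevant keys from the [general] and peer fragments in the post.
SAMPLE = """
[general]
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1

[41712]
port=5060
transport=tls,udp,tcp
"""

def parse_sip_conf(text):
    """Return {section: {key: value}} for an ini-style sip.conf fragment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment in sip.conf
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def tls_findings(conf):
    """Return (section, message) pairs for settings that weaken or break SIP over TLS."""
    out = []
    g = conf.get("general", {})
    if g.get("tlsdontverifyserver", "no").lower() == "yes":
        out.append(("general", "tlsdontverifyserver=yes skips certificate verification on outbound TLS"))
    if g.get("tlscipher", "").upper() == "ALL":
        out.append(("general", "tlscipher=ALL admits every non-NULL OpenSSL suite, legacy export ciphers included"))
    if g.get("tlsclientmethod", "").lower() in ("sslv2", "sslv3", "tlsv1"):
        out.append(("general", "tlsclientmethod=%s pins outbound connections to an obsolete protocol version" % g["tlsclientmethod"]))
    for name, peer in conf.items():
        if name == "general":
            continue
        transports = [t.strip().lower() for t in peer.get("transport", "udp").split(",")]
        port = peer.get("port")
        if "tls" in transports and port and port != "5061":
            out.append((name, "transport includes tls but port=%s; SIPS uses 5061 by convention (RFC 3261)" % port))
    return out
```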
