[asterisk-users] Questions about sRTP

2013-06-20 Thread Mike Diehl
Hi all,

I'm getting ready to set up SIP/TLS and SRTP.  But I have a few questions.
The first one is that I was reading an article at:

https://supportforums.cisco.com/docs/DOC-15381

That indicated that Asterisk doesn't support TLS as an OPTIONAL transport.
It's either all or nothing.  Specifically, this is what it said:

==
*Note: There is no optional SRTP mode in Asterisk, i.e. if encryption is
active on peer, it will not accept non-ciphered audio and vice versa. On the
IP phones, however, it is possible to have unsecure calls if the other peer
does not support SRTP, i.e. incoming calls may work, but not outgoing
calls. This is an Asterisk limitation (Snom supports also the
“optional” mode on SRTP sending two m=audio attributes, but Asterisk does
not know how to handle those descriptors).*
==

This is from a quite dated article (2011), so I'm hoping that newer
versions of Asterisk will fall back on plaintext if TLS isn't available for
some reason.

Secondly, is there any way to detect if a call is secure from inside the
dialplan or AGI script?

I think that's all for now.

Thanks in advance,

Mike Diehl.
--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] Questions about sRTP

2013-06-20 Thread Joshua Colp

Mike Diehl wrote:

Hi all,

I'm getting ready to set up SIP/TLS and SRTP.  But I have a few
questions.  The first one is that I was reading an article at:

https://supportforums.cisco.com/docs/DOC-15381

That indicated that Asterisk doesn't support TLS as an OPTIONAL
transport.  It's either all or nothing.  Specifically, this is what it said:


Your statement is incorrect. Asterisk supports TLS as an optional 
signaling transport (although if you do SDES SRTP without it then 
someone can snoop on your keys and ultimately decrypt your media).


What it does not support is optional *SRTP*. If a device requests SRTP 
and it's not possible, the call will fail.


--
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at:  www.digium.com   www.asterisk.org



Re: [asterisk-users] Questions about sRTP

2013-06-20 Thread Mike Diehl
On Thu, Jun 20, 2013 at 2:05 PM, Joshua Colp jc...@digium.com wrote:

 Mike Diehl wrote:

 Hi all,

 I'm getting ready to set up SIP/TLS and SRTP.  But I have a few
 questions.  The first one is that I was reading an article at:

 https://supportforums.cisco.com/docs/DOC-15381

 That indicated that Asterisk doesn't support TLS as an OPTIONAL
 transport.  It's either all or nothing.  Specifically, this is what it
 said:


 Your statement is incorrect. Asterisk supports TLS as an optional
 signaling transport (although if you do SDES SRTP without it then someone
 can snoop on your keys and ultimately decrypt your media).

 What it does not support is optional *SRTP*. If a device requests SRTP and
 it's not possible, the call will fail.


So then, is it safe to say that Asterisk will ALLOW a secure phone call,
but the client has to REQUEST it?

I understand that requesting SRTP without SIP/TLS is evil; I just
misunderstood what I was reading.

I'm also thinking that the AGI script I use to route calls can check if
either leg of a call comes from or goes to port 5061 and play a sound file
to indicate that the call is 'secure.'  Does this seem reasonable?

Thanks,

Mike.

Re: [asterisk-users] Questions about sRTP

2013-06-20 Thread Matthew Jordan
On Thu, Jun 20, 2013 at 5:10 PM, Mike Diehl mdiehlena...@gmail.com wrote:



 On Thu, Jun 20, 2013 at 2:05 PM, Joshua Colp jc...@digium.com wrote:

 Mike Diehl wrote:

 Hi all,

 I'm getting ready to set up SIP/TLS and SRTP.  But I have a few
 questions.  The first one is that I was reading an article at:

 https://supportforums.cisco.com/docs/DOC-15381

 That indicated that Asterisk doesn't support TLS as an OPTIONAL
 transport.  It's either all or nothing.  Specifically, this is what it
 said:


 Your statement is incorrect. Asterisk supports TLS as an optional
 signaling transport (although if you do SDES SRTP without it then someone
 can snoop on your keys and ultimately decrypt your media).

 What it does not support is optional *SRTP*. If a device requests SRTP
 and it's not possible, the call will fail.


 So then, is it safe to say that Asterisk will ALLOW a secure phone call,
 but the client has to REQUEST it?

 I understand that requesting SRTP without SIP/TLS is evil; I just
 misunderstood what I was reading.

 I'm also thinking that the AGI script I use to route calls can check if
 either leg of a call comes from or goes to port 5061 and play a sound file
 to indicate that the call is 'secure.'  Does this seem reasonable?


You can query a channel using the CHANNEL function (
https://wiki.asterisk.org/wiki/display/AST/Function_CHANNEL) to see if the
channel currently supports secure communication, and you can request that
the outbound channel be made secure using the same function.

An example of doing this is on the wiki:

https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics

-- 
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com  http://asterisk.org
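
Added example, not part of the original thread and not Asterisk project code: a Python AGI script that reads the CHANNEL items `secure_signaling` and `secure_media` through the AGI command `GET FULL VARIABLE`, and reports a leg as secure only when both are set, because SDES keys sent over unencrypted signaling can be snooped. The sound file name `call-is-secure` is a hypothetical placeholder, and the parsing assumes the usual `200 result=1 (value)` AGI reply format.

```python
#!/usr/bin/env python3
"""AGI check: is this channel's signaling (TLS) and media (SRTP) protected?"""
import re
import sys

# Successful AGI reply carrying a value, e.g. "200 result=1 (1)"
REPLY = re.compile(r"^200 result=1 \((.*)\)\s*$")

def read_agi_env(rfile):
    """Consume the 'agi_key: value' header block Asterisk sends first."""
    env = {}
    for line in rfile:
        line = line.strip()
        if not line:  # a blank line ends the header block
            break
        key, _, value = line.partition(":")
        env[key.strip()] = value.strip()
    return env

def get_full_variable(expr, rfile, wfile):
    """Evaluate a dialplan expression; return its value, '' if unset."""
    wfile.write("GET FULL VARIABLE %s\n" % expr)
    wfile.flush()
    match = REPLY.match(rfile.readline())
    return match.group(1) if match else ""

def channel_security(rfile, wfile):
    """Return which protections the calling channel reports."""
    sig = get_full_variable("${CHANNEL(secure_signaling)}", rfile, wfile)
    media = get_full_variable("${CHANNEL(secure_media)}", rfile, wfile)
    return {"signaling": sig == "1", "media": media == "1"}

def is_secure(state):
    """SRTP alone is not enough: SDES keys travel in the SIP signaling."""
    return state["signaling"] and state["media"]

def main():
    read_agi_env(sys.stdin)
    state = channel_security(sys.stdin, sys.stdout)
    if is_secure(state):
        # 'call-is-secure' is a hypothetical sound file name
        sys.stdout.write("EXEC Playback call-is-secure\n")
        sys.stdout.flush()
        sys.stdin.readline()  # consume the reply to EXEC

if __name__ == "__main__":
    main()
```

The check reads the channel's own state rather than inferring it from a port number, so a TLS listener on a non-default port or an SRTP-less call over TLS is classified correctly.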