Re: [asterisk-users] TLS, SRTP, Asterisk11 and Snom870s

2015-03-04 Thread James B. Byrne
This seems to me to be getting down to some sort of problem with
configuring the Snom-870.

when I register the device 41712 (set up for transport=tls only) then
I see this in the SIP trace:


Sent to udp:192.168.6.9:5060 at 4/3/2015 09:07:36:813 (836 bytes):

REGISTER sip:voinet09.internal.hamilton.harte-lyne.ca:5061 SIP/2.0
Via: SIP/2.0/UDP 192.168.6.112:5060;branch=z9hG4bK-udx92poqese6;rport
From: "James B Byrne" <sip:41...@voinet09.internal.hamilton.harte-lyne.ca:5061>;tag=frgaimnglp
To: "James B Byrne" <sip:41...@voinet09.internal.hamilton.harte-lyne.ca:5061>
Call-ID: 71004941-gk6y4evf6dci
CSeq: 482 REGISTER
Max-Forwards: 70
Contact: <sip:41712@192.168.6.112:5060;line=0p8zx4sh>;reg-id=1;q=1.0;+sip.instance="<urn:uuid:ad1349a7-e08d-411b-83b0-000413281B56>";audio;mobility=fixed;duplex=full;description=snom870;actor=principal;events=dialog;methods=INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO
User-Agent: snom870/8.7.3.25.5
Allow-Events: dialog
X-Real-IP: 192.168.6.112
Supported: path, gruu
Expires: 3600
Content-Length: 0


The SNOM-870 is sending registration via UDP and not by TLS.  Is that
how things are supposed to work?  If only TLS is enabled in Asterisk
for that peer then evidently the peer cannot register.  But is
registration supposed to be done via TLS?  If so then how does one
configure the Snom to do so?

-- 
***  E-Mail is NOT a SECURE channel  ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
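The check below is an added example, not part of the thread or of Asterisk: it parses the REGISTER from the SIP trace above and compares the transport the phone actually used, read from the top Via header, with the transport the peer is configured for, and separately notes when the Request-URI names the TLS port 5061 while the Via transport is not TLS. The sample message is constructed from the posted trace with the wrapped header lines rejoined and the elided user part written as 41712; branch, tag and Call-ID values are kept as posted.

```python
import re

# Constructed sample: the REGISTER from the trace above, header lines rejoined,
# elided From/To user part written as 41712 (hypothetical), feature tags trimmed.
SAMPLE_REGISTER = (
    "REGISTER sip:voinet09.internal.hamilton.harte-lyne.ca:5061 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.6.112:5060;branch=z9hG4bK-udx92poqese6;rport\r\n"
    "From: \"James B Byrne\" <sip:41712@voinet09.internal.hamilton.harte-lyne.ca:5061>;tag=frgaimnglp\r\n"
    "To: \"James B Byrne\" <sip:41712@voinet09.internal.hamilton.harte-lyne.ca:5061>\r\n"
    "Call-ID: 71004941-gk6y4evf6dci\r\n"
    "CSeq: 482 REGISTER\r\n"
    "Max-Forwards: 70\r\n"
    "Contact: <sip:41712@192.168.6.112:5060;line=0p8zx4sh>;reg-id=1;q=1.0\r\n"
    "User-Agent: snom870/8.7.3.25.5\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Transport token of a Via header value: "SIP/2.0/UDP 192.168.6.112:5060;..."
VIA_RE = re.compile(r"^SIP/2\.0/([A-Za-z]+)\s")


def parse_sip_request(raw):
    """Split a SIP request into request line and headers.
    Header names are lower-cased; only the first occurrence of each is kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return {"method": method, "uri": uri, "version": version, "headers": headers}


def via_transport(msg):
    """Transport the message was actually sent over, taken from the top Via header."""
    m = VIA_RE.match(msg["headers"].get("via", ""))
    if not m:
        raise ValueError("missing or malformed Via header")
    return m.group(1).upper()


def request_uri_port(msg):
    """Port in the Request-URI; defaults to 5060 for sip: and 5061 for sips:."""
    scheme, _, rest = msg["uri"].partition(":")
    hostport = rest.split(";", 1)[0]              # drop URI parameters
    _host, sep, port = hostport.rpartition(":")
    if sep and port.isdigit():
        return int(port)
    return 5061 if scheme == "sips" else 5060


def check_registration(raw, expected_transport):
    """Findings for a REGISTER that should have arrived over expected_transport."""
    msg = parse_sip_request(raw)
    actual = via_transport(msg)
    expected = expected_transport.upper()
    findings = []
    if actual != expected:
        findings.append(f"REGISTER arrived over {actual}, but the peer is configured for {expected}")
    if actual != "TLS" and request_uri_port(msg) == 5061:
        findings.append("Request-URI uses the TLS port 5061 while the Via transport is "
                        f"{actual}: the phone targets the TLS port without using TLS")
    return findings


if __name__ == "__main__":
    for finding in check_registration(SAMPLE_REGISTER, "tls"):
        print(finding)
```

The Via header is the right place to look because it is written by the sender for its own transport; the Request-URI only says where the phone thinks the registrar is. A peer set to transport=tls in chan_sip will not accept this UDP registration, which matches the behaviour reported above.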


Re: [asterisk-users] TLS, SRTP, Asterisk11 and Snom870s

2015-03-03 Thread James Cloos
>>>>> "JBB" == James B Byrne <byrn...@harte-lyne.ca> writes:

JBB> tcpenable=yes
JBB> tlsenable=yes
JBB> tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
JBB> tlscafile=/etc/pki/tls/certs/ca-bundle.crt
JBB> tlsdontverifyserver=yes
JBB> tlscipher=ALL
JBB> tlsclientmethod=tlsv1

You are missing the tls key.

The config name is tlsprivatekey; set that to the filename of your tls
key, akin to how tlscertfile is set.

-JimC
-- 
James Cloos cl...@jhcloos.com OpenPGP: 0x997A9F17ED7DAEA6



Re: [asterisk-users] TLS, SRTP, Asterisk11 and Snom870s

2015-03-03 Thread James B. Byrne
These are the sip settings on our installation.

Global Settings:

  UDP Bindaddress:0.0.0.0:5060
  TCP SIP Bindaddress:0.0.0.0:5060
  TLS SIP Bindaddress:(null)
  Videosupport:   No
  Textsupport:No
  Ignore SDP sess. ver.:  No
  AutoCreate Peer:Off
  Match Auth Username:No
  Allow unknown access:   Yes
  Allow subscriptions:Yes
  Allow overlap dialing:  Yes
  Allow promisc. redir:   No
  Enable call counters:   No
  SIP domain support: No
  Realm. auth:No
  Our auth realm  asterisk
  Use domains as realms:  No
  Call to non-local dom.: Yes
  URI user is phone no:   No
  Always auth rejects:Yes
  Direct RTP setup:   No
  User Agent: FPBX-12.0.40(11.14.2)
  SDP Session Name:   Asterisk PBX 11.14.2
  SDP Owner Name: root
  Reg. context:   (not set)
  Regexten on Qualify:No
  Trust RPID: No
  Send RPID:  No
  Legacy userfield parse: No
  Send Diversion: Yes
  Caller ID:  Unknown
  From: Domain:
  Record SIP history: Off
  Call Events:On
  Auth. Failure Events:   Off
  T.38 support:   No
  T.38 EC mode:   Unknown
  T.38 MaxDtgrm:  4294967295
  SIP realtime:   Disabled
  Qualify Freq :  6 ms
  Q.850 Reason header:No
  Store SIP_CAUSE:No

Network QoS Settings:
---
  IP ToS SIP: CS3
  IP ToS RTP audio:   EF
  IP ToS RTP video:   AF41
  IP ToS RTP text:CS0
  802.1p CoS SIP: 4
  802.1p CoS RTP audio:   5
  802.1p CoS RTP video:   6
  802.1p CoS RTP text:5
  Jitterbuffer enabled:   No

Network Settings:
---
  SIP address remapping:  Enabled using externaddr
  Externhost: none
  Externaddr: 216.185.71.9:0
  Externrefresh:  10
  Localnet:   216.185.71.0/255.255.255.0
  192.168.6.0/255.255.255.0
  192.168.209.0/255.255.255.0
  192.168.216.0/255.255.255.0
  192.168.71.0/255.255.255.0

Global Signalling Settings:
---
  Codecs: (gsm|ulaw|alaw)
  Codec Order:ulaw:20,alaw:20,gsm:20
  Relax DTMF: No
  RFC2833 Compensation:   No
  Symmetric RTP:  Yes
  Compact SIP headers:No
  RTP Keepalive:  0 (Disabled)
  RTP Timeout:30
  RTP Hold Timeout:   300
  MWI NOTIFY mime type:   application/simple-message-summary
  DNS SRV lookup: No
  Pedantic SIP support:   Yes
  Reg. min duration   60 secs
  Reg. max duration:  3600 secs
  Reg. default duration:  120 secs
  Sub. min duration   60 secs
  Sub. max duration:  3600 secs
  Outbound reg. timeout:  20 secs
  Outbound reg. attempts: 0
  Outbound reg. retry 403:0
  Notify ringing state:   Yes
  Include CID:  No
  Notify hold state:  Yes
  SIP Transfer mode:  open
  Max Call Bitrate:   384 kbps
  Auto-Framing:   No
  Outb. proxy:not set
  Session Timers: Accept
  Session Refresher:  uas
  Session Expires:1800 secs
  Session Min-SE: 90 secs
  Timer T1:   500
  Timer T1 minimum:   100
  Timer B:32000
  No premature media: Yes
  Max forwards:   70

Default Settings:
-
  Allowed transports: UDP
  Outbound transport: UDP
  Context:from-sip-external
  Record on feature:  automon
  Record off feature: automon
  Force rport:Yes
  DTMF:   rfc2833
  Qualify:0
  Keepalive:  0
  Use ClientCode: No
  Progress inband:Never
  Language:
  Tone zone:  Not set
  MOH Interpret:  default
  MOH Suggest:
  Voice Mail Extension:   *97



Re: [asterisk-users] TLS, SRTP, Asterisk11 and Snom870s

2015-03-03 Thread jg

On 03.03.2015 at 18:16, James B. Byrne wrote:

CentOS-6.5 (FreePBX-2.6)
Asterisk-11.14.2 (FreePBX)
snom870-SIP 8.7.3.25.5

I am having a very difficult time attempting to get TLS and SRTP
working with Asterisk and anything else.  At the moment I am trying to
get TLS functioning with our Snom870 desk-sets.  And I am not having
much luck.

Since this is an extraordinarily (to me) Byzantine environment I am
going to ask if any of you have gotten this set-up (Asterisk11 with
Snom870s using TLS) to work and if so could you provide the details?

I have this in Asterisk sip.conf (loaded through FreePBXs
sip_general_additional.conf).

tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1

And I have this for the test device context:

[41712]
deny=0.0.0.0/0.0.0.0
secret=NearlyANastyThat
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
sendrpid=no
type=friend
nat=no
port=5060
qualify=yes
qualifyfreq=60
transport=tls,udp,tcp
avpf=no
force_avp=no
icesupport=no
encryption=yes
callgroup=
pickupgroup=
dial=SIP/41712
mailbox=41712@device
permit=192.168.6.0/255.255.255.0
callerid=James B Byrne 41712
callcounter=yes
faxdetect=no
cc_monitor_policy=generic

If I change the transport setting to TLS then I get this reported:

[2015-03-03 11:10:08] ERROR[22244]: tcptls.c:875
ast_tcptls_client_start: Unable to connect SIP socket to
192.168.6.112:5060: Connection refused

I cannot seem to configure the Snom870 to listen for TCP on 5060.
There is a setting for that on the phone but it seems to have no
effect (it always returns to NO following a reboot). The Snom website
says that the option is not available in FW8.5 and later. It does not
inform one of whether that the phone listens by default or not on
FW8.5+, only that the option has no effect.

It also does not say, as far as I can find, whether Snom870s listen
for TCP at all or on what port.  One may infer that since these
devices purport to support TLS that the answer is yes and that TCP5061
is a likely candidate.  But they do not seem to come right out and say
so anywhere.

In a section devoted to the Snom370, which is a model that we do not
employ, there is reference to DNS SRV RRs.  The inference drawn from
the examples given is that these will control what ports the Snom will
listen on for which services.

We have such records in our DNS zone. They look like this:

;# Configure sip/sips service records (VOIP)
;HOST                       TTL  CLASS  TYPE   ORDER  PREF  FLAGS  SERVICE     REGEXP  REPLACEMENT
                            300  IN     NAPTR  50     50    "s"    "SIPS+D2T"  ""      _sips._tcp.harte-lyne.ca.
                            300  IN     NAPTR  90     50    "s"    "SIP+D2T"   ""      _sip._tcp.harte-lyne.ca.
                            300  IN     NAPTR  100    50    "s"    "SIP+D2U"   ""      _sip._udp.harte-lyne.ca.

;HOST                       TTL  CLASS  TYPE   PRIORITY  WEIGHT  PORT  TARGET
_sips._tcp.harte-lyne.ca.   300  IN     SRV    10        10      5061  voinet09.hamilton.harte-lyne.ca.
_sip._tcp.harte-lyne.ca.    300  IN     SRV    10        10      5060  voinet09.hamilton.harte-lyne.ca.
_sip._udp.harte-lyne.ca.    300  IN     SRV    10        10      5060  voinet09.hamilton.harte-lyne.ca.

However, our phones are configured to use SIP accounts having the form
account@ipv4-addr.  I doubt greatly that the Snom870s will perform a
reverse DNS lookup on the provider's IPv4 to discover the forward zone
domain and thus I do not believe that SRV RRs can help us in this
instance.  They certainly do not seem to have any effect.

Asterisk seems not to distinguish between 5060 and 5061 regardless of
protocol.  I am not sure then how to proceed.  Is there a way to force
Asterisk to talk to port TCP5061 on a specific device?  Is this an
exclusive setting?

This long background is by way of asking for help.  If I have not
provided specific information that is significant to this problem then
I will do so if asked.

What I am attempting has to be possible.  Somehow.  And somebody must
have already accomplished this. Somewhere.


Forget about the reverse DNS stuff for the moment.

Do simple SIP accounts (without SRTP/SRTP and deny/permit stuff) work?

Enable SRTP, but you likely need the AES-80 for SRTP Auth-tag.

Then try the rest.

jg

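The walk below is an added example, not part of the thread: it carries out the RFC 3263 NAPTR-then-SRV selection a SIP client performs for a domain, using the three NAPTR and three SRV records quoted above (embedded inline, so nothing is resolved over the network). It shows two things: with those records a TLS-capable client ends up at voinet09.hamilton.harte-lyne.ca:5061 over TLS, and a registrar written as a bare IPv4 address, which is how the phones here are configured, never consults NAPTR or SRV at all (RFC 3263 section 4.1), so those records cannot steer such a phone. Weighted SRV selection is replaced by a deterministic choice, and only IPv4 host[:port] strings are handled.

```python
import ipaddress

# Records as posted in the thread; the owner of the NAPTR set is the zone apex.
NAPTR = {
    "harte-lyne.ca": [
        # (order, preference, flags, service, replacement)
        (50, 50, "s", "SIPS+D2T", "_sips._tcp.harte-lyne.ca"),
        (90, 50, "s", "SIP+D2T", "_sip._tcp.harte-lyne.ca"),
        (100, 50, "s", "SIP+D2U", "_sip._udp.harte-lyne.ca"),
    ],
}
SRV = {
    # name: [(priority, weight, port, target)]
    "_sips._tcp.harte-lyne.ca": [(10, 10, 5061, "voinet09.hamilton.harte-lyne.ca")],
    "_sip._tcp.harte-lyne.ca": [(10, 10, 5060, "voinet09.hamilton.harte-lyne.ca")],
    "_sip._udp.harte-lyne.ca": [(10, 10, 5060, "voinet09.hamilton.harte-lyne.ca")],
}
# NAPTR service field -> transport (SIPS+D2T means TLS over TCP)
SERVICE_TO_TRANSPORT = {"SIPS+D2T": "TLS", "SIP+D2T": "TCP", "SIP+D2U": "UDP"}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def locate(hostport, scheme="sip", supported=("TLS", "TCP", "UDP"), naptr=NAPTR, srv=SRV):
    """RFC 3263 section 4 for a URI host[:port] without a transport parameter.
    Returns (transport, host, port); IPv4 literals and hostnames only."""
    host, _, port = hostport.partition(":")
    default_transport, default_port = ("TLS", 5061) if scheme == "sips" else ("UDP", 5060)
    if _is_ip_literal(host) or port:
        # 4.1/4.2: a numeric address or an explicit port means no NAPTR/SRV lookups at all
        return (default_transport, host, int(port) if port else default_port)
    # NAPTR: lowest order first, then preference; keep "s" records for transports we support
    for order, pref, flags, service, replacement in sorted(naptr.get(host, []), key=lambda r: (r[0], r[1])):
        transport = SERVICE_TO_TRANSPORT.get(service)
        if flags != "s" or transport not in supported:
            continue
        if scheme == "sips" and transport != "TLS":
            continue                      # a sips: URI may only use TLS
        # SRV: lowest priority wins; highest weight stands in for RFC 2782 weighted choice
        records = sorted(srv.get(replacement, []), key=lambda r: (r[0], -r[1]))
        if records:
            _prio, _weight, srv_port, target = records[0]
            return (transport, target, srv_port)
    # No usable NAPTR: RFC 3263 would next try SRV names directly, then A/AAAA on the default port
    return (default_transport, host, default_port)


if __name__ == "__main__":
    print(locate("harte-lyne.ca"))             # TLS via the SIPS+D2T record
    print(locate("harte-lyne.ca", supported=("UDP",)))
    print(locate("192.168.6.9"))               # bare IPv4: no DNS, UDP on 5060
```

The order values (50, 90, 100) express the preference TLS, then TCP, then UDP, and a client that does not support TLS simply skips the first record. The last call is the case the thread is in: an account configured as user@ipv4-address gets neither NAPTR nor SRV treatment, so transport and port have to be set on the phone itself.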


Re: [asterisk-users] TLS, SRTP, Asterisk11 and Snom870s

2015-03-03 Thread James B. Byrne

On Tue, March 3, 2015 13:19, jg wrote:

> Forget about the reverse DNS stuff for the moment.
>
> Do simple SIP accounts (without SRTP/SRTP and deny/permit stuff) work?
>
> Enable SRTP, but you likely need the AES-80 for SRTP Auth-tag.
>
> Then try the rest.
>
> jg


The Snom870s and our Asterisk FreePBX are communicating with each
other and have been for the past two years.  The Snoms are configured
for AES-80 and SRTP is enabled on the FreePBX device entry. We have a
working PBX system.  I am trying to secure it.



Re: [asterisk-users] TLS, SRTP, Asterisk11 and Snom870s

2015-03-03 Thread James Cloos
Other things to consider:

The transport config, which can be in [general] or in a peer's [] block.
If you want tls-only, use transport=tls.
It also accepts tcp, udp or a comma-separated list.
If given a list, it tries them in order.

If you need ast to register over tls, use something like this:

   register = tls://username:xxx...@sip-tls-proxy.example.org

(copied from the example sip.conf).

Set tlsbindaddr to the address to which to bind(2) the tls socket.
tlsbindaddr=0.0.0.0 is typical in ipv4-only configs.

-JimC


Re: [asterisk-users] TLS, SRTP, Asterisk11 and Snom870s

2015-03-03 Thread James B. Byrne
I reconfigured sip.conf to have these settings:

tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.pem
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1
tlsprivatekey=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.key
tcpbindaddr=0.0.0.0/0.0.0.0:5061
tlsbindaddr=0.0.0.0/0.0.0.0:5061

Following 'amportal a r' I see this:


[2015-03-03 16:26:48] ERROR[17130]: tcptls.c:875
ast_tcptls_client_start: Unable to connect SIP socket to
192.168.6.112:5060: Connection refused

This is what 'sip show settings' reveals:


Global Settings:

  UDP Bindaddress:0.0.0.0:5060
  TCP SIP Bindaddress:0.0.0.0:5060
  TLS SIP Bindaddress:0.0.0.0:5061


Is it just me or is there something odd about specifying a TCP port
and then having it ignored?





Re: [asterisk-users] TLS, SRTP, Asterisk11 and Snom870s

2015-03-03 Thread James B. Byrne

On Tue, March 3, 2015 16:34, James Cloos wrote:
> Other things to consider:
>
> The transport config, which can be in [general] or in a peer's [] block.
> If you want tls-only, use transport=tls.
> It also accepts tcp, udp or a comma-separated list.
> If given a list, it tries them in order.


The specific device I am using to test this with has only
transport=tls set.  Which is why it cannot register because the
default fall-back to udp is not permitted.

> If you need ast to register over tls, use something like this:
>
>    register = tls://username:xxx...@sip-tls-proxy.example.org

Does this go in the device context?  In other words is it placed in
the same context that the device's transport value is set?  Would the
following be valid?

[device]
register = tls://user:extension@192.168.6.112:5061


How would multiple users at a single device be handled?


> (copied from the example sip.conf).
>
> Set tlsbindaddr to the address to which to bind(2) the tls socket.
> tlsbindaddr=0.0.0.0 is typical in ipv4-only configs.
>
> -JimC

Presumably this is equivalent to tlsbindaddr=0.0.0.0/0.0.0.0?  Is the
syntax tlsbindaddr=0.0.0.0/0.0.0.0:5061 also correct?




Re: [asterisk-users] TLS, SRTP, Asterisk11 and Snom870s

2015-03-03 Thread James B. Byrne

On Tue, March 3, 2015 13:37, James Cloos wrote:
> >>>>> "JBB" == James B Byrne <byrn...@harte-lyne.ca> writes:
>
> JBB> tcpenable=yes
> JBB> tlsenable=yes
> JBB> tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
> JBB> tlscafile=/etc/pki/tls/certs/ca-bundle.crt
> JBB> tlsdontverifyserver=yes
> JBB> tlscipher=ALL
> JBB> tlsclientmethod=tlsv1
>
> You are missing the tls key.
>
> The config name is tlsprivatekey; set that to the filename of your tls
> key, akin to how tlscertfile is set.
>
> -JimC

Thank you.  The settings in sip_general_additional.conf are now:

tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.pem
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1
tlsprivatekey=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.key


However, issuing 'amportal a r' still results in this error:



[2015-03-03 15:40:42] ERROR[13681]: tcptls.c:875
ast_tcptls_client_start: Unable to connect SIP socket to
192.168.6.112:5060: Connection refused

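The linter below is an added example, not part of the thread and not Asterisk code. It reads sip.conf-style text and reports the points raised across the messages above: in [general], a missing tlsprivatekey, an unset tlsbindaddr (the reason 'sip show settings' printed the TLS bind address as (null)), and the 0.0.0.0/0.0.0.0:5061 form on a bindaddr key, which is permit/deny netmask syntax rather than the addr[:port] a bind address takes and which the posted output shows was not applied; it also flags tlsdontverifyserver=yes and tlscipher=ALL as weakening settings and notes that tlsclientmethod affects only Asterisk's own outbound TLS connections, not the listener the phones use. For the peer block posted with transport=tls,udp,tcp and encryption=yes it reports that SDES SRTP keys are carried in the SDP, so any non-TLS signalling leg exposes the media key, and that transport=tls with qualify makes Asterisk send OPTIONS over TLS to the phone's contact address. That last point is my reading of the 'Connection refused' error quoted in the thread, not something the thread confirms. The sample configuration is constructed from the posted fragments with the secret replaced.

```python
import re

# Constructed sample: the [general] TLS lines and the [41712] peer as posted in the
# thread, with the secret replaced, unrelated keys dropped and tlsprivatekey still missing.
SAMPLE_SIP_CONF = """
[general]
tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1
tcpbindaddr=0.0.0.0/0.0.0.0:5061

[41712]
type=friend
host=dynamic
port=5060
qualify=yes
transport=tls,udp,tcp
encryption=yes
secret=REDACTED
"""

# bindaddr keys take addr[:port]: a dotted IPv4 or bracketed IPv6 literal, optional port
BINDADDR_RE = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|\[[0-9A-Fa-f:.]+\])(:\d{1,5})?$")


def parse_sip_conf(text):
    """Minimal sip.conf reader -> {section: {key: [values]}}.
    ';' starts a comment; repeated keys (permit/deny/allow) are kept in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")          # also accepts "key => value"
            current.setdefault(key.strip().lower(), []).append(value.lstrip(" >").strip())
    return sections


def _last(section, key):
    return section.get(key, [None])[-1]


def lint_general(g):
    """Findings for the [general] TLS settings; entries starting 'note:' are informational."""
    if _last(g, "tlsenable") != "yes":
        return ["tlsenable is not yes: chan_sip starts no TLS listener"]
    f = []
    if not _last(g, "tlscertfile"):
        f.append("tlscertfile not set: the listener has no certificate to present")
    if not _last(g, "tlsprivatekey"):
        f.append("tlsprivatekey not set: point it at the key file, as tlscertfile points at the cert")
    if _last(g, "tlsbindaddr") is None:
        f.append("tlsbindaddr not set: 'sip show settings' then shows the TLS bind address as (null); "
                 "use tlsbindaddr=0.0.0.0:5061")
    for key in ("tcpbindaddr", "tlsbindaddr"):
        v = _last(g, key)
        if v is not None and not BINDADDR_RE.match(v):
            f.append(f"{key}={v} is not addr[:port]: the /netmask form is permit/deny syntax and is not applied here")
    if _last(g, "tlsdontverifyserver") == "yes":
        f.append("tlsdontverifyserver=yes: Asterisk accepts any certificate on its outbound TLS connections")
    if (_last(g, "tlscipher") or "").upper() == "ALL":
        f.append("tlscipher=ALL: admits anonymous (aNULL) suites, which skip certificate authentication")
    if _last(g, "tlsclientmethod"):
        f.append(f"note: tlsclientmethod={_last(g, 'tlsclientmethod')} governs outbound TLS connections only, "
                 "not the listener the phones connect to")
    return f


def lint_peer(name, p):
    """Findings for one peer/friend block."""
    f = []
    transports = [t.strip().lower() for t in (_last(p, "transport") or "udp").split(",")]
    if _last(p, "encryption") == "yes" and any(t != "tls" for t in transports):
        f.append(f"[{name}] encryption=yes with transport={','.join(transports)}: SDES SRTP keys travel "
                 "in the SDP, so any udp/tcp leg sends the media key in clear")
    if transports[0] == "tls" and _last(p, "qualify") not in (None, "no", "0"):
        f.append(f"[{name}] transport=tls with qualify: OPTIONS go over TLS to the phone's contact address, "
                 "which must accept TLS there or qualify fails with 'Connection refused' (assumption)")
    return f


def lint(text):
    """Run both linters over a sip.conf text and return all findings."""
    conf = parse_sip_conf(text)
    findings = lint_general(conf.get("general", {}))
    for name, sec in conf.items():
        if name != "general" and _last(sec, "type") in ("peer", "friend", "user"):
            findings += lint_peer(name, sec)
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_SIP_CONF)))
```

Run against the posted fragments it reports the missing key, the unset TLS bind address, the rejected bindaddr syntax, the two weakening TLS options and both peer findings; with tlsprivatekey and tlsbindaddr=0.0.0.0:5061 added, tcpbindaddr written as 0.0.0.0:5060, transport=tls alone and a restricted cipher list, only the informational tlsclientmethod note remains.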