...
Tip: If your client requires a .p12 certificate file instead, you can generate that using openssl like:
...
Asterisk
...
chan_pjsip configuration
Now, let's configure Asterisk's PJSIP channel driver to use TLS.
In the pjsip.conf configuration file, you'll need to enable a TLS-capable transport. An example of one would resemble:
```
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1
```
Note the protocol, cert_file, priv_key_file, and method options. Here, we're using the TLS protocol, we're specifying the keys that we generated earlier for cert_file and priv_key_file and we're setting the method to TLSv1.
Next, you'll need to configure a TLS-capable endpoint. An example of one would resemble:
```
[malcolm]
type=aor
max_contacts=1
remove_existing=yes

[malcolm]
type=auth
auth_type=userpass
username=malcolm
password=useabetterpasswordplease

[malcolm]
type=endpoint
aors=malcolm
auth=malcolm
context=local
disallow=all
allow=g722
dtmfmode=rfc4733
media_encryption=sdes
```
Note the media_encryption option for the endpoint. In this case, we've configured an endpoint that will be using SDES encryption for RTP.
Asterisk chan_sip configuration
Or, if you are using chan_sip, you can use the following to assist.
In the sip.conf configuration file, set the following:
...
Here, we're enabling TLS support.
We're binding it to our local IPv4 wildcard (the port defaults to 5061 for TLS).
We've set the TLS certificate file to the one we created above.
We've set the Certificate Authority to the one we created above.
TLS Ciphers have been set to ALL, since it's the most permissive.
And we've set the TLS client method to TLSv1, since that's the preferred one for RFCs and for most clients.
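As an added example (not code from the Asterisk wiki or the Asterisk project), here is a small checker that reads the pjsip.conf objects shown above and the chan_sip settings this section describes, and reports where transport security is incomplete or weaker than intended. It carries its own parser because pjsip.conf reuses one section name (`[malcolm]`) for an aor, an auth and an endpoint, told apart only by `type=`, which a stock INI parser would merge. The pjsip.conf sample is the page's own fragments joined into one file; the sip.conf sample is constructed from the prose here using chan_sip's option names (`tlsenable`, `tlsbindaddr`, `tlscertfile`, `tlscafile`, `tlscipher`, `tlsclientmethod`, `transport`, `encryption`), with placeholder file names.

```python
import re
from typing import Dict, List, Optional, Tuple

Section = Tuple[str, Dict[str, str]]

# Protocol-version selectors that still permit SSLv3 or TLS 1.0/1.1.
WEAK_METHODS = {"sslv2", "sslv3", "sslv23", "tlsv1", "tlsv1_1"}


def parse_asterisk_conf(text: str) -> List[Section]:
    """Return every [section] in file order, duplicates kept, as (name, options)."""
    sections: List[Section] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)   # "[name]" or "[name](template)"
        if header:
            current = {}
            sections.append((header.group(1), current))
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")          # also accepts "key => value"
        current[key.strip().lower()] = value.lstrip(">").strip()
    return sections


def lint_pjsip(text: str) -> List[str]:
    """Check TLS transports for cert/key and method, and endpoints for SRTP."""
    findings: List[str] = []
    sections = parse_asterisk_conf(text)
    tls_transports = [(n, o) for n, o in sections
                      if o.get("type") == "transport" and o.get("protocol") == "tls"]
    if not tls_transports:
        findings.append("no transport with protocol=tls")
    for name, opts in tls_transports:
        for key in ("cert_file", "priv_key_file"):
            if key not in opts:
                findings.append(f"transport {name}: {key} is not set")
        method = opts.get("method", "default").lower()
        if method in WEAK_METHODS:
            findings.append(f"transport {name}: method={method} allows a deprecated protocol version")
    for name, opts in sections:
        if opts.get("type") == "endpoint" and opts.get("media_encryption", "no") == "no":
            findings.append(f"endpoint {name}: media_encryption is off, RTP is cleartext")
    return findings


def lint_chan_sip(text: str) -> List[str]:
    """Check [general] TLS options and each peer's transport/encryption pairing."""
    findings: List[str] = []
    sections = parse_asterisk_conf(text)
    general: Dict[str, str] = {}
    for name, opts in sections:
        if name == "general":
            general.update(opts)
    if general.get("tlsenable", "no").lower() != "yes":
        findings.append("general: tlsenable is not yes")
    if "tlscertfile" not in general:
        findings.append("general: tlscertfile is not set")
    if general.get("tlscipher", "").upper() == "ALL":
        findings.append("general: tlscipher=ALL accepts every cipher OpenSSL offers, weak ones included")
    if general.get("tlsclientmethod", "").lower() in WEAK_METHODS:
        findings.append(f"general: tlsclientmethod={general['tlsclientmethod']} allows a deprecated protocol version")
    for name, opts in sections:
        if name == "general" or "transport" not in opts:
            continue
        if "tls" in opts["transport"].lower() and opts.get("encryption", "no").lower() != "yes":
            findings.append(f"peer {name}: signalling uses TLS but encryption=yes is not set, RTP is cleartext")
    return findings


# The page's pjsip.conf fragments, joined into one constructed file.
PJSIP_CONF = """
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1

[malcolm]
type=aor
max_contacts=1

[malcolm]
type=endpoint
aors=malcolm
context=local
media_encryption=sdes
"""

# Constructed sip.conf matching the chan_sip settings described above; file names are placeholders.
SIP_CONF = """
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1

[malcolm]
type=friend
transport=tls
encryption=yes
"""

if __name__ == "__main__":
    for title, findings in (("pjsip.conf", lint_pjsip(PJSIP_CONF)),
                            ("sip.conf", lint_chan_sip(SIP_CONF))):
        print(title, "->", findings or ["no findings"])
```

Run against the page's configuration the checker flags `method=tlsv1` on the PJSIP transport and `tlscipher=ALL` plus `tlsclientmethod=tlsv1` in chan_sip, which is exactly the trade the section makes for client compatibility; replacing the method with a TLS 1.2 selector (`tlsv1_2` is assumed here to be accepted by the Asterisk version in use) and narrowing the cipher list clears them.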
Configuring a TLS-enabled SIP peer within Asterisk
Next, you'll need to configure a SIP peer within Asterisk to use TLS as a transport type. Here's an example:
...