|Table of Contents|
This tutorial makes use of SRTP and TLS. SRTP support was added in Asterisk 1.8, TLS was added in 1.6.
So you'd like to make some secure calls.
Next, copy the malcolm.pem and ca.crt files to the computer running the Blink soft client.
If your client requires a .p12 certificate file instead, you can generate that using openssl like:
Asterisk chan_pjsip configuration
Now, let's configure Asterisk's PJSIP channel driver to use TLS.
In the sippjsip.conf configuration file, set the followingyou'll need to enable a TLS-capable transport. An example of one would resemble:
tlsenable=yes tlsbindaddr=[transport-tls] type=transport protocol=tls bind=0.0.0.0:5061 tlscertfilecert_file=/etc/asterisk/keys/asterisk.pem tlscafilecrt priv_key_file=/etc/asterisk/keys/caasterisk.crtkey tlscipher=ALL tlsclientmethod=tlsv1 ;none of the others seem to work with Blink as the client method=sslv23
Note the protocol, cert_file, priv_key_file, and method options. Here, we're using the TLS protocol, we're specifying the keys that we generated earlier for cert_file and priv_key_file and we're setting the method to SSLv23.
Next, you'll need to configure a TLS-capable endpoint. An example of one would resemble:
[malcolm] type=aor max_contacts=1 remove_existing=yes [malcolm] type=auth auth_type=userpass username=malcolm password=useabetterpasswordplease [malcolm] type=endpoint aors=malcolm auth=malcolm context=local disallow=all allow=g722 dtmf_mode=rfc4733 media_encryption=sdes
Note the media_encryption option for the endpoint. In this case, we've configured an endpoint that will be using SDES encryption for RTP.
You might be tempted to add a transport=transport-tls to the endpoint but in pjproject versions at least as late as 2.4.5, this will cause issues like Connection refused in a few situations. Let pjproject do the transport selection on its own. If you still see issues, set rewrite_contact = yes in the endpoint configuration.
Asterisk chan_sip configuration
Or, if you are using chan_sip, you can use the following to assist.
In the sip.conf configuration file, set the following:
tlsenable=yes tlsbindaddr=0.0.0.0 tlscertfile=/etc/asterisk/keys/asterisk.pem tlscafile=/etc/asterisk/keys/ca.crt
Here, we're enabling TLS support.
We're binding it to our local IPv4 wildcard (the port defaults to 5061 for TLS).
We've set the TLS certificate file to the one we created above.
We've set the Certificate Authority to the one we created above. TLS Ciphers have been set to ALL, since it's the most permissive.
And we've set the TLS client method to TLSv1, since that's the preferred one for RFCs and for most clients.
Configuring a TLS-enabled SIP peer within Asterisk
Next, you'll need to configure a SIP peer within Asterisk to use TLS as a transport type. Here's an example:
Then, we need to modify the Account Preferences, and under the SIP Settings, we need to set the outbound proxy to connect to the TLS port and transport type on our Asterisk server. In this case, there's an Asterisk server running on port 5061 on host 10.24.13.233224.
Now, we need to point the TLS account settings to the client certificate (malcolm.pem) that we copied to our computer.