Versions Compared

...

./ast_tls_cert -C pbx.mycompany.com -O "My Super Company" -d /etc/asterisk/keys -b 2048
  • The "-C" option is used to define our host, either a DNS name or an IP address.
  • The "-O" option defines our organizational name.
  • The "-d" option is the output directory of the keys.
  • The "-b" option specifies the size of the private key file, default is 1024 unless on master branch.
  1. You'll be asked to enter a pass phrase for /etc/asterisk/keys/ca.key, put in something that you'll remember for later.
  2. This will create the /etc/asterisk/keys/ca.crt file.
  3. You'll be asked to enter the pass phrase again, and then the /etc/asterisk/keys/asterisk.key file will be created.
  4. The /etc/asterisk/keys/asterisk.crt file will be automatically generated.
  5. You'll be asked to enter the pass phrase a third time, and the /etc/asterisk/keys/asterisk.pem will be created, a combination of the asterisk.key and asterisk.crt files.

...

./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C phone1.mycompany.com -O "My Super Company" -d /etc/asterisk/keys -o malcolm -b 2048
  • The "-m client" option tells the script that we want a client certificate, not a server certificate.
  • The "-c /etc/asterisk/keys/ca.crt" option specifies which Certificate Authority (ourselves) that we're using.
  • The "-k /etc/asterisk/keys/ca.key" provides the key for the above-defined Certificate Authority.
  • The "-C" option, since we're defining a client this time, is used to define the hostname or IP address of our SIP phone.
  • The "-O" option defines our organizational name.
  • The "-d" option is the output directory of the keys.
  • The "-o" option is the name of the key we're outputting.
  • The "-b" option specifies the size of the private key file, default is 1024 unless on master branch.
  1. You'll be asked to enter the pass phrase from before to unlock /etc/asterisk/keys/ca.key.

...

Tip: .p12 Client Certificates

If your client requires a .p12 certificate file instead, you can generate that using openssl like:

# openssl pkcs12 -export -out MySuperClientCert.p12 -inkey malcolm.key -in malcolm.crt -certfile ca.crt

The bundle is built from the client's own key and certificate (malcolm.key and malcolm.crt, produced by the "-o malcolm" run above), with ca.crt supplied as the issuing chain. The CA private key (ca.key) never goes into a file that is handed to a client.

...

Asterisk

...

chan_pjsip configuration

Now, let's configure Asterisk's PJSIP channel driver to use TLS.

In the pjsip.conf configuration file, you'll need to enable a TLS-capable transport.  An example of one would resemble:

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=sslv23

Note the protocol, cert_file, priv_key_file, and method options.  Here, we're using the TLS protocol, we're specifying the keys that we generated earlier for cert_file and priv_key_file, and we're setting the method to SSLv23.
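As an added check (example code written for this page, not from the Asterisk wiki or the Asterisk project): a POSIX shell audit of the [transport-tls] section above. It flags method=sslv23, which does not pin TLS 1.2 or newer, and prints a hardened copy that pins tlsv1_2 and, since the tutorial issues each phone a certificate signed by its own CA, enables verify_client with ca_list_file pointing at that CA. The pjsip.conf copy inside the block is constructed; method=tlsv1_2, verify_client and ca_list_file are pjsip transport options that this page itself does not use.

```shell
# Added example, not from the Asterisk wiki: audit a pjsip.conf TLS transport for
# the permissive settings the tutorial uses and print a hardened copy. POSIX sh + awk.
SAMPLE_CONF=$(mktemp)   # constructed copy of the tutorial's transport section
cat > "$SAMPLE_CONF" <<'EOF'
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=sslv23
EOF

# Print the key=value lines of one [section]; ';' comments and whitespace dropped.
section_settings() {  # $1 = file, $2 = section name (without brackets)
    awk -v want="[$2]" '
        /^\[/              { insec = ($0 == want); next }
        insec && /^[^;]+=/ { sub(/;.*/, ""); gsub(/[ \t]/, ""); print }
    ' "$1"
}

# Value of key $1 among key=value lines read from stdin (empty if absent).
value_of() { awk -F= -v k="$1" '$1 == k { print $2; exit }'; }
# Audit one TLS transport: one finding per line, status 0 only when the
# transport is TLS, names both key files and pins TLS 1.2 or newer.
audit_tls_transport() {  # $1 = file, $2 = section name
    settings=$(section_settings "$1" "$2")
    get() { printf '%s\n' "$settings" | value_of "$1"; }
    rc=0
    [ "$(get protocol)" = tls ]   || { echo "protocol is not tls"; rc=1; }
    [ -n "$(get cert_file)" ]     || { echo "cert_file not set"; rc=1; }
    [ -n "$(get priv_key_file)" ] || { echo "priv_key_file not set"; rc=1; }
    method=$(get method)
    case "$method" in
        tlsv1_2|tlsv1_3) ;;
        *) echo "method=${method:-unset} does not pin TLS 1.2 or newer"; rc=1 ;;
    esac
    return "$rc"
}

# Same transport with the weak points fixed: TLS 1.2 pinned, and the client
# certificates the tutorial issues to phones verified against its own CA.
hardened_transport() {  # $1 = file, $2 = section name
    printf '[%s]\n' "$2"
    section_settings "$1" "$2" | awk -F= '$1 != "method"'
    printf 'method=tlsv1_2\nverify_client=yes\nca_list_file=/etc/asterisk/keys/ca.crt\n'
}
audit_tls_transport "$SAMPLE_CONF" transport-tls || echo "--- hardened version:"
hardened_transport "$SAMPLE_CONF" transport-tls
```

With verify_client=yes a phone that presents no certificate signed by ca.crt is refused at the TLS handshake, so roll the client certificates out before switching it on.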

Next, you'll need to configure a TLS-capable endpoint.  An example of one would resemble:

[malcolm]
type=aor
max_contacts=1
remove_existing=yes
 
[malcolm]
type=auth
auth_type=userpass
username=malcolm
password=useabetterpasswordplease
 
[malcolm]
type=endpoint
aors=malcolm
auth=malcolm
context=local
disallow=all
allow=g722
dtmf_mode=rfc4733
media_encryption=sdes
 

Note the media_encryption option for the endpoint.  In this case, we've configured an endpoint that will be using SDES encryption for RTP.

You might be tempted to add transport=transport-tls to the endpoint, but in pjproject versions at least as late as 2.4.5 this will cause issues like "Connection refused" in a few situations.  Let pjproject do the transport selection on its own.  If you still see issues, set rewrite_contact=yes in the endpoint configuration.

Asterisk chan_sip configuration

Or, if you are using chan_sip, you can use the following to assist.

In the sip.conf configuration file, set the following:

tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt

Here, we're enabling TLS support.
We're binding it to our local IPv4 wildcard (the port defaults to 5061 for TLS).
We've set the TLS certificate file to the one we created above.
We've set the Certificate Authority to the one we created above.
TLS Ciphers have been set to ALL, since it's the most permissive.
And we've set the TLS client method to TLSv1, since that's the preferred one for RFCs and for most clients.

Configuring a TLS-enabled SIP peer within Asterisk

Next, you'll need to configure a SIP peer within Asterisk to use TLS as a transport type. Here's an example:

...

Then, we need to modify the Account Preferences, and under the SIP Settings, we need to set the outbound proxy to connect to the TLS port and transport type on our Asterisk server. In this case, there's an Asterisk server running on port 5061 on host 10.24.13.224.

Now, we need to point the TLS account settings to the client certificate (malcolm.pem) that we copied to our computer.

...