2 Server Asterisk TLS

Hello, I'm new and I have configured two Asterisk servers for study purposes, and maybe for deployment, but I'm stuck on the TLS trunk. I didn't find any guide on how to make the handshake between the two servers. I have tried, but calls drop (bad config), so I've gone back to my backup.

I'm using only extensions.conf, pjsip.conf, iax.conf and voicemail.conf, on both servers.
server1: (configuration posted as a screenshot)

server2: (configuration posted as a screenshot)

iax: (configuration posted as a screenshot)

I really need a guide or steps on how to do it ( ./ast_tls_cert ), where and how on both servers if possible, and also what to change or add in extensions.conf, pjsip.conf and iax.conf.

Thanks a lot.

Your problem is that you are misusing the term server! Asterisk is both a SIP client and a SIP server, and every SIP dialogue involves both a client and a server. Asterisk itself is a daemon. I suppose you could call the machine running Asterisk a server, but that has nothing to do with the software configuration.

You would configure the transports at both ends of the trunk with the same CA certificate, and with their own user agent certificate and private key. That’s all at the transport level, and if you look at the documentation (the sample configuration file), it doesn’t use the terms client or server for the basic options. There are client and server specific options, but they are relative to which side set up the underlying TCP connection, at the time.

There should be nothing in other sections that differs, in principle, from a TCP connected "trunk" (not that SIP has the concept of a trunk), although you may want to set media_encryption if you also want the speech to be encrypted; but that is client/server agnostic.

I’m not sure what you are using iax2 for. That is most commonly used for tie trunks, but is firmly UDP, so your reference to TLS means that you must be using chan_pjsip for the tie trunk.

Also note that there is no point in saying calls just drop. You need to provide protocol logging showing how they are failing.

It looks like you edited your configuration files in after I started replying. As noted in my main reply, IAX2 is a UDP based protocol, so it cannot use the TCP based TLS transport layer.

I’m not familiar with IAX2, but having register at both ends would be wrong with SIP. One would normally do IP based matching. Normally you would not want to set a caller ID on a tie trunk, but rather pass the caller ID through unmodified.

Although I think googletts caches speech, it doesn’t seem an efficient use of resources, or a resilient design, to put constant text through text to speech on the fly; I would get it encoded once, to get a consistent voice, then Playback() the file. I assume you do use it with real dynamic text elsewhere, otherwise you would be better off just recording all your announcements locally.

I think people on the forum strongly prefer plain text files, not images. It is difficult to search, and to provide corrections to, images.


Alright, so for TLS I have to change the configuration; IAX2 doesn't support that, I see. Which .conf do I need to reconfigure? And for the part "configure the transports at both ends of the trunk with the same CA certificate": what do you mean by this one? Do I execute ./ast_ and copy all of them to the secondary one? Or how? Thanks.

I'd like it if there is documentation about that.

That appears to be garbled. There are scripts that take some short cuts in generating cryptographic material, but any procedure that produces TLS private keys and certificates and the certificate(s) from the CA used to sign them can be used, as long as it is done in a secure way. If you are going to use TLS, you need to understand the principles behind certificates, or you are very likely to make a system that isn’t really secure.

The general best practice is to generate private keys on each server and from them to generate signed public keys and challenges. You send the latter to your certifying authority (many FreePBX users use LetsEncrypt, but there can also be good reasons for using one managed by your own company; you can also use the traditional ones, like Verisign).

They will return certificates, which should be installed on the respective systems. The certifying authority's own certificate should be added to the list of CA certificates on all machines.

I believe the asterisk script works in two modes. In the server mode it first constructs a local certifying authority, then generates the private key and signed public key and challenge and gets the certifying authority it created to create the working certificate. In the client mode, it bypasses the creation of the certifying authority and just uses the one previously created. This all results in the secret keys for everything being stored on the same machine, rather than all being only on the machine that actually uses them, so doesn’t follow best security practice. (Actually the real mode switching is done by whether or not you tell it where the certifying authority key material is stored, rather than the client/server option, which just sets default names.)

IAX2 can also do encryption, but is not public key encryption, and definitely not TLS, and both machines must store the same secret, which is actually the password itself. Neither chan_pjsip nor chan_iax2 use TLS for media, although chan_pjsip can use the TLS session for the key exchange.


Do you recommend any docs, if there are any about that?

https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial


Thanks. Last question: besides what I have done (pjsip.conf and extensions.conf), which files are important for two servers? I mean which are required and which are not (including TLS), since you told me I can skip IAX2; just for knowledge.

asterisk.conf, pjsip.conf, modules.conf. I’m not sure if you have to have rtp.conf, or whether it will default without it. You don’t need extensions.conf, as there are other files and methods for defining extensions, but you will probably want it. However, I’ve always started from the full sample configuration, so I’ve never tried to see how few I can get away with.

Only pjsip.conf is specific to TLS support on pjsip, although you will need to ensure that modules.conf allows the relevant shared objects to be loaded.

You will need a file for the machine’s private key, a file for the machine’s own certificate, and either a file, or a directory of files, containing all the certificates back to the root certifying authority. These do not have fixed names. Files and directories will need sensible permissions and owners, as I believe that OpenSSL checks for insecure ones.

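The certificate procedure described in the two replies above (private keys generated where they are used, a signing request sent to one shared CA, the CA certificate distributed to every machine, and sensible permissions on the key files), as an added example. This is not Asterisk's ast_tls_cert script and not the poster's setup; it uses plain openssl. The three directories ca/, s1/ and s2/ stand in for the CA and the two Asterisk machines, and the host names, addresses and organisation name are assumptions.

```shell
#!/bin/sh
# Added example (not ast_tls_cert): key material for a two-machine TLS trunk.
# Each machine keeps its own private key; only a certificate signing request (CSR)
# goes to the CA, and only the signed certificate plus the CA certificate come back.
# ca/, s1/ and s2/ below stand in for three machines; names and addresses are assumed.
set -eu
umask 077   # everything starts owner-only; public material is relaxed explicitly below

# make_ca DIR ORG : one self-signed CA certificate, trusted by both ends of the trunk.
make_ca() {
    dir=$1; org=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=$org/CN=$org trunk CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt"
    chmod 644 "$dir/ca.crt"   # the CA certificate is public and is copied to every machine
}

# make_csr DIR NAME CN IP : run on the machine that will use the key; the key never leaves it.
make_csr() {
    dir=$1; name=$2; cn=$3; ip=$4
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=trunk/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr"
    # subjectAltName is what a modern verifier matches against; it is kept in a small
    # extension file so the signing step can put it into the certificate.
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$cn" "$ip" > "$dir/$name.ext"
}

# sign_csr CADIR CSR EXTFILE OUT : run on the CA; input is the CSR, output the certificate.
sign_csr() {
    cadir=$1; csr=$2; ext=$3; out=$4
    openssl x509 -req -days 825 -in "$csr" -extfile "$ext" \
        -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" -CAcreateserial -out "$out"
    chmod 644 "$out"
}

# chain_ok CACRT CRT : the check Asterisk's verify_server/verify_client do with ca_list_file.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_names CRT : print the subjectAltName line, i.e. the names the other side could check.
cert_names() {
    openssl x509 -noout -text -in "$1" |
        awk '/Subject Alternative Name/{getline; sub(/^[ \t]*/, ""); print}'
}

# key_is_private FILE : true only if the private key is mode 0600 (readable by its owner alone).
key_is_private() {
    [ -n "$(find "$1" -prune -perm 0600)" ]
}

# trunk_pki_demo ROOT : the whole procedure in a scratch tree; the comments say which
# machine each step would run on in a real deployment.
trunk_pki_demo() {
    root=$1
    make_ca  "$root/ca" "Example Org"                     # on the CA machine
    make_csr "$root/s1" s1 s1.example.net 192.168.10.102   # on S1
    make_csr "$root/s2" s2 s2.example.net 192.168.10.100   # on S2
    # transfer: only the .csr and .ext files travel to the CA ...
    sign_csr "$root/ca" "$root/s1/s1.csr" "$root/s1/s1.ext" "$root/s1/s1.crt"
    sign_csr "$root/ca" "$root/s2/s2.csr" "$root/s2/s2.ext" "$root/s2/s2.crt"
    # ... and only the signed certificate plus ca.crt travel back.
    cp "$root/ca/ca.crt" "$root/s1/ca.crt"; chmod 644 "$root/s1/ca.crt"
    cp "$root/ca/ca.crt" "$root/s2/ca.crt"; chmod 644 "$root/s2/ca.crt"
    for s in s1 s2; do
        key_is_private "$root/$s/$s.key" || { echo "$s.key is readable by others" >&2; return 1; }
        chain_ok "$root/$s/ca.crt" "$root/$s/$s.crt" || { echo "$s.crt does not chain to the CA" >&2; return 1; }
        echo "$s: $(cert_names "$root/$s/$s.crt")"
    done
}

trunk_pki_demo "${TRUNK_PKI_DIR:-$(mktemp -d)}"
```

On a real deployment the files that end up in each server's key directory are exactly three: its own .key (0600, owned by the user Asterisk runs as), its own .crt and the shared ca.crt; ca.key stays on the CA machine only. Whatever names you pick are the ones you write into cert_file, priv_key_file and ca_list_file in pjsip.conf.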

You should also consider whether you really want TLS. E.g. you could use IAX2 encryption, or a secure VPN. NB for IAX2, the security depends on the password length. To get full security there must be 128 bits of entropy in the password, which would be equivalent to 32 bytes of completely random hexadecimal characters. You should construct them using a truly random number source.

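The IAX2 alternative from the reply above, as an added example that is not part of the thread: a trunk secret drawn from the kernel's random source with the 128 bits of entropy the reply asks for (32 hex characters), the check that rejects anything shorter or non-random-looking, and the iax.conf peer section it would go into. The peer name, address and context are assumptions; the same secret has to be configured on the other machine.

```shell
#!/bin/sh
# Added example: an IAX2 trunk secret with 128 bits of entropy and the section that uses it.
set -eu

# gen_iax2_secret : 16 random bytes from /dev/urandom rendered as 32 lowercase hex characters
gen_iax2_secret() {
    dd if=/dev/urandom bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# iax2_secret_ok SECRET : true only for exactly 32 hex characters, i.e. 128 bits of entropy
# when they came from a random source; a dictionary word or a shorter hex string fails.
iax2_secret_ok() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# iax2_peer_stanza NAME HOST SECRET : the iax.conf section for one end of an encrypted tie
# trunk. Refuses a weak secret, since with IAX2 the secret is the whole of the security.
iax2_peer_stanza() {
    name=$1; host=$2; secret=$3
    iax2_secret_ok "$secret" || { echo "refusing weak IAX2 secret for $name" >&2; return 1; }
    printf '[%s]\ntype = friend\nhost = %s\nauth = md5\nsecret = %s\n' "$name" "$host" "$secret"
    printf 'encryption = yes\nforceencryption = yes\ncontext = internal\n'
}

secret=$(gen_iax2_secret)
iax2_peer_stanza trunk-s2 192.168.10.100 "$secret"
```

Copy the generated secret, not the script, to the other machine: the stanza there names this machine's address and carries the identical secret value.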

My real problem is that I don't know how to make the same CA certificate for each of the two Asterisk Debian machines, and the client issued certificate. There is documentation: https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

but there is no guide for two Asterisk servers making the same CA.

You use the client procedure with a -C parameter that reflects that it is really a second server. (The -m option doesn’t really do anything if you have a -C option.)


For the -C, do I use the hostname or the IP address? And, for example, I use
for the first server
./ast_tls_cert -C pbx.192.168.1.39 -O "DG" -d /etc/asterisk/keys
and in the second server I use
./ast_tls_cert -C pbx.192.168.1.38 -O "DR" -d /etc/asterisk/keys
right?
And the CA, do I need to generate it on each server, or on the primary one and copy it to the secondary one? How does it work so that they both know each other?

You use the common name that you want to use. In principle this should be the name you use to refer to the machine from the other side, but I don't think that Asterisk checks it. When you use TLS on a web site, the browser does check it, and you will get an error, with dire warnings about a possible security compromise, if the certificate isn't for the server you are accessing.

I’m concerned that you are specifying TLS with no idea how it works. It sounds like it is a checkbox item, rather than an attempt at real security.


I agree about that. I have an idea of how it works in AD, but not in Asterisk; there I clearly have no idea how it works.

Well, I have changed my config as you told me; pjsip.conf and extensions.conf are enough.

So for S1:
pjsip.conf:

[transport-udp]
type = transport
protocol = udp
bind = 0.0.0.0

[asterisk1]
type=auth
auth_type=userpass
password=pass
username=1000

[asterisk1]
type = aor
contact = sip:192.168.10.100

[asterisk1]
type=endpoint
context=internal
disallow=all
allow=ulaw
outbound_auth=asterisk1
aors=asterisk1

[asterisk1]
type = identify
endpoint = asterisk1
match = 192.168.10.100

[2000]
type = aor
max_contacts = 1

[2000]
type = auth
username = 2000
password = pass

[2000]
type = endpoint
context = internal
allow = all
auth = 2000
outbound_auth = 2000
aors = 2000

extensions.conf:
[internal]

exten => 2000,1,Dial(PJSIP/2000)
exten => 2000,n,Hangup()

exten => _1XXX,1,Dial(PJSIP/${EXTEN}@asterisk1)
exten => _1XXX,n,Hangup()

For S2:
pjsip.conf:

[transport-udp]
type = transport
protocol = udp
bind = 0.0.0.0

[asterisk2]
type=auth
auth_type=userpass
password=pass
username=2000

[asterisk2]
type = aor
contact = sip:192.168.10.102

[asterisk2]
type=endpoint
context=internal
disallow=all
allow=ulaw
outbound_auth=asterisk2
aors=asterisk2

[asterisk2]
type = identify
endpoint = asterisk2
match = 192.168.10.102

[1000]
type = aor
max_contacts = 1

[1000]
type = auth
username = 1000
password = pass

[1000]
type = endpoint
context = internal
allow = all
auth = 1000
outbound_auth = 1000
aors = 1000

extensions.conf:
[internal]
exten => 1000,1,Dial(PJSIP/1000)
exten => 1000,n,Hangup()

exten => _2XXX,1,Dial(PJSIP/${EXTEN}@asterisk2)
exten => _2XXX,n,Hangup()

I used a simple trunk config between them; now my next step is port 5061, which is TLS.

You should not be using register if you know the address. register is a way of providing an unknown address. The user part of your registration URLs is, in any case, wrong.

If you use two way authentication, the authorisation parameters should be the same at both ends. If you want them different, you need to use separate settings in each direction.

One of your unmapped elements is the result of a spelling error.

Well, I edited it; it should be good now.

You've now turned off authentication completely, as SIP authentication requires the challenge that is triggered by inbound authentication before outbound authentication will be sent.
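The TLS version of this trunk, as an added example that is neither the poster's configuration nor Asterisk's sample file. It serves both the transport description near the top of the thread (same CA at both ends, each machine's own certificate and key, options that are relative to who opened the TCP connection) and the three corrections just above (no register for a known address, the same credentials in both directions, and an inbound auth so that a challenge is actually sent). Addresses follow the posted configs (S1 at 192.168.10.102 reaching S2 at 192.168.10.100 through the endpoint named asterisk1, so the posted dialplan keeps working); the file names under /etc/asterisk/keys, the username and the password are assumptions.

```ini
; S1 /etc/asterisk/pjsip.conf (added example; S1 assumed at 192.168.10.102, S2 at 192.168.10.100)
; File names under /etc/asterisk/keys are assumptions: Asterisk does not fix them.

[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5061
cert_file = /etc/asterisk/keys/s1.crt      ; this machine's own certificate
priv_key_file = /etc/asterisk/keys/s1.key  ; this machine's private key: mode 0600, owned by the asterisk user
ca_list_file = /etc/asterisk/keys/ca.crt   ; the one CA certificate installed on both machines
method = tlsv1_2
verify_server = yes        ; when S1 opened the TCP connection: S2's certificate must chain to ca.crt
verify_client = yes        ; when S2 opened the connection: the same check on the certificate S2 presents
require_client_cert = yes  ; ... and S2 must present one

; Credentials for the trunk, used in both directions, so the value is identical on S2.
[asterisk1]
type = auth
auth_type = userpass
username = trunk
password = CHANGE-ME-to-a-long-random-secret   ; placeholder

; S2's address is known, so it goes into the AOR; no register section is needed.
[asterisk1]
type = aor
contact = sip:192.168.10.100:5061;transport=tls

[asterisk1]
type = endpoint
context = internal
transport = transport-tls
disallow = all
allow = ulaw
aors = asterisk1
auth = asterisk1            ; challenge S2's inbound INVITEs; without this no challenge is ever sent
outbound_auth = asterisk1   ; answer S2's challenge on our outbound INVITEs
media_encryption = sdes     ; SRTP; the keys travel in the SDP, which only the TLS session protects

; Inbound requests from S2's address map to the endpoint: IP based matching, not registration.
[asterisk1]
type = identify
endpoint = asterisk1
match = 192.168.10.100

; The local phone sections ([2000] on S1) and the dialplan stay as posted:
;   exten => _1XXX,1,Dial(PJSIP/${EXTEN}@asterisk1)
; S2 is the mirror image: s2.crt/s2.key with the same ca.crt, an [asterisk2] set whose AOR is
; sip:192.168.10.102:5061;transport=tls and whose identify matches 192.168.10.102, and the
; same username and password in its auth section.
```

media_encryption = sdes needs res_srtp loaded, so check modules.conf does not noload it. After a `pjsip reload`, `pjsip show transports` on each box should list transport-tls on port 5061, and a failed handshake will be visible in the TLS error logged at that point, which is the protocol logging the first reply asks for rather than "calls drop".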