Asterisk IAX2 RSA Authentication

Recently our office just installed Asterisk on two servers. We supply support for PBX setup in our area and peer with other Asterisk-based deployments. We have set up our servers to use IAX2 to trunk between servers.

I have a connection that I have encrypted and set up for testing. The link is up and the servers can communicate over the IAX2 trunk using MD5 authentication. Now I want to upgrade these keys to RSA keys.

I followed this guide: https://www.voip-info.org/wiki/view/Asterisk+iax+rsa+auth and was able to create public and private keys. I have put all of my keys in the /var/lib/asterisk/keys/ directory and gave asterisk:asterisk the permissions to use the files. I log into Asterisk and run the “keys init” command followed by “keys show” and nothing is listed. Where do I need to put the keys?

Do a “module reload res_crypto.so” and see if any error messages are printed.
What version of Asterisk are you running?

Received the following:

*CLI> module reload res_crypto.so

Module ‘res_crypto.so’ reloaded successfully.

*CLI> – Reloading module ‘res_crypto.so’ (Cryptographic Digital Signatures)

Hmmm. Do a “core show settings” and note where “IAX2 Keys directory” is. If it’s not /var/lib/asterisk, you can correct that in /etc/asterisk.conf. The key and certificate have the “key” and “pub” extensions respectively, correct?

Try “core set debug 9 res_crypto.so” and reload the module again and see what you get.


Received the following:

*CLI> Module ‘Res_crypto.so’ reloaded successfully.
NOTICE[3200]: res_crypto.c:263 try_load_key: Key ‘MV11’ is not expected size.
NOTICE[3200]: res_crypto.c:263 try_load_key: Key ‘MV11’ is not expected size.

*Note that these keys were created using a key length of 4096. Modified line 50 of /usr/sbin/astgenkey from 1024 to 4096.

Currently res_crypto can only handle 128 byte (1024 bit) keys.


@gjoseph
Is there a way to make Asterisk support 256-byte keys? I’m using Asterisk version 11. Are 256-byte keys already supported in the latest Asterisk version?

You would need to modify the code and add support for it. As it is, that hasn’t been done by anyone even in new versions. The chan_iax2 module doesn’t see many changes or much work.

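Added example, not part of the thread and not Asterisk code: a pre-flight check that reads the RSA modulus size out of a PEM key file, so a key that would trigger the "is not expected size" notice is caught before it is copied into the keys directory. The function names are hypothetical, the sample keys are constructed (structurally valid filler, not usable keys), and it assumes the .key/.pub files are unencrypted PEM as written by OpenSSL.

```python
import base64, re

EXPECTED_BITS = 1024  # 128-byte modulus: the only size res_crypto loads, per the thread

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def modulus_bits(der):
    """Bit length of the RSA modulus in SubjectPublicKeyInfo, PKCS#8 or PKCS#1 DER."""
    body, pos, items = read_tlv(der, 0)[1], 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        items.append((tag, val))
    if items[0][0] == 0x30 and items[1][0] == 0x03:   # SubjectPublicKeyInfo (.pub)
        return modulus_bits(items[1][1][1:])          # skip the unused-bits octet
    if len(items) >= 3 and items[2][0] == 0x04:       # PKCS#8 wrapper around PKCS#1
        return modulus_bits(items[2][1])
    n = items[1][1] if len(items) > 2 else items[0][1]  # PKCS#1 private or public
    return int.from_bytes(n, "big").bit_length()

def check_pem(pem_text):
    """Return (bits, ok) where ok means the key has the size res_crypto accepts."""
    if "ENCRYPTED" in pem_text:
        raise ValueError("passphrase-protected key: check the matching .pub file")
    bits = modulus_bits(base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem_text)))
    return bits, bits == EXPECTED_BITS

def tlv(tag, body):
    """DER-encode one element; used only to build the constructed samples."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_pub_pem(bits):
    """Constructed .pub-shaped PEM with a filler modulus; not a usable key."""
    rsa = tlv(0x30, tlv(0x02, b"\x00" + b"\xc3" * (bits // 8)) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    b64 = base64.encodebytes(tlv(0x30, alg + tlv(0x03, b"\x00" + rsa))).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + b64 + "-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    for size in (1024, 4096):  # 4096 is the size the poster generated
        print(size, check_pem(sample_pub_pem(size)))
```

To check real files, pass the text of each file in the keys directory to `check_pem`.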