Connect Asterisk to two tls sip providers

psiderov · November 13, 2017, 1:15pm

Hi,

I have configured my asterisk to connect to a sip tls provider. It’s working fine (tls & srtp). I am trying to connect to a second provider without success. I can configure asterisk to connect to the second one only and again it is working fine. The case is that I need both trunks working simultaneously. So if I set certs in sip.conf in peer configuration asterisk doesn’t start port 5061 at all.

[peer1]
type=peer
host=1.2.3.4
context=peers
dtmfmode=rfc2833
disallow=all
allow=alaw
qualify=yes
transport=tls
encryption=yes
tlscertfile=/etc/asterisk/keys/provider1/peer1.pem
tlscafile=/etc/asterisk/keys/provider1/ca.crt

[peer2]
type=peer
host=1.2.3.5
context=peers
dtmfmode=rfc2833
disallow=all
allow=alaw
qualify=yes
transport=tls
encryption=yes
tlscertfile=/etc/asterisk/keys/provider2/peer2.pem
tlscafile=/etc/asterisk/keys/provider2/ca.crt

If I add a certificate in sip.conf [general] and in peers too it tries to authenticate to sip provider with the cert added in [general]…

So it looks like asterisk reads only certs added in [general] section and can authenticate to only one sip provider. Is there any way to make it work with several certificates to several providers?

I am using latest Ubuntu 16.04 LTS with Asterisk-13.1.0~dfsg-1.1ubuntu4.1 and chan_sip

Regards,
Pavel

jcolp · November 13, 2017, 1:16pm

Both chan_sip and chan_pjsip do not currently support per-endpoint TLS certificates like that.

psiderov · November 13, 2017, 1:18pm

Any ideas if there are any plans this feature to be supported?

jcolp · November 13, 2017, 1:20pm

I know of no individual actively working on such a feature.

psiderov · November 13, 2017, 1:23pm

Thanks for the info! Huge restriction to me :(. Will have to change asterisk with some sip proxy.

david551 · November 13, 2017, 1:29pm

Why can’t you use the same identity for both? In principle, the identity belongs to you, not the provider account.

If that is not possible you need to run two instances.

Is this one of these broken multi-homing cases where you appear as two, unrelated, IP addresses?

psiderov · November 13, 2017, 1:43pm

The case is like this… I have two asterisk servers doing… lots of things somewhere on the net. At the same time I have two clients (asterisks) somewhere else on the net. These four boxes must be cross connected for failover in both directions.

According to the documentation you create server and customer certificate this way:
#server
./ast_tls_cert -C 7.7.7.7 -O “server1” -d /etc/asterisk/keys
This commad generates all server certificates, keys, etc. Then using them you can create customer certificates:
./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 1.2.3.4 -O “server1” -d /etc/asterisk/keys -o peer1
./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 1.2.3.5 -O “server1” -d /etc/asterisk/keys -o peer2

So this procedure is done twice for both servers using their ip addresses (and respectively clients).

So what I have to do to make client cert (and ca) work auth at both servers?

Running two instances at one server is not a good idea because I will need these for failover.

jcolp · November 13, 2017, 1:46pm

In that case you would have a single certificate authority and multiple client certificates all from it. Then each server would be able to verify that the client certificate was issued from the same certificate authority.

psiderov · November 13, 2017, 2:08pm

Ok, this way I will have one way validation and I will have to set tlsdontverifyserver=yes in [general], right?

jcolp · November 13, 2017, 2:09pm

If each client also has the certificate authority certificate they can also verify that each client comes from it.

david551 · November 13, 2017, 2:27pm

Just to expand on what Jonathon has said, all four machines should use the same CA.

psiderov · November 14, 2017, 8:48am

Ok, thanks! Everything is up and working now… here is what I did:

I saw in ast_tls_cert that if ca.crt exists it didn’t overwrite it. So first I created first server cert:

./ast_tls_cert -C 7.7.7.7 -O “server1” -d /etc/asterisk/temp_keys
Copied combined key and certificate to a new name:
cp asterisk.pem server1.pem
Create certificate for the second server:
./ast_tls_cert -C 9.9.9.9 -O “server2” -d /etc/asterisk/temp_keys
It overwrites asterisk.pem (and the other asterisk.* files). Copied file to
cp asterisk.pem server2.pem

Then I created certificates for the clients:
./ast_tls_cert -m client -c /etc/asterisk/temp_keys/ca.crt -k /etc/asterisk/temp_keys/ca.key -C 1.2.3.4 -O “server1” -d /etc/asterisk/temp_keys -o peer1
./ast_tls_cert -m client -c /etc/asterisk/temp_keys/ca.crt -k /etc/asterisk/temp_keys/ca.key -C 1.2.3.5 -O “server1” -d /etc/asterisk/temp_keys -o peer2

At the end I had the same ca.crt for servers and clients and pem (certificate and key combined) for everyone:
server1.pem, server2.pem, peer1.pem, peer2.pem

TLS and SRTP are working fine!

Thanks,
Pavel