How to verify TLS connection

Hi,

I have configured the TLS on my asterisk PBX as follows:

  • on sip.conf:
    tlsenable=yes
    tlsbindaddr=0.0.0.0
    tlscertfile=/etc/asterisk/keys/asterisk.pem
    tlscafile=/etc/asterisk/keys/ca.crt
    tlscipher=ALL
    tlsclientmethod=tlsv1

  • on my extension:
    transport=tls

After that my extension was successfully registered to my PBX, as you can see below:

I would like to know how to verify that the TLS connection encrypts the sip registration or what I should check to verify that the registration authentication is secure.

Regards,
Panos

Strong method: read and analyze the source code.

Weak method: do a packet capture with tcpdump or wireshark and check that the data stream looks random.

Note that encrypted is not sufficient for secure. You will also need to prove you are not talking to a man in the middle.

Hi,

Thanks for your reply.

You said that “encrypted is not sufficient for secure”. The question is how to be sure that I’m secure?
I have password complexity enabled on my extensions and also, I have configured tls.

My main issue is that I have checked the tcpdump and I have tls traffic on port tcp 5061 while my sip phone is registered, but after the registration I have traffic on udp port 5060 (SUBSCRIBE) which contains the authorization with username, realm, nonce, response and algorithm.
Is this correct?

For example, as you can see below, I have the REGISTER with TLS and the SUBSCRIBE without TLS.

  1. REGISTER: sip:voip1;transport=tls;lr SIP/2.0
    Via: SIP/2.0/TLS xxx.xxx.xxx.xxx:37156;rport;branch=z9hG4bKPjoCCw0.LEC-qhSMVBqFcWE8K4.jeEqwpI;alias
    Authorization: Digest username="2224", realm="asterisk", nonce="22603797", uri="sip:voip1;transport=tls;lr", response="125b4df1280600f6dfaf8313ffe6d7cb", algorithm=MD5

  2. SUBSCRIBE sip:2224@voip1 SIP/2.0
    Authorization: Digest username="2224", realm="asterisk", nonce="0eacf511", uri="sip:2224@xxx.xxx.xxx.xxx", response="8c8f98e83f215f25359d3c67fffb0eac", algorithm=MD5

Do you know if the subscribe’s response contains the extension’s password?
If yes, then why is this not over TLS?

Regards,
Panos

There should be nothing on port 5060. It sounds like this is the fault of the phone, although one would need to see the responses to be sure.

The response parameter (as against the SIP response) contains a hash of the password, so is vulnerable to an offline dictionary attack.

To verify that the TLS session is effectively encrypted, you will need to examine the code, or at least use a known valid client. To verify that it is secure, you will need to check that the client is being authenticated at the TLS level, and the authentication keys have not been compromised. This is independent of the SIP level authentication. Again you still need to examine the code to make sure that the authentication is being implemented correctly.

I haven’t used TLS with Asterisk, so I’m not sure what authentication options it uses, but note that the general public has an inadequate understanding of the role of authentication in SSL and often tolerates unauthenticated connection warnings.
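
An added illustration, not part of the original thread and not Asterisk code: a small Python check for the situation discussed above, where Digest credentials appear on a transport other than TLS. It assumes a text log of SIP requests separated by blank lines; the sample is constructed from the two requests quoted in the thread, with documentation addresses and a made-up Via line for the SUBSCRIBE.

```python
import re

# Constructed sample: the two requests from the thread, with made-up Via
# branches, documentation IP addresses and an assumed UDP Via on the SUBSCRIBE.
SAMPLE_CAPTURE = """\
REGISTER sip:voip1;transport=tls;lr SIP/2.0
Via: SIP/2.0/TLS 192.0.2.10:37156;rport;branch=z9hG4bKconstructed1;alias
Authorization: Digest username="2224", realm="asterisk", nonce="22603797", uri="sip:voip1;transport=tls;lr", response="125b4df1280600f6dfaf8313ffe6d7cb", algorithm=MD5

SUBSCRIBE sip:2224@voip1 SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10:5060;rport;branch=z9hG4bKconstructed2
Authorization: Digest username="2224", realm="asterisk", nonce="0eacf511", uri="sip:2224@192.0.2.1", response="8c8f98e83f215f25359d3c67fffb0eac", algorithm=MD5
"""

REQUEST_LINE = re.compile(r"^([A-Z]+):?\s+(sips?:\S+)\s+SIP/2\.0$")
VIA = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", re.I)
AUTH = re.compile(r"^(?:Proxy-)?Authorization\s*:\s*Digest\s+(.*)$", re.I)
PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')

def parse_messages(text):
    """Yield method, topmost Via transport and Digest parameters per request."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.strip() for line in block.splitlines()]
        start = REQUEST_LINE.match(lines[0])
        if not start:
            continue  # SIP responses and unrelated log noise are skipped
        msg = {"method": start.group(1), "transport": None, "digest": None}
        for line in lines[1:]:
            via, auth = VIA.match(line), AUTH.match(line)
            if via and msg["transport"] is None:
                # The topmost Via names the transport of the hop being observed
                msg["transport"] = via.group(1).upper()
            elif auth:
                msg["digest"] = {k: q or u for k, q, u in PARAM.findall(auth.group(1))}
        yield msg

def cleartext_credentials(text):
    """Return (method, transport, username) for each request that carries
    Digest credentials on a transport other than TLS. A request with no Via
    line is reported with transport None, since its protection is unknown."""
    return [(m["method"], m["transport"], m["digest"].get("username"))
            for m in parse_messages(text)
            if m["digest"] and m["transport"] not in ("TLS", "WSS")]

if __name__ == "__main__":
    for method, transport, user in cleartext_credentials(SAMPLE_CAPTURE):
        print(f"{method} for user {user} sent Digest credentials over {transport}")
```

On the constructed sample only the SUBSCRIBE is reported; the REGISTER, whose topmost Via is TLS, is not.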