I have configured the TLS on my asterisk PBX as follows:
After that my extension was successfully registered to my PBX, as you can see bellow:
I would like to know how to verify that the TLS connection encrypts the sip registration or what I should check to verify that the registration authentication is secure.
Strong method: read and analyze the source code.
Weak method: do a packet capture with tcpdump or wireshark and check that the data stream looks random.
Note that encrypted is not sufficient for secure. You will also need to prove you are not talking to a man in the middle.
Thanks for your reply.
You said that “encrypted is not sufficient for secure”. The question is how to be sure that I’m secure?
I have password complexity enabled on my extensions and also, I have configured tls.
My main issue is that I have checked the tcpdump and I have tls traffic on port tcp 5061 while my sip phone is registered, but after the registration I have traffic on udp port 5060 (SUBSCRIBE) which contains the authorization with username, realm, nonce, response and algorithm.
Is this correct?
For example, as you can seen bellow, I have the REGISTER with TLS and the SUBSCRIBE without tls.
REGISTER: sip:voip1;transport=tls;lr SIP/2.0
Via: SIP/2.0/TLS xxx.xxx.xxx.xxx:37156;rport;branch=z9hG4bKPjoCCw0.LEC-qhSMVBqFcWE8K4.jeEqwpI;alias
Authorization: Digest username=“2224”, realm=“asterisk”, nonce=“22603797”, uri=“sip:voip1;transport=tls;lr”, response=“125b4df1280600f6dfaf8313ffe6d7cb”, algorithm=MD5
SUBSCRIBE sip:2224@voip1 SIP/2.0
Authorization: Digest username=“2224”, realm=“asterisk”, nonce=“0eacf511”, uri="sip:firstname.lastname@example.org", response=“8c8f98e83f215f25359d3c67fffb0eac”, algorithm=MD5
Do you know if the subscribe’s response contains the extension’s password?
If yes, then why this is not over TLS?
There should be nothing on port 5060. It sounds like this is the fault of the phone, although one would need to see the responses to be sure.
The response parameter (as against he SIP response) contains a hash of the password, so is vulnerable to an offline dictionary attack.
To verify that the TLS session is effectively encrypted, you will need to examine the code, or at least use a known valid client. To verify that is secure, you will need to check that the client is being authenticated at the TLS level, and the authentication keys have not been compromised. This is independent of the SIP level authentication. Again you sill need to examine the code to make sure that the authentication is being implemented correctly.
I haven’t used TLS with Asterisk, so I’m not sure what authentication options it uses, but note that the general public has an inadequate understanding of the role of authentication in SSL and often tolerates unauthenticated connection warnings.