Hello. I'm trying to make encrypted calls between phones in Asterisk 12.4 with pjsip. I have a blank sip.conf. I created CA.crt and user certs.
[Aug 4 11:58:09] WARNING[2335]: res_pjsip_mwi.c:656 mwi_subscribe_single: AOR phone_2_udp has no configured mailboxes. MWI subscription failed
-- Added contact 'sip:82370159@192.168.2.13:5062' to AOR 'phone_1_udp' with expiration of 600 seconds
-- Added contact 'sip:78596321@192.168.2.10:5062' to AOR 'phone_2_udp' with expiration of 600 seconds
-- Added contact 'sip:64230895@192.168.2.10:5063;transport=tls' to AOR 'phone_3_tls' with expiration of 600 seconds
-- Added contact 'sip:27349158@192.168.2.13:5063;transport=tls' to AOR 'phone_4_tls' with expiration of 600 seconds
They all say they are registered but when I ask in the CLI it shows nothing…
[code]asterisk12*CLI> pjsip show registrations
<Registration/ServerURI…> <Auth…> <Status…>
No objects found.
[/code]
Is that normal?
udp -> udp ok:
-- Executing [802@ctx:1] Dial("PJSIP/phone_1_udp-0000000b", "PJSIP/phone_2_udp,20") in new stack
-- Called PJSIP/phone_2_udp
-- PJSIP/phone_2_udp-0000000c is ringing
-- PJSIP/phone_2_udp-0000000c answered PJSIP/phone_1_udp-0000000b
-- Channel PJSIP/phone_1_udp-0000000b joined 'simple_bridge' basic-bridge <e1b5f4f0-32c2-4bf4-a42d-88cd05e65f85>
-- Channel PJSIP/phone_2_udp-0000000c joined 'simple_bridge' basic-bridge <e1b5f4f0-32c2-4bf4-a42d-88cd05e65f85>
> Bridge e1b5f4f0-32c2-4bf4-a42d-88cd05e65f85: switching from simple_bridge technology to native_rtp
> 0x7fb750055150 -- Probation passed - setting RTP source address to 192.168.2.13:19028
> 0x7fb75006d0f0 -- Probation passed - setting RTP source address to 192.168.2.10:19000
> 0x7fb750055150 -- Probation passed - setting RTP source address to 192.168.2.13:19028
-- Channel PJSIP/phone_1_udp-0000000b left 'native_rtp' basic-bridge <e1b5f4f0-32c2-4bf4-a42d-88cd05e65f85>
== Spawn extension (ctx, 802, 1) exited non-zero on 'PJSIP/phone_1_udp-0000000b'
-- Channel PJSIP/phone_2_udp-0000000c left 'native_rtp' basic-bridge <e1b5f4f0-32c2-4bf4-a42d-88cd05e65f85>
tls -> udp ok:
-- Executing [801@ctx:1] Dial("PJSIP/phone_3_tls-0000000f", "PJSIP/phone_1_udp,20") in new stack
-- Called PJSIP/phone_1_udp
-- PJSIP/phone_1_udp-00000010 is ringing
-- PJSIP/phone_1_udp-00000010 answered PJSIP/phone_3_tls-0000000f
-- Channel PJSIP/phone_3_tls-0000000f joined 'simple_bridge' basic-bridge <df34dec3-2ee4-45f3-addc-27fe7234c750>
-- Channel PJSIP/phone_1_udp-00000010 joined 'simple_bridge' basic-bridge <df34dec3-2ee4-45f3-addc-27fe7234c750>
> 0x7fb75007a380 -- Probation passed - setting RTP source address to 192.168.2.13:19032
> 0x7fb750072780 -- Probation passed - setting RTP source address to 192.168.2.10:19006
-- Channel PJSIP/phone_3_tls-0000000f left 'simple_bridge' basic-bridge <df34dec3-2ee4-45f3-addc-27fe7234c750>
-- Channel PJSIP/phone_1_udp-00000010 left 'simple_bridge' basic-bridge <df34dec3-2ee4-45f3-addc-27fe7234c750>
== Spawn extension (ctx, 801, 1) exited non-zero on 'PJSIP/phone_3_tls-0000000f'
tls -> tls fails:
-- Executing [804@ctx:1] Dial("PJSIP/phone_3_tls-00000011", "PJSIP/phone_4_tls,20") in new stack
-- Called PJSIP/phone_4_tls
[Aug 4 12:09:03] WARNING[2466]: pjsip:0 <?>: tsx0x7fb73c00c ...Failed to send Request msg INVITE/cseq=14187 (tdta0x7fb750028e60)! err=120013 (Permission denied)
== Everyone is busy/congested at this time (1:0/1/0)
-- Auto fallthrough, channel 'PJSIP/phone_3_tls-00000011' status is 'CONGESTION'
udp -> tls fails:
-- Executing [804@ctx:1] Dial("PJSIP/phone_1_udp-00000013", "PJSIP/phone_4_tls,20") in new stack
-- Called PJSIP/phone_4_tls
[Aug 4 12:09:42] WARNING[2466]: pjsip:0 <?>: tsx0x7fb73c011 ...Failed to send Request msg INVITE/cseq=31070 (tdta0x7fb750028e60)! err=120013 (Permission denied)
== Everyone is busy/congested at this time (1:0/1/0)
-- Auto fallthrough, channel 'PJSIP/phone_1_udp-00000013' status is 'CONGESTION'
These are my config files (sip.conf is a blank file). I used non-standard ports, but that should be OK. I have tried both sslv23 and tlsv1 as the method.
pjsip.conf
[code]
[transport-udp]
type=transport
protocol=udp ;udp,tcp,tls,ws,wss
bind=0.0.0.0:5062
[transport-local-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5063
cert_file = /etc/asterisk/script/asterisk.crt
priv_key_file = /etc/asterisk/script/asterisk.key
ca_list_file = /etc/asterisk/script/ca.crt
method = sslv23
; -----
[phone_1_udp]
type = endpoint
context = ctx
disallow = all
allow = ulaw
auth = phone_1_udp
aors = phone_1_udp
transport = transport-udp
[phone_1_udp]
type = auth
auth_type = userpass
password = p1
username = phone_1_udp
[phone_1_udp]
type = aor
max_contacts = 4
; -----
[phone_2_udp]
type = endpoint
context = ctx
disallow = all
allow = ulaw
auth = phone_2_udp
aors = phone_2_udp
transport = transport-udp
[phone_2_udp]
type = auth
auth_type = userpass
password = p2
username = phone_2_udp
[phone_2_udp]
type = aor
max_contacts = 4
; -----
[phone_3_tls]
type = endpoint
context = ctx
disallow = all
allow = ulaw
auth = phone_3_tls
aors = phone_3_tls
transport = transport-local-tls
media_encryption = sdes
;direct_media = no
;disable_direct_media_on_nat = yes
;rewrite_contact = yes
[phone_3_tls]
type = auth
auth_type = userpass
[phone_3_tls]
type = aor
max_contacts = 1
; -----
[phone_4_tls]
type = endpoint
context = ctx
disallow = all
allow = ulaw
auth = phone_4_tls
aors = phone_4_tls
transport = transport-local-tls
media_encryption = sdes
;direct_media = no
;disable_direct_media_on_nat = yes
;rewrite_contact = yes
[phone_4_tls]
type = auth
auth_type = userpass
password = p4
username = phone_4_tls
[phone_4_tls]
type = aor
max_contacts = 1
; -----[/code]
extensions.conf
[code][ctx]
exten => 801,1,Dial(PJSIP/phone_1_udp,20)
exten => 802,1,Dial(PJSIP/phone_2_udp,20)
exten => 803,1,Dial(PJSIP/phone_3_tls,20)
exten => 804,1,Dial(PJSIP/phone_4_tls,20)
[/code]
pjsip debug for tls to tls:
[code]asterisk12*CLI>
<--- Received SIP request (1130 bytes) from TLS:192.168.2.10:51573 --->
INVITE sip:804@123.234.210.123 SIP/2.0
Via: SIP/2.0/TLS 192.168.2.10:51573;rport;branch=z9hG4bKPjc33a2a7b45aa467da6dc41a4f8e15df9;alias
Max-Forwards: 70
From: "p3_tls" <sip:phone_3_tls@123.234.210.123>;tag=1eb63905bc3845ca848a6e28f6e6c999
To: <sip:804@123.234.210.123>
Contact: <sip:64230895@192.168.2.10:5063;transport=tls>
Call-ID: d13a416e156d4f48a586ed82f6d28b5a
CSeq: 29248 INVITE
Allow: SUBSCRIBE, NOTIFY, PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: 100rel, replaces, norefersub, gruu
User-Agent: Blink 0.9.1.2 (Windows)
Content-Type: application/sdp
Content-Length: 515
v=0
o=- 3616144689 3616144689 IN IP4 192.168.2.10
s=Blink 0.9.1.2 (Windows)
t=0 0
m=audio 19018 RTP/SAVP 113 9 0 8 101
c=IN IP4 192.168.2.10
a=rtcp:19019
a=rtpmap:113 opus/48000
a=fmtp:113 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:f+SNdS2DdmnP12uMNufZOmGVemhNUIe5pRJl8f6d
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:8xjQiGKZHZKOtWzAidRiWCnnfFBQD1F2vyP4IWr+
a=sendrecv
<--- Transmitting SIP response (542 bytes) to TLS:192.168.2.10:51573 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.2.10:51573;rport;received=192.168.2.10;branch=z9hG4bKPjc33a2a7b45aa467da6dc41a4f8e15df9;alias
Call-ID: d13a416e156d4f48a586ed82f6d28b5a
From: "p3_tls" <sip:phone_3_tls@123.234.210.123>;tag=1eb63905bc3845ca848a6e28f6e6c999
To: <sip:804@123.234.210.123>;tag=z9hG4bKPjc33a2a7b45aa467da6dc41a4f8e15df9
CSeq: 29248 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1407148762/21bd5ef08afa29d490581117da3de2b5",opaque="10dc011b79818ede",algorithm=md5,qop="auth"
Content-Length: 0
<--- Received SIP request (432 bytes) from TLS:192.168.2.10:51573 --->
ACK sip:804@123.234.210.123 SIP/2.0
Via: SIP/2.0/TLS 192.168.2.10:51573;rport;branch=z9hG4bKPjc33a2a7b45aa467da6dc41a4f8e15df9;alias
Max-Forwards: 70
From: "p3_tls" <sip:phone_3_tls@123.234.210.123>;tag=1eb63905bc3845ca848a6e28f6e6c999
To: <sip:804@123.234.210.123>;tag=z9hG4bKPjc33a2a7b45aa467da6dc41a4f8e15df9
Call-ID: d13a416e156d4f48a586ed82f6d28b5a
CSeq: 29248 ACK
User-Agent: Blink 0.9.1.2 (Windows)
Content-Length: 0
<--- Received SIP request (1429 bytes) from TLS:192.168.2.10:51573 --->
INVITE sip:804@123.234.210.123 SIP/2.0
Via: SIP/2.0/TLS 192.168.2.10:51573;rport;branch=z9hG4bKPj72883ae17b024edfb03894553e254463;alias
Max-Forwards: 70
From: "p3_tls" <sip:phone_3_tls@123.234.210.123>;tag=1eb63905bc3845ca848a6e28f6e6c999
To: <sip:804@123.234.210.123>
Contact: <sip:64230895@192.168.2.10:5063;transport=tls>
Call-ID: d13a416e156d4f48a586ed82f6d28b5a
CSeq: 29249 INVITE
Allow: SUBSCRIBE, NOTIFY, PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: 100rel, replaces, norefersub, gruu
User-Agent: Blink 0.9.1.2 (Windows)
Authorization: Digest username="phone_3_tls", realm="asterisk", nonce="1407148762/21bd5ef08afa29d490581117da3de2b5", uri="sip:804@123.234.210.123", response="3218235302fc9bb3dcd35dc31117994d", algorithm=md5, cnonce="d7f3afab65b944b582807eb075b8e691", opaque="10dc011b79818ede", qop=auth, nc=00000001
Content-Type: application/sdp
Content-Length: 515
v=0
o=- 3616144689 3616144689 IN IP4 192.168.2.10
s=Blink 0.9.1.2 (Windows)
t=0 0
m=audio 19018 RTP/SAVP 113 9 0 8 101
c=IN IP4 192.168.2.10
a=rtcp:19019
a=rtpmap:113 opus/48000
a=fmtp:113 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:f+SNdS2DdmnP12uMNufZOmGVemhNUIe5pRJl8f6d
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:8xjQiGKZHZKOtWzAidRiWCnnfFBQD1F2vyP4IWr+
a=sendrecv
<--- Received SIP request (1253 bytes) from UDP:192.168.2.13:5062 --->
PUBLISH sip:phone_1_udp@123.234.210.123 SIP/2.0
Via: SIP/2.0/UDP 192.168.2.13:5062;rport;branch=z9hG4bKPjc666c89c767f4283871c44f22ba6ea81
Max-Forwards: 70
From: "p1" <sip:phone_1_udp@123.234.210.123>;tag=ad50d4cdd2cf41c1b858591aec780680
To: "p1" <sip:phone_1_udp@123.234.210.123>
Call-ID: 16c5a350d612427bb82e43858bacfe01
CSeq: 1 PUBLISH
Event: presence
Expires: 600
User-Agent: Blink 0.9.1.2 (Windows)
Content-Type: application/pidf+xml
Content-Length: 783
closedagp-pidf:extendedoffline</agp-pidf:extended>caps:servcaps/sip%3Aphone_1_udp%40123.234.210.1232014-08-04T11:59:14.524125+02:00<dm:person id="PID-8c43abcbf6138e658a4acb9c93f3c882">rpid:activitiesrpid:otheroffline</rpid:other></rpid:activities>dm:timestamp2014-08-04T11:59:14.524125+02:00</dm:timestamp></dm:person>
<--- Transmitting SIP response (541 bytes) to UDP:192.168.2.13:5062 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.2.13:5062;rport;received=192.168.2.13;branch=z9hG4bKPjc666c89c767f4283871c44f22ba6ea81
Call-ID: 16c5a350d612427bb82e43858bacfe01
From: "p1" <sip:phone_1_udp@123.234.210.123>;tag=ad50d4cdd2cf41c1b858591aec780680
To: "p1" <sip:phone_1_udp@123.234.210.123>;tag=z9hG4bKPjc666c89c767f4283871c44f22ba6ea81
CSeq: 1 PUBLISH
WWW-Authenticate: Digest realm="asterisk",nonce="1407148762/c34e918b2d15c3e5501c5c834df5a525",opaque="629a86ee75ce5544",algorithm=md5,qop="auth"
Content-Length: 0
<--- Transmitting SIP response (343 bytes) to TLS:192.168.2.10:51573 --->
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 192.168.2.10:51573;rport;received=192.168.2.10;branch=z9hG4bKPj72883ae17b024edfb03894553e254463;alias
Call-ID: d13a416e156d4f48a586ed82f6d28b5a
From: "p3_tls" <sip:phone_3_tls@123.234.210.123>;tag=1eb63905bc3845ca848a6e28f6e6c999
To: <sip:804@123.234.210.123>
CSeq: 29249 INVITE
Content-Length: 0
-- Executing [804@ctx:1] Dial("PJSIP/phone_3_tls-00000006", "PJSIP/phone_4_tls,20") in new stack
-- Called PJSIP/phone_4_tls
[Aug 4 12:39:32] WARNING[2572]: pjsip:0 <?>: tsx0x1491908 ...Failed to send Request msg INVITE/cseq=21798 (tdta0xfdda80)! err=120013 (Permission denied)
== Everyone is busy/congested at this time (1:0/1/0)
-- Auto fallthrough, channel 'PJSIP/phone_3_tls-00000006' status is 'CONGESTION'
<--- Transmitting SIP response (421 bytes) to TLS:192.168.2.10:51573 --->
SIP/2.0 503 Service Unavailable
Via: SIP/2.0/TLS 192.168.2.10:51573;rport;received=192.168.2.10;branch=z9hG4bKPj72883ae17b024edfb03894553e254463;alias
Call-ID: d13a416e156d4f48a586ed82f6d28b5a
From: "p3_tls" <sip:phone_3_tls@123.234.210.123>;tag=1eb63905bc3845ca848a6e28f6e6c999
To: <sip:804@123.234.210.123>;tag=985f2983-e6ad-4ece-a59d-77c950facb4a
CSeq: 29249 INVITE
Reason: Q.850;cause=34
Content-Length: 0
<--- Received SIP request (427 bytes) from TLS:192.168.2.10:51573 --->
ACK sip:804@123.234.210.123 SIP/2.0
Via: SIP/2.0/TLS 192.168.2.10:51573;rport;branch=z9hG4bKPj72883ae17b024edfb03894553e254463;alias
Max-Forwards: 70
From: "p3_tls" <sip:phone_3_tls@123.234.210.123>;tag=1eb63905bc3845ca848a6e28f6e6c999
To: <sip:804@123.234.210.123>;tag=985f2983-e6ad-4ece-a59d-77c950facb4a
Call-ID: d13a416e156d4f48a586ed82f6d28b5a
CSeq: 29249 ACK
User-Agent: Blink 0.9.1.2 (Windows)
Content-Length: 0
<--- Received SIP request (1253 bytes) from UDP:192.168.2.10:5062 --->
PUBLISH sip:phone_2_udp@123.234.210.123 SIP/2.0
Via: SIP/2.0/UDP 192.168.2.10:5062;rport;branch=z9hG4bKPj78ba19a75f5649d68341f751bfe5db3b
Max-Forwards: 70
From: "p2" <sip:phone_2_udp@123.234.210.123>;tag=f2a856d08cf44ff1b42331e81a303cc0
To: "p2" <sip:phone_2_udp@123.234.210.123>
Call-ID: ba2dc99ba55f4650822d0046e9dcec0f
CSeq: 1 PUBLISH
Event: presence
Expires: 600
User-Agent: Blink 0.9.1.2 (Windows)
Content-Type: application/pidf+xml
Content-Length: 783
closedagp-pidf:extendedoffline</agp-pidf:extended>caps:servcaps/sip%3Aphone_2_udp%40123.234.210.1232014-08-04T12:37:40.475974+02:00<dm:person id="PID-d834c58e247911c9ac2f584d637ab4a9">rpid:activitiesrpid:otheroffline</rpid:other></rpid:activities>dm:timestamp2014-08-04T12:37:40.475974+02:00</dm:timestamp></dm:person>
<--- Transmitting SIP response (541 bytes) to UDP:192.168.2.10:5062 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.2.10:5062;rport;received=192.168.2.10;branch=z9hG4bKPj78ba19a75f5649d68341f751bfe5db3b
Call-ID: ba2dc99ba55f4650822d0046e9dcec0f
From: "p2" <sip:phone_2_udp@123.234.210.123>;tag=f2a856d08cf44ff1b42331e81a303cc0
To: "p2" <sip:phone_2_udp@123.234.210.123>;tag=z9hG4bKPj78ba19a75f5649d68341f751bfe5db3b
CSeq: 1 PUBLISH
WWW-Authenticate: Digest realm="asterisk",nonce="1407148781/b3ea75313afeab1ef7d49083a320b40a",opaque="27a001cc214f97d3",algorithm=md5,qop="auth"
Content-Length: 0
<--- Received SIP request (1253 bytes) from UDP:192.168.2.13:5062 --->
PUBLISH sip:phone_1_udp@123.234.210.123 SIP/2.0
Via: SIP/2.0/UDP 192.168.2.13:5062;rport;branch=z9hG4bKPj676cfa59536249b183569c7230db2679
Max-Forwards: 70
From: "p1" <sip:phone_1_udp@123.234.210.123>;tag=bac47d38bfb942b4835fd3e74db9a5e3
To: "p1" <sip:phone_1_udp@123.234.210.123>
Call-ID: c95a08e50570487d980617c37a32e25c
CSeq: 1 PUBLISH
Event: presence
Expires: 600
User-Agent: Blink 0.9.1.2 (Windows)
Content-Type: application/pidf+xml
Content-Length: 783
closedagp-pidf:extendedoffline</agp-pidf:extended>caps:servcaps/sip%3Aphone_1_udp%40123.234.210.1232014-08-04T11:59:14.524125+02:00<dm:person id="PID-8c43abcbf6138e658a4acb9c93f3c882">rpid:activitiesrpid:otheroffline</rpid:other></rpid:activities>dm:timestamp2014-08-04T11:59:14.524125+02:00</dm:timestamp></dm:person>
<--- Transmitting SIP response (541 bytes) to UDP:192.168.2.13:5062 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.2.13:5062;rport;received=192.168.2.13;branch=z9hG4bKPj676cfa59536249b183569c7230db2679
Call-ID: c95a08e50570487d980617c37a32e25c
From: "p1" <sip:phone_1_udp@123.234.210.123>;tag=bac47d38bfb942b4835fd3e74db9a5e3
To: "p1" <sip:phone_1_udp@123.234.210.123>;tag=z9hG4bKPj676cfa59536249b183569c7230db2679
CSeq: 1 PUBLISH
WWW-Authenticate: Digest realm="asterisk",nonce="1407148802/b737f2bf9a6169415e2022449295f610",opaque="2d3e2a3515558db2",algorithm=md5,qop="auth"
Content-Length: 0
asterisk12*CLI>
[/code]
I can play back a Wireshark capture of the tls-to-udp call, so it doesn't seem to be properly encrypted, although the Blink TLS client shows both padlocks, for TLS and SRTP. So I guess the one I need to figure out is tls-to-tls for it to be encrypted.
What am I missing…?
Thanks in advance.
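Added example, not the poster's pjsip.conf and not from the Asterisk project. The reason the tls-to-udp capture plays back in Wireshark is visible in the posted config: phone_1_udp and phone_2_udp have no media_encryption, so they negotiate plain RTP/AVP, and Asterisk decrypts the SRTP arriving from phone_3_tls and sends that audio to the UDP phone in the clear (that is also why that call stayed in simple_bridge instead of native_rtp). The fragment below keeps the post's transport, certificate paths and endpoint names but puts every phone on the TLS transport with SDES, using pjsip.conf templates so the shared settings are written once. Passwords are placeholders. It does not address the err=120013 (Permission denied) failure on the tls-to-tls INVITE, whose cause the post does not establish.

```ini
; Added example; not the poster's configuration. Every phone on TLS + SDES so
; that no leg of a call carries plain RTP.
[transport-local-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5063
cert_file = /etc/asterisk/script/asterisk.crt
priv_key_file = /etc/asterisk/script/asterisk.key
ca_list_file = /etc/asterisk/script/ca.crt
method = sslv23          ; as in the post; tlsv1 is the other value it tried
verify_client = no       ; set to yes, with require_client_cert = yes, once the
                         ; phones present certificates issued by ca.crt

; Templates (the "(!)" suffix) hold the settings every phone shares.
[tls-endpoint](!)
type = endpoint
context = ctx
disallow = all
allow = ulaw
transport = transport-local-tls
media_encryption = sdes  ; the SRTP key travels inside the SDP, which is why the
                         ; signalling itself has to be TLS and never UDP

[userpass](!)
type = auth
auth_type = userpass

[single-contact](!)
type = aor
max_contacts = 1

; One phone; repeat these three sections for phone_2_tls .. phone_4_tls.
[phone_1_tls](tls-endpoint)
auth = phone_1_tls
aors = phone_1_tls

[phone_1_tls](userpass)
username = phone_1_tls
password = CHANGE_ME     ; placeholder

[phone_1_tls](single-contact)
```

With this layout a UDP-registered phone cannot be dialled at all, which is the point: a mixed TLS/UDP call is only encrypted on the TLS half, whatever padlocks the client shows.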
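Added example, not part of the original post and not Blink or Asterisk code: a small Python check that answers from the SIP trace what the Wireshark playback answers from packets. It reads each m= line and its a=crypto attributes and reports whether that media leg is SRTP (RTP/SAVP with SDES keys) or plain RTP/AVP, and flags an SDES key of the wrong length for its suite (RFC 4568: 16-byte key plus 14-byte salt, 30 bytes, for the AES_CM_128 suites). The first sample is the SDP Blink sent in the INVITE above; the other two inputs are constructed here.

```python
"""Classify each media section of an SDP body as SRTP (SDES) or plain RTP.

Added example for this thread, not code from the post, Blink or Asterisk.
"""
import base64
import re
from dataclasses import dataclass, field

# RFC 4568 key||salt length, in bytes, for the SDES suites Blink offers:
# 16-byte AES master key + 14-byte master salt = 30 bytes (40 base64 chars).
KEY_SALT_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
    "F8_128_HMAC_SHA1_80": 30,
}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([^|\s]+)")
SRTP_PROFILES = ("RTP/SAVP", "RTP/SAVPF")


@dataclass
class MediaCheck:
    media: str                 # "audio", "video", ...
    port: int
    profile: str               # "RTP/AVP" (plain) or "RTP/SAVP" (SRTP)
    encrypted: bool
    suites: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def check_sdp(sdp: str) -> list:
    """Return one MediaCheck per m= line; inconsistencies land in .problems."""
    results, current = [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            media, port, profile = line[2:].split()[:3]
            current = MediaCheck(media, int(port), profile, profile in SRTP_PROFILES)
            results.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            m = CRYPTO_RE.match(line)
            if not m:
                current.problems.append(f"unparseable crypto line: {line}")
                continue
            tag, suite, key_b64 = m.group(1), m.group(2), m.group(3)
            current.suites.append(suite)
            expected = KEY_SALT_LEN.get(suite)
            if expected is None:
                current.problems.append(f"crypto tag {tag}: unknown suite {suite}")
                continue
            try:  # tolerate a missing '=' pad, reject anything outside the alphabet
                raw_key = base64.b64decode(key_b64 + "=" * (-len(key_b64) % 4), validate=True)
            except ValueError:
                current.problems.append(f"crypto tag {tag}: key is not valid base64")
                continue
            if len(raw_key) != expected:
                current.problems.append(
                    f"crypto tag {tag}: key||salt is {len(raw_key)} bytes, expected {expected}")
    for r in results:
        if r.encrypted and not r.suites:
            r.problems.append("RTP/SAVP offered without any a=crypto line")
        if not r.encrypted and r.suites:
            r.problems.append("a=crypto present but profile is plain RTP/AVP; no SRTP is negotiated")
    return results


# Copied from the post: Blink's offer inside the INVITE from phone_3_tls.
BLINK_OFFER = """v=0
o=- 3616144689 3616144689 IN IP4 192.168.2.10
s=Blink 0.9.1.2 (Windows)
t=0 0
m=audio 19018 RTP/SAVP 113 9 0 8 101
c=IN IP4 192.168.2.10
a=rtcp:19019
a=rtpmap:113 opus/48000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:f+SNdS2DdmnP12uMNufZOmGVemhNUIe5pRJl8f6d
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:8xjQiGKZHZKOtWzAidRiWCnnfFBQD1F2vyP4IWr+
a=sendrecv
"""

# Constructed: the kind of answer an endpoint with no media_encryption gives.
PLAIN_ANSWER = """v=0
o=- 1 1 IN IP4 192.168.2.13
s=-
t=0 0
m=audio 18000 RTP/AVP 0 101
c=IN IP4 192.168.2.13
a=rtpmap:0 PCMU/8000
a=sendrecv
"""

# Constructed: SAVP profile but a 5-byte key ("short") instead of 30 bytes.
SHORT_KEY_OFFER = """m=audio 4000 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:c2hvcnQ=
"""

if __name__ == "__main__":
    for name, body in (("blink", BLINK_OFFER), ("plain", PLAIN_ANSWER), ("short", SHORT_KEY_OFFER)):
        for r in check_sdp(body):
            print(name, r.media, r.port, r.profile, "SRTP" if r.encrypted else "PLAIN", r.suites, r.problems)
```

Run it on the SDP from both legs of a call taken from `pjsip set logger on`: if either leg is RTP/AVP, Asterisk decrypts the other leg's SRTP and relays that leg in the clear, which is exactly what a playable capture of the tls-to-udp call shows.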