Pjsip trunk with tls registration

sami-hep · December 28, 2021, 10:38am

I am trying to create a trunk with type registration between 2 asterisk servers using TLS.

asterisk1 192.168.133.90
asterisk2 192.168.133.100

at asterisk 1: pjsip.conf

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
ca_list_file=/etc/asterisk/keys/ca.crt
method=tlsv1_2
require_client_cert=yes
verify_client=yes
verify_server=yes


[1234]
type=registration
outbound_auth=1234
server_uri=sip:192.168.133.100\;transport=transport-tls
client_uri=sip:1234@192.168.133.100\;transport=transport-tls
retry_interval=60

[1234]
type=auth
auth_type=userpass
password=1234
username=1234

[1234]
type=aor
max_contacts=1
contact=sip:1234@192.168.133.100:5061
remove_existing=no

[1234]
type=endpoint
context=phones
disallow=all
allow=gsm,ulaw,alaw
outbound_auth=1234
aors=1234

[1234]
type=identify
endpoint=1234
match=192.168.133.100

at same asterisk 2:

I created a user of username=1234
password=1234
and transport tls
then i generated the certificates

but i still could not figure out where should i put this certificate (at asterisk 1).
and how should i pass these certificates for the user at asterisk 1 pjsip.conf !!

any help would be appreciated

david551 · December 28, 2021, 10:55am

I don’t know what you mean by a user; it isn’t a term used for PJSIP configuration, except for the user fields in URIs.

The CACert should be the same on both machines. The certificate and private keys should be signed by the CACert, but should be different.

sami-hep · December 28, 2021, 11:04am

this is what i’ve done at asterisk 2 pjsip.conf:

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
ca_list_file=/etc/asterisk/keys/ca.crt
method=tlsv1_2
require_client_cert=yes
verify_client=yes
verify_server=yes


`[endpoint-basic](!)`
`type=endpoint`
`context=phones`
`disallow=all`
`allow=ulaw,alaw`
`[auth-userpass](!)`
`type=auth`
`auth_type=userpass`
`[aor-single-reg](!)`
`type=aor`
`max_contacts=1`

`;===============EXTENSION 1234`
`[1234](endpoint-basic)`
transport=transport-tls
media_encryption=sdes
`auth=auth1234`
`aors=1234`
`[auth1234](auth-userpass)`
`password=1234`
`username=1234`
`[1234](aor-single-reg)`

the question is: i have the client certificate at asterisk 2 which i should pass to the trunk at asterisk1, right?

where should i put these certificates and how could i pass the path of the certificates at asterisk 1 pjsip.conf for the trunk that i defined.

david551 · December 28, 2021, 11:14am

A trunk will act as both client and server. Each end should have its own certificate, which should match the private key at that end. Ideally, the certificates should have a subject name that correctly identifies it, but Asterisk doesn’t check those, and it is not clear to me what subject name you would use for a SIP user agent.

sami-hep · December 28, 2021, 11:26am

then i should generate certificate at both ends ?

so you are telling that if I only generated the user certificates at both servers, then this trunk would be authenticated by these certs? but where should i define the path of it?

david551 · December 28, 2021, 12:02pm

If you are talking about ast_tls_cert, the only difference between server and client is in the default common names. For a server, the -C option defaults to its address, and for a client it defaults to asterisk. I don’t believe that Asterisk checks this at run time, so for a trunk it really doesn’t matter.

The actual cert_file and priv_key_file names don’t matter. All that matters is that they contain the user agent certificate and user agent key for that machine.

The important thing is that you only specify -c and -k, to ast_tls_cert, the first time you run it, and you copy the same CA cert file to both machines.

david551 · December 28, 2021, 12:24pm

No. You should nominate one end (or a ideally a completely different machine that is kept, as far as possible offline) as your, single, CA and generate the CA certificate and both user agent certificates on that machine. In the sense used by ast_tls_cert, they are both server certificates, but as you should use explicit -C options, that makes no real difference.

You should destroy the private keys on all but the machine to which they apply. (ast_tls_cert takes some liberties with security, partly because phones don’t play by the TLS the key management rules properly. With the official certificate generation method, the private key would be generated on the machine to which it applied and should never leave it.)

sami-hep · December 29, 2021, 7:14am

yes but if i nominated one of the two servers to act as a CA, then at this server i generated the certificates.

now i need to copy this certificate and put it at the other server.

the question is: when i need to copy the files to an ip phone, then i put these certificate files at a location then i can tell this ip phone where these TLS certificates are because there is a parameter that asks for the certificates!
but now, at my example, i put these certificates at the other server but then how could i inform the trunk at that server about the location of the certificate! what are the options at pjsip.conf which allows me to do that?

david551 · December 29, 2021, 10:58am

The options used are the same on both machines, just that different user agent certificates and keys are used:

github.com

asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample#L1029

    
      
          ;==========================TRANSPORT SECTION OPTIONS=========================
          ;[transport]
          ;  SYNOPSIS: SIP Transport
          ;
          ;async_operations=1     ; Number of simultaneous Asynchronous Operations
                                  ; (default: "1")
          ;bind=  ; IP Address and optional port to bind to for this transport (default:
                  ; "")
          ; Note that for the Websocket transport the TLS configuration is configured
          ; in http.conf and is applied for all HTTPS traffic.
          ;ca_list_file=  ; File containing a list of certificates to read TLS ONLY
                          ; (default: "")
          ;ca_list_path=  ; Path to directory containing certificates to read TLS ONLY.
                          ; PJProject version 2.4 or higher is required for this option to
                          ; be used.
                          ; (default: "")
          ;cert_file=     ; Certificate file for endpoint TLS ONLY
                          ; Will read .crt or .pem file but only uses cert,
                          ; a .key file must be specified via priv_key_file.
                          ; Since PJProject version 2.5: If the file name ends in _rsa,
                          ; for example "asterisk_rsa.pem", the files "asterisk_dsa.pem"

ca_list_file or ca_list_path for the CA certificate file. cert_file for the specific machine’s user agent certificate, and priv_key_file for the specific machine’s private key file.

system · January 28, 2022, 10:59am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pjsip trunk 2 asterisk servers Asterisk SIP	11	1832	November 19, 2021
PJSIP trunking. Trunk not established Asterisk SIP	6	2012	March 14, 2017
SIP Trunk with TLS Asterisk SIP	2	652	May 17, 2023
SIP TLS TRUNK between 2 asterisk server Asterisk Support	26	4145	March 31, 2022
Trunk with auth between 2 Asterisks PJSIP Asterisk Support	0	612	December 20, 2015

Pjsip trunk with tls registration

Related topics