I followed the Secure Calling tutorial in the Asterisk wiki in order to achieve TLS with SDES encryption, so I was able to generate keys and certificates.
Then I configured TLS and endpoints in pjsip.conf:
```
[transport-tls1]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1

[44301]
type = endpoint
context = phones
disallow = all
allow = ulaw,alaw,gsm
aors = 44301
auth = auth44301
device_state_busy_at=1
direct_media=no
media_encryption=sdes
dtmf_mode=rfc4733

[44301]
type = aor
max_contacts = 1
remove_existing=yes

[auth44301]
type=auth
auth_type=userpass
password=123
username=44301
```
And the other endpoint, 44302, is similar.
**Anyway, I used the Blink softphone, then I configured TLS with the port and added the certificates ca.crt and client.pem.**
I was able to register the endpoints.
I made a call without setting SDES in Blink, and I removed encryption_mode from pjsip.
Then the call worked fine.
**Then I set encryption to SDES in Blink and re-added encryption_mode=sdes.**
But when I make a call it always says 488 Not Acceptable, and here are the logs:
```
<--- Received SIP request (1121 bytes) from TLS:192.168.133.146:51070 --->
INVITE sip:44302@192.168.133.222 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.146:51070;rport;branch=z9hG4bKPje43b2e854153439f9b6dde0b452c6711;alias
Max-Forwards: 70
From: "44301" sip:44301@192.168.133.222;tag=4b66bb3fe5614065b7d02a12c9f143a7
To: sip:44302@192.168.133.222
Contact: sip:79528613@192.168.133.146:51081;transport=tls
Call-ID: 56464b50b47947b9a6e2d25bea563ff3
CSeq: 30160 INVITE
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: replaces, norefersub, gruu
User-Agent: Blink 3.2.0 (Windows)
Content-Type: application/sdp
Content-Length: 517

v=0
o=- 3794895279 3794895279 IN IP4 192.168.133.146
s=Blink 3.2.0 (Windows)
t=0 0
m=audio 50020 RTP/SAVP 113 9 0 8 101
c=IN IP4 192.168.133.146
a=rtcp:50021
a=rtpmap:113 opus/48000/2
a=fmtp:113 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:6pwzMoqu8vvwq/KRXenf7Gi4V4qZ+1bLD4zkKGqU
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:w16aghr3DEkGl6Blt+C60VLoUiIrdqTdA6hpToje
a=sendrecv

<--- Transmitting SIP response (591 bytes) to TLS:192.168.133.146:51070 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.133.146:51070;rport=51070;received=192.168.133.146;branch=z9hG4bKPje43b2e854153439f9b6dde0b452c6711;alias
Call-ID: 56464b50b47947b9a6e2d25bea563ff3
From: "44301" sip:44301@192.168.133.222;tag=4b66bb3fe5614065b7d02a12c9f143a7
To: sip:44302@192.168.133.222;tag=z9hG4bKPje43b2e854153439f9b6dde0b452c6711
CSeq: 30160 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1585895680/ea9aac9606c630b71bd4153b77e78525",opaque="33cd922350d34520",algorithm=md5,qop="auth"
Server: Asterisk PBX certified/16.3-cert1
Content-Length: 0

<--- Received SIP request (434 bytes) from TLS:192.168.133.146:51070 --->
ACK sip:44302@192.168.133.222 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.146:51070;rport;branch=z9hG4bKPje43b2e854153439f9b6dde0b452c6711;alias
Max-Forwards: 70
From: "44301" sip:44301@192.168.133.222;tag=4b66bb3fe5614065b7d02a12c9f143a7
To: sip:44302@192.168.133.222;tag=z9hG4bKPje43b2e854153439f9b6dde0b452c6711
Call-ID: 56464b50b47947b9a6e2d25bea563ff3
CSeq: 30160 ACK
User-Agent: Blink 3.2.0 (Windows)
Content-Length: 0

<--- Received SIP request (1418 bytes) from TLS:192.168.133.146:51070 --->
INVITE sip:44302@192.168.133.222 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.146:51070;rport;branch=z9hG4bKPjedfdb54c1a0e4ef497b1a0df19d09563;alias
Max-Forwards: 70
From: "44301" sip:44301@192.168.133.222;tag=4b66bb3fe5614065b7d02a12c9f143a7
To: sip:44302@192.168.133.222
Contact: sip:79528613@192.168.133.146:51081;transport=tls
Call-ID: 56464b50b47947b9a6e2d25bea563ff3
CSeq: 30161 INVITE
Allow: SUBSCRIBE, NOTIFY, INVITE, ACK, BYE, CANCEL, UPDATE, MESSAGE, REFER
Supported: replaces, norefersub, gruu
User-Agent: Blink 3.2.0 (Windows)
Authorization: Digest username="44301", realm="asterisk", nonce="1585895680/ea9aac9606c630b71bd4153b77e78525", uri="sip:44302@192.168.133.222", response="3e33f0f09be2b651b1da4b4b7116d6f9", algorithm=md5, cnonce="09c015dab2db45dbb9ffc429cd98efdd", opaque="33cd922350d34520", qop=auth, nc=00000001
Content-Type: application/sdp
Content-Length: 517

v=0
o=- 3794895279 3794895279 IN IP4 192.168.133.146
s=Blink 3.2.0 (Windows)
t=0 0
m=audio 50020 RTP/SAVP 113 9 0 8 101
c=IN IP4 192.168.133.146
a=rtcp:50021
a=rtpmap:113 opus/48000/2
a=fmtp:113 useinbandfec=1
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:6pwzMoqu8vvwq/KRXenf7Gi4V4qZ+1bLD4zkKGqU
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:w16aghr3DEkGl6Blt+C60VLoUiIrdqTdA6hpToje
a=sendrecv

== Setting global variable 'SIPDOMAIN' to '192.168.133.222'

<--- Transmitting SIP response (393 bytes) to TLS:192.168.133.146:51070 --->
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 192.168.133.146:51070;rport=51070;received=192.168.133.146;branch=z9hG4bKPjedfdb54c1a0e4ef497b1a0df19d09563;alias
Call-ID: 56464b50b47947b9a6e2d25bea563ff3
From: "44301" sip:44301@192.168.133.222;tag=4b66bb3fe5614065b7d02a12c9f143a7
To: sip:44302@192.168.133.222
CSeq: 30161 INVITE
Server: Asterisk PBX certified/16.3-cert1
Content-Length: 0

<--- Transmitting SIP response (447 bytes) to TLS:192.168.133.146:51070 --->
SIP/2.0 488 Not Acceptable Here
Via: SIP/2.0/TLS 192.168.133.146:51070;rport=51070;received=192.168.133.146;branch=z9hG4bKPjedfdb54c1a0e4ef497b1a0df19d09563;alias
Call-ID: 56464b50b47947b9a6e2d25bea563ff3
From: "44301" sip:44301@192.168.133.222;tag=4b66bb3fe5614065b7d02a12c9f143a7
To: sip:44302@192.168.133.222;tag=c33ba276-2cd9-43cc-9c51-ee7fbb6e47cd
CSeq: 30161 INVITE
Server: Asterisk PBX certified/16.3-cert1
Content-Length: 0

<--- Received SIP request (429 bytes) from TLS:192.168.133.146:51070 --->
ACK sip:44302@192.168.133.222 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.146:51070;rport;branch=z9hG4bKPjedfdb54c1a0e4ef497b1a0df19d09563;alias
Max-Forwards: 70
From: "44301" sip:44301@192.168.133.222;tag=4b66bb3fe5614065b7d02a12c9f143a7
To: sip:44302@192.168.133.222;tag=c33ba276-2cd9-43cc-9c51-ee7fbb6e47cd
Call-ID: 56464b50b47947b9a6e2d25bea563ff3
CSeq: 30161 ACK
User-Agent: Blink 3.2.0 (Windows)
Content-Length: 0
```
**And one more thing:**
There is always a SUBSCRIBE signal; I don't understand why it is sent, and it is not being authorized:
```
<--- Received SIP request (699 bytes) from TLS:192.168.133.146:51070 --->
SUBSCRIBE sip:44301@192.168.133.222 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.146:51070;rport;branch=z9hG4bKPj2a83e3a4c5774c89b077a0d151506506;alias
Max-Forwards: 70
From: "44301" sip:44301@192.168.133.222;tag=b55fc3bc676e46578fac63ca3bf0d12d
To: sip:44301@192.168.133.222
Contact: sip:79528613@192.168.133.146:51081;transport=tls
Call-ID: f6b7e45da6a44c04840750ebe5ec6ee1
CSeq: 11021 SUBSCRIBE
Event: message-summary
Expires: 600
Supported: 100rel, replaces, norefersub, gruu
Accept: application/simple-message-summary
Allow-Events: conference, message-summary, dialog, presence, presence.winfo, xcap-diff, dialog.winfo, refer
User-Agent: Blink 3.2.0 (Windows)
Content-Length: 0

<--- Transmitting SIP response (594 bytes) to TLS:192.168.133.146:51070 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.133.146:51070;rport=51070;received=192.168.133.146;branch=z9hG4bKPj2a83e3a4c5774c89b077a0d151506506;alias
Call-ID: f6b7e45da6a44c04840750ebe5ec6ee1
From: "44301" sip:44301@192.168.133.222;tag=b55fc3bc676e46578fac63ca3bf0d12d
To: sip:44301@192.168.133.222;tag=z9hG4bKPj2a83e3a4c5774c89b077a0d151506506
CSeq: 11021 SUBSCRIBE
WWW-Authenticate: Digest realm="asterisk",nonce="1585895629/259f5f63ba466b1b169fa1e040a048a1",opaque="7096d73218097dde",algorithm=md5,qop="auth"
Server: Asterisk PBX certified/16.3-cert1
Content-Length: 0

<--- Received SIP request (996 bytes) from TLS:192.168.133.146:51070 --->
SUBSCRIBE sip:44301@192.168.133.222 SIP/2.0
Via: SIP/2.0/TLS 192.168.133.146:51070;rport;branch=z9hG4bKPjfc38c54f99df4d43aaae479d5289d48d;alias
Max-Forwards: 70
From: "44301" sip:44301@192.168.133.222;tag=b55fc3bc676e46578fac63ca3bf0d12d
To: sip:44301@192.168.133.222
Contact: sip:79528613@192.168.133.146:51081;transport=tls
Call-ID: f6b7e45da6a44c04840750ebe5ec6ee1
CSeq: 11022 SUBSCRIBE
Event: message-summary
Expires: 600
Supported: 100rel, replaces, norefersub, gruu
Accept: application/simple-message-summary
Allow-Events: conference, message-summary, dialog, presence, presence.winfo, xcap-diff, dialog.winfo, refer
User-Agent: Blink 3.2.0 (Windows)
Authorization: Digest username="44301", realm="asterisk", nonce="1585895629/259f5f63ba466b1b169fa1e040a048a1", uri="sip:44301@192.168.133.222", response="9075b5eb08dc988b40de27bead8195c2", algorithm=md5, cnonce="e4a08bb680d94baa88d805220f46ca1b", opaque="7096d73218097dde", qop=auth, nc=00000001
Content-Length: 0

<--- Transmitting SIP response (445 bytes) to TLS:192.168.133.146:51070 --->
SIP/2.0 404 Not Found
Via: SIP/2.0/TLS 192.168.133.146:51070;rport=51070;received=192.168.133.146;branch=z9hG4bKPjfc38c54f99df4d43aaae479d5289d48d;alias
Call-ID: f6b7e45da6a44c04840750ebe5ec6ee1
From: "44301" sip:44301@192.168.133.222;tag=b55fc3bc676e46578fac63ca3bf0d12d
To: sip:44301@192.168.133.222;tag=z9hG4bKPjfc38c54f99df4d43aaae479d5289d48d
CSeq: 11022 SUBSCRIBE
Server: Asterisk PBX certified/16.3-cert1
Content-Length: 0
```
I only posted this for one endpoint, which is 44301, but both are making the same SUBSCRIBE method and eventually it says Not Found.
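
An added example, not part of the original post: a consistency check of the SDP offer in the INVITE above against the endpoint settings shown (`media_encryption=sdes`, `allow=ulaw,alaw,gsm`). The function name `check_offer`, the codec-name map and the trimmed offer text are assumptions made for this example.

```python
import base64
import re

# SDP offer copied from the INVITE in the post (session, fmtp and rtcp lines trimmed).
OFFER = """\
m=audio 50020 RTP/SAVP 113 9 0 8 101
a=rtpmap:113 opus/48000/2
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:6pwzMoqu8vvwq/KRXenf7Gi4V4qZ+1bLD4zkKGqU
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:w16aghr3DEkGl6Blt+C60VLoUiIrdqTdA6hpToje
"""

# Asterisk allow= names -> SDP encoding names (RFC 3551); assumed subset.
CODEC_NAMES = {"ulaw": "PCMU", "alaw": "PCMA", "gsm": "GSM", "g722": "G722"}
# RFC 4568: both suites use a 16-byte master key followed by a 14-byte salt.
KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}
CRYPTO_RE = re.compile(r"a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)")


def check_offer(sdp, allow, media_encryption):
    """Return mismatches between an SDP audio offer and endpoint settings."""
    lines = sdp.splitlines()
    m_line = next((l for l in lines if l.startswith("m=audio ")), None)
    if m_line is None:
        return ["no m=audio line"]
    problems = []
    profile = m_line.split()[2]
    wanted = "RTP/SAVP" if media_encryption == "sdes" else "RTP/AVP"
    if profile != wanted:
        problems.append(f"profile {profile}, settings call for {wanted}")
    cryptos = [c.groups() for c in map(CRYPTO_RE.match, lines) if c]
    if media_encryption == "sdes" and not cryptos:
        problems.append("no a=crypto attribute")
    for tag, suite, key in cryptos:
        if suite not in KEY_SALT_LEN:
            problems.append(f"crypto {tag}: suite {suite} not covered here")
        elif len(base64.b64decode(key)) != KEY_SALT_LEN[suite]:
            problems.append(f"crypto {tag}: key||salt is not 30 bytes")
    # Only rtpmap-declared codecs are compared; bare static payloads are ignored.
    offered = {l.split()[1].split("/")[0].upper()
               for l in lines if l.startswith("a=rtpmap:")}
    if not offered & {CODEC_NAMES.get(a, a.upper()) for a in allow}:
        problems.append("no codec in common with allow=")
    return problems
```

`check_offer(OFFER, ["ulaw", "alaw", "gsm"], "sdes")` returns an empty list, so the offer is consistent with the endpoint settings shown; that moves the search for the 488 to the server side, for example whether the `res_srtp` module is loaded (`module show like srtp` at the Asterisk CLI).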