Secure outgoing calls (TLS)

Hi,
I have some questions about Asterisk and TLS.
I have Asterisk with TLS enabled, with these settings:

tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
#and all this stuff

If I'm not mistaken, this means it is secure between Asterisk and SIP clients.
My questions are:

  1. How could I secure an outgoing call to another Asterisk? Something like this:
     Is it possible just with Server_a registering to Server_b? Like this: (wiki.asterisk.org/wiki/display/ … +Transport)

  2. When I use ENUM, how do I secure outgoing calls to unknown VoIP servers?

There’s two layers of security available.

TLS secures the signalling portion of SIP. Registration, call processing/progress, and other SIP messages. It DOES NOT secure the voice path.

If you want to encrypt voice, you need to use either SRTP or ZRTP to encrypt the voice packets along with TLS to secure the messaging path. You must secure the messaging path via TLS first before attempting SRTP/ZRTP otherwise the keys exchanged to encrypt the voice path are exchanged in cleartext. Kind of pointless.

You can use TLS/SRTP to any endpoint that supports it, either Asterisk or an end user with a crypto-friendly softphone.

Once you have TLS/SRTP installed, it is up to you to configure how you want Asterisk to handle encryption. You can set SIP peers/users to one of 3 options: “Never use encryption”, “Offer to use encryption, but proceed anyway if encryption cannot be negotiated”, and “Do not connect unless an encrypted session can be negotiated”.
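As an added illustration (not from this thread, and not the original poster's configuration), the following pjsip.conf fragment shows the two layers described above for a trunk to Server_b: a TLS transport for the signalling, an outbound registration over it, and one endpoint per media-encryption policy. It assumes the PJSIP channel driver (the poster's keys are chan_sip ones), and every hostname, file path, username, context name and section name is a placeholder.

```ini
; Added example, not the thread's own config. Hostnames, paths, credentials
; and section names are assumed placeholders.

; --- Layer 1: TLS for the SIP signalling ---------------------------------
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.pem
priv_key_file=/etc/asterisk/keys/asterisk.key
ca_list_file=/etc/asterisk/keys/ca.crt
method=tlsv1_2
; Check the remote certificate chain against ca_list_file. Without this,
; TLS still encrypts the link but does not tell you who is on the other end.
verify_server=yes
verify_client=yes

; --- Outbound registration of Server_a to Server_b over that transport ---
[auth-serverb]
type=auth
auth_type=userpass
username=servera
password=CHANGE_ME

[reg-serverb]
type=registration
transport=transport-tls
outbound_auth=auth-serverb
server_uri=sip:serverb.example.com:5061\;transport=tls
client_uri=sip:servera@serverb.example.com

; Where outbound calls to Server_b are sent; the "\;" keeps the URI
; parameter from being read as a config comment.
[serverb]
type=aor
contact=sip:serverb.example.com:5061\;transport=tls

; --- Layer 2: SRTP for the media, one endpoint per policy ----------------

; "Never use encryption": signalling over TLS, media as plain RTP.
[serverb-plain]
type=endpoint
transport=transport-tls
context=from-serverb
disallow=all
allow=ulaw
aors=serverb
outbound_auth=auth-serverb
media_encryption=no

; "Offer encryption, but proceed if it cannot be negotiated": SRTP keys
; travel in the SDP (which the TLS layer now protects); if Server_b
; answers with plain RTP the call still goes ahead.
[serverb-optimistic]
type=endpoint
transport=transport-tls
context=from-serverb
disallow=all
allow=ulaw
aors=serverb
outbound_auth=auth-serverb
media_encryption=sdes
media_encryption_optimistic=yes

; "Do not connect unless an encrypted session can be negotiated":
; the call fails if Server_b will not agree to SRTP.
[serverb-required]
type=endpoint
transport=transport-tls
context=from-serverb
disallow=all
allow=ulaw
aors=serverb
outbound_auth=auth-serverb
media_encryption=sdes
media_encryption_optimistic=no

; extensions.conf would then dial one of these endpoints, e.g.
;   exten => _X.,1,Dial(PJSIP/${EXTEN}@serverb-required)
```

Only the `serverb-required` endpoint gives the guarantee the question asks for: with `verify_server=yes` on the transport the connection is refused unless Server_b's certificate chains to something in `ca_list_file`, and with `media_encryption_optimistic=no` the call is refused unless the media is SRTP as well. The other two endpoints are there to show what the weaker settings look like side by side.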

Great explanation jpsharp, good contribution. Keep it up!

If you want security to an unknown party, you are both going to have to have your certificates signed by a trusted third party, otherwise you are vulnerable to man in the middle attacks. At most this guarantees that you are talking to the phone number you tried to dial. Checking that the organisation is the intended one probably requires retrieving the actual certificate, something that I suspect is not that easy.

A lot of TLS applications either only authenticate one way, or don’t carry out all the checks. I’m not sure how well behaved Asterisk is.