I am trying to set up TLS in a secure way. Asterisk is version 15.6, Zoiper is version 3.14.
Currently I can make outbound calls, but SIP endpoints (Zoiper) can't receive a call.
The status when I do a `sip show peers` is Unreachable; it does show port 5061, which should be correct.
On the console window I see the following message:
[Oct 18 13:27:03] ERROR[31155]: tcptls.c:553 ast_tcptls_client_start: Unable to connect SIP socket to 10.119.101.243:5061: Connection timed out (My ip address of local station)
[Oct 18 13:27:03] ERROR[31155]: iostream.c:556 ast_iostream_close: close() failed: Bad file descriptor
That's an unusual diagnostic. My guess is that it never got an ARP response when trying to route the TCP SYN to that address, i.e. a low-level network problem.
I don’t understand what that is from… it’s like DAHDI, IAX2, and SIP configuration all thrown together. Your problem, though, is likely “nat=no”. Set it to “nat=yes” for testing and try again.
I don't think reinvite is valid, even as a deprecated value, and "devicie" is not a valid spelling, as well as not being anything I recognize. I'm not sure you have a complete set of parameters for any technology, but it's certainly not complete for chan_sip.
In the text file configuration, chan_sip needs a host= parameter, which should either be “dynamic”, or the host name of the peer. It should not, normally, be your own host name.
To get a good cert I did the following:
Generated a key of 4096-bit length,
Generated a CSR,
Had a cert issued,
Used the trusted chain as the CA,
Used the cert to make my asterisk.pem file.
I'm now focused on getting security set high:
for tlsclientmethod = TLSv1_2
for tlscipher = RSA:+HIGH
I have a lot of issues still. Has anyone done a good write-up on securing Asterisk properly? I must be missing something, as the more I do to set good ciphers and TLSv1_2, the less I get what I should be getting.
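The key/CSR/pem steps listed in the post above, scripted as an added example (this is not code from the thread or from the Asterisk project). A throwaway self-signed "Test CA" stands in for the real CA that issued the poster's cert; the hostname, file names and the $WORK directory are assumptions, and the final check verifies that the key and cert in asterisk.pem actually belong together:

```shell
#!/bin/sh
# Added example, not from the thread: build asterisk.pem from key + issued
# cert and verify the pieces match. Paths and CN are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 1-2: 4096-bit RSA key and a CSR for the PBX hostname (assumed CN).
gen_key_and_csr() {
  openssl genrsa -out "$WORK/asterisk.key" 4096 2>/dev/null
  openssl req -new -key "$WORK/asterisk.key" -subj "/CN=pbx.example.test" \
    -out "$WORK/asterisk.csr" 2>/dev/null
}

# Step 3: stand-in for the real CA. A self-signed test CA signs the CSR;
# in production the CSR goes to your CA and you get back cert + chain.
issue_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/CN=Test CA" -days 365 -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/asterisk.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 365 \
    -out "$WORK/asterisk.crt" 2>/dev/null
}

# Step 4-5: asterisk.pem = private key followed by the server cert. This is
# the file chan_sip's tlscertfile= points at; the chain goes into tlscafile=.
build_pem() {
  cat "$WORK/asterisk.key" "$WORK/asterisk.crt" > "$WORK/asterisk.pem"
  chmod 600 "$WORK/asterisk.pem"
}

# Check: the public key inside the cert must equal the one derived from the
# private key (catches a cert issued for an older CSR), and the cert must
# chain to the CA. Returns 0 on success.
verify_pem() {
  k=$(openssl pkey -in "$WORK/asterisk.pem" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/asterisk.pem" -noout -pubkey 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ] || { echo "key/cert mismatch in asterisk.pem" >&2; return 1; }
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/asterisk.crt" >/dev/null 2>&1
}

gen_key_and_csr && issue_with_test_ca && build_pem && verify_pem \
  && echo "asterisk.pem built and verified in $WORK"
```

Run it once and point tlscertfile= at the resulting asterisk.pem and tlscafile= at the CA chain file; re-run verify_pem after any renewal, because a cert issued against an old CSR will load without complaint and then fail every handshake.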
When it comes to SIP over TLS with SDES-SRTP, I recommend sniffing the whole network traffic via tools like Wireshark. Wireshark can even decrypt TLS/SSL traffic when a non-PFS-based cipher suite was negotiated. For this, you add your private key via Wireshark → Preferences → Protocols → TLS (or SSL) → RSA keys: any/5061/sip.tcp
This cipher suite is not supported by many VoIP/SIP clients because it does not involve certificates (Anonymous Cipher Suite). For testing with Wireshark, I recommend AES128-GCM-SHA256:AES128-SHA. For a production system, ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA is a good starter.
My Zoiper Premium 3.21.1 for iPhone still does not support DTLS-SRTP, just SDES-SRTP. Therefore, I would set that to the default value 'no'.
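To see what a tlscipher= string such as RSA:+HIGH actually enables, and why Wireshark's RSA-key decryption works for the test list above but not for an all-ECDHE production list, here is an added example (not from the thread, not Asterisk code) that expands a cipher string with the local OpenSSL and reports whether every TLS 1.2 suite uses an ephemeral key exchange. The cipher strings are the ones posted in this thread; the function names are mine:

```shell
#!/bin/sh
# Added example, not from the thread: expand an OpenSSL cipher string the
# way chan_sip's tlscipher= would and check for forward secrecy.
# Wireshark's "RSA keys" decryption only applies to suites with Kx=RSA.
set -eu

# Print "NAME KX" for each TLS <= 1.2 suite the string expands to.
# TLS 1.3 suites are listed by newer OpenSSL regardless of the string and
# are not controlled by tlscipher=, so they are filtered out here.
expand_suites() {
  openssl ciphers -v "$1" 2>/dev/null \
    | awk '$2 != "TLSv1.3" { sub(/^Kx=/, "", $3); print $1, $3 }'
}

# Number of TLS <= 1.2 suites the string enables (0 for an unknown string).
count_suites() {
  expand_suites "$1" | wc -l | tr -d ' '
}

# Returns 0 only if every enabled suite uses ephemeral (EC)DH key exchange,
# i.e. no suite can be decrypted offline with the server's RSA private key.
all_pfs() {
  n=$(count_suites "$1")
  [ "$n" -gt 0 ] || return 1
  expand_suites "$1" | awk '$2 != "ECDH" && $2 != "DH" { bad = 1 } END { exit bad }'
}

for s in 'RSA:+HIGH' \
         'AES128-GCM-SHA256:AES128-SHA' \
         'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA' \
         'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'; do
  if all_pfs "$s"; then pfs=yes; else pfs=no; fi
  printf '%-75s suites=%s all_pfs=%s\n' "$s" "$(count_suites "$s")" "$pfs"
done
```

The poster's RSA:+HIGH string matches every suite that uses RSA for either key exchange or authentication, so it still contains plain-RSA key exchange suites alongside the ECDHE ones; the recommended production list keeps one non-PFS suite (AES128-SHA) only for old clients. To confirm what a phone actually negotiates, `openssl s_client -connect pbx:5061 -tls1_2` against the PBX prints the selected suite.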