VoIP Mailing List Archives

[byrnejb at harte-lyne.ca]

CentOS-6.5 (FreePBX-2.6)
Asterisk-11.14.2 (FreePBX)
snom870-SIP 8.7.3.25.5

I am having a very difficult time attempting to get TLS and SRTP
working with Asterisk and anything else. At the moment I am trying to
get TLS functioning with our Snom870 desk-sets. And I am not having
much luck.

Since this is an extraordinarily (to me) Byzantine environemnt I am
going to ask if any of you have gotten this set-up (Asterisk11 with
Snom870s using TLS) to work and if so could you provide the details?

I have this in Asterisk sip.conf (loaded through FreePBXs
sip_general_additional.conf).

tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1

And I have this for the test device context:

[41712]
deny=0.0.0.0/0.0.0.0
secret=NearlyANastyThat
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
sendrpid=no
type=friend
nat=no
port=5060
qualify=yes
qualifyfreq=60
transport=tls,udp,tcp
avpf=no
force_avp=no
icesupport=no
encryption=yes
callgroup=
pickupgroup=
dial=SIP/41712
mailbox=41712@device
permit=192.168.6.0/255.255.255.0
callerid=James B Byrne <41712>
callcounter=yes
faxdetect=no
cc_monitor_policy=generic

If I change the transport setting to TLS then I get this reported:

[2015-03-03 11:10:08] ERROR[22244]: tcptls.c:875
ast_tcptls_client_start: Unable to connect SIP socket to
192.168.6.112:5060: Connection refused

I cannot seem to configure the Snom870 to listen for TCP on 5060.
There is a setting for that on the phone but it seems to have no
effect (it always returns to NO following a reboot). The Snom website
says that the option is not available in FW8.5 and later. It does not
inform one of whether that the phone listens by default or not on
FW8.5+, only that the option has no effect.

It also does not say, as far as I can find, whether Snom870s listen
for TCP at all or on what port. One may infer that since these
devices purport to support TLS that the answer is yes and that TCP5061
is a likely candidate. But they do not seem to come right out and say
so anywhere.

In a section devoted to the Snom370, which is a model that we do not
employ, there is reference to DNS SRV RRs. The inference drawn from
the examples given is that these will control what ports the Snom will
listen on for which services.

We have such records in our DNS zone. They look like this:

;# Configure sip/sips service records (VOIP)
;HOST TTL CLASS TYPE ORDER PREF FLAGS SERVICE REGEXP REPLACEMENT

300 IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.harte-lyne.ca.

300 IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.harte-lyne.ca.

300 IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.harte-lyne.ca.

;HOST TTL CLASS TYPE ORDER PREF PORT TARGET

_sips._tcp.harte-lyne.ca. 300 IN SRV 10 10 5061 voinet09.hamilton.harte-lyne.ca.

_sip._tcp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.

_sip._udp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.

However, our phones are configured to use SIP accounts having the form
account@ipv4-addr. I doubt greatly that the Snom870s will perform a
reverse DNS lookup on the provider's IPv4 to discover the forward zone
domain and thus I do not believe that SRV RRs can help us in this
instance. They certainly do not seem to have any effect.

Asterisk seems not to distinguish between 5060 and 5061 regarless of
protocol. I am not sure then how to proceed. Is there a way to force
Asterisk to talk to port TCP5061 on a specific device? Is this an
exclusive setting?

This long background is by way of asking for help. If I have not
provided specific information that is significant to this problem then
I will do so if asked.

What I am attempting has to be possible. Somehow. And somebody must
have already accomplished this. Somewhere.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users

[webaccounts173 at jgoe...]

Am 03.03.2015 um 18:16 schrieb James B. Byrne:

[byrnejb at harte-lyne.ca]

These are the sip settings on our installion.

Global Settings:
----------------
UDP Bindaddress: 0.0.0.0:5060
TCP SIP Bindaddress: 0.0.0.0:5060
TLS SIP Bindaddress: (null)
Videosupport: No
Textsupport: No
Ignore SDP sess. ver.: No
AutoCreate Peer: Off
Match Auth Username: No
Allow unknown access: Yes
Allow subscriptions: Yes
Allow overlap dialing: Yes
Allow promisc. redir: No
Enable call counters: No
SIP domain support: No
Realm. auth: No
Our auth realm asterisk
Use domains as realms: No
Call to non-local dom.: Yes
URI user is phone no: No
Always auth rejects: Yes
Direct RTP setup: No
User Agent: FPBX-12.0.40(11.14.2)
SDP Session Name: Asterisk PBX 11.14.2
SDP Owner Name: root
Reg. context: (not set)
Regexten on Qualify: No
Trust RPID: No
Send RPID: No
Legacy userfield parse: No
Send Diversion: Yes
Caller ID: Unknown
From: Domain:
Record SIP history: Off
Call Events: On
Auth. Failure Events: Off
T.38 support: No
T.38 EC mode: Unknown
T.38 MaxDtgrm: 4294967295
SIP realtime: Disabled
Qualify Freq : 60000 ms
Q.850 Reason header: No
Store SIP_CAUSE: No

Network QoS Settings:
---------------------------
IP ToS SIP: CS3
IP ToS RTP audio: EF
IP ToS RTP video: AF41
IP ToS RTP text: CS0
802.1p CoS SIP: 4
802.1p CoS RTP audio: 5
802.1p CoS RTP video: 6
802.1p CoS RTP text: 5
Jitterbuffer enabled: No

Network Settings:
---------------------------
SIP address remapping: Enabled using externaddr
Externhost: <none>
Externaddr: 216.185.71.9:0
Externrefresh: 10
Localnet: 216.185.71.0/255.255.255.0
192.168.6.0/255.255.255.0
192.168.209.0/255.255.255.0
192.168.216.0/255.255.255.0
192.168.71.0/255.255.255.0

Global Signalling Settings:
---------------------------
Codecs: (gsm|ulaw|alaw)
Codec Order: ulaw:20,alaw:20,gsm:20
Relax DTMF: No
RFC2833 Compensation: No
Symmetric RTP: Yes
Compact SIP headers: No
RTP Keepalive: 0 (Disabled)
RTP Timeout: 30
RTP Hold Timeout: 300
MWI NOTIFY mime type: application/simple-message-summary
DNS SRV lookup: No
Pedantic SIP support: Yes
Reg. min duration 60 secs
Reg. max duration: 3600 secs
Reg. default duration: 120 secs
Sub. min duration 60 secs
Sub. max duration: 3600 secs
Outbound reg. timeout: 20 secs
Outbound reg. attempts: 0
Outbound reg. retry 403:0
Notify ringing state: Yes
Include CID: No
Notify hold state: Yes
SIP Transfer mode: open
Max Call Bitrate: 384 kbps
Auto-Framing: No
Outb. proxy: <not set>
Session Timers: Accept
Session Refresher: uas
Session Expires: 1800 secs
Session Min-SE: 90 secs
Timer T1: 500
Timer T1 minimum: 100
Timer B: 32000
No premature media: Yes
Max forwards: 70

Default Settings:
-----------------
Allowed transports: UDP
Outbound transport: UDP
Context: from-sip-external
Record on feature: automon
Record off feature: automon
Force rport: Yes
DTMF: rfc2833
Qualify: 0
Keepalive: 0
Use ClientCode: No
Progress inband: Never
Language:
Tone zone: <Not set>
MOH Interpret: default
MOH Suggest:
Voice Mail Extension: *97

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users

[cloos at jhcloos.com]

[byrnejb at harte-lyne.ca]

On Tue, March 3, 2015 13:19, jg wrote:

[byrnejb at harte-lyne.ca]

On Tue, March 3, 2015 13:37, James Cloos wrote:

[byrnejb at harte-lyne.ca]

I reconfigured sip.conf to have these settings:

tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.pem
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1
tlsprivatekey=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.key
tcpbindaddr=0.0.0.0/0.0.0.0:5061
tlsbindaddr=0.0.0.0/0.0.0.0:5061

Following amportal a r I see this:


[2015-03-03 16:26:48] ERROR[17130]: tcptls.c:875
ast_tcptls_client_start: Unable to connect SIP socket to
192.168.6.112:5060: Connection refused

This is what sip show settings reveals:


Global Settings:
----------------
UDP Bindaddress: 0.0.0.0:5060
TCP SIP Bindaddress: 0.0.0.0:5060
TLS SIP Bindaddress: 0.0.0.0:5061


Is it just me or is there something odd about specifying a TCP port
and then having it ignored?



--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users

[cloos at jhcloos.com]

Other things to consider:

The transport config, which can be in [general] or in a peer's [] block.
if you want tls-only, use transport=tls
it also accepts tcp, udp or a comma-separated list.
if given a list, it tries them in order

If you need ast to register over tls, use something like this:

register => tls://username:xxxxxx@sip-tls-proxy.example.org

(copied from the example sip.conf).

Set tlsbindaddr to the address to which to bind(2) the tls socket.
tlsbindaddr=0.0.0.0 is typical in ipv4-only configs.

-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users

[byrnejb at harte-lyne.ca]

On Tue, March 3, 2015 16:34, James Cloos wrote:

[byrnejb at harte-lyne.ca]

This seems to me to be getting down to some sort of problem with
configuring the Snom-870.

when I register the device 41712 (set up for transport=tls only) then
I see this in the SIP trace:


Sent to udp:192.168.6.9:5060 at 4/3/2015 09:07:36:813 (836 bytes):

REGISTER sip:voinet09.internal.hamilton.harte-lyne.ca:5061 SIP/2.0
Via: SIP/2.0/UDP 192.168.6.112:5060;branch=z9hG4bK-udx92poqese6;rport
From: "James B Byrne"
<sip:41712@voinet09.internal.hamilton.harte-lyne.ca:5061>;tag=frgaimnglp
To: "James B Byrne"
<sip:41712@voinet09.internal.hamilton.harte-lyne.ca:5061>
Call-ID: 710000004941-gk6y4evf6dci
CSeq: 482 REGISTER
Max-Forwards: 70
Contact:
<sip:41712@192.168.6.112:5060;line=0p8zx4sh>;reg-id=1;q=1.0;+sip.instance="<urn:uuid:ad1349a7-e08d-411b-83b0-000413281B56>";audio;mobility="fixed";duplex="full";description="snom870";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
User-Agent: snom870/8.7.3.25.5
Allow-Events: dialog
X-Real-IP: 192.168.6.112
Supported: path, gruu
Expires: 3600
Content-Length: 0


The SNOM-870 is sending registration via UDP and not by TLS. Is that
how things are supposed to work? If only TLS is enabled in Asterisk
for that peer then evidently the peer cannot register. But is
registration supposed to be done via TLS? If so then how does one
configure the Snom to do so?

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users