95 lines
2.7 KiB
Plaintext
95 lines
2.7 KiB
Plaintext
Asterisk SIP/TLS Transport
|
|
==========================
|
|
|
|
When using TLS the client will typically check the validity of the
|
|
certificate chain. So that means you either need a certificate that is
|
|
signed by one of the larger CAs, or if you use a self signed certificate
|
|
you must install a copy of your CA on the client.
|
|
|
|
So far this code has been test with:
|
|
Asterisk as client and server (TLS and TCP)
|
|
Polycom Soundpoint IP Phones (TLS and TCP)
|
|
Polycom phones require that the host (ip or hostname) that is
|
|
configured match the 'common name' in the certificate
|
|
Minisip Softphone (TLS and TCP)
|
|
Cisco IOS Gateways (TCP only)
|
|
SNOM 360 (TLS only)
|
|
Zoiper Biz Softphone (TLS and TCP)
|
|
|
|
|
|
sip.conf options
|
|
----------------
|
|
tlsenable=[yes|no]
|
|
Enable TLS server, default is no
|
|
|
|
tlsbindaddr=<ip address>
|
|
Specify IP address to bind TLS server to, default is 0.0.0.0
|
|
|
|
tlscertfile=</path/to/certificate>
|
|
The server's certificate file. Should include the key and
|
|
certificate. This is mandatory if your going to run a TLS server.
|
|
|
|
tlscafile=</path/to/certificate>
|
|
If the server your connecting to uses a self signed certificate
|
|
you should have their certificate installed here so the code can
|
|
verify the authenticity of their certificate.
|
|
|
|
tlscadir=</path/to/ca/dir>
|
|
A directory full of CA certificates. The files must be named with
|
|
the CA subject name hash value.
|
|
(see man SSL_CTX_load_verify_locations for more info)
|
|
|
|
tlsdontverifyserver=[yes|no]
|
|
If set to yes, don't verify the servers certificate when acting as
|
|
a client. If you don't have the server's CA certificate you can
|
|
set this and it will connect without requiring tlscafile to be set.
|
|
Default is no.
|
|
|
|
tlscipher=<SSL cipher string>
|
|
A string specifying which SSL ciphers to use or not use
|
|
|
|
|
|
Sample config
|
|
-------------
|
|
|
|
Here are the relevant bits of config for setting up TLS between 2
|
|
asterisk servers. With server_a registering to server_b
|
|
|
|
On server_a:
|
|
[general]
|
|
tlsenable=yes
|
|
tlscertfgile=/etc/asterisk/asterisk.pem
|
|
tlscafile=/etc/ssl/ca.pem ; This is the CA file used to generate both certificates
|
|
register => tls://100:test@192.168.0.100:5061
|
|
|
|
[101]
|
|
type=friend
|
|
context=internal
|
|
host=192.168.0.100 ; The host should be either IP or hostname and should
|
|
; match the 'common name' field in the servers certificate
|
|
secret=test
|
|
dtmfmode=rfc2833
|
|
disallow=all
|
|
allow=ulaw
|
|
transport=tls
|
|
port=5061
|
|
|
|
On server_b:
|
|
[general]
|
|
tlsenable=yes
|
|
tlscertfgile=/etc/asterisk/asterisk.pem
|
|
|
|
[100]
|
|
type=friend
|
|
context=internal
|
|
host=dynamic
|
|
secret=test
|
|
dtmfmode=rfc2833
|
|
disallow=all
|
|
allow=ulaw
|
|
;You can specify transport= and port=5061 for TLS, but its not necessary in
|
|
;the server configuration, any type of SIP transport will work
|
|
;transport=tls
|
|
;port=5061
|
|
|