blob: 3a54bf09546a227ba1b02784f381efbc8e48a6ff (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
Asterisk SIP/TLS Transport
==========================
When using TLS the client will typically check the validity of the
certificate chain. So that means you either need a certificate that is
signed by one of the larger CAs, or if you use a self signed certificate
you must install a copy of your CA on the client.
So far this code has been test with:
Asterisk as client and server (TLS and TCP)
Polycom Soundpoint IP Phones (TLS and TCP)
Polycom phones require that the host (ip or hostname) that is
configured match the 'common name' in the certificate
Minisip Softphone (TLS and TCP)
Cisco IOS Gateways (TCP only)
SNOM 360 (TLS only)
Zoiper Biz Softphone (TLS and TCP)
sip.conf options
----------------
tlsenable=[yes|no]
Enable TLS server, default is no
tlsbindaddr=<ip address>
Specify IP address to bind TLS server to, default is 0.0.0.0
tlscertfile=</path/to/certificate>
The server's certificate file. Should include the key and
certificate. This is mandatory if your going to run a TLS server.
tlscafile=</path/to/certificate>
If the server your connecting to uses a self signed certificate
you should have their certificate installed here so the code can
verify the authenticity of their certificate.
tlscadir=</path/to/ca/dir>
A directory full of CA certificates. The files must be named with
the CA subject name hash value.
(see man SSL_CTX_load_verify_locations for more info)
tlsdontverifyserver=[yes|no]
If set to yes, don't verify the servers certificate when acting as
a client. If you don't have the server's CA certificate you can
set this and it will connect without requiring tlscafile to be set.
Default is no.
tlscipher=<SSL cipher string>
A string specifying which SSL ciphers to use or not use
Sample config
-------------
Here are the relevant bits of config for setting up TLS between 2
asterisk servers. With server_a registering to server_b
On server_a:
[general]
tlsenable=yes
tlscertfgile=/etc/asterisk/asterisk.pem
tlscafile=/etc/ssl/ca.pem ; This is the CA file used to generate both certificates
register => tls://100:test@192.168.0.100:5061
[101]
type=friend
context=internal
host=192.168.0.100 ; The host should be either IP or hostname and should
; match the 'common name' field in the servers certificate
secret=test
dtmfmode=rfc2833
disallow=all
allow=ulaw
transport=tls
port=5061
On server_b:
[general]
tlsenable=yes
tlscertfgile=/etc/asterisk/asterisk.pem
[100]
type=friend
context=internal
host=dynamic
secret=test
dtmfmode=rfc2833
disallow=all
allow=ulaw
;You can specify transport= and port=5061 for TLS, but its not necessary in
;the server configuration, any type of SIP transport will work
;transport=tls
;port=5061
|
