[SR-Users] Kamailio, Asterisk with TLS+SRTP

Roberto Fichera kernel at tekno-soft.it
Mon Jan 14 19:21:17 CET 2013


On 01/14/2013 04:05 PM, Klaus Darilion wrote:
> First, you should test TLS with RTP (first make sure that TLS works, then enable SRTP).

I was able to partially fix the TLS problem; now I can at least do

openssl s_client -connect kamailio_ip:5061 -tls1

and get the corresponding answer.

I had to add the listen=tcp: line and adjust the iptables rules accordingly:

listen=udp:10.50.X.X:5060 advertise kamailio_ip:5060
listen=tcp:10.50.X.X:5060 advertise kamailio_ip:5060
listen=tls:10.50.X.X:5061 advertise kamailio_ip:5061

> Second, it seems like an Asterisk problem, thus you may get better answers on the Asterisk mailing lists.

I'll try to ask them.

>
> regards
> Klaus
>
> On 14.01.2013 11:23, Roberto Fichera wrote:
>> Hi All,
>>
>> I would like to set up a configuration where Kamailio authenticates Asterisk SIP trunks using TLS and SRTP.
>> At the moment I was able to configure everything, including RTPProxy, since most of the Asterisk v1.8.19.1
>> instances are behind NAT. So far so good: it works pretty well using standard authentication and the call goes straight
>> between the Asterisks. But as soon as I move my configuration for both Kamailio & Asterisk to TLS+SRTP I'm
>> not able to authenticate the Asterisk SIP trunks. In particular, Asterisk seems to insist on using port 5060 even though
>> I requested TLS on 5061.
>>
>> kamailio v3.3.3 tls.cfg is configured as:
>>
>> [server:default]
>> method = TLSv1
>> verify_certificate = no
>> require_certificate = no
>> private_key = /etc/pki/tls/private/server.key
>> certificate = /etc/pki/tls/certs/server.pem
>> ca_list = /etc/pki/tls/certs/ca-bundle.crt
>> #crl = //etc/kamailio/crl.pem
>>
>> # This is the default client domain, settings
>> # in this domain will be used for all outgoing
>> # TLS connections that do not match any other
>> # client domain in this configuration file.
>> # We require that servers present valid certificate.
>> #
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>>
>>
>> So my asterisk conf is the following:
>>
>> [general]
>>
>> tlsenable=yes
>> tlsbindaddr=0.0.0.0
>> tlscertfile=/etc/asterisk/5002.pem
>> tlscafile=/etc/asterisk/ca-bundle.crt
>> tlscipher=ALL
>> tlsclientmethod=tlsv1
>> tlsdontverifyserver=yes
>> transport=tls,udp
>> ....
>> .....
>>
>> and the SIP trunk is configured as
>>
>> [kamailio]
>> type=peer
>> insecure=invite,port
>> nat=yes
>> disallow=all
>> allow=ulaw
>> host=kamailio_ip
>> outboundproxy=tls://kamailio_ip
>> port=5061
>> defaultuser=5002
>> fromuser = 5002
>> fromdomain =mydomain
>> secret=5002
>> qualify=yes
>> dtmfmode=rfc2833
>> context=default
>> callbackextension=5002
>> directmedia=nonat
>> sendrpid=yes
>>
>> transport=tls
>> encryption=yes
>>
>> register => tls://5002:5002@kamailio_ip:5061/5002
>>
>> I still get error like:
>>
>> [Jan 14 10:45:12] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not a valid transport for 'dicenet'. we
>> only use 'TLS'! ending call.
>> [Jan 14 10:45:12] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error for registration to
>> 5002 at kamailio_ip, trying REGISTER again (after 20 seconds)
>> [Jan 14 10:45:32] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not a valid transport for 'dicenet'. we
>> only use 'TLS'! ending call.
>> [Jan 14 10:45:32] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error for registration to
>> 5002 at kamailio_ip, trying REGISTER again (after 20 seconds)
>> [Jan 14 10:45:52] ERROR[5244]: chan_sip.c:5600 create_addr_from_peer: 'UDP' is not a valid transport for 'dicenet'. we
>> only use 'TLS'! ending call.
>> [Jan 14 10:45:52] WARNING[5244]: chan_sip.c:13722 transmit_register: Probably a DNS error for registration to
>> 5002 at kamailio_ip, trying REGISTER again (after 20 seconds)
>> [Jan 14 10:46:07] ERROR[7041]: tcptls.c:444 ast_tcptls_client_start: Unable to connect SIP socket to kamailio_ip:5060:
>> Connection timed out
>>
>> Can anyone suggest something for me to read, try, or check?
>>
>> Best regards.
>> Roberto Fichera.
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>
>
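A small checker for the two Kamailio pieces discussed in this thread: the tls.cfg server/client domains and the listen= sockets with their advertise ports. This is an added example, not code from the thread or from Kamailio itself; the sample config and the 10.50.1.2 / 203.0.113.10 addresses are constructed placeholders, and the list of deprecated methods reflects current practice rather than anything stated in the 2013 thread.

```python
import configparser, re

# Constructed sample in the thread's tls.cfg layout (not the poster's actual file).
SAMPLE_TLS_CFG = """
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
[client:default]
verify_certificate = no
require_certificate = no
"""
# Constructed listen= lines; 10.50.1.2 and 203.0.113.10 are placeholder addresses.
SAMPLE_LISTEN = """
listen=udp:10.50.1.2:5060 advertise 203.0.113.10:5060
listen=tcp:10.50.1.2:5060 advertise 203.0.113.10:5060
listen=tls:10.50.1.2:5061 advertise 203.0.113.10:5061
"""
LISTEN_RE = re.compile(
    r"^listen=(udp|tcp|tls):([^:\s]+):(\d+)(?:\s+advertise\s+([^:\s]+):(\d+))?$")

def lint_tls_cfg(text):
    """Flag deprecated protocol versions and client domains that skip server verification."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#",))
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        kind, opts = section.split(":", 1)[0], cp[section]   # kind: "server" or "client"
        if opts.get("method", "").lower() in ("sslv2", "sslv3", "tlsv1"):
            findings.append(f"{section}: method={opts['method']} is deprecated; use TLSv1.2+")
        if kind == "client" and opts.get("verify_certificate", "no").lower() != "yes":
            findings.append(f"{section}: verify_certificate=no trusts any server certificate")
    return findings

def parse_listen(text):
    """Parse 'listen=proto:ip:port [advertise ip:port]' lines into dicts."""
    socks = []
    for m in (LISTEN_RE.match(line.strip()) for line in text.splitlines()):
        if m:
            socks.append({"proto": m[1], "port": int(m[3]),
                          "adv_port": int(m[5]) if m[5] else None})
    return socks

def lint_listen(socks):
    """Flag a missing tls: socket or a TLS socket advertised on a different port."""
    findings = []
    tls = [s for s in socks if s["proto"] == "tls"]
    if not tls:
        findings.append("no listen=tls: socket; TLS peers have nothing to connect to")
    for s in tls:
        if s["adv_port"] is not None and s["adv_port"] != s["port"]:
            findings.append(f"tls port {s['port']} advertised as {s['adv_port']}; peers are sent elsewhere")
    return findings
```

The client-domain verify_certificate=no finding is the setting that lets an outbound TLS trunk be intercepted by anyone holding any certificate; the advertise-port check catches the kind of port confusion the Asterisk log above shows, where the peer ends up dialling 5060 instead of 5061.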
