Secure VoIP
From Taridium
(Difference between revisions)
| (22 intermediate revisions not shown) | |||
| Line 1: | Line 1: | ||
| - | + | SIP/TLS and SRTP are experimental! | |
| - | + | This will require the asterisk16 or asterisk18 packages for SIP/TLS and asterisk18 for SRTP (encrypted media). Also make sure to use the latest ipbx package release. If you would like to change your Asterisk version, you can use the [[Upgrading#Upgrading_using_the_Switch_Updater|Switch Updater]] script. | |
==Configuring SIP/TLS== | ==Configuring SIP/TLS== | ||
===Creating a Key File and CA=== | ===Creating a Key File and CA=== | ||
| + | |||
| + | You can use your CA to sign your server certificate or you can use a commercial certificate from places such as http://www.verisign.com/. | ||
$ openssl genrsa -des3 -out ca.key 4096 | $ openssl genrsa -des3 -out ca.key 4096 | ||
| Line 11: | Line 13: | ||
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt | $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt | ||
| - | Country Name (2 letter code) [GB]:US | + | '''Sample CA Cert''' |
| - | State or Province Name (full name) [Berkshire]:New York | + | |
| - | Locality Name (eg, city) [Newbury]:New York | + | Country Name (2 letter code) [GB]:US |
| - | Organization Name (eg, company) [My Company Ltd]:Taridium | + | State or Province Name (full name) [Berkshire]:New York |
| - | Organizational Unit Name (eg, section) []:engineering | + | Locality Name (eg, city) [Newbury]:New York |
| - | Common Name (eg, your name or your server's hostname) []: | + | Organization Name (eg, company) [My Company Ltd]:Taridium |
| - | Email Address []:info@taridium.com | + | Organizational Unit Name (eg, section) []:engineering |
| + | Common Name (eg, your name or your server's hostname) []:Taridium CA www.taridium.com | ||
| + | Email Address []:info@taridium.com | ||
$ openssl genrsa -out key.pem 1024 | $ openssl genrsa -out key.pem 1024 | ||
| + | |||
| + | '''Sample Certificate Signing Request''' | ||
| + | |||
$ openssl req -new -key key.pem -out req-ipbx_taridium.csr | $ openssl req -new -key key.pem -out req-ipbx_taridium.csr | ||
| + | |||
| + | Country Name (2 letter code) [GB]:US | ||
| + | State or Province Name (full name) [Berkshire]:New York | ||
| + | Locality Name (eg, city) [Newbury]:New York | ||
| + | Organization Name (eg, company) [My Company Ltd]:Taridium | ||
| + | Organizational Unit Name (eg, section) []:engineering | ||
| + | Common Name (eg, your name or your server's hostname) []:pbx.taridium.com | ||
| + | Email Address []:support@taridium.com | ||
| + | |||
| + | Please enter the following 'extra' attributes | ||
| + | to be sent with your certificate request | ||
| + | A challenge password []: | ||
| + | An optional company name []: | ||
| + | |||
| + | Make sure your common name (CN) matches your server. Some phones will check for a matching name! This also means that your phone will have to be configured with the common name. | ||
===Creating a Self-Signed Certificate=== | ===Creating a Self-Signed Certificate=== | ||
To create the self-signed certificate, do the following: | To create the self-signed certificate, do the following: | ||
| - | |||
| - | |||
$ openssl x509 -req -days 365 -in req-ipbx_taridium.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert-ipbx.cert | $ openssl x509 -req -days 365 -in req-ipbx_taridium.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert-ipbx.cert | ||
| Line 37: | Line 57: | ||
$ mv asterisk.pem /etc/asterisk/ | $ mv asterisk.pem /etc/asterisk/ | ||
$ chown asterisk:asterisk /etc/asterisk/asterisk.pem | $ chown asterisk:asterisk /etc/asterisk/asterisk.pem | ||
| + | |||
| + | ==Setting up ipbx for TLS Use== | ||
| + | |||
| + | Go to → '''Manual Editor''' → '''SIP Configuration''' → '''Edit''' and add the following parameters: | ||
| + | |||
| + | [general] | ||
| + | ... | ||
| + | tcpenable = yes | ||
| + | tcpbindaddr = xxx.xxx.xxx.xxx:5060 | ||
| + | tlsenable = yes | ||
| + | tlsbindaddr = xxx.xxx.xxx.xxx:5061 | ||
| + | tlscertfile = /etc/asterisk/asterisk.pem | ||
| + | tlsdontverifyserver = no | ||
| + | ... | ||
| + | |||
| + | Restart Asterisk: | ||
| + | |||
| + | [root@ipbx ~]# service asterisk restart | ||
| + | |||
| + | Asterisk should now be listening on port 5061. Double check the CLI by issuing a 'sip reload'. | ||
==Setting up your Device== | ==Setting up your Device== | ||
| Line 43: | Line 83: | ||
===Device Configuration=== | ===Device Configuration=== | ||
| + | |||
| + | ==== Aastra ==== | ||
| + | |||
| + | Aastra phones using TLS check for the following: | ||
| + | |||
| + | * Whether the certificate hasn't expired (make sure your NTP server is configured) | ||
| + | * Whether the CN (common name) of the certificate matches the SIP registrar and proxy | ||
| + | * Whether the certificate has been signed by a trusted entity. In the above case we have created our own CA certificate. See instructions below on how to place your CA certificate. | ||
| + | |||
| + | |||
| + | # Place the ca.crt file in your Aastra provisioning directory (on ipbx this is usually /var/www/html/prov)/ | ||
| + | # Configure the '''Trusted Certificates Filename''' to be ca.crt | ||
| + | # In your Global SIP Settings select '''Advanced SIP Settings''' → '''Transport Protocol''' → '''Persistent TLS''' | ||
| + | # Make sure your proxy and registrar ports are set to 5061 | ||
| + | |||
| + | ==== Counterpath Bria for iPhone ==== | ||
| + | |||
| + | Counterpath softphones use your operating system's certificate store to verify your TLS certificates. | ||
| + | Place the ca.crt file on a webserver and load it using your browser to store it in our operatings system's certificate store. Use Internet Explorer for Windows or Safari for OS X and iOS (iPhone & iPad) operating systems. For further details on how to setup Bria see [[Bria_for_iPhone_Setup|Bria for iPhone Setup]]. | ||
Latest revision as of 15:50, 18 July 2011
SIP/TLS and SRTP are experimental!
This will require the asterisk16 or asterisk18 packages for SIP/TLS and asterisk18 for SRTP (encrypted media). Also make sure to use the latest ipbx package release. If you would like to change your Asterisk version, you can use the Switch Updater script.
Contents |
Configuring SIP/TLS
Creating a Key File and CA
You can use your CA to sign your server certificate or you can use a commercial certificate from places such as http://www.verisign.com/.
$ openssl genrsa -des3 -out ca.key 4096
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Sample CA Cert
Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:New York Locality Name (eg, city) [Newbury]:New York Organization Name (eg, company) [My Company Ltd]:Taridium Organizational Unit Name (eg, section) []:engineering Common Name (eg, your name or your server's hostname) []:Taridium CA www.taridium.com Email Address []:info@taridium.com
$ openssl genrsa -out key.pem 1024
Sample Certificate Signing Request
$ openssl req -new -key key.pem -out req-ipbx_taridium.csr
Country Name (2 letter code) [GB]:US State or Province Name (full name) [Berkshire]:New York Locality Name (eg, city) [Newbury]:New York Organization Name (eg, company) [My Company Ltd]:Taridium Organizational Unit Name (eg, section) []:engineering Common Name (eg, your name or your server's hostname) []:pbx.taridium.com Email Address []:support@taridium.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
Make sure your common name (CN) matches your server. Some phones will check for a matching name! This also means that your phone will have to be configured with the common name.
Creating a Self-Signed Certificate
To create the self-signed certificate, do the following:
$ openssl x509 -req -days 365 -in req-ipbx_taridium.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert-ipbx.cert
Installing the Certificate
$ cat key.pem > asterisk.pem $ cat cert-ipbx.cert >> asterisk.pem
$ mv asterisk.pem /etc/asterisk/ $ chown asterisk:asterisk /etc/asterisk/asterisk.pem
Setting up ipbx for TLS Use
Go to → Manual Editor → SIP Configuration → Edit and add the following parameters:
[general] ... tcpenable = yes tcpbindaddr = xxx.xxx.xxx.xxx:5060 tlsenable = yes tlsbindaddr = xxx.xxx.xxx.xxx:5061 tlscertfile = /etc/asterisk/asterisk.pem tlsdontverifyserver = no ...
Restart Asterisk:
[root@ipbx ~]# service asterisk restart
Asterisk should now be listening on port 5061. Double check the CLI by issuing a 'sip reload'.
Setting up your Device
ipbx Configuration
Device Configuration
Aastra
Aastra phones using TLS check for the following:
- Whether the certificate hasn't expired (make sure your NTP server is configured)
- Whether the CN (common name) of the certificate matches the SIP registrar and proxy
- Whether the certificate has been signed by a trusted entity. In the above case we have created our own CA certificate. See instructions below on how to place your CA certificate.
- Place the ca.crt file in your Aastra provisioning directory (on ipbx this is usually /var/www/html/prov)/
- Configure the Trusted Certificates Filename to be ca.crt
- In your Global SIP Settings select Advanced SIP Settings → Transport Protocol → Persistent TLS
- Make sure your proxy and registrar ports are set to 5061
Counterpath Bria for iPhone
Counterpath softphones use your operating system's certificate store to verify your TLS certificates. Place the ca.crt file on a webserver and load it using your browser to store it in our operatings system's certificate store. Use Internet Explorer for Windows or Safari for OS X and iOS (iPhone & iPad) operating systems. For further details on how to setup Bria see Bria for iPhone Setup.
