Hi

I want to secure my VoIP with TLS and SRTP. I am using an Elastix server (beta version) with Asterisk 1.8, and for the softphones I use PhonerLite (beta 9.1).

I can make calls between the PhonerLite clients over UDP, but as soon as I switch to TLS it no longer works.

Here is what I did:

I installed the res_srtp module following this document ( http://www.remiphilippe.fr/2011/01/1...srtp-with-1-8/ )

In sip.conf I added:

[general]

tlsenable=yes
tlsbindaddr=192.168.3.126:5061
tlsprivatekey=/usr/lib/openssl/pki/server.key
tlscertfile=/usr/lib/openssl/pki/server.pem
tlscafile=/usr/lib/openssl/pki/ca.pem
tlscipher=ALL
tlsclientmethod=tlsv1

In extensions.conf:


[internal]
exten => 10X,1,Set(_SIP_SRTP_SDES=1)
exten => 10X,2,Set(_SIPSRTP=1)
exten => 10X,3,Set(_SIPSRTP_CRYPTO=enable)
exten => 10X,4,Dial(SIP/${EXTEN})


exten => 100,1,Dial(SIP/100)
exten => 101,1,Dial(SIP/101)
exten => 102,1,Dial(SIP/102)
exten => _9.,1,Dial(SIP/${EXTEN:1}@XXXXXX)

My extensions are:


[100]
deny=0.0.0.0/0.0.0.0
secret=100
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
type=friend
nat=no
port=5061
encryption=yes
transport=tls,udp
qualify=yes
callgroup=
pickupgroup=
dial=SIP/100
mailbox=100@device
permit=0.0.0.0/0.0.0.0
callerid=device <100>
callcounter=yes
faxdetect=no

[101]
deny=0.0.0.0/0.0.0.0
secret=101
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
type=friend
nat=yes
port=5061
encryption=yes
transport=tls,udp
qualify=yes
callgroup=
pickupgroup=
dial=SIP/101
mailbox=101@device
permit=0.0.0.0/0.0.0.0
callerid=device <101>
callcounter=yes
faxdetect=no


PhonerLite debug output:

10:26:33,187: Connect Request: 30 00 01 00 02 80 0C 00 01 00 00 00 01 00 04 80 31 30 31 05 00 80 31 30 30 00 00 09 01 00 01 00 00 00 00 00 00 00 00 02 91 81 05 00 00 00 00 00
10:26:33,187: Connect Request: 100 to 101
10:26:33,196: Connect Confirm: 0E 00 01 00 02 81 0C 00 01 01 00 00 00 00
10:26:33,196: Connect Confirm
-------------------------------------------
10:26:33,212: R: open UDP port (RTP): 5062

-------------------------------------------
10:26:33,213: R: open UDP port (RTCP): 5063

-------------------------------------------
10:26:33,215: T: 192.168.3.126:5061 (TLS)
INVITE sip:101@192.168.3.126;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.3.123:51252;branch=z9hG4bK8092796bbaa7e011b7f6005056c00001;rport;alias
From: "PhonerLite" <sip:100@192.168.3.126>;tag=2777164675
To: <sip:101@192.168.3.126;transport=tls>
Call-ID: 8092796B-BAA7-E011-B7F5-005056C00001@192.168.3.123
CSeq: 7 INVITE
Contact: <sip:100@192.168.3.123:51252;transport=tls>
Content-Type: application/sdp
Allow: INVITE, OPTIONS, ACK, BYE, CANCEL, INFO, NOTIFY, MESSAGE, UPDATE
Max-Forwards: 70
Supported: 100rel, replaces, from-change
User-Agent: SIPPER for PhonerLite
P-Preferred-Identity: <sip:100@192.168.3.126>
Content-Length: 504

v=0
o=- 789765595 0 IN IP4 192.168.3.123
s=SIPPER for PhonerLite
c=IN IP4 192.168.3.123
t=0 0
m=audio 5062 RTP/SAVP 8 0 2 3 97 110 111 9 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:2 G726-32/8000
a=rtpmap:3 GSM/8000
a=rtpmap:97 iLBC/8000
a=rtpmap:110 speex/8000
a=rtpmap:111 speex/16000
a=rtpmap:9 G722/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:QAjWTzwlL3KmBZ30sAXL3cB/Ja/GtbKAXW1ipbcx
a=encryption:optional
a=sendrecv

-------------------------------------------
10:26:33,227: R: 192.168.3.126:5061 (TLS)
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 192.168.3.123:51252;branch=z9hG4bK80a6184abaa7e011b7f3005056c00001;alias;received=192.168.3.123;rport=51252
From: "PhonerLite" <sip:100@192.168.3.126>;tag=290672552
To: <sip:100@192.168.3.126>;tag=as5bf2d662
Call-ID: 8079E748-BAA7-E011-B7F0-005056C00001@192.168.3.123
CSeq: 5 SUBSCRIBE
Server: FPBX-2.8.0(1.8.4)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="20bcf4b5", stale=true
Content-Length: 0


10:27:05,239: Disconnect Indication: 0E 00 01 00 04 82 60 00 01 01 00 00 92 38
10:27:05,240: Disconnect Indication: 18:No user responding
10:27:05,243: Disconnect Response: 0C 00 01 00 04 83 60 00 01 01 00 00
10:27:05,243: Disconnect Response
-------------------------------------------
10:27:05,240: T: 192.168.3.123:5061 (TLS)
ACK sip:101@192.168.3.123:5061;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.3.123:51252;branch=z9hG4bK80628c7ebaa7e011b7f7005056c00001;rport;alias
From: "PhonerLite" <sip:100@192.168.3.126>;tag=2777164675
To: <sip:101@192.168.3.126;transport=tls>;tag=80628c7ebaa7e011b7f6005056c00001
Call-ID: 8092796B-BAA7-E011-B7F5-005056C00001@192.168.3.123
CSeq: 7 ACK
Contact: <sip:100@192.168.3.123:51252;transport=tls>
Max-Forwards: 70
Content-Length: 0


-------------------------------------------
10:27:05,247: R: close UDP port (RTP): 5062

-------------------------------------------
10:27:05,247: R: close UDP port (RTCP): 5063

-------------------------------------------
10:27:05,309: R: 192.168.3.126:5061 (TLS)
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.3.123:51252;branch=z9hG4bK80a6184abaa7e011b7f4005056c00001;alias;received=192.168.3.123;rport=51252
From: "PhonerLite" <sip:100@192.168.3.126>;tag=290672552
To: <sip:100@192.168.3.126>;tag=as5bf2d662
Call-ID: 8079E748-BAA7-E011-B7F0-005056C00001@192.168.3.123
CSeq: 6 SUBSCRIBE
Server: FPBX-2.8.0(1.8.4)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Expires: 1800
Contact: <sip:100@192.168.3.126:5061;transport=TLS>;expires=1800
Content-Length: 0


Thanks in advance
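As an added example (not part of the original post), the checks a reader would run over an INVITE like the one in the trace above: whether signalling is on TLS, whether the media line offers RTP/SAVP, which SDES suite the a=crypto line carries, and whether the client still allows clear RTP. The sample message is constructed to mirror the PhonerLite INVITE with a placeholder key, and the reading of PhonerLite's non-standard a=encryption:optional attribute is an assumption.

```python
import re

# Constructed sample modelled on the PhonerLite INVITE in the post; the SDES
# key is a placeholder, not a value taken from the trace.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:101@192.168.3.126;transport=tls SIP/2.0",
    "Via: SIP/2.0/TLS 192.168.3.123:51252;branch=z9hG4bKexample;rport",
    "From: \"PhonerLite\" <sip:100@192.168.3.126>;tag=1",
    "To: <sip:101@192.168.3.126;transport=tls>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 0 IN IP4 192.168.3.123",
    "c=IN IP4 192.168.3.123",
    "m=audio 5062 RTP/SAVP 8 0 101",
    "a=rtpmap:8 PCMA/8000",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY_SALT",
    "a=encryption:optional",
    "a=sendrecv",
])

def analyse_invite(msg):
    """Extract what the INVITE actually offers: transport of the top Via,
    audio media profile, SRTP suites in a=crypto, and the optional-encryption flag."""
    msg = msg.replace("\r\n", "\n")
    headers, _, sdp = msg.partition("\n\n")
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", headers, re.M | re.I)
    media = re.search(r"^m=audio\s+\d+\s+(\S+)", sdp, re.M)
    suites = re.findall(r"^a=crypto:\d+\s+(\S+)\s+inline:", sdp, re.M)
    return {
        "transport": via.group(1).upper() if via else None,
        "profile": media.group(1) if media else None,
        "crypto_suites": suites,
        "encryption_optional": bool(re.search(r"^a=encryption:optional", sdp, re.M)),
    }

def findings(info):
    """Turn the extracted fields into a list of security findings (empty = all good)."""
    out = []
    if info["transport"] != "TLS":
        out.append("signalling not over TLS: SDES keys in the SDP travel in clear text")
    if info["profile"] != "RTP/SAVP":
        out.append("media profile %s: SRTP is not being offered" % info["profile"])
    if not info["crypto_suites"]:
        out.append("no a=crypto line: nothing for res_srtp to negotiate")
    if info["encryption_optional"]:
        out.append("a=encryption:optional: callee may answer with plain RTP")
    return out

if __name__ == "__main__":
    info = analyse_invite(SAMPLE_INVITE)
    print(info)
    for f in findings(info):
        print("-", f)
```

Paste the INVITE block from a PhonerLite log into `analyse_invite` to see the same report for a real capture.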