I’ve been looking forward to the time when Asterisk catches up with the rest of the SIP world and starts working with encrypted SIP and encrypted RTP (SIPS & SRTP respectively). Asterisk has supported it since the recent release of version 1.8 so I had to get it working.
Asterisk only supports a fairly fixed set of encryption options so you’ve got to set the phone up just right for it to work. I’d also say that SIPS & SRTP is very much new functionality in Asterisk so I’d treat it as for testing purposes only right now….although it’s looking promising.
Snom phones have supported both SIPS & SRTP for years (in fact I think they were the first IP phones on the market to do so). So if any phone can get it right it should be them, perfect to test with.
I am using the following to test with:
- Current Debian Asterisk 1.8 packages maintained by Digium on Debian Squeeze (deb http://packages.asterisk.org/deb squeeze main)
- My actual Asterisk version at the time of writing is “184.108.40.206-1digium1~squeeze”. Some older ones didn’t work.
- Snom 300 with 8.4.31 firmware. It will not work with much older versions.
I’m not going to go into the setup of Asterisk itself as there is plenty of information on this out on the Internet, not to mention quite a lot of different ways of doing it. I will just mention that I am using a self-signed SSL certificate, this means you either have to leave server verification turned off on the phone (which it is by default on this firmware version) or import your own CA into the phone. Neither of which are ideal for a real world deployment, you’d buy a server certificate from a recognised CA in that case but for testing….
The important bits in Asterisk
OK so I will mention a couple of things in the Asterisk setup… all in sip.conf
- tlsenable=yes : in general section
- domain=ast18.provu.co.uk:5061 : this is needed for it to work
- transport=tls : used in the general section or in each sip peer/friend to turn on tls for SIPS
- port=5061 : in general or each sip peer/friend. 5061 is the usual port for SIPS
- encryption=yes : turns on SRTP, if you have set this then the SIP device(s) MUST use it, it’s either on or off, not optional
There are more settings needed than this, please read the Asterisk documentation.
Snom phone setup
Everything is in identity 1, these are obviously examples only! You’ll need to put your own Registrar in etc…
- Account: sip username
- Password: sip password/secret
- Registrar: ast18.provu.co.uk
- Outbound Proxy: sips:ast18.provu.co.uk:5061
- Authentication Username: sip username
- Support Broken Registrar: on
- RTP Encryption: on (should be default…)
- SRTP Auth-tag: AES-80
- RTP/SAVP: mandatory
That should be it. As mentioned the Snom phones do not verify the server certificates by default. If you want to turn this on then go to the “Certificates” page in the phone setup and click “Activate”. But bear in mind you must either use a certificate from a known CA or import your own certificate into each phone manually. Certificates must be in DER format for this.
To confirm it’s working, look for the little lock symbol on the phone screen during calls. It should look closed when the call is secure. For further confirmation you can do a pcap trace on the phone, open this up in Wireshark and then not be able to view the SIP packets or decode the audio to anything but white-noise.
Let me know if anyone thinks it’s worth me putting together a how-to with the full Asterisk config too.