SIPS on Asterisk – SIP security with TLS

Posted on May 30, 2010

As you probably know, VoIP is split into two big pieces, the signaling (SIP) and the bearer (payload). SIP is required to set up, terminate and authenticate calls, but it doesn't actually transport the voice; the bearer does.

Why am I talking about that now?
We're starting to play with crypto here and I want to make clear what we will be encrypting. In this article I'm only talking about encrypting the signaling part (SIP). I'll do another article on encrypting the payload (Secure RTP, SRTP), but that requires another version of Asterisk until 1.8 comes out. This means that even once we enable SIP/TLS, people will still be able to decode your voice stream with tools like vomit.

By default Asterisk uses UDP for the devices. The problem is that with SIP/UDP everything is sent in clear text and there is no reliability mechanism. Enabling TLS opens up port 5061/TCP, which adds TCP's reliability control to the connection (on top of the crypto TLS brings).
We have 4 big steps to enable this (and only 2 if you already have a certificate from a root CA like Verisign):

  • Creating our Certificate Authority
  • Creating our Server Certificate
  • Preparing the certificate for Asterisk
  • Configuring Asterisk

If you already have your certificate you only need to start reading from the part "Preparing the certificate for Asterisk". Now let's get started!

Creating our Certificate Authority
We'll first create our own Certificate Authority to sign our certificates, so that only one CA root certificate has to be imported on phones and computers (this makes changing domain names much easier, since you won't have to go back to every device).

[email protected]:/etc/cert# openssl genrsa -des3 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
.......................++
...............................++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
[email protected]:/etc/cert#
[email protected]:/etc/cert#
[email protected]:/etc/cert# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:IDF
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Remi Philippe - www.remiphilippe.fr
Organizational Unit Name (eg, section) []:VoIP
Common Name (eg, YOUR name) []:Remi Philippe - www.remiphilippe.fr CA
Email Address []:[email protected]
[email protected]:/etc/cert#
[email protected]:/etc/cert#
[email protected]:/etc/cert# ls
ca.crt	ca.key
[email protected]:/etc/cert#

We have now created a Certificate Authority (CA). We need to install this CA certificate on the phones and computers that will be connecting to the SIP server, otherwise they have no way to trust the server certificate we are about to issue.

On a Mac you just need to double click on the .crt file and choose “Always Trust” (Toujours Approuver)

Creating our server certificate
The next step is to create the certificate for our server. The Common Name must be the hostname the phones will connect to (sip.remiphilippe.fr here).

[email protected]:/etc/cert# openssl genrsa -out key.pem 1024
Generating RSA private key, 1024 bit long modulus
.....++++++
...++++++
e is 65537 (0x10001)
[email protected]:/etc/cert# openssl req -new -key key.pem -out req-sip_remiphilippe_fr.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:IDF
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Remi Philippe - www.remiphilippe.fr
Organizational Unit Name (eg, section) []:VoIP
Common Name (eg, YOUR name) []:sip.remiphilippe.fr
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[email protected]:/etc/cert#
[email protected]:/etc/cert#
[email protected]:/etc/cert#
[email protected]:/etc/cert# openssl x509 -req -days 365 -in req-sip_remiphilippe_fr.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert-sip_remiphilippe_fr.crt
Signature ok
subject=/C=FR/ST=IDF/L=Paris/O=Remi Philippe - www.remiphilippe.fr/OU=VoIP/CN=sip.remiphilippe.fr/[email protected]
Getting CA Private Key
Enter pass phrase for ca.key:
[email protected]:/etc/cert#

Preparing the certificate for Asterisk

In the doc/siptls.txt file there is a passage that is very important:

tlscertfile=</path/to/certificate>
	The server's certificate file. Should include the key and
	certificate.  This is mandatory if your going to run a TLS server.

"The server's certificate file. Should include the key and certificate." This is really important because by default the .pem or .crt file produced by openssl only contains the certificate, not the private key.

Example structure for a certificate file

-----BEGIN CERTIFICATE-----
MIIDvDCCAyWgAwIBAgIJAPMabsMiJJQPMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
[...]
CfITDxcJBZfeXIPZP52+8FSMlm5985uMvao+emlIUGk11rY61Amxr387grDvgOaI
-----END CERTIFICATE-----

Example structure for a key file

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCqRw0jpQFn+f+lnDZiZzCRca9ojgu2brO+Q56jnqorvCIlYFC0
[...]
FT65O46u6Vmp1gPbNklOEg7TtZUtfacPY2PyeP4KoHaG
-----END RSA PRIVATE KEY-----

This can easily be done by concatenating the two files with cat (key first, then certificate):

[email protected]:/etc/asterisk/cert# cat ../../cert/key.pem > asterisk.pem
[email protected]:/etc/asterisk/cert# cat ../../cert/cert-sip_remiphilippe_fr.crt >> asterisk.pem

The resulting file looks like this

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCqRw0jpQFn+f+lnDZiZzCRca9ojgu2brO+Q56jnqorvCIlYFC0
[...]
FT65O46u6Vmp1gPbNklOEg7TtZUtfacPY2PyeP4KoHaG
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDvDCCAyWgAwIBAgIJAPMabsMiJJQPMA0GCSqGSIb3DQEBBQUAMIGbMQswCQYD
[...]
CfITDxcJBZfeXIPZP52+8FSMlm5985uMvao+emlIUGk11rY61Amxr387grDvgOaI
-----END CERTIFICATE-----

At this point we have finished all the certificate work: we have created a combined key and certificate file, asterisk.pem, stored in /etc/asterisk/cert, which has the format SIP TLS expects. We can now move on and configure Asterisk.
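The three certificate steps above, as an added example that is not the post's own command sequence: a non-interactive script that builds the CA, issues the server certificate, concatenates key and certificate into the single file tlscertfile= expects, and then runs the checks worth doing before handing the file to Asterisk (key and certificate both present, key matching the certificate, certificate chaining to the CA). The subject fields, the sip.example.net hostname, the placeholder CA passphrase and the 2048-bit key size are assumptions of this example, not values from the post.

```shell
#!/bin/sh
# Added example (not the original post's commands): build a private CA, issue a
# server certificate, write the key+certificate bundle Asterisk wants, verify it.
# Subjects, hostname, passphrase and paths below are constructed placeholders.
set -eu

# Issue CA, server key and certificate under $1, then write $1/asterisk.pem.
build_sip_tls_bundle() {
    dir=$1
    ca_pass=constructed-ca-passphrase   # placeholder; use a real passphrase in production
    subj_base="/C=FR/ST=IDF/L=Paris/O=Example VoIP/OU=VoIP"

    # 1. Certificate Authority: encrypted key plus self-signed CA certificate.
    #    ca.crt is what gets installed on the phones and computers.
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin "pass:$ca_pass" \
        -subj "$subj_base/CN=Example VoIP CA" -out "$dir/ca.crt"

    # 2. Server key and request; the CN must be the hostname the phones connect to.
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/key.pem" -subj "$subj_base/CN=sip.example.net" \
        -out "$dir/server.csr"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -passin "pass:$ca_pass" -set_serial 01 \
        -out "$dir/cert.crt" 2>/dev/null

    # 3. tlscertfile= needs key AND certificate in one file: key first, then cert.
    cat "$dir/key.pem" "$dir/cert.crt" > "$dir/asterisk.pem"
    chmod 600 "$dir/asterisk.pem" "$dir/key.pem" "$dir/ca.key"   # private material
}

# Return 0 only if $1 holds a private key and a certificate, the two belong
# together, and the certificate chains to the CA certificate in $2.
check_sip_tls_bundle() {
    bundle=$1
    ca=$2
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$bundle" || { echo "no private key in $bundle"; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$bundle"    || { echo "no certificate in $bundle"; return 1; }
    # A key that does not belong to the certificate breaks every TLS handshake.
    key_mod=$(openssl rsa -noout -modulus -in "$bundle" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$bundle")
    [ "$key_mod" = "$crt_mod" ] || { echo "key/certificate mismatch in $bundle"; return 1; }
    # A certificate the CA did not sign is rejected by every phone trusting only ca.crt.
    openssl x509 -in "$bundle" | openssl verify -CAfile "$ca" >/dev/null 2>&1 \
        || { echo "$bundle does not chain to $ca"; return 1; }
    echo "$bundle: key and certificate present, matching, chained to $ca"
}

# Usage (constructed): build under a scratch directory and check the result.
work=${1:-$(mktemp -d)}
mkdir -p "$work"
build_sip_tls_bundle "$work"
check_sip_tls_bundle "$work/asterisk.pem" "$work/ca.crt"
echo "copy $work/asterisk.pem to /etc/asterisk/cert/ and $work/ca.crt to the phones"
```

Running the check against cert.crt alone fails at the first test, which is exactly the default openssl output that siptls.txt warns about; the modulus comparison catches a bundle assembled from the wrong key.pem, and the verify step catches a certificate signed by a CA other than the one installed on the devices.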


Configuring Asterisk
The TLS configuration is quite straightforward; we need 4 options to get this started.
First we need to add the following options to the [global] section of sip.conf:

[global]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/cert/asterisk.pem

Once this is done we need to configure our peers to use TLS. This is done through the transport option, which sip.conf documents as follows:

;transport=udp,tcp   ; This sets the default transport type to udp for outgoing, and will
;                    ; accept both tcp and udp. The default transport type is only used for
;                    ; outbound messages until a Registration takes place.  During the
;                    ; peer Registration the transport type may change to another supported
;                    ; type if the peer requests so.

In our case we will allow only TLS transport.

[100]
transport=tls

And we’re done!
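The listener configured above, exercised locally as an added example that is not part of the post: openssl s_server stands in for Asterisk's TLS port on the loopback interface, and the client probe shows what a phone sees with and without the CA certificate installed. The self-signed test certificate (its own CA), the sip.example.net hostname and the unprivileged test port are assumptions of this example. A client that refuses untrusted certificates aborts the handshake in the second case; on the server side that shows up as the "tlsv1 alert unknown ca" message quoted in the comments below.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce on loopback what a TLS
# peer sees when connecting to the SIP TLS port with and without the CA
# installed. openssl s_server plays the role of Asterisk's listener; the
# hostname, port and subject are constructed placeholders.
set -eu

# Build a throwaway self-signed server key+certificate bundle in $1 and print its path.
make_test_bundle() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example VoIP/CN=sip.example.net" \
        -keyout "$dir/key.pem" -out "$dir/cert.crt" >/dev/null 2>&1
    cat "$dir/key.pem" "$dir/cert.crt" > "$dir/asterisk.pem"   # tlscertfile= layout
    echo "$dir/asterisk.pem"
}

# Poll $1:$2 until a TLS handshake completes (max ~5 s); return 1 on timeout.
wait_for_listener() {
    n=0
    while [ "$n" -lt 5 ]; do
        if echo Q | openssl s_client -connect "$1:$2" 2>&1 | grep -q 'Verify return code'; then
            return 0
        fi
        n=$((n + 1)); sleep 1
    done
    return 1
}

# Connect like a TLS peer; $3 is the CA file the client trusts ("" = none installed).
# Prints "trusted" when the server certificate verifies, "untrusted" otherwise.
probe_tls_listener() {
    host=$1; port=$2; cafile=$3
    if [ -n "$cafile" ]; then
        out=$(echo Q | openssl s_client -connect "$host:$port" -CAfile "$cafile" \
                 -verify_hostname sip.example.net 2>&1 || true)
    else
        out=$(echo Q | openssl s_client -connect "$host:$port" 2>&1 || true)
    fi
    # Only "Verify return code: 0 (ok)" means the phone may safely send its REGISTER.
    case $out in
        *"Verify return code: 0 (ok)"*) echo trusted ;;
        *) echo untrusted ;;
    esac
}

# Start a test listener on port $1, probe it both ways, print the two results.
demo_listener() {
    port=$1
    dir=$(mktemp -d)
    bundle=$(make_test_bundle "$dir")
    openssl s_server -accept "$port" -cert "$bundle" -key "$bundle" -quiet \
        >"$dir/server.log" 2>&1 &
    srv=$!
    wait_for_listener 127.0.0.1 "$port" || { kill "$srv" 2>/dev/null; return 1; }
    with_ca=$(probe_tls_listener 127.0.0.1 "$port" "$dir/cert.crt")
    without_ca=$(probe_tls_listener 127.0.0.1 "$port" "")
    kill "$srv" 2>/dev/null || true
    echo "CA installed on client:     $with_ca"
    echo "CA not installed on client: $without_ca"
}

# Usage (constructed): 5061 needs root and may already be held by Asterisk,
# so the demo defaults to an unprivileged port.
demo_listener "${SIP_TLS_TEST_PORT:-15061}"
```

The same probe works against a real Asterisk box (replace 127.0.0.1 and the port with the server's address and 5061, and the CA file with the ca.crt built earlier); a "trusted" result is the quickest confirmation that the certificate installed on the phones matches what the server presents.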

TLS vs UDP seen by Wireshark

To show the difference I captured traces with Wireshark of the exact same sequence (a login followed by a phone call) in UDP and in TLS.
Wireshark capture: UDP connection (image)

Wireshark capture: TLS connection (image)


14 Replies to "SIPS on Asterisk - SIP security with TLS"

  • Remi Philippe | Building a home PBX with Asterisk
    May 30, 2010 (18:43)
    Reply

    […] SIPS on Asterisk – SIP security with TLS […]

  • Tweets that mention Remi Philippe | SIPS on Asterisk – SIP security with TLS -- Topsy.com
    May 30, 2010 (19:08)
    Reply

    […] This post was mentioned on Twitter by VoIP Monks, Rémi Philippe. Rémi Philippe said: RT @remiphilippe SIPS on Asterisk – SIP security with TLS http://bit.ly/b8e5yQ #in […]

  • Remi Philippe | Asterisk sRTP installation and configuration
    June 4, 2010 (20:14)
    Reply

    […] First we need to configure the TLS part which I won’t re-explain here as there is already a post dedicated to that – http://www.remiphilippe.fr/2010/05/30/sips-on-asterisk-sip-security-with-tls/. […]

  • Hans Witvliet
    November 11, 2010 (09:13)
    Reply

    Hi Remi, nice article.

    I wonder whether you ever tried to do two-factor authentication:
    using a softphone with a smartcard+PIN to register on an Asterisk server?

    • Remi Philippe
      January 12, 2011 (14:00)
      Reply

      Hi Hans,
      Never tried, I'm not sure if asterisk (or even SIP) supports a certificate based authentication. Over that it may be quite difficult to implement as this could only work via softphone (never heard of a SIP phone supporting smartcards).

      If you find any information I'd be curious to see how this could be done.

      Rémi

      • nguyễn bá thi
        October 10, 2011 (17:11)
        Reply

        Hi, Remi. How do I use a softphone? Can you make a video? Thanks.

  • mike
    January 7, 2011 (21:09)
    Reply

    I can't register my extension:

    ASterisk*CLI>
    == Problem setting up ssl connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
    [Jan 7 14:57:07] WARNING[2844]: tcptls.c:218 handle_tcptls_connection: FILE * open failed!
    == Problem setting up ssl connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

    Who can help me!

    • Remi Philippe
      January 12, 2011 (13:58)
      Reply

      Hi Mike,
      you clearly have a certificate issue here, you should recheck the certificate creation part, and the certificate paths.

      Rémi

  • Base
    May 8, 2011 (21:49)
    Reply

    Hello Remi,

    Very nice blog, both interesting and informing.
    Is this TLS tutorial complete?
    I did all the steps but eyeBeam won't register.

    I generated certificates and configured sip.conf.
    When I do netstat -na|grep 5061 I see asterisk is listening to the port.
    Asterisk shows SSL certificate ok.
    I installed the certificate authority on the client pc.
    I set eyebeam to make tls calls.
    Wireshark shows that TLS handshake is ok: everything is same as the TLS wireshark image you have posted except that it stops at where it shows 7052 in your image and my wireshark shows an encrypted alert and a bye message [FIN,ACK].
    eyeBeam gives Registration Error: 408 – Request Timeout

    Any idea of how to solve it?

    Thanks a lot mate.

  • Trunks
    March 19, 2012 (11:19)
    Reply

    Hi, I tried to configure my Asterisk with TLS with your instructions but I have an error. In Wireshark's traces, I have the message:
    TLSv1 Alert encrypted
    However, when I generated a certificate, I put my computer's name as hostname, and in Asterisk I have the message
    certificate ok.

    Could you help me?

  • Trunks
    March 22, 2012 (19:10)
    Reply

    Hi Rémi,
    I tried to configure TLS with Asterisk based on your description but I have an error. In Wireshark's trace, I have:
    TLSv1 Alert message.
    Do you know what I can do?

  • juan
    December 11, 2013 (17:33)
    Reply

    This is my problem == Problem setting up ssl connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
    [2013-12-11 11:33:25] WARNING[28350]: tcptls.c:261 handle_tcptls_connection: FILE * open failed!

  • elham
    March 11, 2014 (08:36)
    Reply

    Hi, thanks for your great training.
    I have two problems, one for the certificate and the other one for the client.
    I don't understand which certificate should be uploaded to the IP phone or softphone. Is it the one we just generated with your first command?
    The other one is that when I upload ca.key or key.pem to the softphone and choose TLS as protocol, neither of them works; they just unregister the softphone and say that it cannot find my Elastix server.
    Please guide me on how to solve these problems.

  • Andrey
    October 27, 2014 (16:49)
    Reply

    Hi, Remi.
    I have a question. Where do clients take the session keys from? How is the SRTP flow created, and why does my SRTP flow go through Asterisk!? Why is it not created directly between the two clients!?
    Thx!!!
