Secure outgoing calls (TLS)

Post by foxer69 » Thu Apr 25, 2013 3:14 pm

I have some questions about Asterisk and TLS.
I have Asterisk with TLS enabled, with these settings:
Code:
#and all this stuff

If I'm not mistaken, this means security between Asterisk and SIP clients.
My questions are:
1. How could I secure an outgoing call to another Asterisk? Something like this:
Code:
exten => 111,1,Dial(SIP/1000@Server_b)

2. Is it possible just with Server_a registering to Server_b? Like this: ( ... +Transport)

3. When I use ENUM, how do I secure outgoing calls to unknown VoIP servers?

Re: Secure outgoing calls (TLS)

Post by jpsharp » Wed May 01, 2013 8:04 pm

There are two layers of security available.

TLS secures the signalling portion of SIP: registration, call processing/progress, and other SIP messages. It *DOES NOT* secure the voice path.

If you want to encrypt voice, you need to use either SRTP or ZRTP to encrypt the voice packets, along with TLS to secure the messaging path. You must secure the messaging path via TLS first before attempting SRTP/ZRTP, otherwise the keys exchanged to encrypt the voice path are exchanged in cleartext. Kind of pointless.

You can use TLS/SRTP to any endpoint that supports it, either Asterisk or an end user with a crypto-friendly softphone.

Once you have TLS/SRTP installed, it is up to you to configure how you want Asterisk to handle encryption. You can set SIP peers/users to one of 3 options: "Never use encryption", "Offer to use encryption, but proceed anyway if encryption cannot be negotiated", and "Do not connect unless an encrypted session can be negotiated".

Re: Secure outgoing calls (TLS)

Post by ambiorixg12 » Sun May 05, 2013 12:31 am

Great explanation, jpsharp, good contribution. Keep it up!

Re: Secure outgoing calls (TLS)

Post by david55 » Sun May 05, 2013 4:01 am

If you want security to an unknown party, you are both going to have to have your certificates signed by a trusted third party, otherwise you are vulnerable to man-in-the-middle attacks. At most this guarantees that you are talking to the phone number you tried to dial. Checking that the organisation is the one intended probably requires retrieving the actual certificate, something that I suspect is not that easy.

A lot of TLS applications either only authenticate one way, or don't carry out all the checks. I'm not sure how well behaved Asterisk is.
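
An added example, not code from any poster in this thread: a Python check over a chan_sip `sip.conf` that flags the two weaknesses raised above, SRTP enabled on a peer whose signalling is not TLS-only (jpsharp's point about keys exchanged in cleartext) and server certificate verification switched off (david55's point about skipped checks). The sample config, peer names and function names are constructed, and it assumes peers inherit `transport` and `encryption` from `[general]` and that templates are not used.

```python
# Constructed sample chan_sip sip.conf; peer names are made up.
SAMPLE_SIP_CONF = """
[general]
tlsdontverifyserver=yes   ; client side skips server certificate checks

[server_b]
type=peer
transport=tls
encryption=yes

[softphone]
type=friend
transport=udp,tls
encryption=yes

[legacy]
type=peer
"""

def parse_sip_conf(text):
    """Return {section: {key: value}}. ';' starts a comment; templates are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # also copes with "key => value"
            current[key.strip().lower()] = value.lstrip(">").strip().lower()
    return sections

def audit(text):
    """Return (section, finding) pairs for weak signalling/media settings."""
    sections = parse_sip_conf(text)
    general = sections.pop("general", {})
    findings = []
    if general.get("tlsdontverifyserver", "no") == "yes":
        findings.append(("general", "server certificate not verified on outbound TLS"))
    for name, opts in sections.items():
        merged = {**general, **opts}  # assumption: peers inherit [general] defaults
        transports = [t.strip() for t in merged.get("transport", "udp").split(",")]
        srtp = merged.get("encryption", "no") == "yes"
        cleartext = [t for t in transports if t != "tls"]
        if srtp and cleartext:
            findings.append((name, "SRTP keys may cross cleartext " + "/".join(cleartext)))
        elif "tls" in transports and not srtp:
            findings.append((name, "TLS signalling only, voice path is plain RTP"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_SIP_CONF), sep="\n")
```

Peers with neither TLS nor SRTP, such as `legacy` in the sample, are not flagged by this check; they correspond to the "Never use encryption" case.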
