CentOS-6.5 (FreePBX-2.6)
Asterisk-11.14.2 (FreePBX)
snom870-SIP 8.7.3.25.5

I am having a very difficult time attempting to get TLS and SRTP working with Asterisk and anything else. At the moment I am trying to get TLS functioning with our Snom870 desk-sets. And I am not having much luck.

Since this is an extraordinarily (to me) Byzantine environment I am going to ask if any of you have gotten this set-up (Asterisk11 with Snom870s using TLS) to work and if so could you provide the details?

I have this in Asterisk sip.conf (loaded through FreePBX's sip_general_additional.conf).

tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1

And I have this for the test device context:

[41712]
deny=0.0.0.0/0.0.0.0
secret=NearlyANastyThat
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
sendrpid=no
type=friend
nat=no
port=5060
qualify=yes
qualifyfreq=60
transport=tls,udp,tcp
avpf=no
force_avp=no
icesupport=no
encryption=yes
callgroup=
pickupgroup=
dial=SIP/41712
mailbox=41712@device
permit=192.168.6.0/255.255.255.0
callerid=James B Byrne <41712>
callcounter=yes
faxdetect=no
cc_monitor_policy=generic

If I change the transport setting to TLS then I get this reported:

[2015-03-03 11:10:08] ERROR[22244]: tcptls.c:875 ast_tcptls_client_start: Unable to connect SIP socket to 192.168.6.112:5060: Connection refused

I cannot seem to configure the Snom870 to listen for TCP on 5060. There is a setting for that on the phone but it seems to have no effect (it always returns to NO following a reboot). The Snom website says that the option is not available in FW8.5 and later. It does not inform one of whether the phone listens by default or not on FW8.5+, only that the option has no effect.

It also does not say, as far as I can find, whether Snom870s listen for TCP at all or on what port.
One may infer that since these devices purport to support TLS that the answer is yes and that TCP5061 is a likely candidate. But they do not seem to come right out and say so anywhere.

In a section devoted to the Snom370, which is a model that we do not employ, there is reference to DNS SRV RRs. The inference drawn from the examples given is that these will control what ports the Snom will listen on for which services.

We have such records in our DNS zone. They look like this:

;# Configure sip/sips service records (VOIP)
;HOST TTL CLASS TYPE ORDER PREF FLAGS SERVICE REGEXP REPLACEMENT
 300 IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.harte-lyne.ca.
 300 IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.harte-lyne.ca.
 300 IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.harte-lyne.ca.

;HOST TTL CLASS TYPE ORDER PREF PORT TARGET
_sips._tcp.harte-lyne.ca. 300 IN SRV 10 10 5061 voinet09.hamilton.harte-lyne.ca.
_sip._tcp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
_sip._udp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.

However, our phones are configured to use SIP accounts having the form account@ipv4-addr. I doubt greatly that the Snom870s will perform a reverse DNS lookup on the provider's IPv4 to discover the forward zone domain and thus I do not believe that SRV RRs can help us in this instance. They certainly do not seem to have any effect.

Asterisk seems not to distinguish between 5060 and 5061 regardless of protocol. I am not sure then how to proceed. Is there a way to force Asterisk to talk to port TCP5061 on a specific device? Is this an exclusive setting?

This long background is by way of asking for help. If I have not provided specific information that is significant to this problem then I will do so if asked.

What I am attempting has to be possible. Somehow. And somebody must have already accomplished this. Somewhere.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
On 03.03.2015 at 18:16, James B. Byrne wrote:
> CentOS-6.5 (FreePBX-2.6)
> Asterisk-11.14.2 (FreePBX)
> snom870-SIP 8.7.3.25.5
>
> I am having a very difficult time attempting to get TLS and SRTP
> working with Asterisk and anything else. At the moment I am trying to
> get TLS functioning with our Snom870 desk-sets. And I am not having
> much luck.
[...]
> However, our phones are configured to use SIP accounts having the form
> account@ipv4-addr. I doubt greatly that the Snom870s will perform a
> reverse DNS lookup on the provider's IPv4 to discover the forward zone
> domain and thus I do not believe that SRV RRs can help us in this
> instance. They certainly do not seem to have any effect.
>
> Asterisk seems not to distinguish between 5060 and 5061 regardless of
> protocol. I am not sure then how to proceed. Is there a way to force
> Asterisk to talk to port TCP5061 on a specific device? Is this an
> exclusive setting?
>
> What I am attempting has to be possible. Somehow. And somebody must
> have already accomplished this. Somewhere.

Forget about the reverse DNS stuff for the moment.

Do simple SIP accounts (without SRTP/SRTP and deny/permit stuff) work?

Enable SRTP, but you likely need the AES-80 for SRTP Auth-tag.

Then try the rest.

jg
These are the sip settings on our installation.

Global Settings:
----------------
  UDP Bindaddress:        0.0.0.0:5060
  TCP SIP Bindaddress:    0.0.0.0:5060
  TLS SIP Bindaddress:    (null)
  Videosupport:           No
  Textsupport:            No
  Ignore SDP sess. ver.:  No
  AutoCreate Peer:        Off
  Match Auth Username:    No
  Allow unknown access:   Yes
  Allow subscriptions:    Yes
  Allow overlap dialing:  Yes
  Allow promisc. redir:   No
  Enable call counters:   No
  SIP domain support:     No
  Realm. auth:            No
  Our auth realm          asterisk
  Use domains as realms:  No
  Call to non-local dom.: Yes
  URI user is phone no:   No
  Always auth rejects:    Yes
  Direct RTP setup:       No
  User Agent:             FPBX-12.0.40(11.14.2)
  SDP Session Name:       Asterisk PBX 11.14.2
  SDP Owner Name:         root
  Reg. context:           (not set)
  Regexten on Qualify:    No
  Trust RPID:             No
  Send RPID:              No
  Legacy userfield parse: No
  Send Diversion:         Yes
  Caller ID:              Unknown
  From: Domain:
  Record SIP history:     Off
  Call Events:            On
  Auth. Failure Events:   Off
  T.38 support:           No
  T.38 EC mode:           Unknown
  T.38 MaxDtgrm:          4294967295
  SIP realtime:           Disabled
  Qualify Freq :          60000 ms
  Q.850 Reason header:    No
  Store SIP_CAUSE:        No

Network QoS Settings:
---------------------------
  IP ToS SIP:             CS3
  IP ToS RTP audio:       EF
  IP ToS RTP video:       AF41
  IP ToS RTP text:        CS0
  802.1p CoS SIP:         4
  802.1p CoS RTP audio:   5
  802.1p CoS RTP video:   6
  802.1p CoS RTP text:    5
  Jitterbuffer enabled:   No

Network Settings:
---------------------------
  SIP address remapping:  Enabled using externaddr
  Externhost:             <none>
  Externaddr:             216.185.71.9:0
  Externrefresh:          10
  Localnet:               216.185.71.0/255.255.255.0
                          192.168.6.0/255.255.255.0
                          192.168.209.0/255.255.255.0
                          192.168.216.0/255.255.255.0
                          192.168.71.0/255.255.255.0

Global Signalling Settings:
---------------------------
  Codecs:                 (gsm|ulaw|alaw)
  Codec Order:            ulaw:20,alaw:20,gsm:20
  Relax DTMF:             No
  RFC2833 Compensation:   No
  Symmetric RTP:          Yes
  Compact SIP headers:    No
  RTP Keepalive:          0 (Disabled)
  RTP Timeout:            30
  RTP Hold Timeout:       300
  MWI NOTIFY mime type:   application/simple-message-summary
  DNS SRV lookup:         No
  Pedantic SIP support:   Yes
  Reg. min duration       60 secs
  Reg. max duration:      3600 secs
  Reg. default duration:  120 secs
  Sub. min duration       60 secs
  Sub. max duration:      3600 secs
  Outbound reg. timeout:  20 secs
  Outbound reg. attempts: 0
  Outbound reg. retry 403:0
  Notify ringing state:   Yes
  Include CID:            No
  Notify hold state:      Yes
  SIP Transfer mode:      open
  Max Call Bitrate:       384 kbps
  Auto-Framing:           No
  Outb. proxy:            <not set>
  Session Timers:         Accept
  Session Refresher:      uas
  Session Expires:        1800 secs
  Session Min-SE:         90 secs
  Timer T1:               500
  Timer T1 minimum:       100
  Timer B:                32000
  No premature media:     Yes
  Max forwards:           70

Default Settings:
-----------------
  Allowed transports:     UDP
  Outbound transport:     UDP
  Context:                from-sip-external
  Record on feature:      automon
  Record off feature:     automon
  Force rport:            Yes
  DTMF:                   rfc2833
  Qualify:                0
  Keepalive:              0
  Use ClientCode:         No
  Progress inband:        Never
  Language:
  Tone zone:              <Not set>
  MOH Interpret:          default
  MOH Suggest:
  Voice Mail Extension:   *97
>>>>> "JBB" == James B Byrne <byrnejb at harte-lyne.ca> writes:

JBB> tcpenable=yes
JBB> tlsenable=yes
JBB> tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
JBB> tlscafile=/etc/pki/tls/certs/ca-bundle.crt
JBB> tlsdontverifyserver=yes
JBB> tlscipher=ALL
JBB> tlsclientmethod=tlsv1

You are missing the tls key.

The config name is tlsprivatekey; set that to the filename of your tls key, akin to how tlscertfile is set.

-JimC
--
James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6
On Tue, March 3, 2015 13:19, jg wrote:
> Forget about the reverse DNS stuff for the moment.
>
> Do simple SIP accounts (without SRTP/SRTP and deny/permit stuff) work?
>
> Enable SRTP, but you likely need the AES-80 for SRTP Auth-tag.
>
> Then try the rest.
>
> jg

The Snom870s and our Asterisk FreePBX are communicating with each other and have been for the past two years. The Snoms are configured for AES-80 and SRTP is enabled on the FreePBX device entry. We have a working PBX system. I am trying to secure it.
On Tue, March 3, 2015 13:37, James Cloos wrote:
> You are missing the tls key.
>
> The config name is tlsprivatekey; set that to the filename of your tls
> key, akin to how tlscertfile is set.
>
> -JimC

Thank you. The settings in sip_general_additional.conf are now:

tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.pem
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1
tlsprivatekey=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.key

However, issuing 'amportal a r' still results in this error:

[2015-03-03 15:40:42] ERROR[13681]: tcptls.c:875 ast_tcptls_client_start: Unable to connect SIP socket to 192.168.6.112:5060: Connection refused
I reconfigured sip.conf to have these settings:

tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.pem
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1
tlsprivatekey=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.key
tcpbindaddr=0.0.0.0/0.0.0.0:5061
tlsbindaddr=0.0.0.0/0.0.0.0:5061

Following amportal a r I see this:

[2015-03-03 16:26:48] ERROR[17130]: tcptls.c:875 ast_tcptls_client_start: Unable to connect SIP socket to 192.168.6.112:5060: Connection refused

This is what sip show settings reveals:

Global Settings:
----------------
  UDP Bindaddress:        0.0.0.0:5060
  TCP SIP Bindaddress:    0.0.0.0:5060
  TLS SIP Bindaddress:    0.0.0.0:5061

Is it just me or is there something odd about specifying a TCP port and then having it ignored?
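The settings posted in this thread contain several things a reviewer would flag before looking at the phone: the key file that JimC pointed out, a peer whose first listed transport is tls while its port stays at 5060 (chan_sip dials out with the first transport in the list, which is why every log line above shows a TLS attempt to 192.168.6.112:5060 rather than 5061), and tlsdontverifyserver=yes with tlscipher=ALL. The linter below is an added example, not code from the thread, Asterisk or FreePBX; it runs on a constructed copy of the original post's [general] and peer settings and assumes a plain sip.conf without #include directives.

```python
import configparser

# Constructed sample: the [general] TLS keys and the peer from the original
# post, with unrelated keys omitted.
SAMPLE_SIP_CONF = """\
[general]
tcpenable=yes
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
tlscafile=/etc/pki/tls/certs/ca-bundle.crt
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1

[41712]
type=friend
host=dynamic
port=5060
transport=tls,udp,tcp
encryption=yes
"""


def lint_sip_tls(text):
    """Return (section, finding) pairs for TLS pitfalls in chan_sip config text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   empty_lines_in_values=False)
    cp.read_string(text)
    findings = []
    if cp.has_section("general") and cp["general"].get("tlsenable", "no").lower() == "yes":
        g = cp["general"]
        if not g.get("tlsprivatekey"):  # the omission JimC spotted in the thread
            findings.append(("general", "missing-tlsprivatekey"))
        if g.get("tlsdontverifyserver", "no").lower() == "yes":
            findings.append(("general", "no-server-verify"))
        if g.get("tlscipher", "").upper() == "ALL":  # every OpenSSL suite, weak ones included
            findings.append(("general", "weak-cipher-list"))
        if g.get("tlsclientmethod", "").lower() in ("sslv2", "sslv3", "tlsv1"):
            findings.append(("general", "legacy-tls-method"))
    for name in cp.sections():
        p = cp[name]
        if name == "general" or p.get("type") not in ("peer", "friend"):
            continue
        transports = [t.strip().lower() for t in p.get("transport", "udp").split(",")]
        # chan_sip dials out with the first listed transport; TLS to port 5060
        # is what produced the "Connection refused" log lines in the thread.
        if transports[0] == "tls" and p.get("port", "5060") == "5060":
            findings.append((name, "tls-port-5060"))
        if p.get("encryption", "no").lower() == "yes" and "tls" not in transports:
            findings.append((name, "srtp-without-tls"))  # SRTP keys would travel in cleartext SDP
    return findings
```

Run `lint_sip_tls(open("/etc/asterisk/sip.conf").read())` against a real file; an empty list means none of the patterns discussed in this thread are present.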