[jitsi-dev] TLS configuration with Jitsi?


#1

Hi,

I've been playing around with TLS, sRTP and ZRTP on a project I'm working on and in the process, I was able to confirm ZRTP works with the Acrobits Groundwire for iOS application. That's great! Now I have a working testbed for ZRTP. By the way, Jitsi works very well in this regard because the setup time for the key exchange is not too significant and it gives the user good visual and audible indication of the connection status.

However, I have not been as successful trying to get TLS to work. In the latest nightly builds for OS X, the sRTP works pretty well and I have not experienced any issues there.

In the other applications (i.e., Blink Pro, Bria for iOS, and Groundwire for iOS) and phones (e.g., Yealink, Polycom, Cisco), I selected the TLS transport, sRTP media, and set the proxy and registrar ports to 5061 and they all worked without issue.

I should mention that I generated a certificate for the server and the clients, and all of them including Jitsi imported the client certificate, and use it for authentication, with no issues.

Is there a guide someplace for configuring TLS?

Thanks.

marc.


_______________________
sip:marc@plan9tele.com (mailto:marc@mocet.com)
tel:+1-949-514-8999


#2

Hey Marc

> I've been playing around with TLS, sRTP and ZRTP on a project I'm working on
> and in the process, I was able to confirm ZRTP works with the Acrobits
> Groundwire for iOS application. That's great! Now I have a working testbed
> for ZRTP. By the way, Jitsi works very well in this regard because the setup
> time for the key exchange is not too significant and it gives the user good
> visual and audible indication of the connection status.

Great, good to hear :slight_smile:

> However, I have not been as successful trying to get TLS to work. In the
> latest nightly builds for OS X, the sRTP works pretty well and I have not
> experienced any issues there.
>
> In the other applications (i.e., Blink Pro, Bria for iOS, and Groundwire for
> iOS) and phones (e.g., Yealink, Polycom, Cisco), I selected the TLS
> transport, sRTP media, and set the proxy and registrar ports to 5061 and they
> all worked without issue.
>
> I should mention that I generated a certificate for the server and the
> clients, and all of them including Jitsi imported the client certificate, and
> use it for authentication, with no issues.

Could you please describe in a bit more detail what you are trying to achieve with TLS and your setup, and attach Jitsi's logs?

> Is there a guide someplace for configuring TLS?

No, unfortunately not. It's on my todo-list to create a help page on our Website.

For TLS connections to the server, select TLS as preferred transport and the corresponding port in the properties of the SIP account (on the Connection page).
If you want to use client certificates, you must create a Client Certificate Profile (Tools->Options->Advanced->TLS Configuration) and select the created profile in the account's Connection page.

While TLS connections in general should be absolutely no problem, the usage of client certificates is a relatively new feature and might have some issues left.

> Thanks.
> marc.

Regards,
Ingo


#3

Hi, Ingo:

See comments inline….

Thanks.

marc.

On Monday, January 2, 2012 at 12:11 PM, Bauersachs Ingo wrote:

> Hey Marc
>
> > I've been playing around with TLS, sRTP and ZRTP on a project I'm working on
> > and in the process, I was able to confirm ZRTP works with the Acrobits
> > Groundwire for iOS application. That's great! Now I have a working testbed
> > for ZRTP. By the way, Jitsi works very well in this regard because the setup
> > time for the key exchange is not too significant and it gives the user good
> > visual and audible indication of the connection status.
>
> Great, good to hear :slight_smile:
>
> > However, I have not been as successful trying to get TLS to work. In the
> > latest nightly builds for OS X, the sRTP works pretty well and I have not
> > experienced any issues there.
> >
> > In the other applications (i.e., Blink Pro, Bria for iOS, and Groundwire for
> > iOS) and phones (e.g., Yealink, Polycom, Cisco), I selected the TLS
> > transport, sRTP media, and set the proxy and registrar ports to 5061 and they
> > all worked without issue.
> >
> > I should mention that I generated a certificate for the server and the
> > clients, and all of them including Jitsi imported the client certificate, and
> > use it for authentication, with no issues.
>
> Could you please describe in a bit more detail what you are trying to achieve with TLS and your setup, and attach Jitsi's logs?

I was trying to set up a few phones in my office to work with Jitsi. Basic calling when configured with either TCP or UDP works fine. When I enable optional support for SAVP (e.g., sRTP), that works too. So I thought I would go one step further and try and get TLS working too. I have an Intertex IX78 that I use as my proxy and registrar. I created a self-signed certificate for it then created a certificate bundle to use in the phones. I wound up having to export client certificates for the phones (Yealink T22P and Polycom IP331) because they did not support bundles. However, I was really pleasantly surprised that Jitsi worked nicely with the bundle in the advanced TLS setup. Then, I changed the transport settings to TLS and the port used to 5061 and tried to reregister. It would not work.

> > Is there a guide someplace for configuring TLS?
>
> No, unfortunately not. It's on my todo-list to create a help page on our Website.
>
> For TLS connections to the server, select TLS as preferred transport and the corresponding port in the properties of the SIP account (on the Connection page).
> If you want to use client certificates, you must create a Client Certificate Profile (Tools->Options->Advanced->TLS Configuration) and select the created profile in the account's Connection page.
>
> While TLS connections in general should be absolutely no problem, the usage of client certificates is a relatively new feature and might have some issues left.

That might be the issue.

> > Thanks.
> > marc.
>
> Regards,
> Ingo
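The procedure Ingo lays out (TLS transport plus a Client Certificate Profile loaded from a .pfx) and the certificate work Marc describes (a self-signed server certificate, a bundle for Jitsi, separate client certificates for phones that cannot import bundles) can be reproduced end to end with OpenSSL. The script below is an added example written for this page, not code from the Jitsi project or from either poster; the host name sip.example.test, the subject names, the output directory and the bundle password are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example for this thread, not code from the Jitsi project or from anyone
# on the list: a private CA, a server certificate for the SIP proxy/registrar
# and a client certificate, exported both as a PKCS#12 (.pfx) bundle for a
# Jitsi Client Certificate Profile and as separate PEM files for phones that
# do not accept bundles. Host name, subject names, output directory and
# bundle password are assumptions; override them via the environment.
set -eu

PROXY_HOST="${PROXY_HOST:-sip.example.test}"   # assumed FQDN the clients dial on 5061
OUT="${OUT:-./sip-tls}"                        # assumed output directory
PFX_PASS="${PFX_PASS:-changeit}"               # assumed bundle password; pick a real one
DAYS=825

# Issue one certificate signed by the private CA. $1 = file prefix, $2 = subject
# CN, $3 = X.509 extensions (SAN, EKU; "\n"-separated). Keys are written unencrypted.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$OUT/$1.key" -out "$OUT/$1.csr" 2>/dev/null
    printf '%b\n' "$3" > "$OUT/$1.ext"
    openssl x509 -req -in "$OUT/$1.csr" -CA "$OUT/ca.pem" -CAkey "$OUT/ca.key" \
        -CAcreateserial -days "$DAYS" -sha256 -extfile "$OUT/$1.ext" \
        -out "$OUT/$1.pem" 2>/dev/null
}

make_sip_certs() {
    mkdir -p "$OUT"

    # 1. Private CA; ca.pem is what every endpoint imports as its trust anchor.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
        -subj "/CN=Example SIP CA" -keyout "$OUT/ca.key" -out "$OUT/ca.pem" 2>/dev/null

    # 2. Server certificate: the SAN has to match the name entered as the
    #    proxy, otherwise a client that checks host names refuses the handshake.
    issue_cert server "$PROXY_HOST" \
        "subjectAltName=DNS:$PROXY_HOST\nextendedKeyUsage=serverAuth"

    # 3. One client certificate per endpoint so the registrar can tell them apart.
    issue_cert client jitsi-desktop "extendedKeyUsage=clientAuth"

    # 4. Bundle key + certificate + CA into a .pfx for Jitsi's TLS Configuration
    #    profile. Phones that want separate files get client.pem/client.key/ca.pem.
    openssl pkcs12 -export -inkey "$OUT/client.key" -in "$OUT/client.pem" \
        -certfile "$OUT/ca.pem" -name jitsi-desktop -passout "pass:$PFX_PASS" \
        -out "$OUT/client.pfx"

    # 5. Both end-entity certificates must chain to the CA.
    openssl verify -CAfile "$OUT/ca.pem" "$OUT/server.pem" "$OUT/client.pem"
}

# Re-open the artefacts the way a client would: the bundle must unlock with the
# password and carry the expected identity, and the server cert must name the host.
check_sip_certs() {
    openssl pkcs12 -in "$OUT/client.pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject | grep -q 'jitsi-desktop' || return 1
    openssl x509 -in "$OUT/server.pem" -noout -text | grep -q "DNS:$PROXY_HOST" || return 1
    return 0
}

# sh make-sip-certs.sh run   (without "run" only the functions are defined)
if [ "${1:-}" = "run" ]; then
    make_sip_certs
    check_sip_certs && echo "wrote client.pfx and PEM files to $OUT"
fi
```

Run it once with `sh make-sip-certs.sh run`, load client.pfx into a profile under Tools->Options->Advanced->TLS Configuration, import ca.pem as the trust anchor, and copy client.pem, client.key and ca.pem to the phones. Before touching any account settings, `openssl s_client -connect sip.example.test:5061 -CAfile sip-tls/ca.pem -cert sip-tls/client.pem -key sip-tls/client.key` shows whether the registrar's TLS listener accepts the chain and whether it requests a client certificate at all, which separates a certificate problem from the account-settings problem this thread ends up with. OpenSSL 3 writes the .pfx with AES and PBKDF2; older Java runtimes may only read the RC2/3DES form, in which case add `-legacy` to the `pkcs12 -export` call.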


#4

Hey

> > Could you please describe in a bit more detail what you are trying to
> > achieve with TLS and your setup, and attach Jitsi's logs?
>
> I was trying to set up a few phones in my office to work with Jitsi. Basic
> calling when configured with either TCP or UDP works fine. When I enable
> optional support for SAVP (e.g., sRTP), that works too. So I thought I would
> go one step further and try and get TLS working too. I have an Intertex IX78
> that I use as my proxy and registrar. I created a self-signed certificate for
> it then created a certificate bundle to use in the phones. I wound up having
> to export client certificates for the phones (Yealink T22P and Polycom IP331)
> because they did not support bundles. However, I was really pleasantly
> surprised that Jitsi worked nicely with the bundle in the advanced TLS setup.
> Then, I changed the transport settings to TLS and the port used to 5061 and
> tried to reregister. It would not work.

Did you select the created profile in the SIP account settings? I created some screenshots showing a profile with a .pfx file and the selection in the SIP account.

Could you also please send me your logs [1] so I can investigate why the logon fails? You can send them directly to me if you don't want to see them on the mailing list.

Regards,
Ingo

[1] http://jitsi.org/index.php/Documentation/FAQ#logs


#5

And here are the screenshots... :slight_smile:

Ingo



#6

Hi, Ingo:

After looking at your screenshots, I realized that I set the ports for both the proxy and outbound proxy to 5061. By leaving the proxy blank, and keeping 5061 in the outbound proxy field, the rest of the setup including the certificates worked as is.

By the way, I think Jitsi is great! My list of things I would like to see it support is pretty small at the moment. I know you are working on an Android version. That would be cool. But more useful to me would be SMS and SIMPLE IM.

Thanks!

marc.

Attachments:
- account.png

- cert-profile.png


#7

Hey Marc,

> Hi, Ingo:
> After looking at your screenshots, I realized that I set the ports for both
> the proxy and outbound proxy to 5061. By leaving the proxy blank, and
> keeping 5061 in the outbound proxy field, the rest of the setup including
> the certificates worked as is.
> By the way, I think Jitsi is great!

Thanks for your kind words! One quick question?

> My list of things I would like to see it support is pretty small at the moment.
> I know you are working on an Android version. That would be cool. But more
> useful to me would be SMS and SIMPLE IM.

What exactly do you mean by SMS?

Emil

--
Emil Ivov, Ph.D. 67000 Strasbourg,
Project Lead France
Jitsi
emcho@jitsi.org PHONE: +33.1.77.62.43.30
http://jitsi.org FAX: +33.1.77.62.47.31


#8

Ingo:

There are a few ways to do this, but the way FreeSWITCH is implementing it is pretty cool: http://wiki.freeswitch.org/wiki/Mod_sms

The interesting thing is there are a few service providers out there, like 2600hz.com, who are based on FreeSWITCH and will be implementing mod_sms for carriers. I know it's on the list at 2600hz.

Thanks.



#9

> Ingo:

That was Emil actually :slight_smile:

> There are a few ways to do this,

We have done this for some of our customers in BlueJimp, but it has always
been a matter of implementing a custom solution for a specific service. I
am not currently aware of an IETF spec or even a single non-standard but
popular mechanism (like SIP INFO for DTMF) that allows this.

> but the way FreeSWITCH is implementing it is pretty cool:
> http://wiki.freeswitch.org/wiki/Mod_sms

I might be missing something but this page doesn't seem to define a generic
way for a client, like Jitsi, to send SMS messages. It does enable server
admins to do so and, if I understand correctly, it is up to these admins to
write the glue code.

If these interfaces are built as a bridge between SIP MESSAGE requests and
the SMS feature, for example, then there would be nothing for Jitsi to
support.

Cheers,
Emil

> The interesting thing is there are a few service providers out there,
> like 2600hz.com, who are based on FreeSWITCH and will be implementing
> mod_sms for carriers. I know it's on the list at 2600hz.
