[jitsi-users] Secure Jitsi on Asterisk-11


#1

Does anyone have instructions to share on how to get Jitsi to connect
to an Asterisk 11 PBX (FreePBX) using DTLS/SRTP? If you do, would you
please make them available to me?

I have Jitsi connecting to our PBX from outside our network and
handling voice calls. Now I wish to encrypt the registration and
subsequent voice traffic. Our system is a gateway to the PSTN so the
encryption is never going to be end-to-end. But Jitsi to Server is
good enough for now.

Thank you.


--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3


#2

Does anyone have instructions to share on how to get Jitsi to connect
to an Asterisk 11 PBX (FreePBX) using DTLS/SRTP? If you do, would you
please make them available to me?

If you insist on using DTLS: I have no idea how that works over SIP nor whether our implementation actually works with SIP and not just XMPP.

Otherwise, consider using SDES together with signaling transport over TLS. Configure your DNS so that Jitsi can perform autodetection of the server (i.e. create an SRV for _sips._tcp.example.org that points to your Asterisk on port 5061) and configure the SIP account (e.g. with provisioning) to use SDES as key exchange only and set RTP/SAVP to mandatory.

Be sure that you use libsrtp >= 1.5.0 on the server side, or Asterisk might crash.

I have Jitsi connecting to our PBX from outside our network and
handling voice calls. Now I wish to encrypt the registration and
subsequent voice traffic. Our system is a gateway to the PSTN so the
encryption is never going to be end-to-end. But Jitsi to Server is
good enough for now.

Thank you.

Ingo


#3

Does anyone have instructions to share on how to get Jitsi to connect
to an Asterisk 11 PBX (FreePBX) using DTLS/SRTP? If you do, would
you please make them available to me?

If you insist on using DTLS: I have no idea how that works over SIP
nor whether our implementation actually works with SIP and not just
XMPP.

First thank you for your reply. I appreciate the assistance very much.

I simply do not know very much about this technology, notwithstanding
that I successfully installed and configured our Asterisk/FreePBX
system back in 2013. What I can say is that our internal hardsets,
Snom-870s for the most part, are configured to use SRTP (AES-80) and
WireShark traces seem to confirm that this is working as it should.
Voice calls are successfully completed and the packets appear to be
encrypted to and from the Asterisk server host. We connect to PSTN
from there so obviously encryption for outside calls is not possible
via that channel.

Asterisk11/FreePBX provides support for SRTP at the device level and
they have recently added the ability to enable DTLS/SRTP by device as
well. There are a number of configuration issues with this that I
have yet to solve so I may be premature in bringing this matter to
your attention. But I am desperate for some clues on how to proceed,
however tangential they may turn out to be.

Otherwise, consider using SDES together with signaling transport over
TLS. Configure your DNS so that Jitsi can perform autodetection of the
server (i.e. create an SRV for _sips._tcp.example.org that points to
your Asterisk on port 5061) and configure the SIP account (e.g. with
provisioning) to use SDES as key exchange only and set RTP/SAVP to
mandatory.

From everything I have read Asterisk11 only listens for SIP on 5060
regardless of TLS or not. Am I misinformed?

SDES/SRTP seems to be the manner in which Asterisk supports the Snom
hard-sets. I am presently trying to sort out in my mind how to enable
TLS for this. I find it hard to locate documentation from reputable
sources on this subject. And what I do find usually assumes a level
of expertise with this technology that I have yet to acquire.
Nevertheless, I am making progress and so I expect that eventually all
this will work as I require.

One question I have though is that Jitsi appears, from wireshark
observation and gateway logs, to use UDP exclusively for SIP and I
have been unable to find an option setting to change this behaviour.
How does one tell Jitsi to use TCP for SIP instead of UDP?

Be sure that you use libsrtp >= 1.5.0 on the server side, or Asterisk
might crash.

That will be a problem. The version of libsrtp shipped with the
FreePBX CentOS-6.5 based distro is 1.4.4 and it is unlikely that I
would be able to update this without breaking a lot of the system.

Thanks,


On Tue, February 24, 2015 06:15, Ingo Bauersachs wrote:

On Mon, February 23, 2015 17:08 (+5:00) "James B. Byrne" wrote:

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3


#4

Does anyone have instructions to share on how to get Jitsi to connect
to an Asterisk 11 PBX (FreePBX) using DTLS/SRTP? If you do, would
you please make them available to me?

If you insist on using DTLS: I have no idea how that works over SIP
nor whether our implementation actually works with SIP and not just
XMPP.

First thank you for your reply. I appreciate the assistance very much.

I simply do not know very much about this technology, notwithstanding
that I successfully installed and configured our Asterisk/FreePBX
system back in 2013. What I can say is that our internal hardsets,
Snom-870s for the most part, are configured to use SRTP (AES-80) and
WireShark traces seem to confirm that this is working as it should.
Voice calls are successfully completed and the packets appear to be
encrypted to and from the Asterisk server host. We connect to PSTN
from there so obviously encryption for outside calls is not possible
via that channel.

This is similar to what we do, however we use Jitsi exclusively and have no
hard phones.

Asterisk11/FreePBX provides support for SRTP at the device level and
they have recently added the ability to enable DTLS/SRTP by device as
well. There are a number of configuration issues with this that I
have yet to solve so I may be premature in bringing this matter to
your attention. But I am desperate for some clues on how to proceed,
however tangential they may turn out to be.

I've seen that DTLS is present in Asterisk, but I haven't noticed it in
FreePBX yet. For an internal system however I see no advantage from DTLS
over SDES. Lyubomir might have some more clues on how to use DTLS with SIP.

Otherwise, consider using SDES together with signaling transport over
TLS. Configure your DNS so that Jitsi can perform autodetection of the
server (i.e. create an SRV for _sips._tcp.example.org that points to
your Asterisk on port 5061) and configure the SIP account (e.g. with
provisioning) to use SDES as key exchange only and set RTP/SAVP to
mandatory.

From everything I have read Asterisk11 only listens for SIP on 5060
regardless of TLS or not. Am I misinformed?

That depends on how you configure your Asterisk. 5060 is the default for
plain UDP and TCP, 5061 is the default for TLS. We have all our devices
(sip.conf) configured to use port 5061 and forced SRTP.

SDES/SRTP seems to be the manner in which Asterisk supports the Snom
hard-sets. I am presently trying to sort out in my mind how to enable
TLS for this. I find it hard to locate documentation from reputable
sources on this subject. And what I do find usually assumes a level
of expertise with this technology that I have yet to acquire.
Nevertheless, I am making progress and so I expect that eventually all
this will work as I require.

https://wiki.asterisk.org/wiki/display/AST/SIP+TLS+Transport

One question I have though is that Jitsi appears, from wireshark
observation and gateway logs, to use UDP exclusively for SIP and I
have been unable to find an option setting to change this behaviour.
How does one tell Jitsi to use TCP for SIP instead of UDP?

Be sure that you use libsrtp >= 1.5.0 on the server side, or Asterisk
might crash.

That will be a problem. The version of libsrtp shipped with the
FreePBX CentOS-6.5 based distro is 1.4.4 and it is unlikely that I
would be able to update this without breaking a lot of the system.

Well, unless you're willing to either update to 1.5 or patch Asterisk then
you'll most likely run into crashes sooner or later
(https://issues.asterisk.org/jira/browse/ASTERISK-24570 unfortunately locked
to Digium and me). Also be sure to use at least Asterisk 11.12 or you'll
have TLS connection drops
(https://issues.asterisk.org/jira/browse/ASTERISK-18345).

Thanks,

Ingo


On Tue, February 24, 2015 06:15, Ingo Bauersachs wrote:

On Mon, February 23, 2015 17:08 (+5:00) "James B. Byrne" wrote:


#5

I've seen that DTLS is present in Asterisk, but I haven't noticed
it in FreePBX yet. For an internal system however I see no
advantage from DTLS over SDES. Lyubomir might have some more clues
on how to use DTLS with SIP.

Switches for DTLS were added in FreePBX-12

From everything I have read Asterisk11 only listens for SIP on 5060
regardless of TLS or not. Am I misinformed?

That depends on how you configure your Asterisk. 5060 is the
default for plain UDP and TCP, 5061 is the default for TLS.
We have all our devices (sip.conf) configured to use port 5061
and forced SRTP.

I have read contradictory instructions on this from various sources.
I infer then that it should be possible to listen on both ports but
that Asterisk ships with 5060 as the default for everything. I will
investigate further the configuration options respecting this matter.

One question I have though is that Jitsi appears, from wireshark
observation and gateway logs, to use UDP exclusively for SIP and I
have been unable to find an option setting to change this behaviour.
How does one tell Jitsi to use TCP for SIP instead of UDP?

Is there a Jitsi option to force Jitsi to use TCP on 5060 or is TCP
implicit with TLS and is only used with port 5061 and only when TLS is
enabled in Jitsi?

Be sure that you use libsrtp >= 1.5.0 on the server side, or
Asterisk might crash.

That will be a problem. The version of libsrtp shipped with the
FreePBX CentOS-6.5 based distro is 1.4.4 and it is unlikely that I
would be able to update this without breaking a lot of the system.

Well, unless you're willing to either update to 1.5 or patch
Asterisk then you'll most likely run into crashes sooner or later
(https://issues.asterisk.org/jira/browse/ASTERISK-24570
unfortunately locked to Digium and me). Also be sure to use at
least Asterisk 11.12 or you'll have TLS connection drops
(https://issues.asterisk.org/jira/browse/ASTERISK-18345).

We are currently running Asterisk-11.14.2. I cannot at the moment
locate a package for libsrtp-1.5+ specifically for RHEL6/CentOS6. Lots
of packages for Fedora22 but nothing earlier.


On Tue, February 24, 2015 10:02, Ingo Bauersachs wrote:

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3


#6

Switches for DTLS were added in FreePBX-12

We're still on 11.x. I either missed the announcement that 12 is out of RC
or there are some other dependencies. I've removed DTLS support in Asterisk
because it interfered with regular SDES (we had strange log entries which
disappeared after disabling it).

Is there a Jitsi option to force Jitsi to use TCP on 5060 or is TCP
implicit with TLS and is only used with port 5061 and only when TLS is
enabled in Jitsi?

By default, Jitsi performs autodiscovery with NAPTR and SRV records.

_sips._tcp.example.org (for TLS)
_sip._tcp.example.org (for TCP)
_sip._udp.example.org (for UDP)

If these are not found, you can manually configure the proxy hostname, port
and the protocol in the account options.

We are currently running Asterisk-11.14.2. I cannot at the moment
locate a package for libsrtp-1.5+ specifically for RHEL6/CentOS6. Lots
of packages for Fedora22 but nothing earlier.

You can give it a try and see if it works for you with 1.4.4+x. If you get a
crash in srtp_unprotect_rtcp though you'll know why.

Ingo


#7

Switches for DTLS were added in FreePBX-12

We're still on 11.x. I either missed the announcement that 12 is out
of RC or there are some other dependencies. I've removed DTLS support
in Asterisk because it interfered with regular SDES (we had strange
log entries which disappeared after disabling it).

Does this refer to Asterisk in trunk for future official release or
for your own builds only?

Is there a Jitsi option to force Jitsi to use TCP on 5060 or is TCP
implicit with TLS and is only used with port 5061 and only when TLS
is enabled in Jitsi?

By default, Jitsi performs autodiscovery with NAPTR and SRV records.

_sips._tcp.example.org (for TLS)
_sip._tcp.example.org (for TCP)
_sip._udp.example.org (for UDP)

Is this what you are suggesting?

example.com. IN A a.b.c.d

;# Configure sip/sips service records (VOIP)
    IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.example.com.
    IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.example.com.
    IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.example.com.

_sip._tcp IN SRV 10 10 5060 voip.internal.example.com.
_sip._udp IN SRV 10 10 5060 voip.internal.example.com.
_sips._tcp IN SRV 10 10 5061 voip.internal.example.com.

voip.internal.example.com. IN A e.f.g.h


On Tue, February 24, 2015 11:51, Ingo Bauersachs wrote:

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3


#8

We're still on 11.x. I either missed the announcement that 12 is out
of RC or there are some other dependencies. I've removed DTLS support
in Asterisk because it interfered with regular SDES (we had strange
log entries which disappeared after disabling it).

Does this refer to Asterisk in trunk for future official release or
for your own builds only?

We build Asterisk 11.x from officially released source tarballs, so this
applies to what we've built. Except for the mentioned disabling of DTLS,
distribution builds of 11.x should only differ in terms of config options
though.

Is there a Jitsi option to force Jitsi to use TCP on 5060 or is TCP
implicit with TLS and is only used with port 5061 and only when TLS
is enabled in Jitsi?

By default, Jitsi performs autodiscovery with NAPTR and SRV records.

_sips._tcp.example.org (for TLS)
_sip._tcp.example.org (for TCP)
_sip._udp.example.org (for UDP)

Is this what you are suggesting?

Yes, exactly.

example.com. IN A a.b.c.d

;# Configure sip/sips service records (VOIP)
    IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.example.com.
    IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.example.com.
    IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.example.com.

_sip._tcp IN SRV 10 10 5060 voip.internal.example.com.
_sip._udp IN SRV 10 10 5060 voip.internal.example.com.
_sips._tcp IN SRV 10 10 5061 voip.internal.example.com.

voip.internal.example.com. IN A e.f.g.h

Ingo
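The autodiscovery Ingo describes and the zone James posted, worked through as an added example (not code from this thread, Jitsi or Asterisk): a small Python model of the RFC 3263 NAPTR/SRV selection a SIP client performs, run offline over a constructed copy of that zone. It shows why the SIPS+D2T record must carry the lowest order if TLS on 5061 is to be chosen, with the 5060 records left only as fallbacks.

```python
import re

# Constructed zone fragment modelled on the records posted in the thread.
ZONE = """
example.com. IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.example.com.
example.com. IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.example.com.
example.com. IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.example.com.
_sip._tcp.example.com. IN SRV 10 10 5060 voip.internal.example.com.
_sip._udp.example.com. IN SRV 10 10 5060 voip.internal.example.com.
_sips._tcp.example.com. IN SRV 10 10 5061 voip.internal.example.com.
"""

# NAPTR service field to transport, per RFC 3263 section 4.1.
SERVICES = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp"}


def parse_zone(text):
    """Return ([(order, pref, service, replacement)], {owner: (prio, weight, port, host)})."""
    naptr, srv = [], {}
    for line in text.strip().splitlines():
        f = line.split()
        if f[2] == "NAPTR":
            quoted = re.findall(r'"([^"]*)"', line)  # flags, service, regexp
            naptr.append((int(f[3]), int(f[4]), quoted[1], f[-1]))
        elif f[2] == "SRV":
            srv[f[0]] = (int(f[3]), int(f[4]), int(f[5]), f[6])
    return naptr, srv


def select_target(naptr, srv, scheme="sip", supported=("tls", "tcp", "udp")):
    """Pick the lowest order/preference NAPTR whose transport the client
    supports (a sips: URI may only use SIPS+D2T), then follow it to the SRV
    record. Returns (transport, host, port) or None if nothing usable."""
    candidates = []
    for order, pref, service, replacement in naptr:
        transport = SERVICES.get(service)
        if transport is None or transport not in supported:
            continue
        if scheme == "sips" and transport != "tls":
            continue
        candidates.append((order, pref, transport, replacement))
    if not candidates:
        return None
    order, pref, transport, name = min(candidates)
    if name not in srv:
        return None  # NAPTR points at a missing SRV: zone misconfiguration
    prio, weight, port, host = srv[name]
    return transport, host, port
```

Calling `select_target(*parse_zone(ZONE))` returns the TLS target on 5061; raising the SIPS+D2T order above the SIP+D2T record makes the same client pick plain TCP on 5060 instead, which is the misconfiguration worth checking for after editing the zone.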