[jitsi-users] TLS and SRTP between Asterisk 11 and Jitsi


#1

Does anyone have the precise list of the critical options that have to
be set in Asterisk 11 to enable TLS and SRTP with Jitsi? I have
exhausted the possibilities of which I am aware so I presume that
there exist some setting or settings of which I have no knowledge.

I can connect Jitsi to our Asterisk box with no encryption and it
works fine. I cannot get SRTP to work at all.

Sincerely,


--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3


#2

> Does anyone have the precise list of the critical options that have to
> be set in Asterisk 11 to enable TLS and SRTP with Jitsi? I have
> exhausted the possibilities of which I am aware so I presume that
> there exist some setting or settings of which I have no knowledge.

I can give you some snippets from our sip.conf:

[general]
bindaddr=0.0.0.0
tlsenable=yes
tlscertfile=/etc/asterisk/keys/your-cert.pem
tlscipher=HIGH
tlsclientmethod=tlsv1

[1007]
deny=0.0.0.0/0.0.0.0
secret=blabla
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
sendrpid=no
type=friend
nat=yes
port=5061
qualify=yes
qualifyfreq=60
transport=tls
avpf=no
icesupport=no
encryption=yes
callgroup=
pickupgroup=
dial=SIP/1007
mailbox=1007@default
permit=0.0.0.0/0.0.0.0
callerid=User 1007 <1007>
callcounter=yes
faxdetect=no
cc_monitor_policy=generic

> I can connect Jitsi to our Asterisk box with no encryption and it
> works fine. I cannot get SRTP to work at all.

In Jitsi, enable SDES only and set SAVP to mandatory.

Note that the .pem file needs to contain the private key, the certificate and its chain in the same file, e.g.
-----BEGIN PRIVATE KEY-----
MIIE...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIF... (cert that belongs to the key above)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF... (intermediate cert that signed the one above)
-----END CERTIFICATE-----
(And possibly more until all intermediates are listed)

> Sincerely,

HTH,
Ingo


#3

First, thank you for the assistance.

We run a private PKI CA. I have munged the root, issuer and host
certificates in the order: root-ca, issuer-ca, host into a single file
named ca.harte-lyne.hamilton.asterisk-jitsi.pem. I also have appended
the host private key to that file. The result I have placed into
/etc/asterisk/keys. I set the ownership to asterisk:asterisk and the
mode to 755 which, inexplicable as it is to me, is exactly what
FreePBX generated keys and support files are created as.

To the best of my ability (I must use FreePBX to generate the
contexts) I have made our system conform with the configurations you
provided:

[general]
; These files will all be included in the [general] context
;
#include sip_general_additional.conf

These entries are from sip_general_additional.conf:

faxdetect=no
vmexten=*97
context=from-sip-external
callerid=Unknown
notifyringing=yes
notifyhold=yes
tos_sip=cs3
tos_audio=ef
tos_video=af41
alwaysauthreject=yes
useragent=FPBX-12.0.43(11.14.2)
disallow=all
allow=ulaw
allow=alaw
allow=gsm
tcpenable=yes
tlsenable=yes
tlscertfile=/etc/asterisk/keys/ca.harte-lyne.hamilton.asterisk-jitsi.pem
tlsdontverifyserver=yes
tlscipher=ALL
tlsclientmethod=tlsv1
callevents=yes
rtpstart=10000
rtpend=20000
jbenable=no
defaultexpiry=120
minexpiry=60
notifyringing=yes
allowguest=yes
srvlookup=no
maxexpiry=3600

This is the device configuration for Jitsi softphone running on linux
(CentOS-6.6) and connected to the same internal network segment as the
Asterisk server.

<---
[90021]
deny=0.0.0.0/0.0.0.0
secret=youknow
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
sendrpid=no
type=friend
nat=auto_force_rport,auto_comedia
port=5061
qualify=yes
qualifyfreq=60
transport=tls,udp,tcp
avpf=no
force_avp=no
icesupport=no
encryption=yes
callgroup=
pickupgroup=
dial=SIP/90021
mailbox=90021@device
permit=0.0.0.0/0.0.0.0
callerid=Softphone encryption test device <90021>
callcounter=yes
faxdetect=no
cc_monitor_policy=generic
--->

When I set transport=tls then I cannot register the phone. With the
configuration above I can register but when I try to send a call then
I see this:

<---
Connected to Asterisk 11.14.2 currently running on voinet09 (pid = 15369)
    -- Unregistered SIP '90021'
[2015-03-11 09:53:18] WARNING[4047]: tcptls.c:673
handle_tcptls_connection: FILE * open failed!
[2015-03-11 09:53:18] WARNING[4047]: tcptls.c:673
handle_tcptls_connection: FILE * open failed!
[2015-03-11 09:53:18] WARNING[1253]: chan_sip.c:16903 register_verify:
peer '90021' HAS NOT USED (OR SWITCHED TO) TLS in favor of 'TCP' (but
this was allowed in sip.conf)!
[2015-03-11 09:53:18] WARNING[1253]: chan_sip.c:16903 register_verify:
peer '90021' HAS NOT USED (OR SWITCHED TO) TLS in favor of 'TCP' (but
this was allowed in sip.conf)!
    -- Registered SIP '90021' at 216.185.71.44:41922
  == Using SIP RTP TOS bits 184
  == Using SIP RTP CoS mark 5
[2015-03-11 09:53:36] WARNING[1253][C-00001496]: chan_sip.c:10392
process_sdp: Rejecting secure video stream without encryption details:
video 5018 RTP/SAVP 105 99
[2015-03-11 09:53:36] WARNING[1253][C-00001496]: chan_sip.c:10392
process_sdp: Rejecting secure video stream without encryption details:
video 5018 RTP/SAVP 105 99
--->

Two questions immediately come to mind:

1. How does one turn off the video stream in Jitsi when connecting to
our Asterisk server?

More importantly, however, I speculate:

2. What does "tcptls.c:673 handle_tcptls_connection: FILE * open
failed!" indicate?

The Jitsi log files for this session are attached.


--
James B. Byrne
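An added Python example (not part of the post, and not Asterisk's code) of what the process_sdp warning in the log above is checking: an m= line offered with the RTP/SAVP profile that carries no a=crypto attribute. The SDP offer is constructed with placeholder key material; the assumption that Jitsi omits the video m= line entirely when no video codec is enabled is mine, not the thread's.

```python
# Constructed SDP offer shaped like the one the log complains about: the audio
# m-line is RTP/SAVP and carries an a=crypto line (SDES), the video m-line is
# RTP/SAVP but has none. The inline key is a placeholder, not real material.
SAMPLE_OFFER = """v=0
o=jitsi 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 5012 RTP/SAVP 0 8 3
a=rtpmap:0 PCMU/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY_SALT
m=video 5018 RTP/SAVP 105 99
a=rtpmap:105 H264/90000
"""


def parse_media_sections(sdp):
    """Split an SDP body into its m= sections: type, port, profile, the raw m-line and its a= attributes."""
    sections = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            mtype, port, profile = line[2:].split()[:3]
            sections.append({"type": mtype, "port": int(port), "profile": profile,
                             "mline": line[2:], "attrs": []})
        elif line.startswith("a=") and sections:
            sections[-1]["attrs"].append(line[2:])
    return sections


def savp_streams_missing_crypto(sdp):
    """Return the m-lines Asterisk rejects: RTP/SAVP offered on an active port with no a=crypto attribute."""
    rejected = []
    for m in parse_media_sections(sdp):
        has_crypto = any(a.startswith("crypto:") for a in m["attrs"])
        if m["profile"] == "RTP/SAVP" and m["port"] != 0 and not has_crypto:
            rejected.append(m["mline"])
    return rejected


def drop_media(sdp, mtype):
    """Remove one media section; assumed to mirror an offer with every codec of that type disabled."""
    out, skipping = [], False
    for line in sdp.splitlines():
        if line.startswith("m="):
            skipping = line[2:].split()[0] == mtype
        if not skipping:
            out.append(line)
    return "\n".join(out) + "\n"
```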


#4

> First, thank you for the assistance.
>
> We run a private PKI CA. I have munged the root, issuer and host
> certificates in the order: root-ca, issuer-ca, host into a single file
> named ca.harte-lyne.hamilton.asterisk-jitsi.pem. I also have appended
> the host private key to that file. The result I have placed into
> /etc/asterisk/keys.

This sounds wrong. As mentioned before, place the private key first, then
Asterisk's certificate, then any intermediates in their respective order.
The intermediates are not crucial to start with, Jitsi will simply show a
warning if it cannot verify the chain up to a trusted root. Make sure you
can connect to Asterisk over SSL, e.g. use "openssl s_client -connect
your-asterisk.example.org:5061". It should connect and show the certificate
chain.

If a connection with OpenSSL works but not with Jitsi, then it might be an
SSL version negotiation problem. Try setting tlscipher=HIGH, and see if you
can disable SSLv3 in your client's Java (if your distribution hasn't already
taken care of that). Lastly, capture the TLS session setup with tcpdump and
take a look at it with Wireshark (CLIENT_HELLO, SERVER_HELLO and
CHANGE_CIPHERSPEC).

> I set the ownership to asterisk:asterisk and the
> mode to 755 which, inexplicable as it is to me, is exactly what
> FreePBX generated keys and support files are created as.

We have it at 775 here, but even 440 should be fine. I doubt this makes a
difference.

> To the best of my ability (I must use FreePBX to generate the contexts)
> I have made our system conform with the configurations you provided:

We use FreePBX too, although as I previously mentioned, still version 11.
The excerpt was from various files generated by FreePBX that are relevant.

> [general]
> ...

> Two questions immediately come to mind:
>
> 1. How does one turn off the video stream in Jitsi when connecting to
> our Asterisk server?

Video is disabled when you disable all video codecs in the SIP account's
codecs.

> More importantly, however, I speculate:
>
> 2. What does "tcptls.c:673 handle_tcptls_connection: FILE * open
> failed!" indicate?

No idea.

> The Jitsi log files for this session are attached.

Ingo
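As an added example (not from the thread, and not Asterisk's or FreePBX's code), here is a Python check for the tlscertfile layout Ingo describes: private key first, then the host certificate, then the intermediates, plus a look at the file mode discussed above. It only inspects PEM labels and order; it does not verify that the certificate matches the key or that the chain is in signing order. SAMPLE_BUNDLE is constructed with placeholder bodies.

```python
import os
import re
import stat

# Constructed sample bundle laid out as the replies describe: private key
# first, then the host certificate, then the intermediate(s). The base64
# bodies are placeholders, not real key or certificate material.
SAMPLE_BUNDLE = """-----BEGIN PRIVATE KEY-----
MIIE...placeholder-key...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIF...placeholder-host-cert...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF...placeholder-intermediate...
-----END CERTIFICATE-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return every PEM block in the file, in order, as (label, full_text)."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def bundle_order_problems(text):
    """List layout errors in a combined key+chain file; an empty list means the order is right."""
    labels = [label for label, _ in pem_blocks(text)]
    problems = []
    if not labels:
        return ["no PEM blocks found"]
    if labels[0] not in KEY_LABELS:
        problems.append("first block must be the private key, found %s" % labels[0])
    if sum(1 for l in labels if l in KEY_LABELS) != 1:
        problems.append("bundle must contain exactly one private key")
    if "CERTIFICATE" not in labels[1:]:
        problems.append("no certificate follows the private key")
    return problems


def mode_problems(mode):
    """Flag a key file readable by 'other'; owner/group access (asterisk:asterisk, 640 or 440) is fine."""
    mode = stat.S_IMODE(mode)
    return ["mode %o is world-readable" % mode] if mode & 0o004 else []


def check_file(path):
    """Run both checks on a file on disk, e.g. the path given to tlscertfile."""
    with open(path) as f:
        return bundle_order_problems(f.read()) + mode_problems(os.stat(path).st_mode)
```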


#5

I would like to thank Ingo for the kind and patient assistance he
provided. I was really close to giving up on this.

For anyone else that runs into this situation this is what was keeping
me from getting an SRTP connection with asterisk 11:

[2015-03-11 13:44:34] WARNING[22725][C-000015e5]: chan_sip.c:10392
process_sdp: Rejecting secure video stream without encryption details:
video 5014 RTP/SAVP 105 99

Which is caused by keeping the default video codec enabled in Jitsi
for the device account. To fix this requires that under the Encodings
tab for the device account in question one must check the <Override
global encoding settings> box and uncheck all of the Video codecs.
Evidently on a stock install of Jitsi for Linux the Video codec H264
is enabled for all accounts. That also may be (probably) true for the
Windows and OSX versions as well.

So, a thumbnail sketch for future searchers.

On Jitsi set the account and provider as usual. Then on the Security
tab enable encryption, select SDES only, check at least the AES80
cipher suite and select 'Mandatory (offer and accept only RTP/SAVP)'
in the RTP/SAVP indication selection box. Then on the Encodings tab
deselect all video codecs and enable global override. In the Global
Options tab set the SIP settings to:

SIP client port: 5060
SIP client secure port: 5061
Enabled SSL/TLS protocols == ALL, excepting SSLv2Hello and SSLv3

On Asterisk:

[general]
. . .
disallow=all
allow=ulaw
allow=alaw
allow=gsm
tcpenable=yes
tlsenable=yes
tlscertfile=/path/to/combined/key/and certificate/chain/file
tlsdontverifyserver=yes
tlscipher=HIGH
tlsclientmethod=tlsv1
. . .

[account id or number]
deny=0.0.0.0/0.0.0.0
secret=whatever
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
sendrpid=no
type=friend
nat=auto_force_rport,auto_comedia
port=5061
qualify=yes
qualifyfreq=60
transport=tls
avpf=no
force_avp=no
icesupport=no
encryption=yes
callgroup=
pickupgroup=
dial=SIP/90021
mailbox=90021@device
permit=0.0.0.0/0.0.0.0
callerid=Whatever You Call yourself
callcounter=yes
faxdetect=no
cc_monitor_policy=generic

I also set the DNS NAPTR/SRV RRs for our domain as suggested earlier.
These permit calls to device@harte-lyne.ca rather than having to
specify the exact host or IP address associated with the Asterisk
server. They are shown below for completeness (sorry about the wrap).

;# Configure sip/sips service records (VOIP)
;HOST TTL CLASS TYPE ORDER PREF FLAGS SERVICE REGEXP REPLACEMENT

    300 IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.harte-lyne.ca.

    300 IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.harte-lyne.ca.

    300 IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.harte-lyne.ca.

;HOST TTL CLASS TYPE ORDER PREF PORT TARGET

_sips._tcp.harte-lyne.ca. 300 IN SRV 10 10 5061 voinet09.hamilton.harte-lyne.ca.

_sip._tcp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.

_sip._udp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.

With all that in place then you should be good to go.

Again, many thanks for the help.

--
James B. Byrne
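An added Python example (not from the post) that walks the NAPTR and SRV records above the way an RFC 3263 client does, to show why a TLS-capable client lands on port 5061 first and what a client without TLS falls back to. The zone text is constructed from the records shown; the NAPTR owner name harte-lyne.ca. is assumed, since the wrap dropped it, and SRV weight ties are broken deterministically rather than by the RFC's random weighted pick.

```python
# Constructed zone excerpt modelled on the records in the post. The NAPTR
# owner name (harte-lyne.ca.) was lost to line wrapping in the original and is
# assumed here; the SRV records are as shown.
ZONE = """harte-lyne.ca. 300 IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.harte-lyne.ca.
harte-lyne.ca. 300 IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.harte-lyne.ca.
harte-lyne.ca. 300 IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.harte-lyne.ca.
_sips._tcp.harte-lyne.ca. 300 IN SRV 10 10 5061 voinet09.hamilton.harte-lyne.ca.
_sip._tcp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
_sip._udp.harte-lyne.ca. 300 IN SRV 10 10 5060 voinet09.hamilton.harte-lyne.ca.
"""

# NAPTR service field -> SIP transport (RFC 3263 section 4.1)
SERVICE_TRANSPORT = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp"}


def parse_zone(text):
    """Collect NAPTR tuples (order, pref, service, replacement) and SRV tuples keyed by owner name."""
    naptr, srv = [], {}
    for line in text.splitlines():
        f = line.split()
        if len(f) > 9 and f[3] == "NAPTR":
            naptr.append((int(f[4]), int(f[5]), f[7].strip('"'), f[9]))
        elif len(f) > 7 and f[3] == "SRV":
            srv.setdefault(f[0], []).append((int(f[4]), int(f[5]), int(f[6]), f[7]))
    return naptr, srv


def resolution_order(text, supported=("tls", "tcp", "udp")):
    """(transport, target, port) in the order a client tries them: NAPTR by order then
    preference, skipping services the client cannot use, then each SRV set by priority.
    A client built without TLS support skips the SIPS record and is served in the clear."""
    naptr, srv = parse_zone(text)
    order = []
    for _, _, service, replacement in sorted(naptr):
        transport = SERVICE_TRANSPORT.get(service)
        if transport not in supported:
            continue
        for _, _, port, target in sorted(srv.get(replacement, [])):
            order.append((transport, target, port))
    return order
```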


#6

P.S.

If you see this sort of message in your Asterisk trace:

[2015-03-11 10:50:03] WARNING[8385]: tcptls.c:673
handle_tcptls_connection: FILE * open failed!

It means that your Asterisk PKI certificates and keys are screwed up
somehow.

--
James B. Byrne