Oh, and one more thing regarding the default of no media encryption:
> On Nov 10, 2014, at 12:54 AM, Ben Klang <[email protected]> wrote:
>
> Tonight I finally got Asterisk 13 working with chan_pjsip and SIP+TLS and
> RTP+DTLS. It’s 12:45am so I won’t spend a lot of time on this now, but I
> wanted to share the notes I took while setting this up as I feel the
> documentation is pretty lacking in this area.
>
>
> media_encryption is not well documented in pjsip.conf
> * In my case, it needed to be set to “dtls”, but I think that some endpoints
>   may need “srtp”
> * my first-guess setting of “yes” results in a cryptic/unhelpful error on the
>   console, and the syntax error caused the entire endpoint to be unusable
> * dtls vs. srtp is not mentioned at all (as far as I could find) in either the
>   Asterisk Wiki nor the configs/sample/pjsip.conf
> * The default is “no” - I had thought that SRTP and DTLS were not mutually
>   exclusive - are they? If not, can we set a default that permits them to be
>   used if requested by the endpoint? The default of “no” causes a “488 Not
>   Acceptable Here” response, but nothing in the pjsip (pjsip set log on) or
>   Asterisk debug logs (core set debug 5) says why it was refused. I went down
>   a road of disabling codecs to no avail. A note that encryption was requested
>   but not configured would have helped.
>
> Configuring certificates
> There is no mention of the fact that endpoints need DTLS certificates
> configured at all on endpoints in the Asterisk Wiki.
> The Asterisk Wiki covers setting up TLS on the transport, and that mostly
> worked on the first go *except* that the config key is erroneously referenced
> as “privkey_file” (missing an underscore). I made a comment on the Wiki so
> someone can correct this, but it appears to have been included in sample
> config files for some time, so the bad info is out there:
> https://duckduckgo.com/?q=asterisk+%22privkey_file%22
>
> Also, it might be worth mentioning that TLS runs over TCP, not UDP, as I had
> that wrong in my firewall on the first attempt.
>
> Setting certificates has to be done at least twice (transport + endpoint)
> * There is no automatic setting of the DTLS CA/Cert/Privkey from the SIP+TLS
>   configuration for the transport. I know this would potentially be difficult
>   if multiple transports were set with different TLS keys, but still…this is
>   non-obvious.
> * Can we somehow default the endpoint’s CA/Cert/Privkey to that of the
>   transport? If not, can we somehow associate the endpoint with the transport
>   so it doesn’t have to be configured twice?
>
> The pjsip configuration keys are subtly different for SIP+TLS on the
> transport vs. RTP+DTLS on the endpoint. Examples:
>
> cert_file = X ; transport
> dtls_cert_file = X ; endpoint
> ; dtls_ prefix, weird but ok - srtp doesn’t appear to have a corresponding
> ; setting, so do we even need the prefix?
>
> priv_key_file = X ; transport
> dtls_private_key = X ; endpoint
> ; priv_key_file vs. private_key?
>
> ca_list_file = X ; transport
> dtls_ca_file = X ; endpoint
> ; _list or not?
>
> I’m not familiar with Sorcery. I know that Asterisk 13 is out meaning these
> config settings are set in stone for the next couple of years. But could we
> create aliases that were more consistent, just to preserve some people’s hair?
>
> But the good news is: it does work! :)
>
> /BAK/
> --
> Ben Klang
> Principal/Technology Strategist, Mojo Lingo
> [email protected]
> +1.404.475.4841
>
> Mojo Lingo -- Voice applications that work like magic
> http://mojolingo.com
> Twitter: @MojoLingo
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> asterisk-dev mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-dev
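The quoted message lists three pitfalls that only show up as a "488 Not Acceptable Here" or a cryptic load error: the `privkey_file` typo on a TLS transport, an invalid `media_encryption` value, and a DTLS endpoint with no certificate configured. The script below is an added example, not code from the thread or from the Asterisk project: a small pjsip.conf linter that parses a constructed sample (both a broken and a corrected transport/endpoint pair; the file paths are made up) and reports those three conditions. The option names it checks are the real Asterisk pjsip.conf keys mentioned in the message (`cert_file`, `priv_key_file`, `ca_list_file` on the transport; `media_encryption`, `dtls_cert_file`, `dtls_private_key`, `dtls_ca_file` on the endpoint), and `media_encryption` accepts `no`, `sdes` or `dtls`, one value per endpoint. The lint rules themselves are this example's own, not anything Asterisk enforces at load time.

```python
"""Lint a pjsip.conf fragment for the TLS/DTLS pitfalls described above.

Added example; the sample configuration is constructed and the lint rules
are this script's own, not Asterisk's.
"""
import re

# Constructed sample: one broken TLS transport, one invalid endpoint, one
# DTLS endpoint without certificates, and a corrected transport/endpoint pair.
SAMPLE_PJSIP_CONF = """
[transport-tls-bad]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
privkey_file=/etc/asterisk/keys/asterisk.key   ; typo copied from an old sample config

[6001]
type=endpoint
context=default
media_encryption=yes            ; not a valid value; endpoint fails to load

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
ca_list_file=/etc/asterisk/keys/ca.crt

[6002]
type=endpoint
context=default
media_encryption=dtls
dtls_cert_file=/etc/asterisk/keys/asterisk.crt
dtls_private_key=/etc/asterisk/keys/asterisk.key
dtls_ca_file=/etc/asterisk/keys/ca.crt
dtls_verify=yes
dtls_setup=actpass

[6003]
type=endpoint
context=default
media_encryption=dtls           ; no certificate configured, DTLS cannot be offered
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?\s*$")
VALID_MEDIA_ENCRYPTION = {"no", "sdes", "dtls"}


def parse_pjsip_conf(text):
    """Return a list of (section_name, {key: value}) in file order.

    pjsip.conf reuses one section name for several objects of different
    type (endpoint/aor/auth), so a dict keyed by name would drop sections;
    a list keeps all of them.  ';' starts a comment, as in Asterisk configs.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {}
            sections.append((m.group(1), current))
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return sections


def lint(sections):
    """Return human-readable findings for the three pitfalls."""
    findings = []
    for name, opts in sections:
        kind = opts.get("type")
        if kind == "transport" and opts.get("protocol") == "tls":
            if "privkey_file" in opts:
                findings.append(f"[{name}] uses 'privkey_file'; the transport option is 'priv_key_file'")
            for req in ("cert_file", "priv_key_file"):
                if req not in opts:
                    findings.append(f"[{name}] TLS transport is missing '{req}'")
        elif kind == "endpoint":
            enc = opts.get("media_encryption", "no")  # Asterisk default is 'no'
            if enc not in VALID_MEDIA_ENCRYPTION:
                findings.append(f"[{name}] media_encryption='{enc}' is not one of {sorted(VALID_MEDIA_ENCRYPTION)}")
            elif enc == "dtls":
                for req in ("dtls_cert_file", "dtls_private_key"):
                    if req not in opts:
                        findings.append(f"[{name}] media_encryption=dtls but '{req}' is not set")
    return findings


def lint_text(text):
    """Parse and lint a pjsip.conf string in one call."""
    return lint(parse_pjsip_conf(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_PJSIP_CONF):
        print(finding)
```

Running it on the sample reports five findings: two for `[transport-tls-bad]` (the typo and the resulting missing `priv_key_file`), one for `[6001]`, two for `[6003]`, and nothing for the corrected `[transport-tls]`/`[6002]` pair. Pointing it at a real pjsip.conf before a reload is a cheaper way to catch these than reading the 488 out of a SIP trace.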
