FOOD FOR THOUGHT TLS with GVSIP? Anybody get working?

BostonDan

Member
Joined
Jul 9, 2017
Messages
32
Reaction score
5
I have set up Ward Mundy's Incredible PBX on a Raspberry Pi with 4 Google Voice lines (3 voice and 1 fax line) and can get the devices (I use User and Devices) connected. However, I have had a few issues that seem to be bugs:

1) If I set up softphones (Zoiper) with a sip channel, I can get TLS that seems to work (the connection indicates secure), yet I only have 1-way audio and the channel disconnects after about 10-15 seconds.
2) If I set up the softphones with a pjsip channel, I cannot get TLS to work. I keep getting an error "unable to validate certificate (503)".

However, if I create a softphone with a pjsip device connection and no TLS encryption, I have 2-way audio and all seems good.

I am generating my certificates using letsencrypt and I have a dynamic DNS name pointing to my Raspberry Pi. The letsencrypt certificates seem valid, as I have been able to use them on the Incredible PBX GUI used for administration of the PBX, and after accepting the certificate into my certificate stores, the device connects without any https errors/concerns. These are the same credentials that seem to work for a short time using sip connections.

I really would like to get my connections secured with TLS. Has anybody been able to secure a connection?

Any assistance is greatly appreciated.

Cheers,
B.D.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
Only way to solve this is to look at the actual traffic and see what's coming unglued. Don't know for sure, but I suspect there is an issue with the new OpenSSL version. Not much you can do about it at this juncture if you want to use GVSIP.
 

BostonDan

Member
Joined
Jul 9, 2017
Messages
32
Reaction score
5
Thanks Ward. I've been trying to do just that, but with limited time I thought I would throw it up on the message board to see if anybody else had an issue with it.

Will investigate further with packet inspection and asterisk verbosity mode.

Cheers,
B.D.
 

chris_c_

Active Member
Joined
Aug 19, 2010
Messages
509
Reaction score
67
Thanks Ward. I've been trying to do just that, but with limited time I thought I would throw it up on the message board to see if anybody else had an issue with it.

Will investigate further with packet inspection and asterisk verbosity mode.

Cheers,
B.D.
Here's the step-by-step how-to for encrypting your calls (between the endpoints/devices and the PBX). [1]
It looks like you're part of the way to your goal: you have the Let's Encrypt cert and a fully qualified domain name.
You need to get SRTP on (encrypt the audio each way) and TLS on (encrypt the SIP signalling over TCP) or DTLS (encrypted SIP over UDP). [2]
[1] https://wiki.freepbx.org/display/PHON/TLS+and+SRTP
[2] https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial
 

restamp

Member
Joined
Apr 24, 2016
Messages
97
Reaction score
53
At some point TLS and SRTP started working here for me, although I don't know exactly what caused them to do so, but I have some suspicions. Let's try to narrow it down. For those having problems:

1. Are you using chan_sip or pj_sip? (I only have experience with PJsip.)

2. Are you seeing "SSL routines-tls_post_process_client_hello-no shared cipher" messages in your Asterisk logs?

3. What platform are you running on? (OpenVZ? Virtualbox? Intel HW? Arm HW? etc.)

4. What OS and what version of OpenSSL?

5. Which PIAF package are you using? (13-13?)
 

restamp

Member
Joined
Apr 24, 2016
Messages
97
Reaction score
53
OK. With the help of James McMuffin, I think I have a handle on what's going on with the "no shared cipher" messages. For some reason NAF created his own TLS transport, in pjsip_custom.conf, which he calls transport_tls. This works for GVsip, but it is not complete. It is lacking at least a "cert_file", "priv_key_file", and "method" in addition to what's already there. (No cert file means no defined ciphers.) This is taken care of automagically by FreePBX if you go to Settings > Asterisk SIP Settings > Chan PJSIP Settings and fill in the applicable fields. (Of course you also have to turn PJSIP TLS on, and you must have an up-to-date Cert in /etc/asterisk/keys.) I'm not certain, but it appears the NAF code (or GV) might rely on the PJSIP TLS port being 5061, so I hesitate to change this.

What I did on my system to get TLS and SRTP working was:

1. In pjsip_custom.conf, I commented out the [transport_tls] context. (And you might as well comment out [global], too, as it was already defined in pjsip.conf, so the second definition just errors out. You should probably add the keep_alive_interval to pjsip.conf.)

2. I turned on [0.0.0.0-tls] after doing everything I mentioned in the first paragraph above, making sure its bind port was 5061. Note that now [0.0.0.0-tls] shows up in pjsip.transports.conf with the Certs you specified above. I don't think the other ports matter for our purposes here, but I elected to make the PJSIP UDP/TCP port 5060 and the chan_sip ports 5160 and 5161.

3. If you have any GVSIP lines already active, make sure they use transport [0.0.0.0-tls] instead of [transport_tls]. (" grep transport_tls /etc/asterisk/* " -- they should only appear in pjsip_custom.conf; just edit the file and change them manually. Also make note that if you add any GVSIP trunks later, you'll have to update these as well.)

4. fwconsole restart

I believe that's all I had to do. At this point, TLS and SRTP started working for me. YMMV, but give it a try.
 

dziny

Guru
Joined
Sep 4, 2014
Messages
45
Reaction score
19
I'm not certain, but it appears the NAF code (or GV) might rely on the PJSIP TLS port being 5061, so I hesitate to change this.
Nope, it was the first thing I changed, since I'm using port 5061 with TLS on chan_sip. GVSIP works fine with any other alternative port.
 

BostonDan

Member
Joined
Jul 9, 2017
Messages
32
Reaction score
5
@restamp,

That helps: I no longer get an internal error that quickly hangs up my softphone, so that is definitely a step in the right direction.

I am using Zoiper softphone for my devices, and as I said in my initial post, the calls go through fine on UDP.

I have TLS set up with tlsv1. I have also tried it with ssl v2/v3 and set the encryption accordingly on asterisk.

I am getting an error when I try to connect that says

"
Unsupported crypto suite: AES_256_CM_HMAC_SHA1_80
Unsupported crypto suite: AES_256_CM_HMAC_SHA1_32
Unsupported crypto suite: AES_192_CM_HMAC_SHA1_80
Unsupported crypto suite: AES_192_CM_HMAC_SHA1_32
"

and then asterisk hangs up the call.

EDIT: When I try openssl s_client -connect <myasteriskserver>:5061 -tls1

I see it return
Protocol : TLSv1.0
Cipher : ECDHE-RSA-AES256-GCM-SHA384

So it looks like it can use TLSv1, which is what is wanted, but asterisk still gives me the unsupported crypto suite.

So frustrating at this point, but I definitely would like to implement encryption whenever possible.

Cheers,
B.D.
 

restamp

Member
Joined
Apr 24, 2016
Messages
97
Reaction score
53
I'm no expert on the crypto stuff, nor am I familiar with Asterisk on the Raspberry Pi (which I believe you are running), but here are a couple of things I'd look at in your situation:

1. Under CentOS, I see Ward sets "CFLAGS='-DENABLE_SRTP_AES_256 -DENABLE_SRTP_AES_GCM'" during the configuration phase. Is this done on the Pi? If not, perhaps Ward could comment on whether this is necessary on the Pi. (Yes, I realize this appears to be SRTP enabling instead of TLS.)

2. I don't use letsencrypt for my servers, I generate a self-signed cert, which is fine for situations where I am the only one using it. You might try creating a self-signed cert using the FreePBX Admin > Cert Management page and testing with what it produces to see if it makes any difference.
 
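The "Unsupported crypto suite" lines BostonDan quoted and the ENABLE_SRTP_AES_256 / ENABLE_SRTP_AES_GCM build flags restamp mentions are two sides of the same negotiation: the phone offers SRTP suites in its SDP `a=crypto:` lines, and the PBX can only answer with one its build supports. The model below is an added example, not Asterisk source; it assumes, as the thread suggests, that the AES_256/AES_192 suites are only present in a build made with -DENABLE_SRTP_AES_256 and the AEAD GCM suites only with -DENABLE_SRTP_AES_GCM. The SDP offers and the `inline:` keys are constructed placeholders.

```python
"""Model of the SRTP crypto-suite selection behind Asterisk's
"Unsupported crypto suite: ..." log lines.

Added example, not Asterisk source.  Assumptions: AES_256/AES_192 suites
are available only with -DENABLE_SRTP_AES_256 and the AEAD GCM suites
only with -DENABLE_SRTP_AES_GCM; SDP offers and keys are constructed."""
import re

# Suites an SRTP-capable build accepts without extra flags (RFC 4568).
BASE_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"}
# Suites assumed to be gated by the compile-time flags named in the thread.
AES_256_SUITES = {"AES_256_CM_HMAC_SHA1_80", "AES_256_CM_HMAC_SHA1_32",
                  "AES_192_CM_HMAC_SHA1_80", "AES_192_CM_HMAC_SHA1_32"}
AES_GCM_SUITES = {"AEAD_AES_128_GCM", "AEAD_AES_256_GCM"}

# a=crypto:<tag> <suite> inline:<base64 key>[|lifetime|mki]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)")

# Constructed offer matching the four suites in the thread's log: a phone
# that offers only 256/192-bit suites.  Keys are placeholders, not real.
OFFER_AES256_ONLY = """v=0
m=audio 4000 RTP/SAVP 0 8 101
a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:PLACEHOLDERKEY1
a=crypto:2 AES_256_CM_HMAC_SHA1_32 inline:PLACEHOLDERKEY2
a=crypto:3 AES_192_CM_HMAC_SHA1_80 inline:PLACEHOLDERKEY3
a=crypto:4 AES_192_CM_HMAC_SHA1_32 inline:PLACEHOLDERKEY4
"""

# Constructed offer that also lists the baseline 128-bit suite.
OFFER_WITH_128 = """v=0
m=audio 4000 RTP/SAVP 0 8 101
a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:PLACEHOLDERKEY1
a=crypto:2 AES_256_CM_HMAC_SHA1_32 inline:PLACEHOLDERKEY2
a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEY3
"""


def supported_suites(enable_aes_256=False, enable_aes_gcm=False):
    """Suite set for a build made with the given (assumed) flags."""
    suites = set(BASE_SUITES)
    if enable_aes_256:
        suites |= AES_256_SUITES
    if enable_aes_gcm:
        suites |= AES_GCM_SUITES
    return suites


def parse_crypto_offers(sdp):
    """Return (tag, suite) pairs from a=crypto lines, in offer order."""
    offers = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if m:
            offers.append((int(m.group(1)), m.group(2)))
    return offers


def negotiate(sdp, supported):
    """Walk the offer like the answering side: record a log line for each
    suite the build cannot use and return the first usable (tag, suite),
    or None when nothing matches (the call is then rejected)."""
    log = []
    chosen = None
    for tag, suite in parse_crypto_offers(sdp):
        if suite in supported:
            if chosen is None:
                chosen = (tag, suite)
        else:
            log.append(f"Unsupported crypto suite: {suite}")
    return chosen, log


if __name__ == "__main__":
    builds = (("stock build", supported_suites()),
              ("with ENABLE_SRTP_AES_256", supported_suites(enable_aes_256=True)))
    for label, build in builds:
        chosen, log = negotiate(OFFER_AES256_ONLY, build)
        print(label, "->", chosen if chosen else "no usable suite, call fails")
        for line in log:
            print("  ", line)
```

Run against the first offer, the stock build logs exactly the four lines from the thread and ends with no usable suite; the same offer against a build with the AES_256 flag picks tag 1. The second offer shows why a phone that also lists AES_CM_128_HMAC_SHA1_80 still connects on a stock build: the log lines are warnings about the skipped suites, not a failure by themselves.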

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
Nope, it was the first thing I changed, since I'm using port 5061 with TLS on chan_sip. GVSIP works fine with any other alternative port.

This seems to be the easiest solution to keep us from stepping on the FreePBX setup for PJSIP extensions. We'll simply adjust the installer to use port 5062 which will keep GVSIP in its own separate orbit. Nothing else has to be changed.
Code:
[transport_tls]
type=transport
protocol=tls
bind=0.0.0.0:5062
 
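restamp's steps above (a [transport_tls] in pjsip_custom.conf lacking cert_file, priv_key_file and method, and GVSIP sections still pointing at a transport that has been commented out) and Ward's fix (moving the GVSIP transport to port 5062 so it no longer collides with FreePBX's [0.0.0.0-tls] on 5061) are all things a config lint can catch before fwconsole restart. The script below is an added example, not FreePBX, Asterisk or Incredible PBX installer code; the two config samples are constructed to mirror the thread, and the certificate file names under /etc/asterisk/keys are placeholders.

```python
"""Lint for Asterisk pjsip*.conf fragments.  Added example, not project code.

Reports three problems from the thread:
  * a TLS transport missing cert_file / priv_key_file / method
    (Asterisk ends up with no usable ciphers: "no shared cipher")
  * two transports bound to the same address:port
  * a section whose transport= names a transport that is not defined
    (the "grep transport_tls /etc/asterisk/*" step)
Config samples are constructed; key/cert paths are placeholders."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\[([^\]]+)\]")
TLS_REQUIRED = ("cert_file", "priv_key_file", "method")

# Constructed: the state restamp describes, before any changes.
BEFORE = {
    "pjsip.transports.conf": """
[0.0.0.0-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/pbx.crt   ; placeholder path
priv_key_file=/etc/asterisk/keys/pbx.key
method=tlsv1
""",
    "pjsip_custom.conf": """
[transport_tls]
type=transport
protocol=tls
bind=0.0.0.0:5061

[gvsip1]
type=registration
transport=transport_tls
outbound_auth=gvsip1
""",
}

# Constructed: Ward's port change plus the missing TLS fields.
AFTER = {
    "pjsip.transports.conf": BEFORE["pjsip.transports.conf"],
    "pjsip_custom.conf": """
[transport_tls]
type=transport
protocol=tls
bind=0.0.0.0:5062
cert_file=/etc/asterisk/keys/pbx.crt
priv_key_file=/etc/asterisk/keys/pbx.key
method=tlsv1

[gvsip1]
type=registration
transport=transport_tls
outbound_auth=gvsip1
""",
}


def parse_asterisk_conf(text):
    """Parse Asterisk's ini-like format into [(section, [(key, value), ...])].
    Duplicate keys are kept, ';' starts a comment, 'key => value' is accepted."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), [])
            sections.append(current)
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            current[1].append((key.strip(), val.lstrip(">").strip()))
    return sections


def lint_pjsip(files):
    """files: {filename: text}.  Returns a sorted list of finding strings."""
    findings = []
    transports = {}            # transport name -> options (last value wins)
    binds = defaultdict(list)  # "host:port" -> [transport names]
    refs = []                  # (filename, section, referenced transport)
    for fname, text in files.items():
        for name, kvs in parse_asterisk_conf(text):
            opts = dict(kvs)
            if opts.get("type") == "transport":
                transports[name] = opts
                if "bind" in opts:
                    binds[opts["bind"]].append(name)
            elif "transport" in opts:
                refs.append((fname, name, opts["transport"]))
    for name, opts in transports.items():
        if opts.get("protocol") == "tls":
            missing = [k for k in TLS_REQUIRED if k not in opts]
            if missing:
                findings.append(f"[{name}]: TLS transport missing {', '.join(missing)}")
    for bind, names in binds.items():
        if len(names) > 1:
            findings.append(f"bind {bind} used by {', '.join(sorted(names))}")
    for fname, section, tname in refs:
        if tname not in transports:
            findings.append(f"{fname} [{section}]: transport={tname} not defined")
    return sorted(findings)


if __name__ == "__main__":
    for label, files in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", lint_pjsip(files) or "no findings")
```

On a live box the same function can be fed the real files (`{p: open(p).read() for p in glob.glob("/etc/asterisk/pjsip*.conf")}`); it only reads them. The third check is what catches the case from restamp's step 3, where [transport_tls] has been commented out but a GVSIP registration still says transport=transport_tls.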

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,221
I'm no expert on the crypto stuff, nor am I familiar with Asterisk on the Raspberry Pi (which I believe you are running), but here are a couple of things I'd look at in your situation:

1. Under CentOS, I see Ward sets "CFLAGS='-DENABLE_SRTP_AES_256 -DENABLE_SRTP_AES_GCM'" during the configuration phase. Is this done on the Pi? If not, perhaps Ward could comment on whether this is necessary on the Pi. (Yes, I realize this appears to be SRTP enabling instead of TLS.)

We build Asterisk on the RasPi exactly the same way.
 

BostonDan

Member
Joined
Jul 9, 2017
Messages
32
Reaction score
5
This seems to be the easiest solution to keep us from stepping on the FreePBX setup for PJSIP extensions. We'll simply adjust the installer to use port 5062 which will keep GVSIP in its own separate orbit. Nothing else has to be changed.
Code:
[transport_tls]
type=transport
protocol=tls
bind=0.0.0.0:5062

Ward,

I am finding with Zoiper that if I use any code to define [transport_tls], regardless of the binding address:port, the Zoiper softphone cannot register correctly. When I comment out the [transport_tls] in pjsip_custom.conf, the device registers correctly, but I still have the issue of the unsupported crypto suite, which prevents incoming and outgoing calls.

Replacing the gvsip transport=transport_tls with transport=0.0.0.0-tls does not seem to harm the connection for my phones connected to an ATA (different device numbers from the Zoiper softphones, so these are essentially two devices hung off the same user).

This is very frustrating, but I appreciate all the responses that have led me a portion of the way down the correct path to getting this to work. Time to go fiddle some more.

Cheers,
B.D.
 

BostonDan

Member
Joined
Jul 9, 2017
Messages
32
Reaction score
5
Ok, I finally got this working by re-downloading and re-compiling Asterisk with gvsip and all is good. I don't know what was wrong but I got TLS working and now have secure calls. Thanks Ward and restamp.

Cheers,
B.D.
 

jamesmcmuffin

Intermediate Programmer.
Joined
Jul 22, 2018
Messages
15
Reaction score
1
@BostonDan What's your setup? I am having issues with my TLS over PJSIP.

One issue is that my transport shuts down after 5 seconds; I just don't see what could be taking this down. I use a SonicWall firewall. I have tried taking the firewall out of my network to see if the problem was because of my firewall, but there was no change; I continued to get the transport shutdown. I believe it's because of a TCP transport idle time, but I cannot find where the timer file would be located, so I just need some extra advice.

What was the thing that fixed TLS for you? I've been trying for days!
 

BostonDan

Member
Joined
Jul 9, 2017
Messages
32
Reaction score
5
@BostonDan What's your setup? I am having issues with my TLS over PJSIP.

One issue is that my transport shuts down after 5 seconds; I just don't see what could be taking this down. I use a SonicWall firewall. I have tried taking the firewall out of my network to see if the problem was because of my firewall, but there was no change; I continued to get the transport shutdown. I believe it's because of a TCP transport idle time, but I cannot find where the timer file would be located, so I just need some extra advice.

What was the thing that fixed TLS for you? I've been trying for days!

I had to reinstall the Asterisk 13.0.22 completely (rebuild it). Once that was done, everything worked (TLS with SIP).

Not sure why you're losing your transport after 5 seconds....

Cheers,
B.D.
 

jamesmcmuffin

Intermediate Programmer.
Joined
Jul 22, 2018
Messages
15
Reaction score
1
I had to reinstall the Asterisk 13.0.22 completely (rebuild it). Once that was done, everything worked (TLS with SIP).

Not sure why you're losing your transport after 5 seconds....

Cheers,
B.D.
Thank you for your reply.

Yes, me neither! But I got it working after switching to CHANSIP and resetting all of my settings.

Do you use PJSIP or CHANSIP? @BostonDan
 

BostonDan

Member
Joined
Jul 9, 2017
Messages
32
Reaction score
5
Thank you for your reply.

Yes, me neither! But I got it working after switching to CHANSIP and resetting all of my settings.

Do you use PJSIP or CHANSIP? @BostonDan

I use CHANSIP.

I have also recently discovered that my outgoing calls from a softphone that is EXTERNAL to my home network drops after 5-30 seconds. I am going to start a new topic, but the short is that incoming calls work fine, and calls originating INTERNAL to my network work fine. I am learning a lot, but it is frustrating!

Cheers,
B.D.
 

BostonDan

Member
Joined
Jul 9, 2017
Messages
32
Reaction score
5
OK. I figured out one thing: the fact that GVSIP is using transport_tls does not seem to allow other registrations of TLS PJSIP connections. When I set my extension to PJSIP and put in the TLS transport (the transport is saved as [0.0.0.0-tls]), it does not show up in the Asterisk CLI if I type "pjsip show transports" or "pjsip list transports", which only list the udp [0.0.0.0-5065] and tls [transport_tls] and do not load the [0.0.0.0-tls] setting. I am using TLS for chan_sip on these extensions, but this has led to the calls dropping after a few seconds (5-35 seconds) on the extension if my calls originate from a softphone that is external to my network. Incoming calls to my softphone external to my home network (where the PIAF Raspberry Pi is housed) work fine (or at least up to 5-10 minutes, which is the length of my longest call).

I have some sleuthing to do this weekend.

Cheers,
B.D.
 
