At VoIP Telecom Argentina we provide connected phone solutions for our customers. We use services like Twilio, Skype and Google, but in some cases we need to customize our infrastructure and use a good old bare-metal Asterisk server to meet our customers' needs.
Many years ago, when you used SIP and RTP (the protocol carrying the voice data), you could just “forget” to implement encryption. In many use cases you ran it inside a private network, and it wasn't going to be a problem (or at least it was a manageable one).
But now we’re in 2022 and as 2019 (and 2018) showed, you just can’t do that anymore…
Being able to eavesdrop on voice communications is gold for attackers and can lead to elaborate social engineering scams.
In this article we will focus on how to connect “clients” (hard phones, soft phones) to an Asterisk server that handles the communication.
So where do we start?
First the SSL Certificate
We will be using Let’s Encrypt and certbot to create the certificate.
With certbot you have several options (or challenges) to authenticate your certificate (DNS Challenge, HTTP Challenge, etc…).
I am pretty sure that you will be able to generate a cert without a more detailed explanation from me, using the challenge that suits you best.
So, let’s assume that we have a cert using the default settings of certbot with the domain secure.asterisk.example.
If you used the default conf of certbot, you will have 4 files located in /etc/letsencrypt/live/secure.asterisk.example:
cert.pem
chain.pem
fullchain.pem
privkey.pem
You would guess that this is enough? Well, yes and no, we will need a few adjustments :)
Asterisk (well, the SIP stack) needs the cert in another format: a single .pem file containing the private key followed by the full chain.
Let's call it asterisk.pem
cat privkey.pem > asterisk.pem
cat fullchain.pem >> asterisk.pem
There you go :) We have all the files we need.
Now, the SIP configuration
General Section
SIP (Session Initiation Protocol) is the protocol that handles session setup between peers (providers, phones, etc…).
You have two ways of using SIP in Asterisk: the newer PJSIP stack (chan_pjsip) or the old SIP stack (chan_sip).
Here we will be using the old SIP stack, as we ran into random crashes with the PJSIP stack in some rare cases involving SIP peers. But you will be able to “transpose” the settings to the PJSIP stack.
Open sip.conf and add this into the [general] section:
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile={{asteriskPemCertPath}}
tlscafile={{fullchainPath}}
tlscipher=ALL
tlsclientmethod=ALL
Notice the variables {{asteriskPemCertPath}} and {{fullchainPath}}; you may have recognized a template syntax (Twig? Actually it's nunjucks ;)).
You have to replace these with the paths of the certificate files from earlier (asterisk.pem and fullchain.pem) and you're good to go ;)
Peers Section
Now that your [general] section is properly configured, you can use 2 new properties on each of your SIP peers to enable TLS:
transport=tls
encryption=yes
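As an added check (my code, not the article's or Asterisk's): a small Python audit over a constructed sip.conf that resolves chan_sip templates and reports every peer that is missing transport=tls or encryption=yes, plus a [general] section that leaves tlscipher=ALL (which accepts any OpenSSL cipher suite). The peer names and paths in the sample are placeholders.

```python
import re
# Constructed sample in the shape this article builds; names and paths are placeholders.
SAMPLE_SIP_CONF = """\
[general]
tlsenable=yes
tlscipher=ALL
[secure-phone](!)
transport=tls
encryption=yes
[1001](secure-phone)
[1002](secure-phone)
encryption=no
[legacy-trunk]
transport=udp
"""

def parse_sip_conf(text):
    """chan_sip dialect: [name](!) declares a template, [name](a,b) inherits from a and b."""
    sections, templates, current = {}, set(), None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"\[([^\]]+)\]\s*(?:\(([^)]*)\))?$", line)
        if m:
            name, parents = m.group(1), [p.strip() for p in (m.group(2) or "").split(",")]
            if "!" in parents:
                templates.add(name)
            # copy inherited keys first; keys set later in this section override them
            current = {k: v for p in parents for k, v in sections.get(p, {}).items()}
            sections[name] = current
        elif current is not None and "=" in line:
            key, val = line.split("=", 1)  # accepts key=val and key => val
            current[key.strip()] = val.lstrip(">").strip()
    return sections, templates

def audit_sip_conf(text):
    """Return (section, problem) pairs for settings that weaken SIP-TLS or SRTP."""
    sections, templates = parse_sip_conf(text)
    general, findings = sections.get("general", {}), []
    if general.get("tlsenable", "no").lower() != "yes":
        findings.append(("general", "tlsenable is not yes: no TLS listener"))
    if general.get("tlscipher", "").upper() == "ALL":
        findings.append(("general", "tlscipher=ALL permits every OpenSSL suite"))
    for name, keys in sections.items():
        if name in ("general", "authentication") or name in templates:
            continue  # reserved sections and templates are not peers
        if keys.get("transport", "udp").lower() != "tls":
            findings.append((name, f"transport={keys.get('transport', 'udp')}: not TLS-only"))
        if keys.get("encryption", "no").lower() != "yes":
            findings.append((name, "encryption is not yes: RTP media sent in the clear"))
    return findings
```

Run it against your real /etc/asterisk/sip.conf; a peer that inherits from a TLS template but overrides encryption=no (like 1002 above) is the case that is easy to miss by eye.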
OK, the hard part is over. We now have SIP over TLS, so nobody can see what number we dialed or who is calling us, but they can still hear what we say…
So let’s configure a secure RTP
To enable secure RTP (SRTP) just make sure you have loaded the SRTP module in modules.conf.
load => res_srtp.so
This module may or may not be present in your Asterisk depending on how you installed it (package manager, or built from source).
If you need to build Asterisk from source, just make sure to pass the `--with-srtp` parameter to ./configure and enable the module in menuselect with the `--enable res_srtp` option:
make menuselect.makeopts
./menuselect/menuselect --enable res_srtp menuselect.makeopts
And that's it!