SIP TLS SRTP Asterisk
See also: Asterisk TLS SRTP configuration for PJSIP
mkdir /etc/asterisk/keys
cd /usr/src/asterisk-13*/contrib/scripts/
./ast_tls_cert -C pbx.asterisk-pbx.ru -O "asterisk-pbx.ru" -d /etc/asterisk/keys
- -C domain or IP address
- -O organization name
- -d directory (/etc/asterisk/keys)
No config file specified, creating '/etc/asterisk/keys/tmp.cfg'
You can use this config file to create additional certs without re-entering the information for the fields in the certificate
Creating CA key /etc/asterisk/keys/ca.key
Generating RSA private key, 4096 bit long modulus
..++
........................................................................................................................++
e is 65537 (0x10001)
Enter pass phrase for /etc/asterisk/keys/ca.key:
Verifying - Enter pass phrase for /etc/asterisk/keys/ca.key:
Creating CA certificate /etc/asterisk/keys/ca.crt
Enter pass phrase for /etc/asterisk/keys/ca.key:
Creating certificate /etc/asterisk/keys/asterisk.key
Generating RSA private key, 1024 bit long modulus
.++++++
.........++++++
e is 65537 (0x10001)
Creating signing request /etc/asterisk/keys/asterisk.csr
Creating certificate /etc/asterisk/keys/asterisk.crt
Signature ok
subject=/CN=192.168.251.253/O=bk
Getting CA Private Key
Enter pass phrase for /etc/asterisk/keys/ca.key:
Combining key and crt into /etc/asterisk/keys/asterisk.pem
Set a passphrase and repeat it three times.
*CLI> module load res_srtp.so
Loaded res_srtp.so
Loaded res_srtp.so => (Secure RTP (SRTP))
*CLI> module show like srtp
Module                         Description                              Use Count  Status      Support Level
res_srtp.so                    Secure RTP (SRTP)                        0          Running              core
1 modules loaded
modules.conf
load = res_srtp.so
*CLI> sip reload
Reloading SIP
  == Parsing '/etc/asterisk/sip.conf': Found
  == Using SIP TOS bits 96
  == Using SIP CoS mark 4
  == TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled
  == TLS/SSL certificate ok
sip.conf
[general]
tcpenable=yes
bindaddr=0.0.0.0
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=yes
[siptrunk]
- encryption=yes
- transport=tls
[general]
register => tls://SIPTRUNK:PASSWORD@123.123.123.123:5061

[SIPTRUNK]
type=friend
context=from-TLSTRUNK
host=123.123.123.123
port=5061
secret=PASSWORD
dtmfmode=rfc2833
disallow=all
allow=alaw
fromdomain=123.123.123.123
insecure=port,invite
qualify=yes
canreinvite=no
encryption=yes
transport=tls
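As an added check (an example script written for this page, not part of the original page or of Asterisk), the script below reads the [general] TLS keys out of a chan_sip sip.conf and flags the settings used above that weaken the transport: tlsdontverifyserver=yes, tlsclientmethod=tlsv1 and tlscipher=ALL. The two sample files it writes are constructed, and the cipher string in the hardened variant is an assumed value, not one taken from the page.

```shell
#!/bin/sh
# Added example, not from the original page: audit the [general] TLS keys of a
# chan_sip sip.conf for the weak values in this page's sample configuration.
# Assumes POSIX sh and awk; key=value lines, ';' starts a comment.
# sip_value FILE KEY: print the last value of KEY inside [general] (empty if absent).
sip_value() {
    awk -F= -v key="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[general\][ \t]*$/) }
        insec && $1 ~ ("^[ \t]*" key "[ \t]*$") {
            v = $2; sub(/[ \t]*;.*$/, "", v); gsub(/[ \t]/, "", v)
        }
        END { print v }' "$1"
}
# audit_sip_tls FILE: one finding per output line; exit status = number of findings.
audit_sip_tls() {
    n=0
    [ "$(sip_value "$1" tlsenable)" = "yes" ] || { echo "tlsenable is not yes: TLS transport is off"; n=$((n+1)); }
    [ -n "$(sip_value "$1" tlscertfile)" ] || { echo "tlscertfile missing: no server certificate"; n=$((n+1)); }
    [ "$(sip_value "$1" tlsdontverifyserver)" != "yes" ] || { echo "tlsdontverifyserver=yes: trunk certificate is never verified (MITM risk on the register path)"; n=$((n+1)); }
    [ "$(sip_value "$1" tlsclientmethod)" != "tlsv1" ] || { echo "tlsclientmethod=tlsv1: outbound TLS pinned to TLS 1.0"; n=$((n+1)); }
    [ "$(sip_value "$1" tlscipher)" != "ALL" ] || { echo "tlscipher=ALL: every cipher the library offers is accepted, weak ones included"; n=$((n+1)); }
    return "$n"
}
# Constructed samples: the page's [general] section and a hardened variant.
WEAK_CONF="${TMPDIR:-/tmp}/sip_tls_weak.conf"
HARD_CONF="${TMPDIR:-/tmp}/sip_tls_hard.conf"
cat > "$WEAK_CONF" <<'EOF'
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=yes
EOF
cat > "$HARD_CONF" <<'EOF'
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=HIGH:!aNULL:!MD5:!RC4   ; OpenSSL cipher string, constructed example
tlsdontverifyserver=no
EOF
audit_sip_tls "$WEAK_CONF" || echo "$? finding(s) in $WEAK_CONF"
```

Run it against the live /etc/asterisk/sip.conf by calling audit_sip_tls with that path; a zero exit status means none of the flagged settings is present.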