Re: [asterisk-users] unsolved: Re: solved: how to create a working certificate for using TLS?
On 7/7/19 11:55 AM, Michael Maier wrote:
> On 06.07.19 at 22:16 hwilmer wrote:
>> Is there an advantage to using pjsip? What's needed for easybell with pjsip?
>
> For easybell, I don't know of any advantage. But that's not very reliable,
> because I'm using easybell for dedicated requirements only. I'm considering
> chan_sip legacy. I wouldn't build any new installation on chan_sip (if there
> are no technical contradictions).
>
> Easybell does have a pretty fine documentation for FreePBX and pjsip:
> https://www.easybell.de/nc/hilfe/ergebnis/freepbx-130124-mit-asterisk-13.html

That's not for asterisk, and most documentations for asterisk are not for pjsip.

> [why encryption?]
>
>> I consider it a requirement for when employees end up using their mobile
>> phones over foreign wireless networks, which is something that would be
>> virtually impossible to prevent should the asterisk server be made reachable
>> from the outside.
>
> That's true. But don't forget to encrypt RTP at this point! This must be done
> additionally.
> BTW: easybell doesn't support full RTP encryption. It's supported for
> outgoing calls only
> (https://en.easybell.de/nc/help/questions/questions-concerning-the-telephone-connection/answer/does-easybell-support-the-data-encryption-srtp-for-voip.html).

They also say that encryption is possible:
https://en.easybell.de/nc/help/questions/questions-concerning-the-telephone-connection/answer/can-i-encrypt-the-telephony.html

I'll have to see what their support says about this.

>
> That's an example for an inbound call - there isn't any support for RTP
> encryption: [...]

That would really suck. It is not acceptable that phone calls over the internet shouldn't be encrypted.

> [...]

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] prevent invalid queue members
Hi,

when using AddQueueMember() to add to a queue, it is possible to add unreachable (non-existing) peers to a queue. Such members show up marked as '... (dynamic) (Invalid) ...' when using the queue show command.

Is there a way to disallow adding unreachable peers to a queue? "Unreachable", in this case, means peers that cannot be called, e.g. because they aren't registered or because they do not exist.

If not, is there a good way to automatically remove invalid queue members?
Re: [asterisk-users] unsolved: Re: solved: how to create a working certificate for using TLS?
On 7/6/19 10:40 AM, Michael Maier wrote:
> On 05.07.19 at 22:02 hw wrote:
>>
>> openssl verify -CAfile ca.pem asterisk.pem
>> asterisk.pem: OK
>>
>>
>> When I set tlsdontverifyserver=yes, it works (i.e. asterisk registers
>> to the SIP provider and there is no error message). Otherwise I'm
>> getting the error message and asterisk does not register.
>>
>> Reading the comments in sip.conf.sample, I would assume that asterisk
>> cannot verify the certificate of the SIP provider. Yet
>>
>>
>> openssl s_client -connect secure.sip.easybell.de:5061
>
> You know that you don't need an own certificate to connect via tls to the ISP?

No, I didn't know that. However, there are local clients connecting to asterisk using encryption, so I suppose my own certificate is required.

> To be able to verify the certificate of the ISP, asterisk has to know the
> local CA database. For CentOS 7, this is /etc/pki/tls/certs/ca-bundle.crt.

How did you know I'm doing this on CentOS? :)

Setting 'tlscapath' to /etc/pki or to /etc/pki/ca-trust/source/ didn't seem to make a difference, so I figured that this might be figured out automatically since 'openssl s_client ...' apparently does figure it out automatically. There is much figuring involved for the wanting of clear documentation ...

Now I've set 'tlscafile=/etc/pki/tls/certs/ca-bundle.crt' on the asterisk at work, but that one didn't have issues with certificates after I made a new one. I'll try the same at home when I get back to see if it makes a difference.

Is 'tlscafile' the correct option for this?
[asterisk-users] solved: how to create a working certificate for using TLS?
On 6/26/19 1:33 PM, hwilmer wrote:
>
> Hi,
>
> how can I create a self-signed certificate for asterisk which
> actually works?

Follow this guide:
https://fabianlee.org/2018/02/17/ubuntu-creating-a-trusted-ca-and-san-certificate-using-openssl-on-ubuntu/
[asterisk-users] how to create a working certificate for using TLS?
Hi,

how can I create a self-signed certificate for asterisk which actually works?

I had one that did work, and yesterday it suddenly quit working for no reason. I had to spend hours to create another one that would finally work, and it suddenly quit working today.

The certificate verifies just fine with

openssl verify -verbose -CAfile ca.crt asterisk.pem

Yet asterisk keeps saying:

tcptls.c:173 handle_tcptls_connection: Certificate did not verify: unable to get local issuer certificate

no matter what I do until I set 'tlsdontverifyserver=yes' in sip.conf.

Why doesn't the error message at least say which certificate it is referring to?

Every time I have to deal with certificates, I hate that stuff more and more ...
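Added example, not part of any message in this thread and not Asterisk project code: it reproduces the "unable to get local issuer certificate" error from the messages above with the openssl command line, and shows what a CA file and a CA directory (the two kinds of trust source that 'tlscafile' and 'tlscapath' name) must contain before verification succeeds. It assumes the openssl tool is installed; the CA name, the host name sip.example.test and the function names are made up for the example.

```shell
#!/bin/sh
# Added example. The CA and server certificate are constructed throwaway
# test data, not the provider's or the poster's certificates.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a private CA and a server certificate signed by it.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/server.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# verify_with [openssl verify trust options]: prints OK or the failure reason.
verify_with() {
    out=$(openssl verify "$@" "$WORK/server.pem" 2>&1) || true
    case "$out" in
        *": OK"*) echo "OK" ;;
        *"unable to get local issuer certificate"*)
            echo "unable to get local issuer certificate" ;;
        *) echo "other: $out" ;;
    esac
}

# Turn a directory of PEM files into a usable CA directory: OpenSSL looks
# issuers up by subject-name hash, so each CA needs a <hash>.0 entry.
hash_ca_dir() {
    for pem in "$1"/*.pem; do
        ln -sf "$(basename "$pem")" \
            "$1/$(openssl x509 -noout -hash -in "$pem").0"
    done
}

make_certs
mkdir "$WORK/cadir" && cp "$WORK/ca.pem" "$WORK/cadir/"

echo "system trust store only: $(verify_with)"
echo "CA file:                 $(verify_with -CAfile "$WORK/ca.pem")"
echo "CA dir, not hashed:      $(verify_with -CApath "$WORK/cadir")"
hash_ca_dir "$WORK/cadir"
echo "CA dir, hashed:          $(verify_with -CApath "$WORK/cadir")"
```

A directory that merely contains certificate files somewhere inside it fails exactly like having no trust source at all, because the lookup is by hash-named entry; a single bundle file needs no such preparation.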