[asterisk-users] Commercial SSL certs on Asterisk 1.8.10.0 with Polycom phones for encrypted calls using TLS and SRTP?
Hi all,

We're testing TLS and SRTP on Asterisk 1.8.10.0 and have it working with a commercial (not self-signed) AlphaSSL wildcard (GlobalSign) using Blink Lite 1.6.2 as per https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

We've tested with Bria on an iPhone and that doesn't recognise the commercial CA (GlobalSign Root CA). On a Yealink 28P with V60/V61 it registers over TLS, but can't do SRTP. Yealink are working on this and are testing against one of our dev servers.

My question is someone (Digium) must have this working against Polycom (which is a requirement for this project) with commercial certs since that's their partner of choice?

This is our relevant setup:

tlsenable=yes
tlsbindaddr=0.0.0.0
tcpbindaddr=0.0.0.0
tcpenable=yes
transport=tcp,udp,tls
tlscertfile=/etc/asterisk/ssl/test_wildcard_cert.pem
tlscafile=/etc/asterisk/ssl/AlphaSSLroot.crt
tlscipher=ALL
tlsclientmethod=tlsv1

This file has the cert and key in it: test_wildcard_cert.pem is as per: http://www.alphassl.com/support/install-ssl/apache.html and AlphaSSLroot.crt is as per: http://www.alphassl.com/support/install-root/apache.html

We haven't tested Snom or Aastra yet.

Thanks,
Gavin.

--
http://www.suretecsystems.com/services/openldap/
http://www.surevoip.co.uk

--
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Commercial SSL certs on Asterisk 1.8.10.0 with Polycom phones for encrypted calls using TLS and SRTP?
On 03/08/2012 09:32 AM, Gavin Henry wrote:
> Hi all,
>
> We're testing TLS and SRTP on Asterisk 1.8.10.0 and have it working with a commercial (not self-signed) AlphaSSL wildcard (GlobalSign) using Blink Lite 1.6.2 as per https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial
>
> We've tested with Bria on an iPhone and that doesn't recognise the commercial CA (GlobalSign Root CA). On a Yealink 28P with V60/V61 it registers over TLS, but can't do SRTP. Yealink are working on this and are testing against one of our dev servers.
>
> My question is someone (Digium) must have this working against Polycom (which is a requirement for this project) with commercial certs since that's their partner of choice?

I don't believe we've done any interop testing with Polycom phones since TLS and SRTP support were added to Asterisk. Most (possibly all) of the interop testing was done with Asterisk Business Edition, the last version of which was based on Asterisk 1.4.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com www.asterisk.org
Re: [asterisk-users] Commercial SSL certs on Asterisk 1.8.10.0 with Polycom phones for encrypted calls using TLS and SRTP?
>> My question is someone (Digium) must have this working against Polycom (which is a requirement for this project) with commercial certs since that's their partner of choice?
>
> I don't believe we've done any interop testing with Polycom phones since TLS and SRTP support were added to Asterisk. Most (possibly all) of the interop testing was done with Asterisk Business Edition, the last version of which was based on Asterisk 1.4.

Ah, this makes sense now. So as of today the status of TLS and SRTP in anything other than 1.4.X is unknown?

--
http://www.suretecsystems.com/services/openldap/
http://www.surevoip.co.uk
Re: [asterisk-users] Commercial SSL certs on Asterisk 1.8.10.0 with Polycom phones for encrypted calls using TLS and SRTP?
On 03/08/2012 10:34 AM, Gavin Henry wrote:
>>> My question is someone (Digium) must have this working against Polycom (which is a requirement for this project) with commercial certs since that's their partner of choice?
>>
>> I don't believe we've done any interop testing with Polycom phones since TLS and SRTP support were added to Asterisk. Most (possibly all) of the interop testing was done with Asterisk Business Edition, the last version of which was based on Asterisk 1.4.
>
> Ah, this makes sense now. So as of today the status of TLS and SRTP in anything other than 1.4.X is unknown?

Umm... no :-)

Asterisk 1.4 did not have support for SRTP or SIP/TLS. Thus, neither of these were tested with Polycom phones the last time we did interop testing with those phones.

The status of SIP/TLS and SRTP support in the Asterisk releases that have them are not 'unknown'; they are there and expected to be working. I was just pointing out that Digium has not specifically tested Polycom phones for interop with these features, and certainly has not specifically tested usage of TLS certificates issued by any particular CA.

--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
Jabber: kflem...@digium.com | SIP: kpflem...@digium.com | Skype: kpfleming
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at www.digium.com www.asterisk.org
Re: [asterisk-users] Commercial SSL certs on Asterisk 1.8.10.0 with Polycom phones for encrypted calls using TLS and SRTP?
>> Ah, this makes sense now. So as of today the status of TLS and SRTP in anything other than 1.4.X is unknown?
>
> Umm... no :-)

OK, sorry :-)

> Asterisk 1.4 did not have support for SRTP or SIP/TLS. Thus, neither of these were tested with Polycom phones the last time we did interop testing with those phones.

Ah, I forgot when it was added.

> The status of SIP/TLS and SRTP support in the Asterisk releases that have them are not 'unknown'; they are there and expected to be working. I was just pointing out that Digium has not specifically tested Polycom phones for interop with these features, and certainly has not specifically tested usage of TLS certificates issued by any particular CA.

Has anyone on the list?

--
http://www.suretecsystems.com/services/openldap/
http://www.surevoip.co.uk
Re: [asterisk-users] Commercial SSL certs on Asterisk 1.8.10.0 with Polycom phones for encrypted calls using TLS and SRTP?
AFAIK, it works in the 1.8 and 10.X branches (I have used it in 10.0.2)

There was a known issue with some certificates that used multiple levels IIRC.

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Gavin Henry
Sent: Thursday, March 08, 2012 10:50 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Commercial SSL certs on Asterisk 1.8.10.0 with Polycom phones for encrypted calls using TLS and SRTP?

>> Ah, this makes sense now. So as of today the status of TLS and SRTP in anything other than 1.4.X is unknown?
>
> Umm... no :-)

OK, sorry :-)

> Asterisk 1.4 did not have support for SRTP or SIP/TLS. Thus, neither of these were tested with Polycom phones the last time we did interop testing with those phones.

Ah, I forgot when it was added.

> The status of SIP/TLS and SRTP support in the Asterisk releases that have them are not 'unknown'; they are there and expected to be working. I was just pointing out that Digium has not specifically tested Polycom phones for interop with these features, and certainly has not specifically tested usage of TLS certificates issued by any particular CA.

Has anyone on the list?

--
http://www.suretecsystems.com/services/openldap/
http://www.surevoip.co.uk
Re: [asterisk-users] Commercial SSL certs on Asterisk 1.8.10.0 with Polycom phones for encrypted calls using TLS and SRTP?
On Thu, 2012-03-08 at 16:50 +, Gavin Henry wrote:
>>> Ah, this makes sense now. So as of today the status of TLS and SRTP in anything other than 1.4.X is unknown?
>>
>> Umm... no :-)
>
> OK, sorry :-)
>
>> Asterisk 1.4 did not have support for SRTP or SIP/TLS. Thus, neither of these were tested with Polycom phones the last time we did interop testing with those phones.
>
> Ah, I forgot when it was added.

afaicr, it was in 1.6.2

>> The status of SIP/TLS and SRTP support in the Asterisk releases that have them are not 'unknown'; they are there and expected to be working. I was just pointing out that Digium has not specifically tested Polycom phones for interop with these features, and certainly has not specifically tested usage of TLS certificates issued by any particular CA.

btw, commercial certs are not so special. Somewhere in the chain (root-ca), there is a self-signed cert. You can make such chain yourself, root-ca - sub-ca - sub-ca and finally a server+client cert.

Or, you can get a free cert from cacert.org

hw
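
Added example, not part of the thread: the multi-level chain hw describes (root-ca, sub-ca, server cert) built with the openssl CLI, then verified with and without the sub-CA. That check shows whether a client trusting only the root also needs the intermediate. The directory layout, file names and the host name pbx.example.test are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed test chain: root CA -> sub-CA -> server cert. All names are made up.
set -eu

new_csr() {  # $1 = dir, $2 = basename, $3 = common name; writes $2.key and $2.csr
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_chain() {  # $1 = empty working directory
  local d=$1
  # A signing cert needs CA:TRUE; the server cert must not have it.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pbx.example.test\n' > "$d/leaf.ext"
  new_csr "$d" root 'Example Test Root CA'
  new_csr "$d" sub  'Example Test Sub CA'
  new_csr "$d" leaf 'pbx.example.test'
  # The root signs itself, which is also what sits at the top of a commercial chain.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  # The root signs the sub-CA; the sub-CA signs the server certificate.
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/sub.crt" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" \
    -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
}

is_self_signed() {  # $1 = cert; name check only: subject equals issuer
  local s i
  s=$(openssl x509 -noout -subject -in "$1"); i=$(openssl x509 -noout -issuer -in "$1")
  [ "${s#subject=}" = "${i#issuer=}" ]
}

verify_leaf() {  # $1 = dir, $2 = "with" or "without" the sub-CA being supplied
  local d=$1
  if [ "$2" = with ]; then
    openssl verify -CAfile "$d/root.crt" -untrusted "$d/sub.crt" "$d/leaf.crt" 2>&1
  else
    openssl verify -CAfile "$d/root.crt" "$d/leaf.crt" 2>&1
  fi | grep -q ': OK$'
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
build_chain "$work"
is_self_signed "$work/root.crt" && echo "root is self-signed"
verify_leaf "$work" without || echo "leaf does NOT verify against the root alone"
verify_leaf "$work" with    && echo "leaf verifies once the sub-CA is supplied"
```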