Use TLS transport with asterisk PBX

+2 votes

Update: the configuration is working now, see my red comments below.

Hello community,

I am trying to add TLS transport to my SIP environment, which contains:

voip.example.com     asterisk 1:13.1.0~dfsg-1.1
zoiper.example.com  zoiper 3.6.25251 32bit (Library revision: 25476)

The certificates for the Asterisk server and the Zoiper workstation have been generated by startssl.com. Both certificates use intermediate certificates.

For the Asterisk server I have concatenated the certificate and the intermediate certificate into one file, and I have added the following configuration to my sip.conf for TLS transport:

[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/ssl/certs/voip.example.com.pem
tlsprivatekey=/etc/ssl/private/voip.example.com.key

[123456]
transport=tls

On the Zoiper workstation I have changed the following parameters:

preferences -> accounts -> general -> domain: voip.example.com
preferences -> accounts -> general -> username: 123456
preferences -> accounts -> general -> password: topsecret
preferences -> accounts -> advanced -> use TLS transport (and enable the "use rport" checkbox)
preferences -> advanced -> security -> Load domain certificate: enable (and select your cert file in PEM format)
preferences -> advanced -> security -> protocol suite: TLS v1

The certificate for Zoiper needs to be in PEM format and concatenated as:

  1. server certificate
  2. server certificate key
  3. intermediate certificate

Thanks in advance and greetings

-mog

asked Nov 26, 2015 in Windows by mog (200 points)
edited Dec 3, 2015 by mog

Hello,

could you please provide us with more info about the issue: Do you see any error messages?

Hello Katina,

Thanks for your fast response.

I might be wrong, but before I can provide you with a useful error message I would need to have configured TLS within the Zoiper software. Right now I have only enabled TLS for the connection to the Asterisk server but not for the connection to the Zoiper client, because I have no idea where I should add the certificate and how it needs to be concatenated.

Here is the full debug log. The last line of the log (and only the last line) appears right after I tried to call the Zoiper phone.

2015-11-26 13:15:35: Log file started, Zoiper  for Windows 32bit, version 3.6.25251, library 25476.
2015-11-26 13:15:35: Diagnostic options. Set audio debug.
2015-11-26 13:15:35: General options. Add to firewall.
2015-11-26 13:15:35: General options. Register protocol handlers.
2015-11-26 13:15:35: General options. Intergate AddressBook plugin.
2015-11-26 13:15:35: Network options. Set media DSCP.
2015-11-26 13:15:35: Network options. Set signalling DSCP. This should not work here!
2015-11-26 13:15:35: SIP options. Set disable certificate verification.
2015-11-26 13:15:35: SIP options. Set TLS certificate file.
2015-11-26 13:15:35: SIP options. Init TLS.
2015-11-26 13:15:35: Error initializing TLS
2015-11-26 13:15:35: RTP options. Set use random port.
2015-11-26 13:15:35: RTP options. Set port.
2015-11-26 13:15:35: RTP options. Set session name.
2015-11-26 13:15:35: RTP options. Set user name.
2015-11-26 13:15:35: RTP options. Set URL.
2015-11-26 13:15:35: RTP options. Set email.
2015-11-26 13:15:35: Added codec = 0x1
2015-11-26 13:15:35: Added codec = 0x18
2015-11-26 13:15:35: Added codec = 0x6
2015-11-26 13:15:35: Added codec = 0x0
2015-11-26 13:15:35: Added codec = 0x1b
2015-11-26 13:15:35: Added codec = 0x1c
2015-11-26 13:15:35: Added codec = 0x1f
2015-11-26 13:15:35: Added codec = 0x1e
2015-11-26 13:15:35: Codec options applied. UserControl = 0x0
2015-11-26 13:15:35: Network options. Set media DSCP.
2015-11-26 13:15:35: Network options. Set signalling DSCP. This should not work here!
2015-11-26 13:15:35: Audio options. Set auto mic selection.
2015-11-26 13:15:35: Audio options. Set auto gain control.
2015-11-26 13:15:35: Audio options. Set noise suppression.
2015-11-26 13:15:35: Selected input audio device = Mikrofon (Realtek High Definiti
2015-11-26 13:15:35: Selected output audio device = Lautsprecher (Realtek High Defi
2015-11-26 13:15:35: Selected ring audio device = Lautsprecher (Realtek High Defi
2015-11-26 13:15:35: Audio options. Set mic boost.
2015-11-26 13:15:35: Audio options. Set echo cancellation.
2015-11-26 13:15:35: Audio options. Set external devices.
2015-11-26 13:15:35: Video options. Set video options.
2015-11-26 13:15:35: Fax options. Set enabled.
2015-11-26 13:15:35: Creating account. Account = 123456@voip.example.com
2015-11-26 13:15:35: Creating SIP account. Account = 123456@voip.example.com, 123456@voip.example.com
2015-11-26 13:15:35: Account = 123456@voip.example.com. Set TrasportType.
2015-11-26 13:15:35: Account = 123456@voip.example.com. Set Signalling and KPML.
2015-11-26 13:15:35: Account = 123456@voip.example.com. Set SRTPType.
2015-11-26 13:15:35: Account = 123456@voip.example.com. Set authentication username.
2015-11-26 13:15:35: Account = 123456@voip.example.com. Set registered state to NOT_REGISTERED.
2015-11-26 13:15:35: Account = 123456@voip.example.com. Set RPORT.
2015-11-26 13:15:35: Account = 123456@voip.example.com. Set registered state to NOT_REGISTERED.
2015-11-26 13:15:35: Account = 123456@voip.example.com. Set Force RFC3264.
2015-11-26 13:15:35: Account = 123456@voip.example.com. Set registered state to NOT_REGISTERED.
2015-11-26 13:15:35: Account = 123456@voip.example.com. Set registered state to NOT_REGISTERED.
2015-11-26 13:15:35: Added codec = 0x1. UserControl = 0x4192b90
2015-11-26 13:15:35: Added codec = 0x18. UserControl = 0x4192b90
2015-11-26 13:15:35: Added codec = 0x6. UserControl = 0x4192b90
2015-11-26 13:15:35: Added codec = 0x0. UserControl = 0x4192b90
2015-11-26 13:15:35: Added codec = 0x1b. UserControl = 0x4192b90
2015-11-26 13:15:35: Added codec = 0x1c. UserControl = 0x4192b90
2015-11-26 13:15:35: Added codec = 0x1f. UserControl = 0x4192b90
2015-11-26 13:15:35: Added codec = 0x1e. UserControl = 0x4192b90
2015-11-26 13:15:35: Codec options applied. UserControl = 0x4192b90
2015-11-26 13:15:35: Account = 123456@voip.example.com. Set registered state to NOT_REGISTERED.
2015-11-26 13:15:35: Added ZRTP hash algorithm
2015-11-26 13:15:35: Added ZRTP hash algorithm
2015-11-26 13:15:35: ZRTP hash algorithm options applied. UserControl = 0x4192b90
2015-11-26 13:15:35: Added ZRTP cipher algorithm
2015-11-26 13:15:35: ZRTP cipher algorithm options applied. UserControl = 0x4192b90
2015-11-26 13:15:35: Added ZRTP auth tag
2015-11-26 13:15:35: Added ZRTP auth tag
2015-11-26 13:15:35: ZRTP auth tag options applied. UserControl = 0x4192b90
2015-11-26 13:15:35: Added ZRTP key agreement method
2015-11-26 13:15:35: Added ZRTP key agreement method
2015-11-26 13:15:35: Added ZRTP key agreement method
2015-11-26 13:15:35: Added ZRTP key agreement method
2015-11-26 13:15:35: ZRTP key agreement method options applied. UserControl = 0x4192b90
2015-11-26 13:15:35: Added ZRTP SAS encoding
2015-11-26 13:15:35: Added ZRTP SAS encoding
2015-11-26 13:15:35: ZRTP SAS encoding options applied. UserControl = 0x4192b90
2015-11-26 13:15:35: TLS client options applied
2015-11-26 13:15:35: Account registering. Account = 123456@voip.example.com
2015-11-26 13:15:35: Application : Register Audio output device notification succeeded
2015-11-26 13:15:35: Application : Register Audio input device notification succeeded
2015-11-26 13:15:35: Interprocess token - Zoiper_socket
2015-11-26 13:15:35: Account file : Loading account file "AutoAccount.xml"
2015-11-26 13:15:35: Account '123456@voip.example.com' registered (SIP), new voice messages: 0, old voice messages: 0.
2015-11-26 13:15:36: Check for updates: empty response from server.
2015-11-26 13:16:06: Account '123456@voip.example.com' registered (SIP), new voice messages: 0, old voice messages: 0.

Greetings
-mog

I made some more investigations. Below are the outputs of SSL connections to my PBX and to my Zoiper phone. The output of the PBX seems to be OK, but the Zoiper phone is not responding with valid certificates.

openssl s_client -connect voip.example.com:5061

CONNECTED(00000003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
verify return:1
depth=0 C = DE, CN = voip.example.com, emailAddress = postmaster@example.com
verify return:1
---
Certificate chain
 0 s:/C=DE/CN=voip.example.com/emailAddress=postmaster@example.com
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---

openssl s_client -connect ds9.example.com:5061
CONNECTED(00000003)
140267883742864:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 315 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---

I have enabled additional settings:

preferences -> advanced -> network -> sip options -> port: 5060 (disabled random ports)
preferences -> advanced -> security -> Load domain certificate: enable

I have tried a certificate in PEM format concatenated in the order:

  1. server certificate
  2. server certificate key
  3. intermediate certificate

This did not work. Then I tried:

  1. server certificate
  2. server certificate key
  3. intermediate certificate
  4. ca certificate

No valid SSL response from the Zoiper phone either.

Is there nobody out there who could point me to the right settings or documentation on how to enable TLS transport in the Zoiper softphone?
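The checks mog ran by hand above (an `openssl s_client` probe of the PBX, then trial-and-error concatenation of certificate, key and intermediate for Zoiper) can be done offline before either endpoint is touched. The script below is an added example, not code from the original thread or from Zoiper/Asterisk. It builds the two bundles the thread describes (for Asterisk's `tlscertfile`: leaf certificate plus intermediate, with the key kept in `tlsprivatekey`; for Zoiper's "Load domain certificate": leaf certificate, its key, then the intermediate), verifies that the leaf chains to the root through the intermediate, confirms the private key belongs to the leaf, and prints the PEM block layout of each bundle. Because the StartSSL chain is not available here, a throwaway root, intermediate and `voip.example.com` leaf are generated on the fly as constructed test material; point the variables at your own files instead. It assumes only that `openssl` (1.1.1 or newer) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post). Builds and checks the PEM bundles
# the thread discusses. Assumes openssl >= 1.1.1 on PATH. The root/intermediate/
# leaf below are constructed throwaway test material, not the StartSSL chain.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT HUP INT TERM
q() { "$@" >/dev/null 2>&1; }   # run openssl quietly; set -e still aborts on failure

# Constructed test chain: Test Root CA -> Test Intermediate CA -> voip.example.com
make_test_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:voip.example.com\nextendedKeyUsage=serverAuth,clientAuth\n' > "$WORK/leaf.ext"
  q openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" -subj "/CN=Test Root CA"
  q openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -extfile "$WORK/ca.ext" -out "$WORK/root.pem"
  q openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" -subj "/CN=Test Intermediate CA"
  q openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.pem"
  q openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/voip.key" -out "$WORK/voip.csr" -subj "/CN=voip.example.com"
  q openssl x509 -req -in "$WORK/voip.csr" -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/voip.pem"
}

# Does the leaf chain to the trusted root via the supplied intermediate(s)?
# Mirrors what the "depth=2 / depth=1 / depth=0 ... verify return:1" s_client output shows.
verify_chain() {   # $1 leaf  $2 untrusted intermediate(s)  $3 trusted root
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1 && echo "chain ok" || echo "chain BROKEN"
}

# Does the private key belong to the certificate? Compares the SubjectPublicKeyInfo
# from both files, so it works for RSA and EC keys alike. A mismatched pair cannot
# be loaded by any TLS stack, whatever order it is concatenated in.
key_matches_cert() {   # $1 cert  $2 key
  a=$(openssl x509 -in "$1" -noout -pubkey)
  b=$(openssl pkey -in "$2" -pubout)
  [ "$a" = "$b" ] && echo "key ok" || echo "key MISMATCH"
}

# Asterisk tlscertfile: leaf certificate followed by the intermediate; the key is
# referenced separately through tlsprivatekey, so it stays out of this file.
make_asterisk_bundle() {   # $1 leaf  $2 intermediate  $3 out
  cat "$1" "$2" > "$3"
}

# Zoiper "Load domain certificate", in the order the thread settled on:
# leaf certificate, its private key, then the intermediate.
make_zoiper_bundle() {   # $1 leaf  $2 key  $3 intermediate  $4 out
  cat "$1" "$2" "$3" > "$4"
  chmod 600 "$4"   # this file now carries the private key
}

# Print the sequence of PEM block types in a bundle, e.g. "CERTIFICATE PRIVATE KEY CERTIFICATE".
pem_layout() {   # $1 bundle
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sed 's/^RSA //;s/^EC //' | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone demo run on the constructed chain.
make_test_chain
make_asterisk_bundle "$WORK/voip.pem" "$WORK/intermediate.pem" "$WORK/asterisk.pem"
make_zoiper_bundle "$WORK/voip.pem" "$WORK/voip.key" "$WORK/intermediate.pem" "$WORK/zoiper.pem"
echo "asterisk bundle: $(pem_layout "$WORK/asterisk.pem")"
echo "zoiper bundle:   $(pem_layout "$WORK/zoiper.pem")"
verify_chain "$WORK/voip.pem" "$WORK/intermediate.pem" "$WORK/root.pem"
key_matches_cert "$WORK/voip.pem" "$WORK/voip.key"
key_matches_cert "$WORK/voip.pem" "$WORK/intermediate.key"   # deliberately wrong key
```

Once both bundles pass these checks, repeat mog's `openssl s_client -connect voip.example.com:5061` against the live PBX; if the chain printed there is shorter than the one verified here, the intermediate did not make it into `tlscertfile`. Two caveats for anyone reusing this today: StartCom certificates like the ones in the thread have since been distrusted, so a current CA has to be substituted, and "protocol suite: TLS v1" should be raised to TLS 1.2 wherever both ends support it.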

Hello,

Please check whether you are using Zoiper 3.6 for Windows and update to the latest version, which is 3.9:

http://www.zoiper.com/en/voip-softphone/download/zoiper3/for/windows

As for the certificate: the accepted CA cert format is PEM, and there can be many CA certs in the same file. You need to add it in Preferences -> Advanced -> Security -> Extra CA certificates.

Hello Anton,

Thanks for the suggestion to upgrade to the latest version. I missed that one ;-)

Regarding the certificate, I have not been looking for CA certificate configuration; I am using a certificate from an official CA, and I have already got the problems sorted out.

Thanks for your help and greetings
