Wednesday, August 10, 2011

TLS, SRTP for Asterisk

[ Test environment ]
- kernel : 2.6.36
- srtp-1.4.2.tgz
- asterisk-1.8.5.0.tar.gz
- dahdi-linux-complete-2.5.0+2.5.0.tar.gz
- libpri-1.4.12.tar.gz
- OpenSSL-1.0.0d.tar.gz (at the time of writing, installing via yum gives OpenSSL 0.9.8e-fips-rhel5, which unfortunately has no ECC support, so 1.0.0d is used instead)
- PhonerLite 1.91

[ Asterisk ]
- Key generation

mkdir /etc/asterisk/keys
- Generate the server-side certificate files
./ast_tls_cert -C pointermans.dyndns.org -O "Arisys" -d /etc/asterisk/keys
- Generate the client-side certificate files
./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C pointermans.dyndns.org -O "Arisys" -d /etc/asterisk/keys -o 1000


- sip.conf
[general]
context=default                 ; Default context for incoming calls
srtpcapable=yes
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1 ;none of the others seem to work with Blink as the client

[1000]
type=peer
context=main
host=dynamic
disallow=all
allow=ulaw
allow=alaw
secret=1000
transport=tls
nat=yes
encryption=yes
canreinvite=no

[1001]
type=peer
context=main
host=dynamic
disallow=all
allow=ulaw
allow=alaw
secret=1001
transport=tls
nat=yes
encryption=yes
canreinvite=no

- extensions.conf

[main]
exten => _XXXX,1,NOOP(SRTP TEST CALL)
exten => _XXXX,n,Set(_SIPSRTP_CRYPTO=enable)
exten => _XXXX,n,DIAL(SIP/${EXTEN})
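As an added example, not part of the original post and not Asterisk's own code, the following Python script parses the sip.conf above and reports the settings a reviewer would question before exposing this box to a network: tlscipher=ALL (OpenSSL's ALL string includes the anonymous aNULL suites, so a client could negotiate a TLS session with no server authentication at all), peers whose encryption/transport combination leaves either the SDES master key or the media unprotected, and a peer secret that merely repeats the peer name. The sample configuration is embedded as a string so the check runs offline; the "hardened" replacement values used when trying it are assumptions about a corrected file, not something the post shows.

```python
import re

# Constructed sample: the sip.conf from the post, embedded so the check runs offline.
SAMPLE_SIP_CONF = """
[general]
context=default                 ; Default context for incoming calls
srtpcapable=yes
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1 ;none of the others seem to work with Blink as the client

[1000]
type=peer
context=main
host=dynamic
disallow=all
allow=ulaw
allow=alaw
secret=1000
transport=tls
nat=yes
encryption=yes
canreinvite=no
"""


def parse_asterisk_conf(text):
    """Parse Asterisk's INI-style syntax: [section] headers, key=value lines,
    ';' comments. Repeated keys (allow=, disallow=) keep every value in order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def cipher_string_allows_anonymous(cipher):
    """Heuristic on OpenSSL cipher strings: ALL and COMPLEMENTOFDEFAULT include the
    anonymous (aNULL: ADH/AECDH) suites, which provide no server authentication,
    unless the string also removes them with !aNULL."""
    tokens = [t.strip() for t in cipher.split(":")]
    opens_anon = {"ALL", "COMPLEMENTOFDEFAULT", "aNULL", "ADH", "AECDH"}
    return any(t in opens_anon for t in tokens) and "!aNULL" not in tokens


def last_value(section, key, default=""):
    """Asterisk keeps the last assignment of a single-valued option."""
    return section.get(key, [default])[-1].lower()


def audit_sip_conf(text):
    """Return a list of findings about the TLS/SRTP posture of a sip.conf."""
    conf = parse_asterisk_conf(text)
    findings = []
    general = conf.get("general", {})
    if last_value(general, "tlsenable", "no") != "yes":
        findings.append("[general] tlsenable is not yes: SIP over TLS is disabled")
    cipher = general.get("tlscipher", [""])[-1]
    if cipher and cipher_string_allows_anonymous(cipher):
        findings.append("[general] tlscipher=%s permits anonymous suites; add !aNULL:!eNULL" % cipher)
    for name, section in conf.items():
        if name == "general" or last_value(section, "type") not in ("peer", "friend", "user"):
            continue
        transport = last_value(section, "transport", "udp")
        encryption = last_value(section, "encryption", "no")
        if encryption == "yes" and transport != "tls":
            findings.append("[%s] encryption=yes over transport=%s: the SDES master key is sent in cleartext"
                            % (name, transport))
        if transport == "tls" and encryption != "yes":
            findings.append("[%s] transport=tls without encryption=yes: signaling is protected but media is plain RTP"
                            % name)
        if last_value(section, "secret") == name.lower():
            findings.append("[%s] secret is identical to the peer name" % name)
    return findings


if __name__ == "__main__":
    for finding in audit_sip_conf(SAMPLE_SIP_CONF):
        print(finding)
```

Run against the post's configuration it reports two findings, the tlscipher=ALL line and the secret=1000 under [1000]; changing the cipher string to something ending in !aNULL:!eNULL and the secret to a real password clears both. The cipher check is a string heuristic, not an OpenSSL evaluation, so a string such as ALL:!ADH would still be flagged because AECDH remains enabled.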



[ PhonerLite ]
The best softphone I've tested recently!
Configure it as follows

[ Results ]
- SIP message flow with only SRTP applied

- SRTP audio: play it back and you can't hear a thing

- INVITE method with both TLS and SRTP applied

<--- SIP read from TLS:192.168.1.129:59240 --->
INVITE sip:1001@pointermans.dyndns.org;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.168.1.129:59240;branch=z9hG4bK008a4625d4cbe011a013005056c00001;rport;alias
From: "1000" <sip:1000@pointermans.dyndns.org>;tag=3955497885
To: <sip:1001@pointermans.dyndns.org;transport=tls>
Call-ID: 008A4625-D4CB-E011-A012-005056C00001@192.168.1.129
CSeq: 108 INVITE
Contact: <sip:1000@192.168.1.129:59240;transport=tls>
Content-Type: application/sdp
Allow: INVITE, OPTIONS, ACK, BYE, CANCEL, INFO, NOTIFY, MESSAGE, UPDATE
Max-Forwards: 70
Supported: 100rel, replaces, from-change
User-Agent: SIPPER for PhonerLite
P-Preferred-Identity: <sip:1000@pointermans.dyndns.org>
Content-Length: 347

v=0
o=- 2733979642 0 IN IP4 192.168.1.129
s=SIPPER for PhonerLite
c=IN IP4 192.168.1.129
t=0 0
m=audio 61911 RTP/SAVP 8 0 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:qvfRcmB5uE0WrXOcRuBV0KgzE3CSl6N9On/gvutN
a=encryption:optional
a=sendrecv
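To make the point of this capture concrete, here is an added Python example (not from the post and not Asterisk's code) that parses the INVITE above: it reads the transport from the top Via header, the profile from the m= line, and decodes the a=crypto key parameters as RFC 4568 defines them (base64 of master key || master salt, 16 + 14 bytes for AES_CM_128_HMAC_SHA1_80). It reports an issue when SDES keys are offered over a non-TLS transport, which is exactly why the post enables TLS together with SRTP: with SDES the SRTP master key sits in the SDP in cleartext, so it is only as secret as the signaling channel that carries it. The sample message is the capture above, trimmed to the lines the check reads.

```python
import base64
import re

# Master key and master salt lengths (bytes) for the SDES crypto-suites in RFC 4568.
SUITE_KEY_SALT = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}

# Constructed sample: the INVITE captured above, trimmed to the lines this check reads.
SAMPLE_INVITE = (
    "INVITE sip:1001@pointermans.dyndns.org;transport=tls SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.168.1.129:59240;branch=z9hG4bK008a4625d4cbe011a013005056c00001;rport;alias\r\n"
    "From: \"1000\" <sip:1000@pointermans.dyndns.org>;tag=3955497885\r\n"
    "To: <sip:1001@pointermans.dyndns.org;transport=tls>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 2733979642 0 IN IP4 192.168.1.129\r\n"
    "c=IN IP4 192.168.1.129\r\n"
    "m=audio 61911 RTP/SAVP 8 0 101\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:qvfRcmB5uE0WrXOcRuBV0KgzE3CSl6N9On/gvutN\r\n"
    "a=sendrecv\r\n"
)


def split_sip_message(msg):
    """Return (start line, headers, body). Header names are lower-cased and
    multi-valued headers are kept as lists, in order of appearance."""
    text = msg.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def parse_crypto_attr(attr):
    """Parse 'crypto:<tag> <suite> inline:<key||salt>[|lifetime][|mki:len]' (RFC 4568 section 5.1)
    and return the tag, suite and the decoded master key and master salt."""
    match = re.match(r"crypto:(\d+)\s+(\S+)\s+(\S+)", attr)
    if not match:
        raise ValueError("malformed a=crypto attribute")
    tag, suite, key_params = int(match.group(1)), match.group(2), match.group(3)
    if suite not in SUITE_KEY_SALT:
        raise ValueError("unknown crypto-suite %s" % suite)
    key_len, salt_len = SUITE_KEY_SALT[suite]
    method, _, key_info = key_params.partition(":")
    if method != "inline":
        raise ValueError("unsupported key method %s" % method)
    # RFC 4568 sends base64(master key || master salt), normally without '=' padding.
    b64 = key_info.split("|")[0]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) != key_len + salt_len:
        raise ValueError("expected %d key bytes, got %d" % (key_len + salt_len, len(raw)))
    return {"tag": tag, "suite": suite,
            "master_key": raw[:key_len], "master_salt": raw[key_len:]}


def audit_sdes_offer(msg):
    """Report how an SDP offer's SDES keys are protected: which transport carried
    the signaling, which RTP profile the media uses, and what (if anything) is wrong."""
    _, headers, body = split_sip_message(msg)
    via = headers.get("via", [""])[0]
    # 'SIP/2.0/TLS host:port;params' -> 'TLS'
    transport = via.split()[0].rsplit("/", 1)[-1].upper() if via else ""
    profile, crypto, issues = None, None, []
    for line in body.split("\n"):
        if line.startswith("m=audio"):
            profile = line.split()[2]
        elif line.startswith("a=crypto:"):
            crypto = parse_crypto_attr(line[2:])
    if crypto is None:
        issues.append("no a=crypto attribute: media would be plain RTP")
    elif profile != "RTP/SAVP":
        issues.append("a=crypto offered on %s: SRTP requires the RTP/SAVP profile" % profile)
    if crypto is not None and transport != "TLS":
        issues.append("SDES master key carried over %s signaling: anyone who reads the INVITE can decrypt the call"
                      % (transport or "unknown"))
    return {"via_transport": transport, "profile": profile, "crypto": crypto, "issues": issues}


if __name__ == "__main__":
    result = audit_sdes_offer(SAMPLE_INVITE)
    print("transport=%s profile=%s suite=%s" % (result["via_transport"], result["profile"], result["crypto"]["suite"]))
    print("master key: %s" % result["crypto"]["master_key"].hex())
    print("issues:", result["issues"] or "none")
```

For the captured INVITE the audit returns no issues: the Via transport is TLS and the media profile is RTP/SAVP. Rewriting the Via to SIP/2.0/UDP, which is what the "SRTP only" flow in the results section looks like on the wire, produces the cleartext-key finding, and a 40-character inline value that does not decode to exactly 30 bytes is rejected rather than silently truncated.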

[ Miscellaneous ]
/main/tcptls.c -> ast_tls_read_conf is used by the following files:
/channels/chan_sip.c
/main/http.c
/main/manager.c

[ Reference sites ]
For installation, see here: http://www.technicalhowto.com/opensource/asterisk/installing.html

This one is the key: http://www.openssl.org/

http://astrecipes.net/index.php?n=398

http://www.remiphilippe.fr/2011/01/16/asterisk-srtp-with-1-8/

http://www.voip-info.org/wiki/view/Asterisk+SRTP

https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

http://srtp.sourceforge.net/srtp.html
