The repo for building the website at encryptthe.net.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

1.9 KiB

For more information: https://wiki.asterisk.org/wiki/display/AST/SIP+TLS+Transport

The recommended cipher list for tlscipher:

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256

There are issues, like voip.ms does not support PFS, so if you’re connecting to voip.ms, you need to add: AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA to the cipher list.

Getting verification of the remote server is a little tricky. For example, FreeBSD 11’s ca_root_nss package puts a single file in /usr/local/share/certs/ca-root-nss.crt. This is not the format the asterisk needs it to be in. To make things work, first split the file out into individual PEM files, using:

awk 'BEGIN {c=0} /^Certificate:/{c++; p=1} p==1 { fname="cert." c ".pem"; print > fname} /END CERT/ {p = 0 }' < ca-root-nss.crt

Then you can hash them, using OpenSSL’s c_rehash ..

After doing the above, you can point tlscapath to this directory, and remote server should verify fine.

Error messages: Certificate did not verify: unable to get local issuer certificate This means that you didn’t setup thetlscapath properly. Follow the above instructions.

Problem setting up ssl connection: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher This likely means that the list of ciphers in tlscipher does not match the server. To figure out what cipher might be missing, you can use testssl.sh with the -e option, e.g. testssl.sh -e hostname:5061, to figure out what ciphers are supported.