
List:       asterisk-users
Subject:    Re: [asterisk-users] Questions about sRTP
From:       Matthew Jordan <mjordan () digium ! com>
Date:       2013-06-21 1:57:30
Message-ID: CAN2PU+7bagahHEWHgPqJrjn34JggWt3x0DeCPohQMaRAB0O0qw () mail ! gmail ! com



On Thu, Jun 20, 2013 at 5:10 PM, Mike Diehl <mdiehlenator@gmail.com> wrote:

>
>
> On Thu, Jun 20, 2013 at 2:05 PM, Joshua Colp <jcolp@digium.com> wrote:
>
>> Mike Diehl wrote:
>>
>>> Hi all,
>>>
>>> I'm getting ready to set up SIP/TLS and SRTP.  But I have a few
>>> questions.  The first one is that I was reading an article at:
>>>
>>> https://supportforums.cisco.com/docs/DOC-15381
>>>
>>> That indicated that Asterisk doesn't support TLS as an OPTIONAL
>>> transport.  It's either all or nothing.  Specifically, this is what it
>>> said:
>>>
>>
>> Your statement is incorrect. Asterisk supports TLS as an optional
>> signaling transport (although if you do SDES SRTP without it then someone
>> can snoop on your keys and ultimately decrypt your media).
>>
>> What it does not support is optional *SRTP*. If a device requests SRTP
>> and it's not possible, the call will fail.
>>
>>
> So then, is it safe to say that Asterisk will ALLOW a secure phone call,
> but the client has to REQUEST it?
>
> I understand that requesting SRTP without SIP/TLS is evil; I just
> misunderstood what I was reading.
>
> I'm also thinking that the AGI script I use to route calls can check if
> either leg of a call comes from or goes to port 5061 and play a sound file
> to indicate that the call is 'secure.'  Does this seem reasonable?
>
>
You can query a channel using the CHANNEL function (
https://wiki.asterisk.org/wiki/display/AST/Function_CHANNEL) to see if the
channel currently supports secure communication, and you can request that
the outbound channel be made secure using the same function.

An example of doing this is on the wiki:

https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics

-- 
Matthew Jordan
Digium, Inc. | Engineering Manager
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
Check us out at: http://digium.com & http://asterisk.org
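As an added illustration of the reply above (this is not Matthew's code and not the wiki page's), here is an extensions.conf fragment that does both halves of what he describes: it reads the inbound leg's actual TLS and SRTP state from the CHANNEL function instead of inferring it from port 5061, plays a status prompt, and then requires a secure outbound leg before dialing. The context name and the two custom prompt files are assumptions.

```ini
[secure-calls]
; Inbound leg: ask the channel itself whether signaling (TLS) and media (SRTP)
; are secure. Both must be 1; TLS without SRTP still sends media in the clear,
; and SDES SRTP without TLS exposes the keys in the SDP (see Joshua's caveat).
; The comparison is quoted so a channel type that returns nothing does not
; produce an empty expression.
exten => _X.,1,NoOp(Signaling secure: ${CHANNEL(secure_signaling)} Media secure: ${CHANNEL(secure_media)})
 same => n,GotoIf($["${CHANNEL(secure_signaling)}" = "1" & "${CHANNEL(secure_media)}" = "1"]?secure:insecure)
; custom/call-not-secure and custom/call-secure are assumed custom prompts,
; not sound files shipped with Asterisk.
 same => n(insecure),Playback(custom/call-not-secure)
 same => n,Goto(dial)
 same => n(secure),Playback(custom/call-secure)
; Outbound leg: request TLS signaling and SRTP on the channel that Dial creates.
; As the thread notes, if the callee cannot do SRTP the call fails rather than
; silently falling back to plain RTP.
 same => n(dial),Set(CHANNEL(secure_bridge_signaling)=1)
 same => n,Set(CHANNEL(secure_bridge_media)=1)
 same => n,Dial(SIP/${EXTEN},30)
 same => n,Hangup()
```

Checking the channel state this way also covers the case Mike's port-5061 heuristic misses: a call that arrived over TLS but negotiated no SRTP.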
