VoIP: SIP-over-TLS and sRTP: Digium Asterisk chan_pjsip

Asterisk is an open-source project. The company Digium provides the infrastructure for contributing, even though the project competes with Digium's own products such as Switchvox. Digium treats everything in Asterisk, including non-functional aspects such as usability, security and documentation, as best-effort. A graphical frontend exists: Sangoma FreePBX. Asterisk combines several technologies via a single core engine. To reach that core, every technology with its own protocol gets its own channel driver. VoIP/SIP has two channel drivers, the older chan_sip and the newer chan_pjsip. If you want the latest, however, consider SignalWire FreeSWITCH …

Although Asterisk is a Back-to-Back User Agent (B2BUA), the example below covers only one side, the client side: the external registration at a provider. The server side is enabled by a TLS transport that additionally sets cert_file and priv_key_file.

Last tested version

13.38.0 (Parameter Guide)

Configuration

pjsip.conf:

[global]
type = global
keep_alive_interval = 0 ; seconds, TCP-PSH as keep-alive mechanism

[my_registration]
type = registration
outbound_auth = my_auth
client_uri = sip:user@host
contact_user = user
server_uri = sip:host\;transport=tls
line = yes ; required for "endpoint"
endpoint = my_endpoint ; link required for "qualify_frequency"

[my_transport_template](!)
type = transport
protocol = tls
ca_list_path = /etc/ssl/certs/
verify_server = yes
method = sslv23
cos = 3
tos = cs5

[my_transport_v4](my_transport_template)
bind = 0.0.0.0

[my_transport_v6](my_transport_template)
bind = [::]

[my_auth]
type = auth
password = password
username = user

[my_endpoint]
type = endpoint
from_domain = host
from_user = user
media_encryption = sdes
media_encryption_optimistic = yes
aors = my_aor ; link required for "qualify_frequency"
cos_audio = 5
cos_video = 4
tos_audio = ef
tos_video = af41

[my_aor]
type = aor
contact = sip:user@host
qualify_frequency = 0 ; seconds, SIP-OPTION as keep-alive mechanism

The SRTP settings above (media_encryption = sdes with media_encryption_optimistic = yes) offer RTP/AVP with crypto attributes, so SRTP is used when the peer supports it.
In the example above, you have to replace user (five times), password, and host (four times). And yes, all those settings are for one client connection.
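As an added example (not Asterisk's own code), the following Python audit parses pjsip.conf sections the way the excerpt uses them, resolving `(!)` templates and the `\;` escape in server_uri, and flags the settings that matter for the TLS and SRTP protection above: verify_server, the TLS method, and optimistic media encryption. The method values it lists are Asterisk's own option values; treating sslv23 as "no TLS 1.2 floor" is my assumption, since that value leaves version negotiation to the OpenSSL build.

```python
import re

# Constructed sample: the page's TLS transport, registration and endpoint sections, trimmed.
SAMPLE = r"""
[my_registration]
type = registration
server_uri = sip:host\;transport=tls ; '\;' keeps the ';' out of the comment
[my_transport_template](!)
type = transport
protocol = tls
verify_server = yes
method = sslv23
[my_transport_v4](my_transport_template)
[my_endpoint]
type = endpoint
media_encryption = sdes
media_encryption_optimistic = yes
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")
# method values that do not restrict the transport to TLS 1.2 or newer (assumption for sslv23)
NOT_TLS12 = {"sslv2", "sslv3", "sslv23", "tlsv1", "tlsv1_1"}

def parse_pjsip(text):
    """Return {section: {key: value}}, resolving '(!)' templates and escaped semicolons."""
    sections, templates, cur = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:  # '[name](tmpl,...)': start from the listed templates' keys, in order
            mods = [x.strip() for x in (m.group(2) or "").split(",")]
            cur = {k: v for t in mods for k, v in templates.get(t, {}).items()}
            (templates if "!" in mods else sections)[m.group(1)] = cur
        elif line and not line.startswith(";") and cur is not None:
            # drop an unescaped ';' comment, then turn the escape back into a plain ';'
            body = re.split(r"(?<!\\);", line, maxsplit=1)[0].replace("\\;", ";")
            if "=" in body:
                key, val = (p.strip() for p in body.split("=", 1))
                cur[key] = val
    return sections

def audit(sections):
    out = []  # one finding per setting that weakens signalling or media protection
    for name, s in sections.items():
        if s.get("type") == "transport" and s.get("protocol") == "tls":
            if s.get("verify_server") != "yes":
                out.append(f"{name}: verify_server != yes, server cert not checked")
            if s.get("method", "default") in NOT_TLS12:
                out.append(f"{name}: method {s['method']} allows pre-TLS1.2 versions")
        elif s.get("type") == "endpoint" and s.get("media_encryption_optimistic") == "yes":
            out.append(f"{name}: optimistic SRTP, may fall back to plain RTP")
    return out
```

Run `audit(parse_pjsip(open("/etc/asterisk/pjsip.conf").read()))` against a real file to get the same findings for every TLS transport and endpoint it defines.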

Software Bugs

DNS-NAPTR: missing, see ASTERISK-29111
IP Source Port: the SIP headers Via and Contact carry the port of bind (default 5061) instead of the actual source port of the TCP connection, see ASTERISK-29190
Mitigation: unknown; the service has to ignore that port and reuse the existing TCP connection instead

Security

Responsible Disclosure: via E-mail
Firmware Update: missing automation
Newsletter: via mailing list
