VoIP: SIP-over-TLS and sRTP: Digium Asterisk chan_sip

Asterisk is an open-source project. The company Digium provides the infrastructure to contribute, although it competes with products like Switchvox. In Asterisk, that company treats everything, even non-functional features like software usability, software security, and documentation, as best-effort. Asterisk combines several technologies via a single core engine. To access that core, every technology with its own protocol gets its own channel driver. VoIP/SIP got two channel drivers, the older chan_sip and the newer chan_pjsip …

Although Asterisk is a Back-to-Back User Agent (B2BUA), the example below shows only one of the two sides, the client side: the external registration at a provider. For the server side, set tlsenable = yes and tlscertfile as well.

Last tested version

13.38.0

Configuration

sip.conf:

[general]
; optional stuff:
bindaddr  = [::]
session-timers=originate
tos_video = af41
tos_audio = ef
tos_sip   = cs5
tlscipher = DEFAULT@SECLEVEL=2
; mandatory stuff:
tlscapath  =  /etc/ssl/certs/
register   => tls://user:password@host/user
encryption =  yes

encryption = yes offers the media as RTP/SAVP (SRTP). If RTP/SAVP is rejected with a 488 (Not Acceptable Here), RTP/AVP is possible via Set(CHANNEL(secure_bridge_media)=0) in the extensions.conf.
In the example above, replace user (twice), password, and host.
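As an added example (not part of this page or of Asterisk itself), a small Python audit that parses the [general] section of a sip.conf like the one above and flags settings that would weaken the TLS/SRTP client setup; the sample config is constructed, and the tlscafile and tlsdontverifyserver option names are assumed from chan_sip's own sip.conf options.

```python
import re

# Constructed sample sip.conf: the settings from the page plus one weak line.
SAMPLE_SIP_CONF = """\
[general]
tlscipher = DEFAULT@SECLEVEL=2
tlscapath  =  /etc/ssl/certs/
register   => tls://user:password@host/user
encryption =  yes
tlsdontverifyserver = yes   ; weak: skips certificate validation
"""

def parse_general(text):
    """Return [general] as a dict of lowercased keys; 'register' repeats, so it is a list."""
    settings, section = {"register": []}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        m = re.match(r"([^=\s]+)\s*=>?\s*(.*)$", line)  # key = value / key => value
        if section != "general" or not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "register":
            settings[key].append(value)
        else:
            settings[key] = value
    return settings

def audit(text):
    """Return findings on the TLS/SRTP client settings; an empty list means OK."""
    g = parse_general(text)
    findings = []
    for reg in g["register"]:
        if not reg.lower().startswith("tls://"):
            findings.append("register does not use tls://: " + reg)
    if g.get("encryption", "no").lower() != "yes":
        findings.append("encryption is not yes: media would be RTP/AVP, not RTP/SAVP")
    if "tlscapath" not in g and "tlscafile" not in g:
        findings.append("no tlscapath/tlscafile: the provider certificate cannot be verified")
    if g.get("tlsdontverifyserver", "no").lower() == "yes":
        findings.append("tlsdontverifyserver=yes disables certificate validation")
    m = re.search(r"SECLEVEL=(\d)", g.get("tlscipher", ""))
    if m and int(m.group(1)) < 2:
        findings.append("tlscipher SECLEVEL below 2 permits weak cipher suites")
    return findings
```

Run audit() over the real /etc/asterisk/sip.conf contents; the sample above yields exactly one finding, for the constructed tlsdontverifyserver line.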

Software Bugs

DNS NAPTR: missing
SIP keep-alive: no way found to send keep-alive packets as a client, see ASTERISK-22750
Mitigation: lower the TCP keep-alive timeout system-wide, for example under Linux via
sudo sysctl -w net.ipv4.tcp_keepalive_time=295
Source port: the SIP headers Via and Contact carry not the actual source port but the port of tlsbindaddr (default 5061), see ASTERISK-29190
Mitigation: unknown; the service has to ignore that port and re-use the existing TCP connection instead

Security

Responsible disclosure: via e-mail
Firmware update: automation missing
Newsletter: via mailing list
