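; extensions.conf (Asterisk dialplan, chan_sip): call routing that prefers TLS + sRTP
; and falls back step by step to weaker transports.
;
; Things a reader should verify against the rest of the installation:
;   - sip.conf needs autodomain=yes (CHECKSIPDOMAIN() is used to tell local from remote domains)
;   - features.conf is expected to define the dynamic features saySecurity, saySecure, testFeature
;     (presumably mapped to the macros at the bottom of this file -- confirm there)
;   - the SHELL() probe in [LocalSets] needs the 'nc' binary on the Asterisk host
;   - the trunk peer DUStel must exist in sip.conf
;
; Security notes:
;   - CHANNEL(secure_bridge_signaling)=1 / CHANNEL(secure_bridge_media)=1 request TLS / sRTP
;     for the outgoing leg; every fallback below that sets them to 0 is a deliberate downgrade.
;   - sRTP keyed via SDES over plain UDP/TCP is NOT confidential: the key travels in cleartext
;     SDP. The two places that still do it (dialVeryLast, last Dial in [Dial-prefer-sRTP]) are
;     marked and can be removed.
;   - SIPDOMAIN is attacker-influenced (caller's Request-URI, or a public ENUM/NAPTR answer);
;     it is only ever passed to a shell after being filtered to hostname characters.

[LocalSets]
; Internal phones: dial the peer via Dial-prefer-sRTP (TLS+sRTP first, then downgrade).
exten => 101,1,GoSub(Dial-prefer-sRTP,s,1(test))
exten => test,1,GoSub(Dial-prefer-sRTP,s,1(test))
exten => 105,1,GoSub(Dial-prefer-sRTP,s,1(malcolm))
exten => malcolm,1,GoSub(Dial-prefer-sRTP,s,1(malcolm))

; Codec test extensions 200-206: play two prompts in a loop with one forced codec.
; order of codecs does not matter here; order of sip.conf allow is used
exten => 200,1,NoOp()
same => n,Answer(800)
same => n,Playback(hello-world)
same => n,Playback(demo-moreinfo)
same => n,Goto(1)

exten => 201,1,Set(SIP_CODEC=alaw)
same => n,Answer(800)
same => n,Playback(hello-world)
same => n,Playback(demo-moreinfo)
same => n,Goto(1)

exten => 202,1,Set(SIP_CODEC=g722)
same => n,Answer(800)
same => n,Playback(hello-world)
same => n,Playback(demo-moreinfo)
same => n,Goto(1)

exten => 203,1,Set(SIP_CODEC=gsm)
same => n,Answer(800)
same => n,Playback(hello-world)
same => n,Playback(demo-moreinfo)
same => n,Goto(1)

; G.729A, any other Annex are not supported
exten => 204,1,Set(SIP_CODEC=g729)
same => n,Answer(800)
same => n,Playback(hello-world)
same => n,Playback(demo-moreinfo)
same => n,Goto(1)

; iLBC 30, any other rate not supported
exten => 205,1,Set(SIP_CODEC=ilbc)
; NOTE(review): Answer(800) is commented out only for this codec; Playback() answers the
; channel implicitly, so the call still works but without the 800 ms delay -- confirm intent.
; same => n,Answer(800)
same => n,Playback(hello-world)
same => n,Playback(demo-moreinfo)
same => n,Goto(1)

exten => 206,1,Set(SIP_CODEC=ulaw)
same => n,Answer(800)
same => n,Playback(hello-world)
same => n,Playback(demo-moreinfo)
same => n,Goto(1)

; Echo test with the full codec list.
exten => 600,1,Set(SIP_CODEC=ilbc,g729,gsm,g722,alaw,ulaw)
same => n,Answer(800)
same => n,Playback(demo-echotest)
same => n,Echo
same => n,Playback(demo-echodone)
same => n,Hangup()

; extension h(angup)
exten => h,1,Hangup()
; extension e(xception): Asterisk's exception handler. Note that no i(nvalid) or
; t(imeout) extension is defined in this context.
exten => e,1,Hangup()

; dus.net
; A) call phone number if no ENUM
; B) call dus.net internally
; copied from Asterisk - The Definitive Guide, 4th Edition, page 313
;
; E.164 numbers: look the number up in ENUM (e164.arpa, then e164.org). On a hit the
; returned user@host is split and re-dispatched as a SIP URI (buildSIP-URI); otherwise
; the number goes out via the DUStel trunk with TLS+sRTP requested.
exten => _+Z.,1,NoOp()
same => n,Set(__DYNAMIC_FEATURES=saySecurity#testFeature)
; digits only: strips the leading + and anything else before the number reaches the trunk
same => n,Set(myFilteredExtension=${FILTER(0-9,${EXTEN})})
same => n,Set(myLookupExtension=${ENUMLOOKUP(${myFilteredExtension},sip,,1,e164.arpa)})
same => n,GotoIf($[${EXISTS(${myLookupExtension})}]?buildSIP-URI)
same => n,Set(myLookupExtension=${ENUMLOOKUP(${myFilteredExtension},sip,,1,e164.org)})
same => n,GotoIf($[${EXISTS(${myLookupExtension})}]?buildSIP-URI)
same => n,Set(CHANNEL(secure_bridge_signaling)=1)
same => n,Set(CHANNEL(secure_bridge_media)=1)
same => n,Set(SIP_CODEC=ilbc,alaw,ulaw) ; hack to avoid non-audio connections
same => n,Dial(SIP/+${myFilteredExtension}@DUStel)
same => n,Hangup()
same => n(buildSIP-URI),NoOp()
; NOTE(review): both parts come from public DNS (unauthenticated unless DNSSEC is enforced).
; SIPDOMAIN is the host part; the user part is used as an extension in THIS context, so a
; crafted NAPTR answer can land on any extension defined here (e.g. the 2xx/600 test
; extensions). The remote-SIPDOMAIN check in the SIP-URI extension and in Dial-prefer-sRTP
; limits what that can reach; consider a dedicated context if this is a concern.
same => n,Set(SIPDOMAIN=${CUT(myLookupExtension,@,2)})
same => n,Set(myLookupExtension=${CUT(myLookupExtension,@,1)})
same => n,Goto(${myLookupExtension},1)
same => n,Hangup()

; dus.net internal numbers: digits only, straight to the DUStel trunk with TLS+sRTP requested.
exten => _000387.,1,NoOp()
same => n,Set(__DYNAMIC_FEATURES=saySecurity#testFeature)
same => n,Set(CHANNEL(secure_bridge_signaling)=1)
same => n,Set(CHANNEL(secure_bridge_media)=1)
same => n,Dial(SIP/${FILTER(0-9,${EXTEN})}@DUStel)

; SIP URI
; we ignore DNS-NAPTR and directly go for TLS via DNS-SRV
; we ignore wrong DNS-SRV like _sips._tls or _sip._tls; and go for _sips._tcp
; rationale 1: Asterisk does not support those via Dial natively.
; rationale 2: if I extract the server address from the SRV lookup manually, we
; connect to the wrong server address (hostname matching of certificate might fail)
; the dialplan checks, if we lost any TLS connection because of this not-handling and gives a note
; if DNS-SRV is missing for TLS, we probe port 5061
; best-practice rule because too many domains have no or missing DNS-SRV
; if TLS is not available but TCP *requires* sRTP, we jump to UDP
; TCP+sRTP does not give any added security, because the key is transferred via SIP/SDP (SDES)
; and SDP is not encrypted in TCP. This case is a server misconfiguration, therefore we proceed with UDP.
; if DNS-SRV is missing for TCP, we go for UDP
; probing port 5060 would make this script more complex, but a call not more secure
;
; Downgrade ladder (each step is entered via HANGUPCAUSE of the previous Dial):
;   TLS+sRTP (SRV)  -> TLS (SRV)           -> TCP (SRV) -> UDP -> UDP+sRTP(SDES, keys in clear)
;   TLS+sRTP (5061) -> TLS (5061)          -> TCP (SRV) -> ...
; HANGUPCAUSE 58 / 127 / 18 are the values observed from the clients listed in
; [Dial-prefer-sRTP]; they are not an exhaustive "peer rejected encryption" set.
exten => _[0-9a-zA-Z].,1,NoOp()
; only remote domains are handled here; a local domain that reached this pattern is an unknown extension
same => n,GotoIf($["${CHECKSIPDOMAIN(${SIPDOMAIN})}" = ""]?continue) ; requires autodomain in sip.conf
same => n,Congestion()
same => n(continue),NoOp()
same => n,Verbose(0, SIP URI dialing .)
same => n,Set(__DYNAMIC_FEATURES=saySecurity#testFeature)
same => n,Set(myFilteredExtension=${EXTEN})
same => n,Set(myID=${SRVQUERY(_sips._tcp.${SIPDOMAIN})})
same => n,GotoIf($["${myID}" = ""]?dialOverTLSnoSRV)
same => n,Set(CHANNEL(secure_bridge_signaling)=1)
same => n,Set(CHANNEL(secure_bridge_media)=1)
same => n,Dial(SIP/${myFilteredExtension}::::tls@${SIPDOMAIN}) ; TLS, DNS-SRV: yes, sRTP: yes
same => n,GotoIf($["${HANGUPCAUSE}" = "58"]?dialOverTLSnoSRTP)
same => n,GotoIf($["${HANGUPCAUSE}" = "127"]?dialOverTLSnoSRTP)
same => n,GotoIf($["${HANGUPCAUSE}" = "18"]?dialOverTCP)
same => n,Hangup()
same => n(dialOverTLSnoSRTP),NoOp()
same => n,Set(CHANNEL(secure_bridge_signaling)=1)
same => n,Set(CHANNEL(secure_bridge_media)=0)
same => n,Dial(SIP/${myFilteredExtension}::::tls@${SIPDOMAIN}) ; TLS, DNS-SRV: yes, sRTP: no
same => n,GotoIf($["${HANGUPCAUSE}" = "58"]?dialOverTCP)
same => n,GotoIf($["${HANGUPCAUSE}" = "18"]?dialOverTCP)
same => n,Hangup()
same => n(dialOverTLSnoSRV),NoOp()
; No SRV record: probe TCP/5061 (3 s timeout) before trying TLS there, so a host without a
; TLS listener does not stall the call. SIPDOMAIN must never reach SHELL() unfiltered:
; restrict it to hostname characters and skip the probe (same path as "probe failed") when
; anything was stripped -- such a value is not a valid hostname anyway. A bracketed IPv6
; literal is refused by this check too and therefore falls through to the TCP branch.
same => n,Set(myProbeHost=${FILTER(-a-zA-Z0-9.,${SIPDOMAIN})})
same => n,GotoIf($[${LEN(${myProbeHost})} != ${LEN(${SIPDOMAIN})}]?dialOverTCP)
same => n,Set(myID=${SHELL(nc -z -w3 ${myProbeHost} 5061\; echo $?)})
; keep the digits of the exit status; anything but 0 (refused, timeout, nc missing) means "no TLS listener"
same => n,Set(myID=${FILTER(0-9,${myID})})
same => n,GotoIf($["${myID}" != "0"]?dialOverTCP)
same => n,Set(CHANNEL(secure_bridge_signaling)=1)
same => n,Set(CHANNEL(secure_bridge_media)=1)
same => n,Dial(SIP/${myFilteredExtension}::::tls@${SIPDOMAIN}:5061) ; TLS, DNS-SRV: no, sRTP: yes
same => n,GotoIf($["${HANGUPCAUSE}" = "58"]?dialOverTLSnoSRVnoSRTP)
same => n,GotoIf($["${HANGUPCAUSE}" = "127"]?dialOverTLSnoSRVnoSRTP)
same => n,GotoIf($["${HANGUPCAUSE}" = "18"]?dialOverTCP)
same => n,Hangup()
same => n(dialOverTLSnoSRVnoSRTP),NoOp()
same => n,Set(CHANNEL(secure_bridge_signaling)=1)
same => n,Set(CHANNEL(secure_bridge_media)=0)
same => n,Dial(SIP/${myFilteredExtension}::::tls@${SIPDOMAIN}:5061) ; TLS, DNS-SRV: no, sRTP: no
same => n,GotoIf($["${HANGUPCAUSE}" = "58"]?dialOverTCP)
same => n,GotoIf($["${HANGUPCAUSE}" = "18"]?dialOverTCP)
same => n,Hangup()
same => n(dialOverTCP),NoOp()
; Log (but do not use, see rationale above) the non-standard TLS SRV names so an operator
; can see when a TLS endpoint was missed only because of the wrong SRV label.
same => n,Set(myID=${SRVQUERY(_sips._tls.${SIPDOMAIN})})
same => n,ExecIf($[${EXISTS(${myID})}]?Verbose(0, NOTICE TLS could have been reached via _sips._tls.${SIPDOMAIN}))
same => n,Set(myID=${SRVQUERY(_sip._tls.${SIPDOMAIN})})
same => n,ExecIf($[${EXISTS(${myID})}]?Verbose(0, NOTICE TLS could have been reached via _sip._tls.${SIPDOMAIN}))
same => n,Set(myID=${SRVQUERY(_sip._tcp.${SIPDOMAIN})})
same => n,GotoIf($["${myID}" = ""]?dialOverUDP)
same => n,Set(CHANNEL(secure_bridge_signaling)=0)
same => n,Set(CHANNEL(secure_bridge_media)=0)
same => n,Dial(SIP/${myFilteredExtension}::::tcp@${SIPDOMAIN}) ; TCP, DNS-SRV: yes
same => n,GotoIf($["${HANGUPCAUSE}" = "58"]?dialOverUDP)
same => n,GotoIf($["${HANGUPCAUSE}" = "18"]?dialOverUDP)
same => n,Hangup()
same => n(dialOverUDP),NoOp()
same => n,Set(CHANNEL(secure_bridge_signaling)=0)
same => n,Set(CHANNEL(secure_bridge_media)=0)
same => n,Dial(SIP/${myFilteredExtension}@${SIPDOMAIN}) ; UDP, DNS-SRV: preferred
same => n,GotoIf($["${HANGUPCAUSE}" = "58"]?dialVeryLast)
same => n,Hangup()
same => n(dialVeryLast),NoOp()
; Last resort for peers that insist on sRTP over plain UDP. The SDES key is sent in cleartext
; SDP here, so this adds no confidentiality; remove this label if that is not acceptable.
same => n,Set(CHANNEL(secure_bridge_signaling)=0)
same => n,Set(CHANNEL(secure_bridge_media)=1)
same => n,Dial(SIP/${myFilteredExtension}@${SIPDOMAIN}) ; UDP, DNS-SRV: preferred, sRTP yes
same => n,Hangup()

[macro-say-security]
; calls with Asterisk as TLS client (remote call)
; Reads the peer channel's TLS verification class and result aloud to the user.
; NOTE(review): secure_bridge_signaling_verify_class / _verify_result are not standard
; CHANNEL() items; presumably provided by a local chan_sip patch -- confirm.
exten => s,1,Playback(silence/1) ; wait a second, user turns phone to head
same => n,Playback(security)
; DIALEDPEERNAME is not set on both parties, therefore we use BRIDGEPEER
same => n,SayNumber(${IMPORT(${BRIDGEPEER},CHANNEL(secure_bridge_signaling_verify_class))})
same => n,Playback(status)
same => n,SayNumber(${IMPORT(${BRIDGEPEER},CHANNEL(secure_bridge_signaling_verify_result))})
same => n,Playback(by)

[macro-say-secure]
; calls within Asterisk (local call)
; Announces "secure" only if BOTH legs report secure signaling AND secure media;
; any single failing check announces "security is off".
exten => s,1,Playback(silence/1) ; wait a second, user turns phone to head
same => n,GotoIf($["${CHANNEL(secure_signaling)}" != "1"]?unsecure)
same => n,GotoIf($["${CHANNEL(secure_media)}" != "1"]?unsecure)
same => n,GotoIf($["${IMPORT(${BRIDGEPEER},CHANNEL(secure_signaling))}" != "1"]?unsecure)
same => n,GotoIf($["${IMPORT(${BRIDGEPEER},CHANNEL(secure_media))}" != "1"]?unsecure)
same => n(secure),NoOp()
same => n,Playback(call)
same => n,Playback(is)
same => n,Playback(ha/secure)
same => n,Goto(break)
same => n(unsecure),NoOp()
same => n,Playback(security)
same => n,Playback(is)
same => n,Playback(off)
same => n,Goto(break)
same => n(break),NoOp()

[Print-SIP-Hangup-Cause]
; for debugging various SIP clients
; Logs the technology-specific hangup cause of the channels that reported one.
; ARG1 is the dialed peer name, used only for the log line.
exten => s,1,NoOp()
; HANGUPCAUSE_KEYS() is empty when no channel reported a cause. Do not wrap it in quotes:
; LEN() counts its argument literally, so LEN("") is 2 and the empty case was never detected.
same => n,GotoIf($[${LEN(${HANGUPCAUSE_KEYS()})} = 0]?hop:list)
same => n(list),NoOp()
same => n,Verbose(0, ${ARG1}@${SIPDOMAIN} said: "${HANGUPCAUSE(${HANGUPCAUSE_KEYS()},tech)}, Asterisk ${HANGUPCAUSE}")
same => n(hop),Return()

[Dial-prefer-sRTP]
; requires TLS for sRTP because some clients give
; status 'media encrypted' even via UDP or TCP. We
; do not want to give false indications. If you are
; a fan of security-by-obscurity, comment the first
; 'secure_bridge_signaling' line. Then sRTP is
; OK not only via TLS, but UDP and TCP, as well.
;
; ARG1: local peer name to dial. Returns without dialing when SIPDOMAIN is not one of
; our own domains, so this subroutine cannot be used to reach local peers from a
; remote-domain request (this is also what protects the [default] context below).
exten => s,1,NoOp()
same => n,GotoIf($["${CHECKSIPDOMAIN(${SIPDOMAIN})}" = ""]?break) ; requires autodomain in sip.conf
same => n,Verbose(0, SIP Extension dialing <${ARG1}@${SIPDOMAIN}>.)
same => n,Set(__DYNAMIC_FEATURES=saySecure#testFeature)
same => n,Set(CHANNEL(secure_bridge_signaling)=1) ; TLS required; UDP, TCP not OK
same => n,Set(CHANNEL(secure_bridge_media)=1)
same => n,Dial(SIP/${ARG1})
same => n,GoSub(Print-SIP-Hangup-Cause,s,1(${ARG1}))
; call got rejected, client configured for TLS/sRTP?
same => n,GotoIf($["${HANGUPCAUSE}" = "58"]?continue) ; SIP status 488 (Counterpath Bria, CSipSimple)
same => n,GotoIf($["${HANGUPCAUSE}" = "127"]?continue:break) ; SIP status 415 (Linphone)
same => n(continue),NoOp()
same => n,Verbose(0, ${ARG1}@${SIPDOMAIN} rejected sRTP, trying again unencrypted)
same => n,Set(CHANNEL(secure_bridge_media)=0)
same => n,Set(CHANNEL(secure_bridge_signaling)=0) ; UDP, TCP, TLS; all OK
same => n,Dial(SIP/${ARG1})
same => n,GotoIf($["${HANGUPCAUSE}" != "58"]?break) ; SIP status 488 (Counterpath Bria, CSipSimple)
same => n,Verbose(0, ${ARG1}@${SIPDOMAIN} rejected RTP, trying again unencrypted (displayed status might false))
same => n,Set(CHANNEL(secure_bridge_media)=1)
same => n,Set(CHANNEL(secure_bridge_signaling)=0)
; CounterPath Bria (Encrypt Audio: Always; as of version 3.1.3) and
; CSipSimple (SRTP mode: Mandatory; as of version 1.02)
; allow to force sRTP even via the UDP without TLS. This does not add any security.
; Furthermore, these apps display 'call media encrypted' in such a case.
; If you do not want to support this, comment or remove the following line:
same => n,Dial(SIP/${ARG1})
same => n,Hangup()
same => n(break),Return()

[default]
; Context where unauthenticated/guest SIP calls typically land (sip.conf context= / allowguest).
; Keep it minimal: only 'malcolm' is reachable, and Dial-prefer-sRTP refuses non-local SIPDOMAIN.
exten => malcolm,1,GoSub(Dial-prefer-sRTP,s,1(${EXTEN}))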