TLS trouble

[jrosetto]

I have TLS configured on FusionPBX 4.5.13 and am able to register an extension using the protocol. The PBX is in the cloud behind NAT and the phone is in a different network behind NAT. I am able to get the phone to send and receive calls unencrypted on port 5060 but unable to send or receive calls over 5061 TLS. Also BLF doesn't seem to be working over TLS.

Is the NAT on both sides causing the issue?

Any suggestions on things I could try to get it working?

 

[ad5ou]

What type of phones? what type of certificates are in use?

 

[jrosetto]

Happy to see a response.

Currently tried fanvil. If it makes a difference I can test yealink, Cisco, and polycom.

I am using LetsEncrypt through the script provided by FusionPBX.

 

[ad5ou]

I don't know Fanvil, but as long as "verify certificates" or which ever wording depending on phone is turned off, the letsencrypt certs work fine as long as they are current.
The script for letsencrypt will generate/copy the certs to Freeswitch folder on the first run, but cert renewals do not update the files in /etc/freeswitch/tls. So if the certs were first install more than 3 months ago, your certs freeswitch uses are probably expired.

The only other thing to check is the dial string in default settings/config.lua
{sip_invite_domain=${domain_name},leg_timeout=${call_timeout},rtp_secure_media=${regex(${sofia_contact(${dialed_user}@${dialed_domain})}|transport=tls)},presence_id=${dialed_user}@${dialed_domain}}${sofia_contact(*/${dialed_user}@${dialed_domain})}
The above dial string is added to /etc/fusionpbx/config.lua if the default setting is enabled, you run "upgrade>app defaults" and the config.lua is owned by www-data

 

[kostasr]

Hi ad5ou,

your posts are always very helpful.

My FusionPBX version is:
4.5.10,
Branch: master
Commit: 1f7c6304d57370816790d21d75cd4543e74ebc95
Origin: https://github.com/fusionpbx/fusionpbx
Status: Your branch is up-to-date with 'origin/master'. +207 days ago
Switch version: 1.10.1 (64bit)

In this version, in the Default Settings I do not have config.lua. I located the dial_string under the Domain category.
So, I inserted the rtp_secure_media parameter in the dial_string of Default Settings/Domain and enabled it.

But it has no effect. As I see in /var/cache/fusionpbx the dial_string in the directory entries does not take in account the above setting.

The only way I have managed to enable SRTP when calling a registered extension is by setting the dial_string parameter of the specific extension in Account / Extensions [ADVANCED]
I use the same value as you:
{sip_invite_domain=${domain_name},leg_timeout=${call_timeout},rtp_secure_media=${regex(${sofia_contact(${dialed_user}@${dialed_domain})}|transport=tls)},presence_id=${dialed_user}@${dialed_domain}}${sofia_contact(*/${dialed_user}@${dialed_domain})}

Do you think I should try a FusionPBX upgrade ?
Which version are you using ?

 

[ad5ou]

/etc/fusionpbx/config.lua has to be writable by www-data user for the dial string in default settings to be used.

Assuming Debian install, chown -R www-data:www-data /etc/fusionpbx
Edit the dial string in default settings.
Reload default settings
Then go to Adanced>upgrade and select “app defaults” to write the new dial string in /etc/fusionpbx/config.lua

You should also consider upgrading your Fusionpbx. Quite a few improvements in past 207 days.

I normally upgrade every 30-60 days after continuing education meetings.

 

[kostasr]

Hi ad5ou,

thank you for your help. After changing the permissions of /etc/fusionpbx/config.lua, it was possible to be updated with the dial_string.

Regarding the upgrade, you are right, it is a good thing. When I upgraded from 4.5.10 to 4.5.13 I noticed a few menu choices missing in the Advanced menu:

Advanced/Adminer. Do you know if it has been removed for security reasons ? I was able to add it from the older version although without auto_login

The editors are missing from the Advanced menu: Grammar Editor, PHP Editor, Provision Editor, Script Editor, XML Editor.
Can they be installed separately or they have been removed for security reasons ?

 

[ad5ou]

https://www.pbxforums.com/threads/provisioning-editor-missing.3769/#post-13320

 

[jrosetto]

I don't know Fanvil, but as long as "verify certificates" or which ever wording depending on phone is turned off, the letsencrypt certs work fine as long as they are current.
The script for letsencrypt will generate/copy the certs to Freeswitch folder on the first run, but cert renewals do not update the files in /etc/freeswitch/tls. So if the certs were first install more than 3 months ago, your certs freeswitch uses are probably expired.

The only other thing to check is the dial string in default settings/config.lua
{sip_invite_domain=${domain_name},leg_timeout=${call_timeout},rtp_secure_media=${regex(${sofia_contact(${dialed_user}@${dialed_domain})}|transport=tls)},presence_id=${dialed_user}@${dialed_domain}}${sofia_contact(*/${dialed_user}@${dialed_domain})}
The above dial string is added to /etc/fusionpbx/config.lua if the default setting is enabled, you run "upgrade>app defaults" and the config.lua is owned by www-data

Sorry for the delayed response, was on vacation then playing catchup until now. I have two questions.

If I enable the dialstring you provided will phones that aren't configured for encryption yet still work?

Also I am using a letsencrypt cert but am within the 90 days. How should I combat the fact that it doesn't copy the new certs to freeswitch on renewal?

I just moved from Asterisk and will say I am loving freeswitch so far but have a lot to learn still.

 

[jrosetto]

Decided to make the plunge and see what happens. Register a yealink over TLS and it registers fine. Now it seems that my blf lights are working properly and I am able to make outgoing calls.

I am still unable to receive inbound calls over TLS.

If it makes a difference I am using multiple_registrations on the extension.

Any suggestions or troubleshooting steps I can take to narrow down where the issue is?

 

[jrosetto]

One more update.

On yealink if I set RTP Encryption(SRTP) = disabled it works fine, but when I set it to compulsory it incoming calls don't work. Are there additional steps to get SRTP working on top of TLS?

 

[Starblazer]

same issue over here.

yealink, obihai, cisco, inbound doesn't work

 

[jrosetto]

@Starblazer

Would love someone to chime in that has this working. At this point I have the signaling encrypted but not the media which is better than nothing, but not what I want.