TLS support
Originally created by: pierre.w...@gmail.com
Originally owned by: r3gis...@gmail.com
What steps will reproduce the problem?
1. connect to a proxy or sip server listening for incoming connection on port 5061
What is the expected output? What do you see instead?
What version of the product are you using? On what operating system?
0.00-12-09 / Froyo 2.2 on HTC desire
Please provide any additional information below.
The ability to set the destination port for both proxy and server would allow connecting to any SIP service not listening on port 5060 (like 5061).
Originally posted by: pierre.w...@gmail.com
I took some traces and the need is not to implement 5061 but SIP-TLS on port 5061.
Originally posted by: r3gis...@gmail.com
What wizard are you using for your account?
For now, only the Expert wizard will allow you to set the port.
It should work. Just set the registrar uri to sip:domain.name:5061 and proxy server to sip:domain.name:5061.
Note : if you have an existing account, you can change the edit wizard by Editing > Menu > Choose Wizard (and then change it into an expert account). Then you'll be able to modify both registrar uri and proxy uri.
Originally posted by: r3gis...@gmail.com
Oh ok.
In the absolute the native stack has this capability. But no user interface to configure it :).
To be done !
Summary: TLS support
Owner: r3gis.3R
Labels: -Type-Defect Type-Enhancement
Status: Accepted
Originally posted by: Ingmar.S...@googlemail.com
pjsip must be compiled with the TLS option enabled. And that means pjsip is looking for openssl headers and libs. openssl is present on Android, but I am not sure how to build and link against this provided version. In the worst case you would have to provide your own copy of openssl. But I didn't dig very deep into this, so I am not sure if this would be necessary or not. You probably know better.
Furthermore, once you have pjsip with TLS capabilities (and exposed a config option to the GUI), we can also enable SRTP (media encryption). That would be a fantastic match!
TLS(SIP) + SRTP is something many people are looking for. "Vendors" like Snom, Aastra, Counterpath, etc. have implemented this already. Would be great to see it on csipsimple too.
Thanks a lot for your hard work!!
Originally posted by: r3gis...@gmail.com
Issue 241 has been merged into this issue.
Related
Tickets:
#241
Originally posted by: kumum...@googlemail.com
Even with version CSipSimple_0.00-15-10 it's not possible to use TLS.
The REGISTRATION and/or PROXY settings suffix ";transport=tls" doesn't change anything. Also the optional Port doesn't care.
Originally posted by: r3gis...@gmail.com
Indeed, for now dev builds are not built with openssl bundled in, so TLS should not work.
As it deeply increases the size of the library, I'll soon create a release branch with TLS support activated, so that you can test the feature.
Besides, options should not appear anymore in the future if the library is not present (since it could create confusion in the mind of users).
Originally posted by: marcello...@gmail.com
What is the current state of TLS support?
Originally posted by: r3gis...@gmail.com
For now, only available if you build the lib by hand, with openssl activated and MY_USE_TLS set to 1.
I didn't get time to really have a close look at the issue yet (I have to set up a SIP server on my PC with TLS activated to be able to test on and be sure that what I release is reliable).
Originally posted by: r3gis...@gmail.com
Issue 271 has been merged into this issue.
Related
Tickets:
#271
Originally posted by: r3gis...@gmail.com
0.00-15-13-tls is available to test TLS
How about settings :
First of all, you should activate TLS.
Settings > Network > Secure transport -> Enable TLS (and also maybe SRTP could be a good idea)
Then configure your TLS account :
Account > Add > Expert (you can start by a Basic and then transform it into an Expert)
Registrar URI + proxy URI : you should probably put something with sips (_s_) protocol, it will automatically choose 5061 as remote port, which should be the default on your server.
In transport you must choose TLS.
If you want secure media for SRTP mode choose optional or mandatory.
And everything then should be fine :).
Registers and calls will be done using TLS. Media will try/force (optional/mandatory) use of SRTP.
I've not yet tested TLS methods other than TLSv1 (I mean not SSLv*), nor played with sips:xxx to make calls (the UI doesn't permit that).
But at least for TLS it seems to work fine right now.
Status: Started
Originally posted by: wheresau...@lavabit.com
Thanks for setting this up and creating a locked status notification to boot! I noticed that the lock showed up whether my connection was made with TLS or not (if I had SRTP enabled). As a possible future enhancement it would be nice to differentiate between different crypto statuses.
Little mockup here:
http://i.imgur.com/oiF4n.png
Should I create a separate issue?
Originally posted by: pierre.w...@gmail.com
Excellent,
Just tested with my corporate VOIP solution and it's working.
Note : in my case I also added the s to sip (sips) account id.
Thanks a lot!
Originally posted by: mcampbel...@gmail.com
GREAT!
However, I have a non standard TLS port (ie not 5061) to connect to. I have tried putting the port I should connect to in the TLS port settings but I can not get registration.
Any tips on how I could get this to work would be great! (BTW I tested with port 5061 and it works great, but I have to use another port)
Thanks
Originally posted by: r3gis...@gmail.com
Ok for the lock icon. This icon was just the first hint ;) (it only indicates SRTP status for now). But indeed, it should indicate both SIP (control) and media encryption status. I have to think a little bit more about where and how to put it (as this part of the screen will soon be useful for multiple call management, I'll maybe choose a different approach than an icon here; maybe I'll get inspired by what browsers do with https).
Maybe the color of "SIP" under the picture can be enough to indicate for control encryption state, and picture shadow color (yellow) for the media...
Originally posted by: r3gis...@gmail.com
@mcampbellsmith : the port in TLS settings is not the right place to change the port to use on your account (that's just the local port on the client side in global settings).
To change in your account, you should just change registrar uri to something like that :
sips:your_server:8562 (where 8562 is your custom port for example)
and same thing in proxy uri.
(It makes sense : you want to change the port for this account, not for the entire app... so the setting is in the account settings ;) )
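The URI rules from the comments above (a sips: scheme or ;transport=tls selects TLS and defaults to port 5061; a custom port goes in the registrar/proxy URI), as an added Python example that is not CSipSimple or pjsip code. The function names, the `account_transport` parameter and the UDP fallback are assumptions; it checks SIP signalling only, not SRTP.

```python
import re

# RFC 3261 defaults: 5060 for sip over UDP/TCP, 5061 for SIP over TLS.
DEFAULT_PORT = {"udp": 5060, "tcp": 5060, "tls": 5061}

_SIP_URI = re.compile(
    r"^(?P<scheme>sips?):(?:[^@;]+@)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^:;\[\]]+)"
    r"(?::(?P<port>\d{1,5}))?(?P<params>(?:;[^;]*)*)$",
    re.IGNORECASE,
)

def resolve(uri, account_transport=None):
    """Return (transport, host, port, encrypted) for a registrar/proxy URI.

    account_transport models the account's "Transport" choice (hypothetical
    parameter); with nothing specified, UDP is assumed.
    """
    m = _SIP_URI.match(uri.strip())
    if not m:
        raise ValueError(f"not a SIP URI: {uri!r}")
    params = dict(
        (k.lower(), v.lower())
        for k, _, v in (p.partition("=") for p in m.group("params").split(";") if p)
    )
    transport = params.get("transport") or (account_transport or "udp").lower()
    if m.group("scheme").lower() == "sips":
        transport = "tls"  # sips always means TLS signalling
    if transport not in DEFAULT_PORT:
        raise ValueError(f"unsupported transport: {transport!r}")
    port = int(m.group("port") or DEFAULT_PORT[transport])
    return transport, m.group("host"), port, transport == "tls"

def audit_account(registrar, proxy, account_transport=None):
    """List reasons the account's SIP signalling would not be TLS-protected."""
    findings, encrypted = [], []
    for name, uri in (("registrar", registrar), ("proxy", proxy)):
        transport, _host, port, enc = resolve(uri, account_transport)
        encrypted.append(enc)
        if not enc:
            findings.append(f"{name}: signalling in clear over {transport}")
            if port == DEFAULT_PORT["tls"]:
                findings.append(f"{name}: port 5061 set but transport is not TLS")
    if len(set(encrypted)) > 1:
        findings.append("registrar and proxy disagree on TLS")
    return findings
```

Calling `audit_account("sip:domain.name:5061", "sip:domain.name:5061")` reports the situation from the start of this ticket: the TLS port is targeted while the signalling itself stays in clear.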
Originally posted by: mcampbel...@gmail.com
@r3gis.3R ... PERFECT!
Originally posted by: marcello...@gmail.com
Perfect work!!!
Originally posted by: kro...@gmail.com
Does this mean that ISPs can't tell that the connection is sip (forced neutrality?) or is the ISP able to tell it's sip, just unable to listen into the conversation?
Originally posted by: r3gis...@gmail.com
For those who want to keep up to date with TLS support :
http://nightlies.csipsimple.com/tls/
(Builds each night @ 5:01 CET)
:D
Originally posted by: r3gis...@gmail.com
Oh and @krolaw : Indeed, the ISP doesn't see it's SIP : with transport=tls it's just like https. Content is encrypted so it's impossible for anyone to detect what is on the flow.
The only thing that remains is the default port : 5061 (like 443 for https) but it can be changed.
Then to encrypt totally (not only SIP exchange but also media exchange), you can also use SRTP (or soon, thanks to Werner's contribution, ZRTP).
Media and signal (SIP control) are independent from the transport point of view. So media can be encrypted but not signalling, or the inverse, or both can be encrypted.
Originally posted by: dmitrymo...@gmail.com
Hi!
I'm trying to start CSipSimple-[r419]-tls.apk on HTC Wildfire. The client is registered when using UDP, but not when switching on TLS.
The server doesn't receive any packet; in the CSipSimple log I found the following:
D/libpjsip(11650): 15:45:33.839 pjsua_acc.c Account <sip:998@192.168.20.231> added with id 0
E/libpjsip(11650): 15:45:33.839 pjsua_acc.c Unable to generate suitable Contact header for registration: Unknown error 171060 [status=171060]
E/libpjsip(11650): 15:45:33.840 pjsua_acc.c Unable to create registration: Unknown error 171060 [status=171060]
Could you, please, tell me how to fix it?
Thank you in advance!
Related
Commit: [r419]
Originally posted by: marcello...@gmail.com
Did you enable TLS in settings -> network -> secure connection?
Originally posted by: dmitrymo...@gmail.com
No, the problem was I didn't enable it. I just didn't notice that the menu had appeared. Thank you
Originally posted by: wheresau...@lavabit.com
I've been getting force closes when I go to my SIP registration config using the TLS version.
I'm using 0.00-16 [r427] TLS; it occurs on both my Nexus One and myTouch.
Related
Commit: [r427]