Asterisk 1.8 + TLS + Ubuntu 10.04
I have Asterisk 1.8
I set up TLS following this guide
http://www.sipring.ru/overview/asterisk- ... ?showall=1
but the clients just won't connect
error 503
over UDP and TCP everything connects fine
the ports are open
in sip.conf
Code:
[20000]
type=friend
secret=xxxxxxxx
qualify=yes
nat=yes
host=dynamic
canreinvite=no
context=office
transport=tls

[general]
tlsenable=yes
tlscertfile=/etc/asterisk/ssl/asterisk.crt
I opened TCP ports 5061 5060 5062 5063 in iptables
in short, everything is by the guide, and still nothing
telnet host 5061 doesn't connect
so asterisk isn't opening the port for TLS =-(((
I specified
tlsbindaddr=xxx.xxx.xxx.xxx:5061
and the port is still silent
help me, people, I really need this
Thanks in advance, everyone
Last edited by elected on Sun Nov 07, 2010 02:39
Or not at startup, but rather module unload chan_sip.so ; module load chan_sip.so
What does sudo netstat -alnp | grep /asterisk print?
tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN 4507/asterisk
tcp 0 0 0.0.0.0:5060 0.0.0.0:* LISTEN 4507/asterisk
udp 0 0 0.0.0.0:5000 0.0.0.0:* 4507/asterisk
udp 0 0 0.0.0.0:2727 0.0.0.0:* 4507/asterisk
udp 0 0 0.0.0.0:4520 0.0.0.0:* 4507/asterisk
udp 0 0 0.0.0.0:5060 0.0.0.0:* 4507/asterisk
udp 0 0 0.0.0.0:4569 0.0.0.0:* 4507/asterisk
unix 2 [ ACC ] STREAM LISTENING 501280 4507/asterisk /var/run/asterisk/asterisk.ctl
Verbosity is at least 6
Core debug is at least 5
asterisk*CLI> module load chan_sip.so
Loaded chan_sip.so
SIP channel loading...
== Parsing '/etc/asterisk/sip.conf': == Found
== Parsing '/etc/asterisk/users.conf': == Found
== SIP Listening on 0.0.0.0:5060
== Using SIP CoS mark 4
== Parsing '/etc/asterisk/sip_notify.conf': == Found
== Registered channel type 'SIP' (Session Initiation Protocol (SIP))
== Registered RTP glue 'SIP'
== Registered application 'SIPDtmfMode'
== Registered application 'SIPAddHeader'
== Registered application 'SIPRemoveHeader'
== Registered custom function 'SIP_HEADER'
== Registered custom function 'SIPPEER'
== Registered custom function 'SIPCHANINFO'
== Registered custom function 'CHECKSIPDOMAIN'
== Manager registered action SIPpeers
== Manager registered action SIPshowpeer
== Manager registered action SIPqualifypeer
== Manager registered action SIPshowregistry
== Manager registered action SIPnotify
Loaded chan_sip.so => (Session Initiation Protocol (SIP))
asterisk*CLI>
enable tcpenable=yes
And if that doesn't help, once again:
egrep -v '^\s*(;|$)' sip.conf
asterisk -rx 'sip show settings'
Quote:
enable tcpenable=yes

I turned it on and off
it doesn't help, the TLS port still doesn't open
Code:
[20000]
type=friend
secret=xxxxx
qualify=yes
nat=yes
host=dynamic
canreinvite=no
context=office
srtpcapable=yes
transport=tls

[999]
type=friend
secret=xxxxxx
qualify=yes
nat=yes
host=dynamic
canreinvite=no
context=gategsm

[20100]
type=friend
secret=xxxxx
qualify=yes
nat=yes
host=dynamic
canreinvite=no
context=office
srtpcapable=yes
transport=tls

[general]
context=default                 ; Default context for incoming calls
tcpenable=yes
tcpbindaddr=0.0.0.0
srtpcapable=yes
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/ssl/asterisk.crt
allowoverlap=no                 ; Disable overlap dialing support. (Default is yes)
udpbindaddr=0.0.0.0             ; IP address to bind UDP listen socket to (0.0.0.0 binds to all)
srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls

[authentication]

[basic-options](!)              ; a template
dtmfmode=rfc2833
context=from-office
type=friend

[natted-phone](!,basic-options) ; another template inheriting basic-options
nat=yes
directmedia=no
host=dynamic

[public-phone](!,basic-options) ; another template inheriting basic-options
nat=no
directmedia=yes

[my-codecs](!)                  ; a template for my preferred codecs
disallow=all
allow=ilbc
allow=g729
allow=gsm
allow=g723
allow=ulaw

[ulaw-phone](!)                 ; and another one for ulaw-only
disallow=all
allow=ulaw
Code:
root@asterisk:/home/elected# sudo netstat -alnp | grep /asterisk
tcp        0      0 0.0.0.0:2000            0.0.0.0:*               LISTEN      13844/asterisk
tcp        0      0 0.0.0.0:5060            0.0.0.0:*               LISTEN      13844/asterisk
udp        0      0 0.0.0.0:5000            0.0.0.0:*                           13844/asterisk
udp        0      0 0.0.0.0:2727            0.0.0.0:*                           13844/asterisk
udp        0      0 0.0.0.0:4520            0.0.0.0:*                           13844/asterisk
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           13844/asterisk
udp        0      0 0.0.0.0:4569            0.0.0.0:*                           13844/asterisk
unix  2      [ ACC ]     STREAM     LISTENING     524197   13844/asterisk      /var/run/asterisk/asterisk.ctl
Code:
root@asterisk:/etc/asterisk# asterisk -rx 'sip show settings'

Global Settings:
----------------
UDP Bindaddress:        0.0.0.0:5060
TCP SIP Bindaddress:    0.0.0.0:5060
TLS SIP Bindaddress:    0.0.0.0:0
Videosupport:           No
Textsupport:            No
Ignore SDP sess. ver.:  No
AutoCreate Peer:        No
Match Auth Username:    No
Allow unknown access:   Yes
Allow subscriptions:    Yes
Allow overlap dialing:  No
Allow promsic. redir:   No
Enable call counters:   No
SIP domain support:     No
Realm. auth:            No
Our auth realm          asterisk
Use domains as realms:  No
Call to non-local dom.: Yes
URI user is phone no:   No
Always auth rejects:    Yes
Direct RTP setup:       No
User Agent:             Asterisk PBX 1.8.0
SDP Session Name:       Asterisk PBX 1.8.0
SDP Owner Name:         root
Reg. context:           (not set)
Regexten on Qualify:    No
Caller ID:              asterisk
From: Domain:
Record SIP history:     Off
Call Events:            Off
Auth. Failure Events:   Off
T.38 support:           No
T.38 EC mode:           Unknown
T.38 MaxDtgrm:          -1
SIP realtime:           Disabled
Qualify Freq :          60000 ms
Q.850 Reason header:    No

Network QoS Settings:
---------------------------
IP ToS SIP:             CS0
IP ToS RTP audio:       CS0
IP ToS RTP video:       CS0
IP ToS RTP text:        CS0
802.1p CoS SIP:         4
802.1p CoS RTP audio:   5
802.1p CoS RTP video:   6
802.1p CoS RTP text:    5
Jitterbuffer enabled:   No
Jitterbuffer forced:    No
Jitterbuffer max size:  -1
Jitterbuffer resync:    -1
Jitterbuffer impl:
Jitterbuffer log:       No

Network Settings:
---------------------------
SIP address remapping:  Disabled, no localnet list
Externhost:
externaddr:             (null)
Externrefresh:          10

Global Signalling Settings:
---------------------------
Codecs:                 0x80000008000e (gsm|ulaw|alaw|h263|testlaw)
Codec Order:            none
Relax DTMF:             No
RFC2833 Compensation:   No
Symmetric RTP:          No
Compact SIP headers:    No
RTP Keepalive:          0 (Disabled)
RTP Timeout:            0 (Disabled)
RTP Hold Timeout:       0 (Disabled)
MWI NOTIFY mime type:   application/simple-message-summary
DNS SRV lookup:         Yes
Pedantic SIP support:   Yes
Reg. min duration       60 secs
Reg. max duration:      3600 secs
Reg. default duration:  120 secs
Outbound reg. timeout:  20 secs
Outbound reg. attempts: 0
Notify ringing state:   Yes
Include CID:            No
Notify hold state:      No
SIP Transfer mode:      open
Max Call Bitrate:       384 kbps
Auto-Framing:           No
Outb. proxy:
Session Timers:         Accept
Session Refresher:      uas
Session Expires:        1800 secs
Session Min-SE:         90 secs
Timer T1:               500
Timer T1 minimum:       100
Timer B:                32000
No premature media:     Yes
Max forwards:           70

Default Settings:
-----------------
Allowed transports:     UDP
Outbound transport:     UDP
Context:                default
Force rport:            No
DTMF:                   rfc2833
Qualify:                0
Use ClientCode:         No
Progress inband:        Never
Language:
MOH Interpret:          default
MOH Suggest:
Voice Mail Extension:   asterisk
Added after 18 minutes:
I did this:
Code:
tlsenable=yes
tlsbindaddr=0.0.0.0:5061

and I get
Code:
root@asterisk:/etc/asterisk# asterisk -rx 'sip show settings'

Global Settings:
----------------
UDP Bindaddress:        0.0.0.0:5060
TCP SIP Bindaddress:    0.0.0.0:5060
TLS SIP Bindaddress:    0.0.0.0:5061
but the port still isn't listening
Code:
root@asterisk:/etc/asterisk# sudo netstat -alnp | grep /asterisk
tcp        0      0 0.0.0.0:2000            0.0.0.0:*               LISTEN      13937/asterisk
tcp        0      0 0.0.0.0:5060            0.0.0.0:*               LISTEN      13937/asterisk
udp        0      0 0.0.0.0:5000            0.0.0.0:*                           13937/asterisk
udp        0      0 0.0.0.0:2727            0.0.0.0:*                           13937/asterisk
udp        0      0 0.0.0.0:4520            0.0.0.0:*                           13937/asterisk
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           13937/asterisk
udp        0      0 0.0.0.0:4569            0.0.0.0:*                           13937/asterisk
unix  2      [ ACC ]     STREAM     LISTENING     524373   13937/asterisk      /var/run/asterisk/asterisk.ctl

Code:
tlsenable=yes
tlsbindaddr=xxx.xxx.xxx.xxx:5061

where xxx.xxx.xxx.xxx is the interface IP
same thing
Just out of curiosity I built everything on my own machine following that article; here's the output:
Code:
anest@desktop ~ $ sudo netstat -alnp | grep /asterisk
tcp        0      0 0.0.0.0:5060            0.0.0.0:*               LISTEN      22040/asterisk
tcp        0      0 0.0.0.0:5061            0.0.0.0:*               LISTEN      22040/asterisk
udp        0      0 0.0.0.0:4520            0.0.0.0:*                           22040/asterisk
udp        0      0 0.0.0.0:4569            0.0.0.0:*                           22040/asterisk
udp        0      0 0.0.0.0:5000            0.0.0.0:*                           22040/asterisk
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           22040/asterisk
unix  2      [ ACC ]     STREAM     LISTENING     5033072  22040/asterisk      /var/run/asterisk/asterisk.ctl
anest@desktop ~ $

I followed the article's steps exactly, up to the point where it gets to client setup. Then I restarted asterisk and looked at the ports. I recommend wiping everything (configs included) and starting over from scratch.
_________________
Good luck!
Firstly:
* tcpbindaddr = extra address for additional TCP connections
* tlsbindaddr = extra address for additional TCP/TLS connections
* udpbindaddr = extra address for additional UDP connections
Nobody asked you to enable those.
Secondly, why isn't the [general] section above all the peers?
Thirdly, what does nc -lp 5061 say?
Fourthly:
Code:
tcpenable=yes
tlsenable=yes
tlscertfile=/etc/asterisk/ssl/asterisk.crt

and then look at the startup log, sip show settings and netstat
Code:
root@asterisk:/etc/asterisk# mkdir /etc/asterisk/ssl
root@asterisk:/etc/asterisk# cd ssl/
root@asterisk:/etc/asterisk/ssl# openssl req -new -newkey rsa:1024 -nodes -keyout ca.key -x509 -days 500 -subj /C=RU/ST=Msk/L=Msk/O=sipring/OU=asterisk/CN=mydomain.ru/ -out ca.crt
Generating a 1024 bit RSA private key
................................................++++++
.++++++
writing new private key to 'ca.key'
-----
root@asterisk:/etc/asterisk/ssl# cp ca.crt asterisk.crt
root@asterisk:/etc/asterisk/ssl# cat ca.key >> asterisk.crt
root@asterisk:/etc/asterisk/ssl# ls
asterisk.crt  ca.crt  ca.key
root@asterisk:/etc/asterisk/ssl# cat asterisk.crt
-----BEGIN CERTIFICATE-----
MIIDIjCCAougAwIBAgIJAMepN8eKfGkFMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
BAYTAlJVMQwwCgYDVQQIEwNNc2sxDDAKBgNVBAcTA01zazEQMA4GA1UEChMHc2lw
............................
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDKyXRqhMU81WJNm9A7qLX4uv7Uo04h6tyhBbZxnvT7gobPAXHM
nCqaRPIn1nf4wd6aAyYLNUJVphZSqZxYxSNljXVjaySzyF4f4rK8sgKHhqHpaMb3
..............................
-----END RSA PRIVATE KEY-----
root@asterisk:/etc/asterisk/ssl# vi ca.config    (pasted the ca.config contents as given on the site)
root@asterisk:/etc/asterisk/ssl# mkdir db
root@asterisk:/etc/asterisk/ssl# mkdir db/certs
root@asterisk:/etc/asterisk/ssl# mkdir db/newcerts
root@asterisk:/etc/asterisk/ssl# touch db/index.txt
root@asterisk:/etc/asterisk/ssl# echo "01" > db/serial
root@asterisk:/etc/asterisk/ssl# openssl req -new -newkey rsa:1024 -nodes -keyout client.key -subj /C=RU/ST=Msk/L=Msk/O=Inc/OU=SIP/CN=mydomain.ru/emailAddress=email@mydomain.ru -out client.csr
Generating a 1024 bit RSA private key
.......++++++
..............................++++++
writing new private key to 'client.key'
-----
root@asterisk:/etc/asterisk/ssl# openssl ca -config ca.config -in client.csr -out client.crt -batch
Using configuration from ca.config
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'RU'
stateOrProvinceName   :PRINTABLE:'Msk'
localityName          :PRINTABLE:'Msk'
organizationName      :PRINTABLE:'Inc'
organizationalUnitName:PRINTABLE:'SIP'
commonName            :PRINTABLE:'mydomain.ru'
emailAddress          :IA5STRING:'mail@mydaomain.ru'
Certificate is to be certified until Nov  7 00:27:49 2011 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
SIP.conf
Code:
[general]
context=default                 ; Default context for incoming calls
tcpenable=yes
tlsenable=yes
tlscertfile=/etc/asterisk/ssl/asterisk.crt
srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls

[authentication]

[basic-options](!)              ; a template
dtmfmode=rfc2833
context=from-office
type=friend

[natted-phone](!,basic-options) ; another template inheriting basic-options
nat=yes
directmedia=no
host=dynamic

[public-phone](!,basic-options) ; another template inheriting basic-options
nat=no
directmedia=yes

[my-codecs](!)                  ; a template for my preferred codecs
disallow=all
allow=ilbc
allow=g729
allow=gsm
allow=g723
allow=ulaw

[ulaw-phone](!)                 ; and another one for ulaw-only
disallow=all
allow=ulaw

[20000]
type=friend
secret=xxxxxx
qualify=yes
nat=yes
host=dynamic
canreinvite=no
context=office
srtpcapable=yes
transport=tls

[999]
type=friend
secret=xxxxxx
qualify=yes
nat=yes
host=dynamic
canreinvite=no
context=gategsm

[20100]
type=friend
secret=xxxxxx
qualify=yes
nat=yes
host=dynamic
canreinvite=no
context=office
srtpcapable=yes
transport=tls
result:
Code:
root@asterisk:/etc/asterisk# /etc/init.d/asterisk restart
 * Stopping Asterisk PBX: asterisk
   ...done.
 * Starting Asterisk PBX: asterisk
Parsing /etc/asterisk/extconfig.conf
   ...done.
root@asterisk:/etc/asterisk# sudo netstat -alnp | grep /asterisk
tcp        0      0 0.0.0.0:2000            0.0.0.0:*               LISTEN      15209/asterisk
tcp        0      0 0.0.0.0:5060            0.0.0.0:*               LISTEN      15209/asterisk
udp        0      0 0.0.0.0:5000            0.0.0.0:*                           15209/asterisk
udp        0      0 0.0.0.0:2727            0.0.0.0:*                           15209/asterisk
udp        0      0 0.0.0.0:4520            0.0.0.0:*                           15209/asterisk
udp        0      0 0.0.0.0:5060            0.0.0.0:*                           15209/asterisk
udp        0      0 0.0.0.0:4569            0.0.0.0:*                           15209/asterisk
unix  2      [ ACC ]     STREAM     LISTENING     527107   15209/asterisk      /var/run/asterisk/asterisk.ctl
root@asterisk:/etc/asterisk# asterisk -rx 'sip show settings'
Parsing /etc/asterisk/extconfig.conf

Global Settings:
----------------
UDP Bindaddress:        0.0.0.0:5060
TCP SIP Bindaddress:    0.0.0.0:5060
TLS SIP Bindaddress:    (null)
...........

there isn't a single mention of TLS or SSL in the startup log
openssl was installed when I built Asterisk
rebuilding gives no result
I don't know where to dig =-(((((
Last edited by elected on Sun Nov 07, 2010 01:33
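An added example, not part of the thread and not from the linked guide or the Asterisk project. The session quoted above builds the server identity by copying the CA certificate and appending the CA private key to it (cp ca.crt asterisk.crt; cat ca.key >> asterisk.crt), relying on Asterisk reading the key out of tlscertfile when tlsprivatekey= is not set. That leaves the CA key in a file that is readable by default, and makes the CA certificate double as the server certificate. The script below does the same job with a separate 0600 key file, a CA-signed server certificate and 2048-bit keys, and includes two checks that flag the guide's layout. It assumes the openssl CLI is on PATH, that Asterisk runs as the asterisk user, and that the build supports tlsprivatekey= (listed in the 1.8 sip.conf.sample); pbx.example.com is a placeholder name.

```sh
#!/bin/sh
# make_asterisk_tls_certs.sh -- added example; not the linked guide's steps
# and not Asterisk project code. It departs from the quoted session in three
# places: the server key is kept in its own 0600 file instead of being
# appended to the certificate; the server certificate is signed by the CA
# instead of reusing the CA certificate (and CA key) as the server identity;
# and keys are 2048-bit instead of 1024-bit.
# Assumptions: openssl CLI on PATH, Asterisk runs as the 'asterisk' user,
# and the build supports tlsprivatekey= (listed in 1.8's sip.conf.sample).
set -e

SSL_DIR=${SSL_DIR:-/etc/asterisk/ssl}
CN=${CN:-pbx.example.com}       # placeholder; must match what the phones connect to
DAYS=${DAYS:-365}
OWNER=${OWNER:-asterisk}

make_certs() {
    umask 077                   # every file created below starts out private
    mkdir -p "$SSL_DIR"
    cd "$SSL_DIR"
    # Private CA: key plus self-signed certificate. ca.key is only needed for
    # signing; move it off the PBX once server.crt exists.
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$DAYS" \
        -keyout ca.key -out ca.crt -subj "/O=Example PBX CA/CN=Example PBX CA"
    # Server key and CSR, then the CA signs the server certificate.
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout server.key -out server.csr -subj "/CN=$CN"
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days "$DAYS" -out server.crt
    rm -f server.csr
    # Only the Asterisk user needs to read the key; nobody else should.
    chown "$OWNER" server.key server.crt ca.crt
    chmod 0600 server.key
    chmod 0644 server.crt ca.crt
    cat <<EOF
Put this in the [general] section of sip.conf:
  tlsenable=yes
  tlsbindaddr=0.0.0.0:5061
  tlscertfile=$SSL_DIR/server.crt
  tlsprivatekey=$SSL_DIR/server.key
and install $SSL_DIR/ca.crt on the phones as the trusted CA.
EOF
}

# Checks for an existing tlscertfile / tlsprivatekey pair.
pem_has_private_key() {    # $1 = PEM file; true if it carries a PRIVATE KEY block
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

file_is_owner_only() {     # $1 = file; true if group and other have no permission bits
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Flags the layout the guide produces: a certificate file with the key inside
# it, or a key file that other local users can read.
cert_pair_ok() {           # $1 = certificate file, $2 = private key file
    if pem_has_private_key "$1"; then
        echo "WARN: $1 also contains a private key; move it to its own file and use tlsprivatekey=" >&2
        return 1
    fi
    if ! file_is_owner_only "$2"; then
        echo "WARN: $2 is readable by group/other; chmod 0600 it" >&2
        return 1
    fi
    return 0
}

case "${1:-}" in
    generate) make_certs ;;
    check)    cert_pair_ok "$2" "$3" ;;
esac
```

Run it as ./make_asterisk_tls_certs.sh generate on the PBX, or ./make_asterisk_tls_certs.sh check /etc/asterisk/ssl/asterisk.crt /etc/asterisk/ssl/asterisk.crt against the guide's layout to see both warnings. The phones need ca.crt (not server.key, and not the combined file) to verify the server.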
Is it definitely 1.8?
In logger.conf set console=...,debug
start * with 'asterisk -cdvdvdvdvdvdvdv' and show the lines starting from SIP Listening on 0.0.0.0:5060
Meaningful errors should get dumped there; they are in the code
Code:
Global Settings:
----------------
UDP Bindaddress:        0.0.0.0:5060
TCP SIP Bindaddress:    0.0.0.0:5060
TLS SIP Bindaddress:    (null)
Videosupport:           No
Textsupport:            No
Ignore SDP sess. ver.:  No
AutoCreate Peer:        No
Match Auth Username:    No
Allow unknown access:   Yes
Allow subscriptions:    Yes
Allow overlap dialing:  Yes
Allow promsic. redir:   No
Enable call counters:   No
SIP domain support:     No
Realm. auth:            No
Our auth realm          asterisk
Use domains as realms:  No
Call to non-local dom.: Yes
URI user is phone no:   No
Always auth rejects:    Yes
Direct RTP setup:       No
User Agent:             Asterisk PBX 1.8.0
SDP Session Name:       Asterisk PBX 1.8.0
......
.....
Code:
  == SIP Listening on 0.0.0.0:5060
  == Using SIP CoS mark 4
[Nov 7 02:37:21] DEBUG[15697]: chan_sip.c:27152 reload_config: SIP TCP server started
[Nov 7 02:37:21] DEBUG[15697]: chan_sip.c:26227 build_peer: Not an IPv4 nor IPv6 address, cannot get port.
[Nov 7 02:37:21] DEBUG[15697]: chan_sip.c:26230 build_peer: Not an IPv4 nor IPv6 address, cannot set port.
[Nov 7 02:37:21] DEBUG[15697]: chan_sip.c:26232 build_peer: Not an IPv4 nor IPv6 address, cannot get port.
[Nov 7 02:37:21] DEBUG[15697]: chan_sip.c:26235 build_peer: Not an IPv4 nor IPv6 address, cannot set port.
[Nov 7 02:37:21] DEBUG[15697]: db.c:243 ast_db_get: Unable to find key '20000' in family 'SIP/Registry'
[Nov 7 02:37:21] DEBUG[15697]: chan_sip.c:26227 build_peer: Not an IPv4 nor IPv6 address, cannot get port.
[Nov 7 02:37:21] DEBUG[15697]: chan_sip.c:26230 build_peer: Not an IPv4 nor IPv6 address, cannot set port.
[Nov 7 02:37:21] DEBUG[15697]: chan_sip.c:26232 build_peer: Not an IPv4 nor IPv6 address, cannot get port.
[Nov 7 02:37:21] DEBUG[15697]: chan_sip.c:26235 build_peer: Not an IPv4 nor IPv6 address, cannot set port.
[Nov 7 02:37:21] DEBUG[15697]: db.c:243 ast_db_get: Unable to find key '999' in family 'SIP/Registry'
[Nov 7 02:37:21] DEBUG[15697]: chan_sip.c:26227 build_peer: Not an IPv4 nor IPv6 address, cannot get port.
[Nov 7 02:37:21] DEBUG[15697]: chan_sip.c:26230 build_peer: Not an IPv4 nor IPv6 address, cannot set port.
[Nov 7 02:37:21] DEBUG[15697]: chan_sip.c:26232 build_peer: Not an IPv4 nor IPv6 address, cannot get port.
[Nov 7 02:37:21] DEBUG[15697]: chan_sip.c:26235 build_peer: Not an IPv4 nor IPv6 address, cannot set port.
[Nov 7 02:37:21] DEBUG[15697]: db.c:243 ast_db_get: Unable to find key '20100' in family 'SIP/Registry'
  == Parsing '/etc/asterisk/sip_notify.conf':
[Nov 7 02:37:21] DEBUG[15697]: config.c:1335 config_text_file_load: Parsing /etc/asterisk/sip_notify.conf
  == Found
[Nov 7 02:37:21] DEBUG[15697]: chan_sip.c:27347 reload_config: SIP reload_config done...Runtime= 0 sec
[Nov 7 02:37:21] DEBUG[15697]: channel.c:858 ast_channel_register: Registered handler for 'SIP' (Session Initiation Protocol (SIP))
  == Registered channel type 'SIP' (Session Initiation Protocol (SIP))
  == Registered RTP glue 'SIP'
  == Registered application 'SIPDtmfMode'
  == Registered application 'SIPAddHeader'
  == Registered application 'SIPRemoveHeader'
  == Registered custom function 'SIP_HEADER'
[Nov 7 02:37:21] DEBUG[15697]: xmldoc.c:1796 xmldoc_build_field: Cannot find variable 'SIPPEER' in tree 'description'
  == Registered custom function 'SIPPEER'
[Nov 7 02:37:21] DEBUG[15697]: xmldoc.c:1796 xmldoc_build_field: Cannot find variable 'SIPCHANINFO' in tree 'description'
  == Registered custom function 'SIPCHANINFO'
  == Registered custom function 'CHECKSIPDOMAIN'
  == Manager registered action SIPpeers
  == Manager registered action SIPshowpeer
  == Manager registered action SIPqualifypeer
  == Manager registered action SIPshowregistry
  == Manager registered action SIPnotify
 chan_sip.so => (Session Initiation Protocol (SIP))
And how do I force-build asterisk with the TLS option?
in make menuselect
I didn't find anything of the kind
asterisk itself runs on Ubuntu LTS 10.04 Server
the openssl-devel package isn't installed, since it isn't in the repos
libssl-dev is installed instead
the openssl package is installed
Added after 40 minutes:
Thanks to everyone for taking part and for the help
problem solved
I installed the packages
Code:
apt-get install build-essential libssl-dev

and everything came alive
huge and special thanks to bird_of_Luck
you gave me the idea that asterisk wasn't compiled to use TLS
so, for those on Debian or Ubuntu
install
Code:
apt-get install build-essential libssl-dev

and only then build asterisk
_________________
2.6.33.7 / *1.8.6.0 + https://github.com/nixonch/a2billing / SFA / chan_mobile / chan_dongle / app_fax to e-mail&SMS
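An added example, not from the thread and not Asterisk project code. It turns the checks this thread converged on (bird_of_Luck's "look at the startup log, sip show settings and netstat", and the final finding that the binary had been built without OpenSSL) into one script, run in the order a missing TLS listener should be diagnosed: does the binary link libssl at all, does 'sip show settings' report a usable TLS bind address, is anything LISTENing on the port, and does a TLS handshake complete. The parsers take command output as text, so the sample netstat and settings output used here is taken from the thread; the live commands only run when RUN=1 is set. Assumptions: the 1.8 TCP/TLS server is in the core (main/tcptls.c), so the libssl check is made on the asterisk binary rather than chan_sip.so, and the command names (ldd, netstat, openssl s_client) are those the thread already uses.

```sh
#!/bin/sh
# check_asterisk_tls.sh -- added example; not from this thread, the linked
# guide or the Asterisk project. Runs the checks the thread converged on in
# the order a missing TLS listener should be diagnosed:
#   1. was this Asterisk build linked against OpenSSL at all?
#   2. does 'sip show settings' report a usable TLS bind address?
#   3. is a TCP socket actually LISTENing on the TLS port?
#   4. does a TLS handshake complete (telnet only proves the socket is open)?
# The parsers take command output as text so they can be run against captured
# output; the live commands run only when RUN=1 is set.

# 1. Assumption: in 1.8 the TCP/TLS server lives in the core (main/tcptls.c),
#    so it is the asterisk binary, not chan_sip.so, that must link libssl.
links_libssl() {            # $1 = output of 'ldd /path/to/asterisk'
    printf '%s\n' "$1" | grep -q 'libssl\.so'
}

# 2. Value of the "TLS SIP Bindaddress:" line from 'sip show settings'.
tls_bindaddr() {            # $1 = output of "asterisk -rx 'sip show settings'"
    printf '%s\n' "$1" | awk '/^TLS SIP Bindaddress:/ {
        sub(/^TLS SIP Bindaddress:[ \t]*/, ""); print; exit }'
}

# "(null)" is what the thread saw on a build without TLS support; "0.0.0.0:0"
# is what it saw before a port was given. Neither will ever listen.
tls_bindaddr_usable() {     # $1 = value returned by tls_bindaddr
    case "$1" in
        ''|'(null)'|*:0) return 1 ;;
        *)               return 0 ;;
    esac
}

# 3. Columns of 'netstat -alnp': proto recv-q send-q local foreign state pid/prog.
#    The port is anchored so that 506 does not match :5060.
tcp_listener_on_port() {    # $1 = netstat output, $2 = port
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "tcp" && $4 ~ (":" p "$") && $6 == "LISTEN" { found = 1 }
        END { exit !found }'
}

live_checks() {             # $1 = host (default 127.0.0.1), $2 = TLS port (default 5061)
    host=${1:-127.0.0.1}; port=${2:-5061}
    bin=$(command -v asterisk) || { echo "asterisk not found in PATH"; return 1; }
    if links_libssl "$(ldd "$bin")"; then
        echo "ok:   $bin links libssl"
    else
        echo "FAIL: $bin has no libssl dependency; install libssl-dev and rebuild"
    fi
    addr=$(tls_bindaddr "$(asterisk -rx 'sip show settings')")
    if tls_bindaddr_usable "$addr"; then
        echo "ok:   TLS SIP Bindaddress = $addr"
    else
        echo "FAIL: TLS SIP Bindaddress = '${addr:-<empty>}' (tlsenable/tlsbindaddr in [general]?)"
    fi
    if tcp_listener_on_port "$(netstat -alnp 2>/dev/null)" "$port"; then
        echo "ok:   tcp listener on port $port"
    else
        echo "FAIL: nothing listening on tcp/$port"
    fi
    # 4. s_client exits non-zero when it cannot connect or the handshake fails;
    #    a self-signed tlscertfile still handshakes (verify errors are only reported).
    if openssl s_client -connect "$host:$port" </dev/null >/dev/null 2>&1; then
        echo "ok:   TLS handshake with $host:$port"
    else
        echo "FAIL: no TLS handshake with $host:$port"
    fi
}

if [ "${RUN:-0}" = 1 ]; then live_checks "$@"; fi
```

Run it as RUN=1 ./check_asterisk_tls.sh on the PBX (netstat -p and asterisk -rx need root or the asterisk user). The first check is the one this thread needed: if the binary does not link libssl, no amount of sip.conf editing will open the port, and if you still have the source tree, grep HAVE_OPENSSL include/asterisk/autoconfig.h after ./configure tells you the same thing before you compile.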
_________________
nanotechnologies in the field of Asterisk
One line, and everything went flying.