Encryption: TLS, SRTP & ZRTP
Phoner Admin
Reply #105 - 17. Nov 2011 at 08:41
Put your mouse cursor over that TLS icon and you will see why the icon is not "golden". TLS is based on certificates and server certificates are created for a special domain. But you connect directly to an IP address. That IP address doesn't match with the name (CN) within the server certificate. That's the reason for the different color of the icon.
This white/grayed icon doesn't mean that the encryption is less secure - it just tells that the remote party is not the same as it tells within the certificate.
  
 
o b m
Reply #106 - 17. Nov 2011 at 09:15
thx
So what should I do to make the certificate work/make TLS golden? Or it's not worth trying? It's useless for me since it does not affect security, but I guess my boss would appreciate if everything looked right :)
  
 
Phoner Admin
Reply #107 - 17. Nov 2011 at 12:33
You would need a server certificate where the CN is the IP address of that PC.
But if you don't like the way PhonerLite is handling that - feel free to use any other softphone.
  
 
o b m
Reply #108 - 18. Nov 2011 at 04:24
If I didn't like it I would not use it. Actually looked through 30-40 VoIP programs and tried 6 of them. ONLY PL met our need since Skype made nuts, because PL has good encrypting and direct IP connection.

So I make a txt file and insert something like this

-----BEGIN RSA PRIVATE KEY-----
123 'random key?
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
111.222.333.001 'IP address of 1st computer
111.222.333.002 'IP address of 2nd computer
-----END CERTIFICATE-----

then rename it to .cer and give to both clients?
  
 
Phoner Admin
Reply #109 - 18. Nov 2011 at 08:36
You have to use a real server certificate. If you export such a certificate in text format (.pem) you will get the right format. But if you create a self-signed certificate you have the problem that others don't see that certificate as valid, as long as they don't trust the same certificate authority (CA).
All that certificate stuff is very complicated. Therefore PhonerLite has a built-in certificate to use TLS out of the box. Only if you are familiar with creating certificates should you change any certificate setting in PhonerLite.
  
 
Tom22
Reply #110 - 18. Nov 2011 at 14:11
Phoner Admin wrote on 10. Nov 2011 at 08:20:
PhonerLite doesn't keep any session data for future calls with the same partner. You are right that is part of the ZRTP draft, but it is not implemented in PhonerLite. I don't see any security risks for this.

I don't know anything about a "preshared key mode". ZRTP is designed to work without preshared keys, so I don't know why you are interested to use this. PhonerLite doesn't support any preshared key.

If you don't trust ZRTP implementation in PhonerLite - feel free to use any other implementation. You can still use ZFone with PhonerLite.

Ehrm no. Sorry. All this wasn't meant as criticism.

I just wanted to understand all the encryption related stuff better as I haven't found any documentation about it.

PhonerLite is the only available client for us. It has unique Windows, IPv6 and ZRTP support.
  
 
Phoner Admin
Reply #111 - 18. Nov 2011 at 14:18
@Tom22
I didn't interpret this as criticism. I just wanted to tell that PhonerLite is a hobby project and I don't have time to implement all theoretical stuff. I just wanted to understand how ZRTP is working and used therefore my own implementation for that - that is even compatible with ZFone & Co.
I don't like to document things - that is my fault, I know. But writing documentations is no fun for me. Hopefully you understand.
  
 
deti
Reply #112 - 18. Nov 2011 at 15:05
@ o b m

For a verification of Peer-To-Peer connections you need a certificate according to RFC 5922 and PhonerLite must then also be able to read and verify the subjectAltName in the certificate, which it can't at the moment as far as I know.

I started in the last days, after a longer pause, to code an implementation of a certificate with the subjectAltName into the PhonerLite download on my homepage (see signature). I guess it will take one or two more months for this to be ready (I'm doing this only in my free time). I hope that Heiko then also can afford some time to implement this in PhonerLite! ;)
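
The name check discussed in replies #105 to #112, as an added example that is not part of the thread and is not PhonerLite's code: it shows why a certificate issued for a domain fails when the peer is dialled by IP address, and how an iPAddress subjectAltName entry resolves that. The dict layout is the one Python's `ssl.SSLSocket.getpeercert()` returns; the certificates, names and addresses are constructed, the CN fallback for IP addresses is an assumption modelled on reply #107, and only dNSName and iPAddress entries are handled (no wildcards, no SIP URI entries).

```python
import ipaddress

# Constructed certificates in the dict layout of ssl.SSLSocket.getpeercert().
DOMAIN_CERT = {"subject": ((("commonName", "sip.example.org"),),),
               "subjectAltName": (("DNS", "sip.example.org"),)}
IP_SAN_CERT = {"subject": ((("commonName", "office-pc"),),),
               "subjectAltName": (("IP Address", "192.0.2.10"),
                                  ("IP Address", "2001:DB8:0:0:0:0:0:1"))}
IP_CN_CERT = {"subject": ((("commonName", "192.0.2.10"),),)}

def _as_ip(text):
    """Parse text as an IPv4/IPv6 address, or return None for a host name."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _san(cert, kind):
    return [value for k, value in cert.get("subjectAltName", ()) if k == kind]

def _common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_identity(cert, target):
    """Return (matched, basis) for the address or name the user dialled."""
    ip = _as_ip(target)
    if ip is not None:
        # Compare parsed addresses so different IPv6 spellings still match.
        if ip in [_as_ip(v) for v in _san(cert, "IP Address")]:
            return True, "SAN iPAddress"
        # Assumption: legacy fallback, the CN-holds-the-IP case from reply #107.
        if any(_as_ip(cn) == ip for cn in _common_names(cert)):
            return True, "CN (legacy)"
        return False, "certificate does not name this IP address"
    dns = _san(cert, "DNS")
    # CN is consulted only when no dNSName SAN exists; exact match, no wildcards.
    names = dns if dns else _common_names(cert)
    if any(n.lower() == target.lower() for n in names):
        return True, ("SAN dNSName" if dns else "CN (legacy)")
    return False, "certificate does not name this host"

if __name__ == "__main__":
    for label, cert, target in [("domain cert", DOMAIN_CERT, "192.0.2.10"),
                                ("domain cert", DOMAIN_CERT, "sip.example.org"),
                                ("IP SAN cert", IP_SAN_CERT, "2001:db8::1"),
                                ("IP CN cert", IP_CN_CERT, "192.0.2.10")]:
        print(label, target, check_identity(cert, target))
```

A mismatch here says nothing about cipher strength; it only means the certificate does not vouch for the address that was dialled, which is the distinction reply #105 draws.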
  
 
botyhc
Reply #113 - 30. Jan 2012 at 01:32
TLS is not working stably with Freeswitch. Every other client is working fine with the same Freeswitch.
Phonerlite registers, but sometime later stops and tries to register.

Also the debug option seems to have vanished, I have debug selected in the menu, but I am unable to see the debug tab/window. 

Recently also when I press save button, phonerlite hangs for a few seconds (not really hangs, but freezes). 

Is there any change in SAVP? Earlier PhonerLite SRTP used to work without SAVP, but now it is not working without SAVP.
Also does ZRTP require SAVP?
  
 
Phoner Admin
Reply #114 - 30. Jan 2012 at 08:55
Quote:
TLS is not working stably with Freeswitch. Every other client is working fine with the same Freeswitch.
Phonerlite registers, but sometime later stops and tries to register.

Do you have an installation where public access is possible? So where can I try to register and try for my own? I don't want to install and configure Freeswitch for my own.

Quote:
Also the debug option seems to have vanished, I have debug selected in the menu, but I am unable to see the debug tab/window.

If you disable "Debug" in the Options menu, there is no debug output at all. So "Debug" must be enabled in Options menu. Then you can switch the visibility of debug in the help menu.

Quote:
Recently also when I press save button, phonerlite hangs for a few seconds (not really hangs, but freezes).

What version of PhonerLite are you using? Is that problem reproducible?

Quote:
Is there any change in SAVP? Earlier PhonerLite SRTP used to work without SAVP, but now it is not working without SAVP.
Also does ZRTP require SAVP?

You can configure if you want to use "AVP" or "SAVP". Take a look at the codec settings. There is a switch called "SAVP".
  
 
botyhc
Reply #115 - 15. Feb 2012 at 09:10
"Do you have an installation where public access is possible? So where can I try to register and try for my own? I don't want to install and configure Freeswitch for my own."

Unfortunately I don't have one. Installation is fairly straightforward and is there on the install wiki. If you have a VM or machine I can access, I can install. You can make a VM so you don't have to worry.

---------

The save button freezing for a few moments is consistent and happens EVERY time. It freezes for about 2 seconds. It's not a big deal compared to TLS, ZRTP kind of things, but is observable. This is with the latest version.

-----------

"If you disable "Debug" in the Options menu, there is no debug output at all. So "Debug" must be enabled in Options menu. Then you can switch the visibility of debug in the help menu."

Of course. With it enabled only I can't see it. 

------------------------

I know the switch for SAVP of course. What I am saying is: did the SAVP implementation change between PhonerLite versions?

Earlier PhonerLite SRTP used to work without SAVP, but now it is not working without SAVP.
Also does ZRTP require SAVP?


  
 
Phoner Admin
Reply #116 - 15. Feb 2012 at 09:51
I can't reproduce any 2 seconds freeze when saving a profile. When you save a profile, the actual profile will be unloaded before. So if you are registered at a SIP server, an unregistration is done. Maybe this lasts so long in your case.
I have no difficulties with other SIP clients supporting ZRTP. So if you have problems with Freeswitch, I need a way to test with that installation. But I don't want to set up a Freeswitch for my own. All that certificate configuration stuff and recompile with special settings is not the way I like. Sorry.
I found that one: https://create.tanstagi.net/
But at the moment that service is down.

If there is no other way for testing, you need to use another softphone.
  
 
Mihail
Reply #117 - 27. Feb 2012 at 13:08
botyhc wrote on 30. Jan 2012 at 01:32:
TLS is not working stably with Freeswitch. Every other client is working fine with the same Freeswitch.
Phonerlite registers, but sometime later stops and tries to register.


Hi!
I faced the same issue with Freeswitch. And I solved it by changing param name="tls-verify-depth" to value="1" (by default "2") in ../sip_profiles/internal.xml
After that PhonerLite successfully registered and started to work.
  
 
Phoner Admin
Reply #118 - 27. Feb 2012 at 13:15
I don't know what this "tls-verify-depth" means. Does Freeswitch request a client certificate? If so, you need to config one in PhonerLite.
For some days that tanstagi.net service was running. I used 2 accounts on that server. TLS was no problem there. There was no ZRTP pass through possible. But with enabled "ZRTP masquerading" in PhonerLite it worked.
  
 
Mihail
Reply #119 - 02. Mar 2012 at 10:46
Hi! Sorry, I was wrong, any changes to tls-verify-depth had no effect. It was just coincidence. I tried with and without Client certificate - nothing helped.

PL -> REGISTER -> FS
PL <- UNAUTHORIZED <- FS
PL -> REGISTER w/Authorization field -> FS
PL <- 200 OK <- FS (PhonerLite ignores it and sends reg. again)
PL -> REGISTER w/Authorization field -> FS
In the attachment you can find debug output from PhonerLite.

Please, advise.
  

register_trace.txt ( 8 KB | Downloads )
 