Very Hot Topic (More than 25 Replies) Encryption: TLS, SRTP & ZRTP (Read 260166 times)
botyhc
Junior Member
Posts: 95
Joined: 02. May 2010
Re: Encryption: TLS, SRTP & ZRTP
Reply #135 - 16. Oct 2012 at 10:44
There should be an option to ensure the media is encrypted, otherwise to warn the user and drop the call. 
If you see even soft phones (in addition to hard phones) like eyebeam for example, they have an option where if the user selects that media must be encrypted, they won't do the call and give an indicative error.
Snom for example is a very very respected phone and they have this option where SRTP if selected as required, won't do the call unless it is SRTP.

You can put an option but not make it on by default. The person using it can choose to enable it.

This is quite similar to the TLS option where you put "connection type is fixed", since if it's not secure we don't want it to fall back.
  
 
Phoner Admin
YaBB Administrator
Posts: 11389
Location: Germany
Joined: 12. Oct 2003
Gender: Male
Re: Encryption: TLS, SRTP & ZRTP
Reply #136 - 17. Oct 2012 at 08:40
If you are using such a Snom phone and you initiate a call to PhonerLite, what exactly happens if PhonerLite answers the call without SRTP? Does the Snom phone disconnect the call immediately?
  
 
Nuno Goncalves
YaBB Newbies
Posts: 1
Joined: 08. Sep 2013
Re: Encryption: TLS, SRTP & ZRTP
Reply #137 - 08. Sep 2013 at 16:41
Could you clarify how the certificates are being handled currently?

1 - on the GUI there is a distinct box for the server certificate and server private key, but only one for the client. So the client certificate must have the key built-in, but the server must be separate?

2 - If the transport is TLS, what does "check certificate from the remote site" do?

3 - What does "Load Windows CA" do? Without this it only accepts CACert and root certificates on the PhonerLite folder?

Thanks!
  
 
Phoner Admin
Re: Encryption: TLS, SRTP & ZRTP
Reply #138 - 09. Sep 2013 at 13:41
Quote:
1 - on the GUI there is a distinct box for the server certificate and server private key, but only one for the client. So the client certificate must have the key built-in, but the server must be separate?
Until now there was no great need for supporting client certificates. Does your peer request it? But you are right - until now a single file is needed.

Quote:
2 - If the transport is TLS, what does "check certificate from the remote site" do?
I had some problems with peer certificates. Therefore checking the certificate can be disabled. Please keep in mind that PhonerLite is just a hobby project. For me the technical questions are more interesting than a perfectly secure solution.

Quote:
3 - What does "Load Windows CA" do? Without this it only accepts CACert and root certificates on the PhonerLite folder?
Exactly!
  
 
TonyOZ
YaBB Newbies
Posts: 37
Location: Saint-Petersburg, Russia
Joined: 25. Sep 2013
Re: Encryption: TLS, SRTP & ZRTP
Reply #139 - 25. Apr 2016 at 11:47
I'm trying to understand whether my SIP provider supports TLS for SIP.

I tick the "check certificate from the remote site" and the "Load Windows CA" because I expect that provider to have an SSL certificate from a known root CA (like Thawte or Comodo).

I select TLS in the "Network->Preferred connection type" tab.
Then I see PhonerLite registering successfully (the green button in the status field) and the notice: "...;transport=tcp registered".

Does that mean my SIP provider declines the TLS mode and falls back to plain unencrypted TCP?
  

PhonerLite v2.17 on winXP-SP3.
 
Phoner Admin
Re: Encryption: TLS, SRTP & ZRTP
Reply #140 - 25. Apr 2016 at 13:14
You can activate the option "connection type is fixed", then PhonerLite doesn't do any fallback to unencrypted connections.
If you don't enable this certificate check, is the TLS connection established?
  
 
TonyOZ
Re: Encryption: TLS, SRTP & ZRTP
Reply #141 - 25. Apr 2016 at 17:31
Dear Heiko,

Thank you for the hint.

Alas, no. This time I get "...:5061;transport=tls not registered <Connectivity Checks Failed>".

Is that final and I cannot do anything about it?

BTW
My signature is outdated, I'm on PL v2.37 (on winXP-SP3)
  

PhonerLite v2.17 on winXP-SP3.
 
Phoner Admin
Re: Encryption: TLS, SRTP & ZRTP
Reply #142 - 26. Apr 2016 at 09:35
So your SIP provider doesn't support TLS!
  
 
TonyOZ
Re: Encryption: TLS, SRTP & ZRTP
Reply #143 - 27. Apr 2016 at 11:24
Thank you again!

So, to finalise the question:
My understanding is that if a provider implements TLS with a cert from a well-known root CA - I would be able to enable it on PhonerLite without importing/installing any certificates - just by referencing my OS's cert store.
Right?
  

 
Phoner Admin
Re: Encryption: TLS, SRTP & ZRTP
Reply #144 - 27. Apr 2016 at 11:26
That is true. But you might check first without any certificate check. I assume that your provider doesn't support TLS for SIP at all.
  
 
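Added example (not part of the thread and not PhonerLite code): the check suggested in Reply #144, one TLS attempt with certificate verification and one without, run directly against the provider's SIP-TLS port to tell "no TLS at all" apart from "TLS offered but the certificate is not trusted". The function names and result labels are assumptions of this example; port 5061 is the one shown in the status line above, and the host is a placeholder argument.

```python
import socket
import ssl
import sys


def handshake(host, port, verify, timeout=5.0):
    """Try one TLS handshake; return None on success, else the exception."""
    ctx = ssl.create_default_context()  # loads the OS root CA store
    if not verify:
        # Equivalent of unticking the certificate check: accept any certificate.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except OSError as exc:  # covers ssl.SSLError, refusals and timeouts
        return exc


def classify(verified_err, unverified_err):
    """Map the two handshake results to the cases discussed in the thread."""
    if verified_err is None:
        return "tls-verified"        # chain and host name validate against OS roots
    if unverified_err is None:
        return "tls-untrusted-cert"  # TLS is offered, but only passes unchecked
    return "no-tls"                  # no TLS handshake on this port at all


def probe(host, port=5061, handshake_fn=handshake):
    """Run the verified attempt first, the unverified one only if it fails."""
    verified = handshake_fn(host, port, True)
    unverified = None if verified is None else handshake_fn(host, port, False)
    return classify(verified, unverified), verified


if __name__ == "__main__":
    # Host is a placeholder argument, e.g.: python probe.py sip.example.invalid
    result, err = probe(sys.argv[1])
    print(result, "" if err is None else f"({err})")
```

A "tls-untrusted-cert" result also covers a host name mismatch; the exception text printed next to it says which check failed.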
TonyOZ
Re: Encryption: TLS, SRTP & ZRTP
Reply #145 - 16. Jun 2016 at 17:08
Just noticed that the latest PhonerLite does not have the ZRTP "masquerade" capability any more.
Why is that?
  

 
Phoner Admin
Re: Encryption: TLS, SRTP & ZRTP
Reply #146 - 17. Jun 2016 at 07:54
This option is still supported. To reduce the number of visual combobox elements, this option is now available via context menu for "ZRTP".
  
 
TonyOZ
Re: Encryption: TLS, SRTP & ZRTP
Reply #147 - 20. Jun 2016 at 17:47
OK, got it!
Thank you.
  

 
Blonet
YaBB Newbies
Posts: 3
Joined: 24. Nov 2017
Re: Encryption: TLS, SRTP & ZRTP
Reply #148 - 27. Nov 2017 at 14:35
Is it possible to configure secure communication with a self-signed certificate generated using OpenSSL?
  
 
Phoner Admin
Re: Encryption: TLS, SRTP & ZRTP
Reply #149 - 27. Nov 2017 at 15:58
So you want to connect by TLS to a SIP server that uses self-signed certificates? Take a look at the "Certificate" configuration page. There is an option called "check certificate from the remote site". If that option is not active, all certificates are accepted.
  