[VOIPSEC] Snom Softphone with TLS and Openser

Martin Petraschek petraschek at ftw.at
Thu Feb 23 09:50:49 GMT 2006


Hi all,

I just wanted to share the experiences I made when trying to get the 
Snom 360 Softphone to work with TLS support together with Openser. Maybe 
my findings can be of use for other people having similar problems.

The Snom Softphone is one of the few Softphones I am aware of that 
support TLS as well as RTP encryption. Unfortunately it is not Open 
Source, but the binary is freely available at 
http://www.snom.com/download/snom360-5.3.exe

When trying to use TLS, one might be disappointed that the configuration 
menus do not offer any setting like "enable TLS". This is because the 
Snom phone uses DNS SRV queries in order to find out which connection 
method to use. The first task is therefore to configure SRV records of 
the DNS server. For bind, the following lines did the trick:

example.at.   IN NAPTR 10 50 "s" "SIPS+D2T" "" _sips._tcp.example.at.
example.at.   IN NAPTR 20 50 "s" "SIP+D2U" "" _sip._udp.example.at.
example.at.   IN NAPTR 30 50 "s" "SIP+D2T" "" _sip._tcp.example.at.

; ----- SRV records -----
_sip._udp               IN SRV 0 0 5060 server.example.at.
_sip._tcp               IN SRV 0 0 5060 server.example.at.
_sips._tcp              IN SRV 0 0 5061 server.example.at.


After that, the Snom phone tried to contact the SIP server via TLS. 
However, the program was stuck immediately after starting and did not 
accept any input via the user interface. I inspected the network traffic 
it generated with the help of the tool ssldump, which showed the following:

server:/etc/openser/tools# ssldump -i eth0 port 5061
New TCP connection #1: user.example.at(3695) <-> server.example.at(5061)
1 1  0.0124 (0.0124)  C>S  Handshake
       ClientHello
         Version 3.1
         cipher suites
         TLS_RSA_WITH_RC4_128_MD5
         TLS_RSA_WITH_RC4_128_SHA
         TLS_RSA_WITH_NULL_MD5
         TLS_RSA_WITH_NULL_SHA
         TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
         TLS_DH_anon_WITH_RC4_128_MD5
         TLS_RSA_WITH_DES_CBC_SHA
         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
         TLS_DH_anon_WITH_DES_CBC_SHA
         compression methods
                   NULL
1 2  0.0145 (0.0021)  S>C  Handshake
       ServerHello
         Version 3.1
         session_id[32]=
           5d a6 8d 61 58 ed c6 08 ae 76 d1 eb 24 82 6a c3
           2e 12 4c 29 17 7b 80 bf 1d 98 82 2c 67 53 ab f0
         cipherSuite         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
         compressionMethod                   NULL
1 3  0.0146 (0.0000)  S>C  Handshake
       Certificate
1 4  0.0146 (0.0000)  S>C  Handshake
       CertificateRequest
         certificate_types                   rsa_sign
         certificate_types                   dss_sign
       ServerHelloDone
1    9.5153 (9.5006)  C>S  TCP RST


I noticed that the chosen ciphersuite was 1024 bit RSA. Checking the 
certificate file /etc/openser/tls/user/user-cert.pem, I found that the 
certificate configured for openser is 2048 bit! To overcome this 
problem, I changed the configuration files ca.conf and user.conf as well 
as gen_rootCA.sh (just replaced 2048 with 1024 at every occurrence). 
After re-generating the certificates and restarting openser, the TLS 
connection finally worked like a charm.

Cheers,

Martin


