[VOIPSEC] Snom Softphone with TLS and Openser
petraschek at ftw.at
Thu Feb 23 09:50:49 GMT 2006
I just wanted to share the experiences I had when trying to get the
Snom 360 Softphone to work with TLS support together with Openser. Maybe
my findings can be of use for other people having similar problems.
The Snom Softphone is one of the few Softphones I am aware of that
support TLS as well as RTP encryption. Unfortunately it is not Open
Source, but the binary is freely available at
When trying to use TLS, one might be disappointed that the configuration
menus do not offer any setting like "enable TLS". This is because the
Snom phone uses DNS SRV queries in order to find out which connection
method to use. The first task is therefore to configure SRV records on
the DNS server. For bind, the following lines did the trick:
example.at. IN NAPTR 10 50 "s" "SIPS+D2T" "" _sips._tcp.example.at.
example.at. IN NAPTR 20 50 "s" "SIP+D2U" "" _sip._udp.example.at.
example.at. IN NAPTR 30 50 "s" "SIP+D2T" "" _sip._tcp.example.at.
; ----- SRV records -----
_sip._udp IN SRV 0 0 5060 server.example.at.
_sip._tcp IN SRV 0 0 5060 server.example.at.
_sips._tcp IN SRV 0 0 5061 server.example.at.
After that, the Snom phone tried to contact the SIP server via TLS.
However, the program was stuck immediately after starting and did not
accept any input via the user interface. I inspected the network traffic
it generated with the help of the tool ssldump, which showed the following:
server:/etc/openser/tools# ssldump -i eth0 port 5061
New TCP connection #1: user.example.at(3695) <-> server.example.at(5061)
1 1 0.0124 (0.0124) C>S Handshake
1 2 0.0145 (0.0021) S>C Handshake
5d a6 8d 61 58 ed c6 08 ae 76 d1 eb 24 82 6a c3
2e 12 4c 29 17 7b 80 bf 1d 98 82 2c 67 53 ab f0
1 3 0.0146 (0.0000) S>C Handshake
1 4 0.0146 (0.0000) S>C Handshake
1 9.5153 (9.5006) C>S TCP RST
I noticed that the chosen ciphersuite was 1024 bit RSA. Checking the
certificate file /etc/openser/tls/user/user-cert.pem, I found that the
certificate configured for openser is 2048 bit! To overcome this
problem, I changed the configuration files ca.conf and user.conf as well
as gen_rootCA.sh (just replaced 2048 with 1024 at every occurrence).
After re-generating the certificates and restarting openser, the TLS
connection finally worked like a charm.
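The transport selection described in the post (the phone deciding on TLS from the NAPTR and SRV records alone, with no "enable TLS" switch) carried out in code, as an added example that is not part of the original post or of the Snom or Openser software. It parses the zone fragment quoted above (reproduced here as constructed sample input) and walks the records the way RFC 3263 specifies: NAPTR records sorted by order and preference, services the client cannot use discarded, then each remaining replacement expanded through its SRV set in RFC 2782 priority/weight order. The `resolve` function, its helpers and the service-to-transport table are this example's own assumptions, not part of any library.

```python
"""RFC 3263 transport selection from NAPTR and SRV records.

Added example (not from the original post): parses a bind-style zone
fragment and derives the ordered list of (transport, host, port)
candidates a SIP client would try, so it is visible why a client that
supports SIPS ends up on TLS port 5061 while one that does not falls
back to UDP 5060.
"""
import random
import shlex
from typing import Dict, List, Set, Tuple

# Constructed sample input mirroring the records quoted in the post.
ZONE = """\
example.at. IN NAPTR 10 50 "s" "SIPS+D2T" "" _sips._tcp.example.at.
example.at. IN NAPTR 20 50 "s" "SIP+D2U" "" _sip._udp.example.at.
example.at. IN NAPTR 30 50 "s" "SIP+D2T" "" _sip._tcp.example.at.
; ----- SRV records -----
_sip._udp IN SRV 0 0 5060 server.example.at.
_sip._tcp IN SRV 0 0 5060 server.example.at.
_sips._tcp IN SRV 0 0 5061 server.example.at.
"""
ORIGIN = "example.at."

# NAPTR service field -> SIP transport (RFC 3263 section 4.1).
SERVICE_TO_TRANSPORT = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp"}

Naptr = Tuple[int, int, str, str, str]   # order, preference, flags, service, replacement
Srv = Tuple[int, int, int, str]          # priority, weight, port, target


def fqdn(name: str, origin: str) -> str:
    """Qualify a relative owner/target name against the zone origin."""
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> Tuple[List[Naptr], Dict[str, List[Srv]]]:
    """Extract NAPTR and SRV records; comments and other record types are ignored."""
    naptrs: List[Naptr] = []
    srvs: Dict[str, List[Srv]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        fields = shlex.split(line)               # keeps "" as an empty field
        owner, rtype = fqdn(fields[0], origin), fields[2]
        if rtype == "NAPTR":
            order, pref = int(fields[3]), int(fields[4])
            flags, service, _regexp, replacement = fields[5:9]
            naptrs.append((order, pref, flags, service, fqdn(replacement, origin)))
        elif rtype == "SRV":
            prio, weight, port = (int(x) for x in fields[3:6])
            srvs.setdefault(owner, []).append((prio, weight, port, fqdn(fields[6], origin)))
    return naptrs, srvs


def order_srv(records: List[Srv], rng: random.Random) -> List[Srv]:
    """RFC 2782 ordering: lowest priority first, weighted random within a priority."""
    ordered: List[Srv] = []
    for prio in sorted({r[0] for r in records}):
        bucket = [r for r in records if r[0] == prio]
        while bucket:
            total = sum(r[1] for r in bucket)
            if total == 0:                       # all weights zero: plain random pick
                chosen = bucket[rng.randrange(len(bucket))]
            else:
                threshold, acc = rng.uniform(0, total), 0
                for chosen in bucket:
                    acc += chosen[1]
                    if acc >= threshold:
                        break
            bucket.remove(chosen)
            ordered.append(chosen)
    return ordered


def select_candidates(naptrs: List[Naptr], srvs: Dict[str, List[Srv]],
                      supported: Set[str], rng=None) -> List[Tuple[str, str, int]]:
    """RFC 3263 section 4.1: discard NAPTR records whose service the client cannot
    use, walk the rest by (order, preference), expand each through its SRV set."""
    rng = rng or random.Random(0)
    candidates: List[Tuple[str, str, int]] = []
    for _order, _pref, flags, service, replacement in sorted(naptrs, key=lambda r: r[:2]):
        if flags.lower() != "s" or service not in supported:
            continue
        for _prio, _weight, port, target in order_srv(srvs.get(replacement, []), rng):
            candidates.append((SERVICE_TO_TRANSPORT[service], target, port))
    return candidates


def resolve(zone_text: str, origin: str, supported: Set[str]) -> List[Tuple[str, str, int]]:
    """Convenience wrapper: zone text in, ordered (transport, host, port) list out."""
    naptrs, srvs = parse_zone(zone_text, origin)
    return select_candidates(naptrs, srvs, supported)


if __name__ == "__main__":
    print("TLS-capable client:", resolve(ZONE, ORIGIN, set(SERVICE_TO_TRANSPORT)))
    print("no TLS support:    ", resolve(ZONE, ORIGIN, {"SIP+D2U", "SIP+D2T"}))
```

With all three services supported the first candidate is TLS to server.example.at. port 5061, because the SIPS+D2T NAPTR record carries the lowest order (10); that is the whole reason the phone started a TLS handshake. A client that cannot do SIPS skips that record and lands on UDP (order 20) before TCP (order 30), which is worth keeping in mind when publishing such records: the order values, not the SRV priorities, decide which transport wins. Live records can be inspected with `dig NAPTR example.at` and `dig SRV _sips._tcp.example.at`.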