scmp

Posts posted by scmp

  1. Well, you should use plug and play. For example, the domain registrar is wrong. For the volume, there are keys on the side to control the volume. Anyway, good luck with 3CX and Grandstream.

     

     

    Domain registrar is wrong? You do realize that it was an example as I didn't want to post the fqdn and ports of my pbx, right? If you actually used M9 and snom you would have known that if the registrar was wrong I could not have registered the M9 in the first place, never mind testing and capturing traffic. I think you already know that plug and play would have fixed absolutely nothing for the encryption issue; you are just posting nonsense now. And you don't say, there are buttons on the side of the phone? That must be a miracle. It never crossed my mind to turn the volume up from the keys... Perhaps you want to inform the readers of this forum why vendors call the M9 a "boomerang".

     

    I shiver to think of paying for your commercial license and receive this kind of support. Wanna guess how many times I'm going to recommend snom as a business voip solution?

  2. Then please check if you actually turned SRTP on :rolleyes: or use PnP... There is a setting "RTP encryption" and it could be that this setting is "off".

     

    Well, it is enabled as I stated at the beginning of the first post:

    Identity 1 > Account > Registrar = <pbx ip>:<TLS port>;transport=tls * Outbound Proxy = <pbx ip>:<TLS port>;transport=tls

    Identity 1 > SIP > RTP Encryption = on

     

    I actually got the RMA; it is going back. I bought it for the "security" features but those seem to not go beyond the marketing materials. To top it off, the volume is low and it creates a bad echo when using a headset. M3 didn't have those issues. Perhaps I'll give M10 a try if there will be such a device but in the meantime I'll go the Grandstream-3CX route. Thank you.

  3. Well, first of all the lock only indicates that the traffic between the PBX and the handset is encrypted. There used to be a feature called "end to end encryption" on the PBX, but in the last five years NOBODY ever paid attention to that and even the IETF is still arguing what exactly "sips" means. I agree the lock on the screen is something that needs to be fixed, but the actual encryption is definitely more critical.

     

    You might want to take a look at ZRTP (the m9 supports that, see http://snom-m9.blogspot.com/2011/09/does-zrtp-solve-key-exchange-problem.html), this implements end-to-end encryption but both sides need to have it. We would have to support the ZRTP packet passthrough also in the PBX, which would not be very hard, but something that would have to be done.

     

    The ticket number is just for reference in the release notes. The ticket system is not public.

     

    I agree there is a lot of marketing bla bla in the security area. Only very few people really pay attention to it. For most customers, the color of the handset is much more important than encrypting their voice.

     

    Sorry if I'm being dense, but what I saw in my tests is that the M9-PBX stream is not encrypted when talking either with an endpoint that does not support SRTP or through a SIP trunk. This is the part I cannot get my head around. My expectation was to have M9-PBX stream encrypted and PBX-sip trunk unencrypted. Thanks for the link; hopefully ZRTP passthrough will be available in Snom ONE soon. From the comments section of that blog post I understand that regular builds don't include ZRTP but a custom one could be provided. If that's the case, can I have it? :) Getting additional M9 endpoints would take care of the encryption issue with key exchange so the ZRTP build would be just for me to toy around with.

     

    However, here is my real life situation that keeps me trying for real encryption. One of the endpoints is in a European country that pumps out hackers on an assembly line. On my last visit I had an account for an online service hacked by sniffing the traffic at the demarc. The endpoint there is now a Grandstream that doesn't support TLS/SRTP and my plan was to replace it with an M9. My Snom ONE PBX is on an Amazon EC2 machine. I'm in the US and I have the M9 here (replaced an M3). So, once I ship an M9 overseas, internal calls are safe (key exchange or ZRTP). What concerns me is the call between the non-US M9 and my cell phone. Since the call to my cell phone will go over the sipgate trunk the encryption will be dropped altogether for the entire stream and not only the PBX-sipgate-cell legs.

  4. The M3 is end of life and never supported TLS/SRTP. So that part is clear.

     

    The m9 should always do SRTP. The indication on the handset can be a little bit "misleading", I would consider that a minor problem. Not sure why that is not the case when you talk to the mailbox. The only idea that I have is that the direct call answer screws something up. There is a ticket SMN-343 for this now, so if there is a bug the fix should be on the way.

     

    Thank you for replying. Not sure why you consider the padlock indication a minor problem. We are talking about security. A phone is advertised and sold as supporting TLS/SRTP and the product datasheets tout security and privacy. Yet, the phone shows an encrypted call but it can be decoded with 2 mouse clicks. Never mind the M3 not supporting TLS/SRTP; it is only about M9. If security is dropped because one endpoint doesn't support it then the padlock should stay open on the M9 screen. If I force codec selection on the registration settings, M9 G722 and M3 G711, then the PBX will do transcoding so media is sure to travel M9-PBX-M3. But in this scenario the entire M9-PBX-M3 stream is unencrypted (M9 padlock shows closed), not only PBX-M3. Where is that ticket you mentioned opened? Is it publicly available to read how it is addressed?

  5. I've been on a quest to secure my voip traffic for some time and it led me to snom ONE; gave up on SRTP on Asterisk. I've been running a snom One pbx on an Amazon AMI for some time with only few issues. Recently I purchased a snom M9 and I started testing the SRTP feature. Below are the test environment and results; further below are my comments on how this is not really working as advertised.

     

    PBX:

     

    PBX Snom One 4.3.0.5020

    Amazon Linux AMI release 2011.09 x32

     

    snom M9: Version 9.4.12-a

     

    PSTN termination: SIP trunk via sipgate

     

    Test setup:

    Voip phones: M9 and M3 connected to the same snom ONE pbx

    Cell phone via SIP trunk

    Wireshark capture ran on the pbx

    Certificates are the default snom certificates on both M9 and pbx

     

    Test Results:

     

    *** with encryption set

    Identity 1 > Account > Registrar = <pbx ip>:<TLS port>;transport=tls * Outbound Proxy = <pbx ip>:<TLS port>;transport=tls

    Identity 1 > SIP > RTP Encryption = on

     

    ~~~logs confirm signaling over TLS (SIP/2.0/TLS)

     

    M9 -> Voicemail

    - padlock = closed

    - decode outgoing = no

    - decode incoming = no

    * call not found in the capture by wireshark VoIP plugin

     

    M9 -> Cell

    - padlock = closed

    - can hear what I say while ringing (see note 1 for explanation) = yes

    - decode outgoing = yes

    - decode incoming = yes

     

    M9 -> M3

    - padlock = closed

    - can hear what I say while ringing = no

    - decode outgoing = yes

    - decode incoming = yes

     

    M3 -> M9

    - padlock = closed

    - can hear what I say while ringing = yes

    - decode outgoing = yes

    - decode incoming = yes

     

    *** with encryption NOT set

    Identity 1 > Account > Registrar = <pbx ip>:<SIP port> * Outbound Proxy = <pbx ip>:<SIP port>

    Identity 1 > SIP > RTP Encryption = off

     

    M9 -> Voicemail

    - padlock = open

    - decode outgoing = no

    - decode incoming = no

    * call found in the capture by wireshark VoIP plugin, decoded but nothing playing

     

    M9 -> Cell

    - padlock = open

    - can hear what I say while ringing = yes

    - decode outgoing = yes

    - decode incoming = yes

     

    M9 -> M3

    - padlock = open

    - can hear what I say while ringing = no

    - decode outgoing = yes

    - decode incoming = yes

     

    M3 -> M9

    - padlock = open

    - can hear what I say while ringing = yes

    - decode outgoing = yes

    - decode incoming = yes

     

    note 1:

    "can hear what I say while ringing" means that while playing the capture decoded with wireshark I can hear myself talking while the remote party is still ringing (before picking up). This is on the caller's stream. So media is transmitted before the call is set up.

     

    =================================

     

    This is it. It looks like the only really secure call is the M9 - Voicemail call. For the tests with the M3 phone I was expecting the M9-PBX leg to be encrypted and PBX-M3 not encrypted. Same for the tests with the cell phone (M9-PBX leg to be encrypted). I'm assuming that a call between 2 M9 phones with encryption set would be indeed encrypted end to end. The tests without encryption set are not relevant for this encryption issue; I tested that way to see if the media is sent early as in the first tests.

     

    So, what am I missing? The closed padlock is certainly misleading. Am I not understanding correctly how this encryption thingy is supposed to work or did I run into some known bugs with M9?
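Whether a leg actually negotiated SRTP can be read from the SDP answer for that leg: with SDES key exchange, an encrypted audio stream is answered as `RTP/SAVP` with an `a=crypto:` line, while `RTP/AVP` means plain RTP. The following is an added example, not part of the original post and not snom code; it assumes the SDP answer is taken from the PBX's SIP log (TLS signalling hides it from the capture), and the sample SDP bodies and the helper name `padlock_should_close` are constructed for illustration.

```python
# Added example: classify SDP media sections as SRTP (SDES keys) or plain RTP.
SECURE_PROFILES = ("RTP/SAVP", "RTP/SAVPF")

def media_security(sdp):
    """Return one dict per m= section, each with a 'verdict' field."""
    sections, current = [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            parts = line[2:].split()
            if len(parts) < 3:
                current = None  # malformed m= line: ignore its attributes
                continue
            port = parts[1].split("/")[0]  # "49170/2" carries a port count
            current = {"media": parts[0],
                       "port": int(port) if port.isdigit() else 0,
                       "profile": parts[2].upper(), "crypto": False}
            sections.append(current)
        elif current is not None and line.startswith("a=crypto:"):
            current["crypto"] = True
    for s in sections:
        secure = s["profile"] in SECURE_PROFILES
        if s["port"] == 0:
            s["verdict"] = "rejected"            # port 0 = stream declined
        elif secure and s["crypto"]:
            s["verdict"] = "srtp"
        elif secure:
            s["verdict"] = "srtp-profile-no-key"  # SAVP but no key offered
        else:
            s["verdict"] = "plain-rtp"            # RTP/AVP answer is cleartext
    return sections

def padlock_should_close(answer_sdp):
    """True only if every accepted audio stream in the answer is SRTP."""
    audio = [s for s in media_security(answer_sdp)
             if s["media"] == "audio" and s["verdict"] != "rejected"]
    return bool(audio) and all(s["verdict"] == "srtp" for s in audio)

# Constructed SDP answers (not taken from the thread's capture).
HEAD = "v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
ANSWER_SRTP = HEAD + ("m=audio 49170 RTP/SAVP 9\r\n"
                      "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER\r\n"
                      "a=rtpmap:9 G722/8000\r\n")
ANSWER_PLAIN = HEAD + "m=audio 49170 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n"

if __name__ == "__main__":
    for name, sdp in (("srtp", ANSWER_SRTP), ("plain", ANSWER_PLAIN)):
        print(name, padlock_should_close(sdp), media_security(sdp))
```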

  6. Hmm... We tested it here on Win32/snomONE and it seems to work fine. What are you using as the OS there?

     

    Hi,

     

    I'm using it on CentOS Amazon AMI, x32. Your screenshot is different than mine; is that from the beta you mentioned earlier?

  7. Which version of PBX software are you using? If you are using 4.2.1.4025 & later, you should see the selected greeting file(s) on the web interface itself.

    Then when you are in the mailbox main menu and press 9, it should play out something like "For - <Message1>, press 0, For - <Message2> press 1 etc"

     

    In the new version (beta will be released this week), we have made some improvements to the web interface too. In that version you can see/play/select a specific greeting from the web interface itself.

     

     

    4.3.0.5020

     

    Nope, after I upload them I'm not given those choices in PM.

  8. This setting is to upload your personal greetings, you will have the ability to choose them when you call into your mailbox, you can also record them when you call into the PM as well. Option 4 will have you record your greeting and Option 9 will have you choose them.

     

     

    Thanks for replying. The thing is that after I upload them, they are not given as options when calling PM and pressing 9. Also, there is no confirmation that they are actually uploaded and so far I haven't found them on the file system.

  9. That worked!

     

    I removed the certificates I had imported (all except snom certificates) and imported the one in the thread you linked to as Trusted Root CA for server authentication. Also, I changed to Account: user@gmail.com (instead of Account: user).

     

    Thanks a lot for your help.

     

     

    Please try:

    Account: user@gmail.com

     

    Did you import the certificate as server root CA? See details here: http://forum.snomone.com/index.php?/topic/3993-cannot-send-email-via-gmail-on-4203958/page__p__17173#entry17173

     

    If it still doesn't work, please printscreen your Certificates page and post it here

  10. Hello,

     

    I'm using snom One Version: 2011-4.2.0.3981 (Win64) and I can't figure out how to send voicemails to email using gmail.

     

    The email configuration is:

     

    from address: user@gmail.com

    Account: user

    Password: password

    SMTP server: smtp.gmail.com:587

    Encryption: Automatic

     

    And this is what is constantly reported in the log:

    [4] 2011/05/15 14:14:15: Certificate for Equifax Secure Certificate Authority not available

    [5] 2011/05/15 14:14:15: SMTP: Connection refused on 209.85.225.109:587

     

    I imported the GeoTrust Global CA and GeoTrust Primary Certification Authority but still no dice.

     

    Thanks in advance for any help.

  11. Hello,

     

    While setting up a sip trunk with sipgate, it registers successfully initially but a few minutes later it shows "400 Bad Request (Registration failed, retry after 60 seconds)". Setting keepalive to different values (30, 60, 180) didn't seem to make a difference.

     

    This is a screenshot of the trunk status: capture

     

    And the logs below. I noticed P-Registrar-Error: Invalid CSeq number at the end. Does that point to a bad SIP implementation? If it does, which one, snom ONE or sipgate?

     

     

    REGISTER sip:sipgate.com SIP/2.0

    Via: SIP/2.0/UDP yy.yy.yy.yy:5060;branch=z9hG4bK-99919a0008f368a0dc31dd56a884570c;rport

    From: "****" <sip:****@sipgate.com>;tag=22009

    To: "****" <sip:****@sipgate.com>

    Call-ID: 1til7rhv@pbx

    CSeq: 4891 REGISTER

    Max-Forwards: 70

    Contact: <sip:****@yy.yy.yy.yy:5060;transport=udp;line=e4da3b7f>;+sip.instance="<urn:uuid:c8d3c441-6829-4e9b-86d0-e12afdabc4f2>"

    User-Agent: snom-PBX/4.2.0.3950

    Supported: outbound

    Expires: 3600

    Content-Length: 0

     

    [9] 2010/11/21 11:33:03: SIP Rx udp:204.155.28.10:5060:

    SIP/2.0 401 Unauthorized

    Via: SIP/2.0/UDP yy.yy.yy.yy:5060;received=yy.yy.yy.yy;branch=z9hG4bK-99919a0008f368a0dc31dd56a884570c;rport=5060

    From: "****" <sip:****@sipgate.com>;tag=22009

    To: "****" <sip:****@sipgate.com>;tag=ebea40332804c9eac6fca132b3193bcb.cbcb

    Call-ID: 1til7rhv@pbx

    CSeq: 4891 REGISTER

    WWW-Authenticate: Digest realm="sipgate.com", nonce="4ce958fb03a273b0f769047ecc57d71969169e9d"

    Content-Length: 0

     

    [8] 2010/11/21 11:33:03: Answer challenge with username ****

    [9] 2010/11/21 11:33:03: Resolve 126: udp 204.155.28.10 5060 udp:1

    [9] 2010/11/21 11:33:03: SIP Tx udp:204.155.28.10:5060:

    REGISTER sip:sipgate.com SIP/2.0

    Via: SIP/2.0/UDP yy.yy.yy.yy:5060;branch=z9hG4bK-94e04b8c0caa173656b5a21dec574eae;rport

    From: "****" <sip:****@sipgate.com>;tag=22009

    To: "****" <sip:****@sipgate.com>

    Call-ID: 1til7rhv@pbx

    CSeq: 45315 REGISTER

    Max-Forwards: 70

    Contact: <sip:****@yy.yy.yy.yy:5060;transport=udp;line=e4da3b7f>;+sip.instance="<urn:uuid:c8d3c441-6829-4e9b-86d0-e12afdabc4f2>"

    User-Agent: snom-PBX/4.2.0.3950

    Supported: outbound

    Authorization: Digest realm="sipgate.com",nonce="4ce958fb03a273b0f769047ecc57d71969169e9d",response="c73a9c2d7128fb559ac15d008323121a",username="****",uri="sip:sipgate.com",algorithm=MD5

    Expires: 3600

    Content-Length: 0

     

    [9] 2010/11/21 11:33:03: Message repetition, packet dropped

    [9] 2010/11/21 11:33:04: SIP Rx udp:204.155.28.10:5060:

    SIP/2.0 400 Bad Request

    Via: SIP/2.0/UDP yy.yy.yy.yy:5060;received=yy.yy.yy.yy;branch=z9hG4bK-94e04b8c0caa173656b5a21dec574eae;rport=5060

    From: "****" <sip:****@sipgate.com>;tag=22009

    To: "****" <sip:****@sipgate.com>;tag=ebea40332804c9eac6fca132b3193bcb.1ba3

    Call-ID: 1til7rhv@pbx

    CSeq: 45315 REGISTER

    Contact: <sip:****@yy.yy.yy.yy:5060;transport=udp;line=e4da3b7f>;expires=419

    P-Registrar-Error: Invalid CSeq number

    Content-Length: 0

     

    [5] 2010/11/21 11:33:04: Registration on trunk 5 (SIPGate) failed. Retry in 60 seconds
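RFC 3261 section 10.2 has a UA increment the CSeq value by one for each REGISTER request sent with the same Call-ID. The following is an added example, not part of the original post and not snom or sipgate code: it walks a PBX-style SIP trace and reports REGISTER requests whose CSeq is not exactly one higher than the previous REGISTER on that Call-ID. The sample trace is abbreviated from the log above, and the function names are assumptions made for the example.

```python
# Added example: flag REGISTER requests whose CSeq does not follow prev + 1.
import re

START_RE = re.compile(
    r"^(?:(?P<method>[A-Z]+) \S+ SIP/2\.0|SIP/2\.0 (?P<status>\d{3})\b.*)$")
HDR_RE = re.compile(r"^(Call-ID|CSeq):\s*(.+)$", re.IGNORECASE)

def parse_messages(trace):
    """Split a log into SIP messages, keeping only Call-ID and CSeq."""
    msgs = []
    for raw in trace.splitlines():
        line = raw.strip()
        start = START_RE.match(line)
        if start:
            msgs.append({"method": start.group("method"),
                         "status": start.group("status")})
        elif msgs:
            hdr = HDR_RE.match(line)
            if hdr:  # first occurrence wins; PBX log lines are ignored
                msgs[-1].setdefault(hdr.group(1).lower(), hdr.group(2).strip())
    return msgs

def cseq_gaps(trace):
    """Return (call_id, previous_cseq, cseq) for each out-of-step REGISTER."""
    last, gaps = {}, []
    for msg in parse_messages(trace):
        if msg["method"] != "REGISTER" or "cseq" not in msg or "call-id" not in msg:
            continue  # responses and other methods are not checked
        number = int(msg["cseq"].split()[0])
        call_id = msg["call-id"]
        if call_id in last and number != last[call_id] + 1:
            gaps.append((call_id, last[call_id], number))
        last[call_id] = number
    return gaps

# Abbreviated from the log in the post above (headers trimmed).
TRACE = """\
REGISTER sip:sipgate.com SIP/2.0
Call-ID: 1til7rhv@pbx
CSeq: 4891 REGISTER

[9] 2010/11/21 11:33:03: SIP Rx udp:204.155.28.10:5060:
SIP/2.0 401 Unauthorized
Call-ID: 1til7rhv@pbx
CSeq: 4891 REGISTER

[9] 2010/11/21 11:33:03: SIP Tx udp:204.155.28.10:5060:
REGISTER sip:sipgate.com SIP/2.0
Call-ID: 1til7rhv@pbx
CSeq: 45315 REGISTER
"""

if __name__ == "__main__":
    print(cseq_gaps(TRACE))
```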
