Open GoogleCodeExporter opened 9 years ago
I took some traces and the need is not to implement 5061 but SIP-TLS on port
5061.
Original comment by pierre.w...@gmail.com
on 10 Aug 2010 at 1:06
What wizard are you using for your account?
For now, only the Expert wizard will allow you to set the port.
It should work. Just set the registrar uri to sip:domain.name:5061 and proxy
server to sip:domain.name:5061.
Note : if you have an existing account, you can change the edit wizard by
Editing > Menu > Choose Wizard (and then change it into an expert account).
Then you'll be able to modify both registrar uri and proxy uri.
Original comment by r3gis...@gmail.com
on 10 Aug 2010 at 1:07
Oh ok.
In the absolute the native stack has this capability. But no user interface to
configure it :).
To be done !
Original comment by r3gis...@gmail.com
on 10 Aug 2010 at 1:14
pjsip must be compiled with the TLS option enabled. And that means, pjsip is
looking for openssl header+libs. openssl is present on Android, but I am not
sure how to build & link against this provided version. In worst case you would
have to provide your own copy of openssl. But I didn't dig very deep into this.
So I am not sure if this would be necessary or not. You know probably better.
Furthermore, once you have pjsip with TLS capabilities (and exposed a config
option to the GUI), we can also enable SRTP (media encryption). That would be a
fantastic match!
TLS(SIP) + SRTP is something many people are looking for. "Vendors" like Snom,
Aastra, Counterpath, etc. have implemented this already. Would be great to see
it on csipsimple too.
Thanks a lot for your hard work!!
Original comment by Ingmar.S...@googlemail.com
on 23 Aug 2010 at 12:35
Issue 241 has been merged into this issue.
Original comment by r3gis...@gmail.com
on 25 Sep 2010 at 2:10
Even with version CSipSimple_0.00-15-10 it's not possible to use TLS.
The REGISTRATION and/or PROXY settings suffix ";transport=tls" doesn't change
anything. Also the optional Port doesn't care.
Original comment by kumum...@googlemail.com
on 8 Nov 2010 at 10:42
Indeed, for now dev builds are not built with openssl bundled in, so TLS should
not work.
As it deeply increases the size of the library, I'll soon create a release
branch with TLS support activated, so that you can test the feature.
Besides, options should not appear anymore in the future if the library is not
present (since it could create confusion in the mind of users).
Original comment by r3gis...@gmail.com
on 9 Nov 2010 at 8:20
what is the current state of tls support?
Original comment by marcello...@gmail.com
on 13 Nov 2010 at 6:30
For now, only available if you build the lib by hand. With openssl activated
and MY_USE_TLS set to 1.
I didn't get time to really have a close look at the issue yet (I have to set up a
sip server on my PC with TLS activated to be able to test on and be sure that
what I release is reliable).
Original comment by r3gis...@gmail.com
on 13 Nov 2010 at 8:55
Issue 271 has been merged into this issue.
Original comment by r3gis...@gmail.com
on 14 Nov 2010 at 6:12
0.00-15-13-tls is available to test TLS
How about settings :
First of all, you should activate TLS.
Settings > Network > Secure transport -> Enable TLS (and also maybe SRTP could be a good idea)
Then configure your TLS account :
Account > Add > Expert (you can start by a Basic and then transform it into an Expert)
Registrar URI + proxy URI : you should probably put something with sips (_s_) protocol, it will automatically choose 5061 as remote port, which should be the default on your server.
In transport you must choose TLS.
If you want secure media for SRTP mode choose optional or mandatory.
And everything then should be fine :).
Registers and calls will be done using TLS. Media will try/force
(optional/mandatory) use of SRTP.
I've not yet tested other TLS methods than TLSv1 (I mean not SSLv*), nor played
with sips:xxx to make calls (the UI doesn't permit that).
But at least for TLS it seems to work fine right now.
Original comment by r3gis...@gmail.com
on 16 Nov 2010 at 9:14
thanks for setting this up and creating a locked status notification to boot!
I noticed that the lock showed up whether my connection was made with TLS or
not (if I had srtp enabled). As a possible future enhancement it would be nice to
differentiate between different crypto statuses.
little mockup here
http://i.imgur.com/oiF4n.png
should I create a separate issue?
Original comment by wheresau...@lavabit.com
on 16 Nov 2010 at 10:58
Excellent,
Just tested with my corporate VOIP solution and it's working.
Note : in my case I also added the s to sip (sips) account id.
Thanks a lot!
Original comment by pierre.w...@gmail.com
on 16 Nov 2010 at 11:03
GREAT!
However, I have a non standard TLS port (ie not 5061) to connect to. I have
tried putting the port I should connect to in the TLS port settings but I can
not get registration.
Any tips on how I could get this to work would be great! (BTW I tested with
port 5061 and it works great, but I have to use another port)
Thanks
Original comment by mcampbel...@gmail.com
on 16 Nov 2010 at 11:13
Ok for the lock icon. This icon was just the first hint ;) (it only indicates
SRTP status for now). But indeed, it should indicate both SIP (control) and Media
encryption status. I have to think a little bit more about where and how to put
it (as this part of the screen will soon be useful for multiple call
management, I'll maybe choose a different approach than an icon here; maybe I'll
get inspired by what browsers do with https).
Maybe the color of "SIP" under the picture can be enough to indicate for
control encryption state, and picture shadow color (yellow) for the media...
Original comment by r3gis...@gmail.com
on 16 Nov 2010 at 11:19
@mcampbellsmith : the port in TLS settings is not the good place to change the
port to use on your account (that's just the local port on the client side in
global settings).
To change in your account, you should just change registrar uri to something
like that :
sips:your_server:8562 (where 8562 is your custom port for example)
and same thing in proxy uri.
(It makes sense : you want to change the port for this account, not for the
entire app... so the setting is in the account settings ;) )
Original comment by r3gis...@gmail.com
on 16 Nov 2010 at 11:22
@r3gis.3R ... PERFECT!
Original comment by mcampbel...@gmail.com
on 17 Nov 2010 at 12:11
Perfect work!!!
Original comment by marcello...@gmail.com
on 18 Nov 2010 at 3:55
Does this mean that ISPs can't tell that the connection is sip (forced
neutrality?) or is the ISP able to tell it's sip, just unable to listen into
the conversation?
Original comment by kro...@gmail.com
on 19 Nov 2010 at 11:18
For those who want to keep up to date with TLS support :
http://nightlies.csipsimple.com/tls/
(Builds each night @ 5:01 CET)
:D
Original comment by r3gis...@gmail.com
on 6 Dec 2010 at 1:22
Oh and @krolaw : Indeed, the ISP doesn't see it's sip : with transport=tls it's
just like https. Content is encrypted so impossible for anyone to detect what is
on the flow.
The only thing that remains is the default port : 5061 (like 443 for https) but
it can be changed.
Then to encrypt totally (not only sip exchange but also media exchange), you
can also use SRTP (or soon thanks to Werner's contribution, ZRTP).
Media and signal (SIP control) are independent from the transport point of
view. So media can be encrypted but not the signaling, or the inverse, or both
encrypted.
Original comment by r3gis...@gmail.com
on 6 Dec 2010 at 1:26
Hi!
I'm trying to start CSipSimple-r419-tls.apk on HTC Wildfire. Client is
registered, when using UDP, but not when switching on TLS.
Server doesn't receive any packet, in log CSipSimple I found the following:
D/libpjsip(11650): 15:45:33.839 pjsua_acc.c Account <sip:998@192.168.20.231> added with id 0
E/libpjsip(11650): 15:45:33.839 pjsua_acc.c Unable to generate suitable Contact header for registration: Unknown error 171060 [status=171060]
E/libpjsip(11650): 15:45:33.840 pjsua_acc.c Unable to create registration: Unknown error 171060 [status=171060]
Could you, please, tell me how to fix it?
Thank you in advance!
Original comment by dmitrymo...@gmail.com
on 9 Dec 2010 at 3:41
Did you enable TLS in settings -> network -> secure connection?
Original comment by marcello...@gmail.com
on 9 Dec 2010 at 4:23
No, the problem was I didn't enable it. I just didn't notice that menu has
appeared. Thank you
Original comment by dmitrymo...@gmail.com
on 9 Dec 2010 at 4:39
I've been getting force closes when I go to my sip registration config using
the TLS version.
I'm using 0.00-16 r427 TLS; occurs on both my nexus one and mytouch
Original comment by wheresau...@lavabit.com
on 11 Dec 2010 at 6:17
Should be fixed in r433 thx for the report.
Original comment by r3gis...@gmail.com
on 12 Dec 2010 at 7:46
wow nice work :D working again on both phones
Original comment by wheresau...@lavabit.com
on 12 Dec 2010 at 10:37
Hello!
I'm trying to connect 2 installations CSipSimple-r573-tls on TLS+SRTP.
When using TLS/RTP everything is OK, but when switching SRTP to mandatory
hangup happens at once, log is attached.
http://194.44.186.130/storage/csipsimple-tls-srtp.txt
I'm using asterisk, when calling in log I see the following: "process_sdp: We
are requesting SRTP, but they responded without it!"
Could you, please, tell me where is the problem?
Thank you in advance!
Best regards,
Dmitry
Original comment by dmitrymo...@gmail.com
on 10 Jan 2011 at 4:42
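The Asterisk message quoted in the comment above refers to the SDP answer: for SDES-keyed SRTP (RFC 4568) a secured audio stream is signalled with the RTP/SAVP profile and an `a=crypto` attribute. The following is an added example, not part of the thread and not CSipSimple, pjsip or Asterisk code, that classifies a constructed SDP answer for an offerer in optional or mandatory mode; the function names and the sample SDP are assumptions.

```python
import re

SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}

def media_sections(sdp):
    """Parse m= sections: media type, port, transport profile, SDES crypto suites."""
    sections = []
    for raw in sdp.splitlines():
        line = raw.strip()
        m = re.match(r"m=(\S+) (\d+)(?:/\d+)? (\S+)", line)
        if m:
            sections.append({"media": m.group(1), "port": int(m.group(2)),
                             "profile": m.group(3), "suites": []})
        elif line.startswith("a=crypto:") and sections:
            # a=crypto:<tag> <crypto-suite> <key-params>  (RFC 4568)
            fields = line[len("a=crypto:"):].split()
            if len(fields) >= 3:
                sections[-1]["suites"].append(fields[1])
    return sections

def srtp_verdict(answer_sdp, mode):
    """Classify an SDP answer for an offerer whose SRTP mode is 'optional' or 'mandatory'."""
    audio = [s for s in media_sections(answer_sdp)
             if s["media"] == "audio" and s["port"] != 0]  # port 0 = stream refused
    if not audio:
        return "reject"
    keyed = all(s["suites"] for s in audio)
    secure_profile = all(s["profile"] in SECURE_PROFILES for s in audio)
    if mode == "mandatory":
        # Mandatory: anything short of a keyed, secure-profile stream ends the call.
        return "srtp" if keyed and secure_profile else "reject"
    # Optional: fall back to plain RTP when the peer sent no key.
    return "srtp" if keyed else "rtp"

# Constructed SDP answers (addresses, ports and key are made up for this example).
PLAIN_ANSWER = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 14000 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
"""

SRTP_ANSWER = """v=0
o=- 2 2 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 14002 RTP/SAVP 0
a=rtpmap:0 PCMU/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Q09OU1RSVUNURURLRVlDT05TVFJVQ1RFRFNBTFQxMjM0NTY3
"""

if __name__ == "__main__":
    for name, sdp in (("plain", PLAIN_ANSWER), ("srtp", SRTP_ANSWER)):
        print(name, srtp_verdict(sdp, "optional"), srtp_verdict(sdp, "mandatory"))
```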
Is there TLS support in debug mode ?
After building pjsip library and csipsimple from sources, I have no "settings
-> network -> secure connection" in menu.
Could you, please, tell me where is the problem?
Original comment by dmitrymo...@gmail.com
on 27 Jan 2011 at 4:46
@dmitry : you have to turn TLS flag to 1 in Application.mk file to build with
TLS enabled.
http://code.google.com/p/csipsimple/source/browse/trunk/pjsip_android/apps/pjsip/Application.mk
It's not done by default cause app size is much bigger when doing that (I have
to package openssl with the app cause not an official API of android system).
But there are auto builds done each night of TLS. (see nightly build website).
Original comment by r3gis...@gmail.com
on 27 Jan 2011 at 9:00
[deleted comment]
Thank you for your help, r3gis.3R! Now everything is built successfully.
I use "nightly builds", but all the time "Issue 524" appears. I'm trying to
figure out why. As far as I understand it happens because media stream starts
too late.
Original comment by dmitrymo...@gmail.com
on 28 Jan 2011 at 10:01
Issue 1057 has been merged into this issue.
Original comment by r3gis...@gmail.com
on 15 Jun 2011 at 9:01
New nightly build available here :
http://nightlies.csipsimple.com/trunk/
Now TLS and ZRTP are part of trunk builds. ZRTP support should have been really
improved.
As it's a new build toolchain and it's based on a different pjsip version there
is maybe some possible regression, feel free to open new issues about it :).
Also I'm unsure about how it will go on all android phones since the openssl
library is not included into the app but it tries to rely on the one of the
phone.
For now I never found a phone without openssl on it. However, if someone has a
phone without openssl I can produce a plugin which intends to provide openssl
library to CSipSimple.
When this version will become stable, it will be released on android market so
that android market version will also have secure features :)
Original comment by r3gis...@gmail.com
on 20 Nov 2011 at 9:44
After updating to 0.03-01 TLS is not working anymore. My phone is HTC Desire
(r) running android 2.3.3 LeeDroId ROM.
SSL bundled, at least I found this
# ls -l /system/lib/libssl*
-rw-r--r-- root root 183144 2008-08-01 16:00 libssl.so
Any thoughts?
Original comment by hotplug...@gmail.com
on 29 Nov 2011 at 4:36
try the latest trunk, I don't think any of the current RELEASE(0.03-01)
downloads use the new TLS style yet.
http://nightlies.csipsimple.com/trunk/
Original comment by wheresau...@lavabit.com
on 29 Nov 2011 at 5:03
Yep! Indeed the latest trunk works fine, thanks!
Original comment by hotplug...@gmail.com
on 29 Nov 2011 at 5:53
Is there an easy way to find out what sip providers support tls + srtp?
Original comment by dodts...@gmail.com
on 19 Dec 2011 at 6:37
Comment #38 on issue 136 by dodts...@gmail.com: TLS support
http://code.google.com/p/csipsimple/issues/detail?id=136
Is there an easy way to find out what sip providers support tls + srtp?
Original comment by Zyz3...@gmail.com
on 19 Dec 2011 at 6:49
Hello. I'm running CSipSimple trunk 0.04-00 r1158 on Eee Pad Transformer
(Android 3.2.1, US SKU).
But TLS doesn't seem to be working (I don't see any packet sent out from the
device when CSipSimple is configured to "Transport: TLS", while I see packets
when it is set to "Transport: TCP".)
Do you have any idea?
Original comment by s...@khaotic.net
on 8 Jan 2012 at 6:13
Have you enabled TLS transport in global settings? (Menu > Settings > Network >
Secured transport > Enable TLS transport).
I know that's very bad user experience to have to enable manually the transport
while you already configured the transport to be TLS in expert wizard. But I
want to leave the expert wizard to be a raw access to the sip stack
configuration without doing extra conf.
What is planned is to warn about the fact there is something not coherent when
one sets an account transport to TLS while the transport is not enabled in
global settings. But since this is only for expert users for now, that's not
something with high priority ;).
BTW, other wizards that use a known sip provider that has TLS support do that
automatically. (for now there's just tanstagi ;) ).
Original comment by r3gis...@gmail.com
on 8 Jan 2012 at 9:42
I thought I had enabled that (I'm pretty sure I did when I configured latest
release, 0.03-01, on the Market before trying trunk.) but actually is NOT. So,
I went ahead and enabled, and, voila!, it worked.
Thank you very much for pointing that out. I'm looking forward 0.04 to come out
as release.
P.S. I like new icon.
Original comment by s...@khaotic.net
on 8 Jan 2012 at 9:18
Under Settings > Network > Secure transport
I do not see "Enable TLS" only "SRTP Mode"
Anyone know why?
0.03-01 r1108 - 2.2.1
Original comment by hobbs...@gmail.com
on 10 Feb 2012 at 5:45
re: comment 43 updated to r1253 and everything is working
Original comment by hobbs...@gmail.com
on 10 Feb 2012 at 5:56
Yep, market version doesn't have TLS. It was previously a special build and has
been merged to trunk recently. So it's now only in nightly builds ;). And of
course it will be released on the market with next release which will also
bring sip presence and video ;)
Original comment by r3gis...@gmail.com
on 10 Feb 2012 at 9:43
Hello,
I am using nightly build 0.04-00r1250 and trying to set up a TLS + SRTP call
using a test server Asterisk, when CSipSimple tries to register to the server
it uses TLS as required and everything is OK, but when I want to make a call it
keeps using SIP over UDP but not TLS which I can tell by taking a capture on
the server computer. On the other hand I have another CSipSimple client at the
other side which has also TLS+SRTP enabled receiving the call, the SIP messages
between called party and server transported on TLS. To sum up, CSipSimple as
caller uses SIP/UDP and as callee uses TLS. Is there something I am missing?
Thank you,
Original comment by nwpse...@gmail.com
on 14 Feb 2012 at 3:47
Did you enter the "sip proxy" field in the expert wizard mode? If not it may
indeed try to call directly without using the registrar as proxy (and so
without using the TLS transport).
Normally, the good solution to this case would be to have csipsimple supporting
"sips:" scheme in text edit mode (and automatically add it when dialing using
an account that is a tls account). That's the point of another issue (see issue
1545).
But the simpler way for you for now is just to configure your sip server as
the proxy for sip calls (btw, it's pretty standard config ;) -- the basic
wizard configures both registrar and proxy when you enter server name).
Original comment by r3gis...@gmail.com
on 14 Feb 2012 at 3:55
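Two failure modes reported in this thread are configuration mismatches: an account set to TLS while "Enable TLS" is off in global settings (comment of 8 Jan 2012), and an empty proxy field that lets outgoing calls leave over UDP (comment above). The following is an added example, not CSipSimple or pjsip code, of a check that resolves the registrar and proxy URIs the way the thread describes (`sips:` implies TLS and port 5061 unless a port is given) and flags both cases; the account dictionary keys, finding names and host names are hypothetical.

```python
import re

_SIP_URI = re.compile(
    r"^(sips?):(?:[^@;]+@)?([^:;@]+)(?::(\d+))?((?:;[^;]+)*)$", re.I)

def effective_target(uri):
    """Resolve a sip:/sips: URI to (host, port, transport).
    Simplification: no IPv6 literals, no DNS SRV; plain sip: defaults to UDP."""
    m = _SIP_URI.match(uri.strip())
    if not m:
        raise ValueError("not a SIP URI: %r" % uri)
    scheme, host, port, params = m.group(1).lower(), m.group(2), m.group(3), m.group(4)
    kv = dict(p.split("=", 1) for p in params.lower().split(";") if "=" in p)
    transport = "tls" if scheme == "sips" else kv.get("transport", "udp")
    default_port = 5061 if transport == "tls" else 5060
    return host, int(port) if port else default_port, transport

def lint_account(account, global_tls_enabled):
    """Return finding codes for an account dict (hypothetical keys:
    'registrar', 'proxy', 'transport') given the global 'Enable TLS' switch."""
    findings = []
    forced_tls = account.get("transport") == "tls"
    uses_tls = forced_tls or effective_target(account["registrar"])[2] == "tls"
    if not uses_tls:
        return findings
    if not global_tls_enabled:
        # Account asks for TLS but the transport itself is switched off.
        findings.append("TLS_DISABLED_IN_GLOBAL_SETTINGS")
    proxy = account.get("proxy", "").strip()
    if not proxy:
        # Registration is protected, but calls may be sent directly without TLS.
        findings.append("NO_PROXY_CALLS_MAY_BYPASS_TLS")
    elif not forced_tls and effective_target(proxy)[2] != "tls":
        # Assumption of this example: without a forced transport the URI decides.
        findings.append("PROXY_URI_NOT_TLS")
    return findings

if __name__ == "__main__":
    # Constructed account: TLS registrar, proxy left empty, global switch off.
    acct = {"registrar": "sips:pbx.example.test", "proxy": "", "transport": "tls"}
    print(effective_target("sips:your_server:8562"))
    print(lint_account(acct, global_tls_enabled=False))
```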
Thank you for the hint, it works all encrypted now. :)
Original comment by nwpse...@gmail.com
on 14 Feb 2012 at 5:08
I have TLS + ZRTP working and tested between two handsets registered to
Freeswitch in SSLv23 mode and proxying media in pass-through mode. I have a
signed certificate on the server, using CAcert as a root CA. Despite the
"Verify server" option in the TLS preferences, I cannot verify this certificate
and registration fails. When I do not verify it registration is successful. Is
it possible to include some root CAs in the CSip configuration?
Original comment by l...@rockingtiger.com
on 1 Mar 2012 at 11:15
I think that you should add the root CA to android certificates (globally).
However, normally you can also use the "TLS CA file" field to specify a TLS CA
list file.
You can have a look here for the exact meaning of each field.
http://www.pjsip.org/docs/2.0-alpha2/pjsip/docs/html/structpjsip__tls__setting.htm
Normally it requires absolute file path. The best way is probably to put on
sdcard. I never tried however. CSipSimple entirely relies on pjsip for that, so
if it doesn't work probably some problem in pjsip ;).
Maybe my naming of field in csipsimple is not perfect however - if so tell me,
I'll change it -.
Original comment by r3gis...@gmail.com
on 5 Mar 2012 at 2:06
Original issue reported on code.google.com by
pierre.w...@gmail.com
on 10 Aug 2010 at 12:16