asterCC, hosted call center solution based asterisk » zh » 常见问题及解答 » sip话机使用tls注册astercc系统方法
您的足迹:
显示页面修订记录
最近更改网站地图

差别

这里会显示出您选择的修订版和当前版本之间的差别。

到此差别页面的链接

两侧同时换到之前的修订记录 前一修订版
后一修订版 		前一修订版
zh:常见问题及解答:sip话机使用tls注册astercc系统方法 [2016/12/29 09:18]
liuxl 		zh:常见问题及解答:sip话机使用tls注册astercc系统方法 [2017/12/12 03:05] (当前版本)
行 1: 行 1:
-<​note>​本篇文章已yealink话机为例,使用TLS传输方式注册astercc系统。</​note>​+<​note>​本篇文章已yealink话机为例,使用TLS传输方式注册astercc系统,其它品牌SIP话机也可以此为参考。</​note>​
  
-  *首先更改【系统设置】-->​【基本SIP配置】-->​如果需要tcp、udp、tls传输方式共存参考下+  *首先更改【系统设置】-->​【基本SIP配置】参考下:
  
-**tcpenable**: 选择“是”+**transport**: 增加tls,​tcp,​udp多个协议使用逗号隔开
  
-**transport**: 填写udp,​tcp,​tls +{{:​zh:​常见问题及解答:​selection_0399999.png?750|}}
- +
-{{:​zh:​常见问题及解答:​selection_033.png?1000|}}+
  
 <note tip>​更改配置完成后,需点击上方配置条重载生效。</​note>​ <note tip>​更改配置完成后,需点击上方配置条重载生效。</​note>​
  
-  *使用官方ast_tls_cert脚本生成证书没有的话使用如下命令创建脚本并赋予可执行权限+  *下载asterisk官方ast_tls_cert脚本,使用脚本生成SSL证书
  
-<​code>​cat << EOF > ast_tls_cert +<​code>​wget http://download3.astercc.org/​ast_tls_cert</​code>​
-#!/bin/sh -e +
-DEFAULT_ORG="​Asterisk"​ +
-DEFAULT_CA_CN="​Asterisk Private CA" +
-DEFAULT_CLIENT_CN="​asterisk"​ +
-DEFAULT_SERVER_CN=`hostname -f`+
  
-# arguments +<​code>​chmod +x ast_tls_cert</​code>​
-# $1 "​ca"​ if we are to generate a CA cert +
-# $2 alternate config file name (for ca) +
-# $3 alternate common name +
-# $4 alternate org name +
-create_config () { +
- if [ "​$1"​ = "​ca"​ ] +
- then +
-castring="​ +
-[ext] +
-basicConstraints=CA:​TRUE"​ +
- fi+
  
-cat ${2:-"${CONFIG_FILE}"<< EOF +<code>./​ast_tls_cert ​-C pbx.asterisk.com -O "xxxxx" ​-d /​etc/​asterisk/​keys ​ 注:xxxxx为密钥</code>
-[req] +
-distinguished_name = req_distinguished_name +
-prompt = no+
  
-[req_distinguished_name] +{{:zh:​常见问题及解答:​selection_034.png?​750|}}
-CN=${3:-"${COMMON_NAME}"​} +
-O=${4:-"​${ORG_NAME}"​} +
-${castring} +
-EOF +
-}+
  
-create_ca () { +<​code>​chown ​-R asterisk.asterisk ​/etc/asterisk/keys</code>
- echo "​Creating ${CAKEY}"​ +
- openssl genrsa ​-des3 -out ${CAKEY} 4096 > /dev/null +
- echo "​Creating ${CACERT}"​ +
- openssl req -new -config ${CACFG} -x509 -days 365 -key ${CAKEY} -out ${CACERT} > /dev/null +
-}+
  
-create_cert () { +<code>asterisk ​-rx "sip reload"</code>
- local base=${OUTPUT_DIR}/​${OUTPUT_BASE} +
- echo "​Creating ${base}.key"​ +
- openssl genrsa -out ${base}.key 1024 /dev/null +
- echo "​Creating signing request"​ +
- openssl req -batch -new -config ${CONFIG_FILE} -key ${base}.key -out ${base}.csr > /dev/null +
- echo "Creating ${base}.crt" +
- openssl x509 -req -days 365 -in ${base}.csr -CA ${CACERT} -CAkey ${CAKEY} -set_serial 01 -out ${base}.crt > /dev/null +
- echo "​Combining key and crt into ${base}.pem"​ +
- cat ${base}.key > ${base}.pem +
- cat ${base}.crt >${base}.pem +
-}+
  
-usage () { +  *查看asterisk的TLS设置,监听端口为5061。
-cat << EOF +
-This script is useful for quickly generating self-signed CA, server, and client +
-certificates for use with Asterisk. It is still recommended to obtain +
-certificates from a recognized Certificate Authority and to develop an +
-understanding how SSL certificates work. Real security is hard work.+
  
-OPTIONS: +{{:​zh:​常见问题及解答:​选区_0083.png?750|}}
-  -h  Show this message +
-  -m  Type of cert "​client"​ or "​server"​. Defaults to server. +
-  -f  Config filename (openssl config file format) +
-  -c  CA cert filename (creates new CA cert/key as ca.crt/​ca.key if not passed) +
-  -k  CA key filename +
-  -C  Common name (cert field) +
-        This should be the fully qualified domain name or IP address for +
-        the client or server. Make sure your certs have unique common +
-        names. +
-  -O  Org name (cert field) +
-        An informational string (company name) +
-  -o  Output filename base (defaults to asterisk)  +
-  -d  Output directory (defaults to the current directory) +
- +
-Example: +
- +
-To create a CA and a server (pbx.mycompany.com) cert with output in /tmp: +
-  ast_tls_cert -C pbx.mycompany.com -O "My Company"​ -d /tmp +
- +
-This will create a CA cert and key as well as asterisk.pem and the the two +
-files that it is made from: asterisk.crt and asterisk.key. Copy asterisk.pem +
-and ca.crt somewhere (like /​etc/​asterisk) and set tlscertfile=/​etc/​asterisk.pem +
-and tlscafile=/​etc/​ca.crt. Since this is a self-signed key, many devices will +
-require you to import the ca.crt file as a trusted cert. +
- +
-To create a client cert using the CA cert created by the example above: +
-  ast_tls_cert -m client -c /tmp/ca.crt -k /tmp/ca.key -C phone1.mycompany.com \\ +
-    -O "My Company"​ -d /tmp -o joe_user +
- +
-This will create client.crt/​key/​pem in /tmp. Use this if your device supports +
-a client certificate. Make sure that you have the ca.crt file set up as +
-a tlscafile in the necessary Asterisk configs. Make backups of all .key files +
-in case you need them later. +
-EOF +
-+
- +
-if ! type openssl >/​dev/​null 2>&​1 +
-then +
- echo "This script requires openssl to be in the path"​ +
- exit 1 +
-fi +
- +
-OUTPUT_BASE=asterisk # Our default cert basename +
-CERT_MODE=server +
-ORG_NAME=${DEFAULT_ORG} +
- +
-while getopts "​hf:​c:​k:​o:​d:​m:​C:​O:"​ OPTION +
-do +
- case ${OPTION} in +
- h) +
- usage +
- exit 1 +
- ;; +
- f) +
- CONFIG_FILE=${OPTARG} +
- ;; +
- c) +
- CACERT=${OPTARG} +
- ;; +
- k) +
- CAKEY=${OPTARG} +
- ;; +
- o) +
- OUTPUT_BASE=${OPTARG} +
- ;; +
- d) +
- OUTPUT_DIR=${OPTARG} +
- ;; +
- m) +
- CERT_MODE=${OPTARG} +
- ;; +
- C) +
- COMMON_NAME=${OPTARG} +
- ;; +
- O) +
- ORG_NAME=${OPTARG} +
- ;; +
- ?) +
- usage +
- exit +
- ;; +
- esac +
-done +
- +
-if [ -z "​${OUTPUT_DIR}"​ ] +
-then +
- OUTPUT_DIR=. +
-else +
- mkdir -p "​${OUTPUT_DIR}"​ +
-fi +
- +
-umask 177 +
- +
-case "​${CERT_MODE}"​ in +
- server) +
- COMMON_NAME=${COMMON_NAME:​-"​${DEFAULT_SERVER_CN}"​} +
- ;; +
- client) +
- COMMON_NAME=${COMMON_NAME:​-"​${DEFAULT_CLIENT_CN}"​} +
- ;; +
- *) +
- echo +
- echo "​Unknown mode. Exiting."​ +
- exit 1 +
- ;; +
-esac +
- +
-if [ -z "​${CONFIG_FILE}"​ ] +
-then +
- CONFIG_FILE="​${OUTPUT_DIR}/​tmp.cfg"​ +
- echo +
- echo "No config file specified, creating '​${CONFIG_FILE}'"​ +
- echo "You can use this config file to create additional certs without"​ +
- echo "​re-entering the information for the fields in the certificate"​ +
- create_config +
-fi +
- +
-if [ -z ${CACERT} ] +
-then +
- CAKEY=${OUTPUT_DIR}/​ca.key +
- CACERT=${OUTPUT_DIR}/​ca.crt +
- CACFG=${OUTPUT_DIR}/​ca.cfg +
- create_config ca "​${CACFG}"​ "​${DEFAULT_CA_CN}"​ "​${DEFAULT_CA_ORG}"​ +
- create_ca +
-fi +
- +
-create_cert +
-EOF</​code>​ +
- +
-  *使用命令在/​etc/​asterisk/​keys路径下生成SSL证书。 +
- +
-<​code>​./​ast_tls_cert -C pbx.sorry.com -O "My Computer"​ -d /​etc/​asterisk/​keys</​code>​ +
- +
-{{:​zh:​常见问题及解答:​selection_034.png?1000|}}+
  
   *编辑sip.conf文件增加asterisk对TLS的支持。   *编辑sip.conf文件增加asterisk对TLS的支持。
  
-{{:​zh:​常见问题及解答:​selection_03555555555.png?​1000|}}+{{:​zh:​常见问题及解答:​selection_03555555555.png?​750|}}
  
   *yealink上传客户端SSL认证证书ca.crt。   *yealink上传客户端SSL认证证书ca.crt。
  
-{{:​zh:​常见问题及解答:​selection_037777777.png?​1000|}}+{{:​zh:​常见问题及解答:​selection_037777777.png?​750|}}
  
-{{:​zh:​常见问题及解答:​selection_03888888.png?​1000|}}+{{:​zh:​常见问题及解答:​selection_03888888.png?​750|}}
  
   *yealink话机改传输方式为TLS注册astercc系统。   *yealink话机改传输方式为TLS注册astercc系统。
  
-{{:​undefined:​selection_03666666666.png?​1000|}}+{{:​undefined:​selection_03666666666.png?​750|}} 
 + 
 +<note tip>​请在iptables上为TLS方式注册放行tcp 5006、5061端口。</​note>​ 
 + 
 +参考:[[https://​translate.google.com.hk/​translate?​hl=zh-CN&​sl=en&​u=https://​wiki.asterisk.org/​wiki/​display/​AST/​Secure%2BCalling%2BTutorial&​prev=search|外部参考链接]]
zh/常见问题及解答/sip话机使用tls注册astercc系统方法.1483003130.txt.gz · 最后更改: 2017/12/12 03:11 (外部编辑)
显示页面修订记录
反向链接回到顶部
Recent changes RSS feed Debian Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki