Tls: Difference between revisions

From VoIPmonitor.org
Jump to navigation Jump to search
No edit summary
No edit summary
Line 1: Line 1:
Since version 11 VoIPmonitor sniffer is able to decode and decrypt TLS SIP protocol by providing private key. Currently the code is in GIT develop branch and here is statically beta version 64bit which should run on any >= 2.6.18 linux.  
Since version 11 VoIPmonitor sniffer is able to decode and decrypt TLS SIP protocol by providing private key.  
 
Please note that the sniffer only supports TLS layer and not SSL layer which you can verify in CLIENT HELLO packet in wireshark where you can see SSL or TLS in header. SSL 2.0 is vulnerable so it should not be used.  


Decrypted SIP packets are converted to virtual UDP packets with the same ethernet headers replacing the IP TCP layer with UDP so you will not see the TCP stream in stored pcap files.  
Decrypted SIP packets are converted to virtual UDP packets with the same ethernet headers replacing the IP TCP layer with UDP so you will not see the TCP stream in stored pcap files.  

Revision as of 16:02, 14 July 2015

Since version 11 VoIPmonitor sniffer is able to decode and decrypt TLS SIP protocol by providing private key.

Please note that the sniffer only supports TLS layer and not SSL layer which you can verify in CLIENT HELLO packet in wireshark where you can see SSL or TLS in header. SSL 2.0 is vulnerable so it should not be used.

Decrypted SIP packets are converted to virtual UDP packets with the same ethernet headers replacing the IP TCP layer with UDP so you will not see the TCP stream in stored pcap files.

TLS feature is still in beta - if you will have any problems which are reproducible we need to see pcap file with the TLS packets (no need for RTP) and of course the private key.

Please note that TLS where cipher suite is set to Diffie–Hellman key exchange is not possible to decode in any way. It is possible only if your software (PBX/SBC) is storing key for each TLS session but still this feature is not supported. The only solution is to change the cipher suite to use anything else than diffie hellman cipher suites.


Download

Link to beta version: http://download.voipmonitor.org/voipmonitor-tls

Or compile from source (git develop branch)

Configuration

add to the voipmonitor.conf

ssl_ipport = 10.0.0.1 : 5061 /etc/private.key

where 10.0.0.1 is server with TLS port 5061. Private key is in /etc/private.key and it is in PEM format (starting with -----BEGIN RSA PRIVATE KEY-----)