On 21/06/13 01:18, johnc wrote:
Hi,
I've been interested for some time in federated secure communications systems and in particular voice systems. I am a firm believer in the right to privacy. I am appalled but not entirely surprised by the latest revelations concerning PRISM.
I recently updated Daniel-Constantin Mierla's:
http://kb.asipto.com/kamailio:skype-like-service-in-less-than-one-hour
for kamailio 4 + jitsi, see below:
https://www.johncahill.net/wiki/index.php/Skype_like_conferencing_System
This config allows for TLS+ZRTP encrypted calls to be made between jitsi clients connected to different kamailio servers.
I would like some feedback on how to improve this config. I will flag up some failings straight away:
- Inter-domain peer to peer presence sharing doesn't work. Only intra-domain presence sharing.
- TLS is enforced crudely by an iptables based firewall only allowing communications on port TCP 5061 TLS
If the TCP and UDP ports are disabled in the Kamailio config, does that have a similar effect, forcing everything over TLS?
Is there any technical issue in Kamailio preventing mutual TLS validation from occurring?
One of the reasons I recommend Kamailio to people over the other SER variants is the TLS support is intended to do these things.
- The config uses DNS to establish the transport available on the remote proxy. It doesn't use DNSSEC to do this.
I'm not sure if DNSSEC matters if the TLS certificate is valid - some people may prefer to trust the TLS cert and not place any trust in the DNSSEC trust model.
I will add any improvements to my wiki and please feel free to cut paste + share.
I would like to share working recipes in a similar way to that done by Daniel Pocock and others on this list. Thanks, your work has inspired me.
Once it is more refined, I'd be happy to integrate it with the site www.rtcquickstart.org
Have you tested calling between a Kamailio user and repro user? Ideally they should be fully interoperable and if there is any fault on the repro side, please raise it on repro-users.
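
The listener and mutual-verification settings raised in the message above, as an added configuration sketch that is not part of the original message or of the wiki config it links to. The address 192.0.2.10 and all file paths are placeholders; the directive names are those of the Kamailio core and its tls module.

```cfg
# ---- kamailio.cfg ----
# Before: sockets on every transport; only the iptables rule keeps
# traffic on TCP 5061.
#   listen=udp:192.0.2.10:5060
#   listen=tcp:192.0.2.10:5060
#   listen=tls:192.0.2.10:5061

# After: the only socket Kamailio opens is the TLS one.
# Do not set disable_tcp=yes here: TLS runs on top of the TCP stack,
# so disabling TCP disables TLS as well.
enable_tls=yes
listen=tls:192.0.2.10:5061          # placeholder address

loadmodule "tls.so"
modparam("tls", "config", "/etc/kamailio/tls.cfg")   # placeholder path

# ---- /etc/kamailio/tls.cfg ----
# Inbound connections (Kamailio acts as TLS server).
[server:default]
private_key = /etc/kamailio/tls/server.key           # placeholder path
certificate = /etc/kamailio/tls/server.crt           # placeholder path
ca_list = /etc/kamailio/tls/ca-bundle.crt            # CAs trusted for peer certificates
verify_certificate = yes     # validate the certificate the peer presents
require_certificate = yes    # reject peers that present no certificate
# Caveat: this profile covers every inbound connection on the socket,
# so Jitsi clients registering here would need client certificates too.

# Outbound connections (Kamailio acts as TLS client towards the remote proxy).
[client:default]
private_key = /etc/kamailio/tls/server.key
certificate = /etc/kamailio/tls/server.crt
ca_list = /etc/kamailio/tls/ca-bundle.crt
verify_certificate = yes     # validate the remote proxy's certificate chain
require_certificate = yes    # fail the connection if none is presented
```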