Kamailio, TLS, and LetsEncrypt

If you don’t know me… my name is Fred, and I’m a Kamailian. Kamailians are users of Kamailio— an open source SIP server capable of building large scale Voice platforms.

It’s a great product, and in a different post I discuss why I love Kamailio. Today, I want to talk about TLS, Kamailio, and Lets Encrypt.

TLS stands for Transport Layer Security, the successor of SSL (aka what you consider safe web browsing).

The primary goal of TLS is privacy. And that’s what we’re going after here… increasing the privacy of your communication.

Kamailio supports TLS, but in the past, people have found it difficult to deploy and there were two main options:

1. Use a purchased certificate
   • Pro: easy to deploy on client side
   • Cons: expensive, painful acquisition model
2. Use a self-signed certificate
   • Pro: free
   • Cons: difficult to deploy on client side

With a self-signed certificate, clients (end users) would generally receive a message indicating that the TLS connection was not trusted; making them question the security and just basically causing unneeded drama.

Let’s Encrypt Makes it Better

Now, with Let’s Encrypt, we have a very quick, easy way to add TLS to your communications. Let’s Encrypt is a new certificate authority that provides free certificates very quickly. Since the certificates are recognized/trusted by your end users, the solution because free, fast, and easy to deploy.

Thanks to the default Kamailio config file, you can add TLS in less than 5 minutes.

First, install Let’s Encrypt and create a certificate.

cd /usr/local/src
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help

./letsencrypt-auto certonly --standalone -d MYDOMAIN

Simple, right? At the end of this, you’re going to have a certificate recognized by your clients.

Next, let’s add TLS to our kamailio.cfg.

If you haven’t built the TLS module, make and install it.

If you’re working from the default kamailio.cfg file, uncomment the TLS section as follows:

# *** To enable TLS support execute:
# - adjust CFGDIR/tls.cfg as needed

#!define WITH_TLS

Next, create a file called tls.cfg as follows:

[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/MYDOMAIN/privkey.pem
certificate = /etc/letsencrypt/live/MYDOMAIN/fullchain.pem

(Of course replace MYDOMAIN with your domain name and make sure the location matches where your certificates were stored)

Save your tls.cfg file in the same location as your kamailio.cfg file.

Now, let’s make one last change in the kamailio.cfg file. Where your listen= command is located, add the following:

listen=tls:IPADDRESS:5061

Bonus… behind NAT with a static public IP?

listen=tls:PRIVATEIP:5061 advertise PUBLICIP:5061

Test your kamailio file for typos or major errors with kamailio -c and then restart Kamailio.

It’s that simple.

Additional Reading:

• SIP & TLS – Security in a peer to peer world by Olle E Johansson
• Kamailio – Secure Communication by
  Daniel-Constantin Mierla