Asterisk Trunk Security: Removing ‘insecure=very’

TL;DR

The insecure=very setting in your Asterisk trunk configuration disables important security checks. This guide shows you how to remove it and configure secure trunks using TLS (Transport Layer Security) for safe voice communication.

Step-by-step Guide

1. Understand the Risk: insecure=very tells Asterisk to ignore certificate validation errors. This means a malicious actor could potentially intercept your calls and eavesdrop on sensitive information. It’s strongly recommended to avoid this setting in production environments.
   • Why it exists: Often used for testing or with providers who haven’t issued proper certificates, but should be replaced with secure configurations as soon as possible.
2. Check Your Current Configuration: Examine your pjsip.conf file (usually located in /etc/asterisk/). Look for the trunk definition that uses insecure=very.

   grep "insecure=very" /etc/asterisk/pjsip.conf

3. Obtain TLS Certificates from Your Provider: Contact your VoIP provider to get their TLS certificates (usually a CA certificate and potentially client certificates). They will provide instructions on how to download them.
4. Configure the Trunk with TLS: Replace insecure=very with proper TLS settings in your pjsip.conf file. Here’s an example:

   [your_trunk_name]
   type=endpoint
   context=from-internal
   sock=tls
   callerid=
   username=
   password=
   host=
   port=5061
   ca=/etc/asterisk/certs/provider_ca.pem
   

   • type=endpoint: Defines this as a PJSIP endpoint (trunk).
   • sock=tls: Specifies TLS transport.
   • ca=/etc/asterisk/certs/provider_ca.pem: Points to the CA certificate file provided by your provider. Important: Replace this path with the actual location of your certificate!
5. If Your Provider Requires Client Certificates (Optional): If your provider also requires a client certificate, add these lines:

   client_cert=/etc/asterisk/certs/your_client.pem
   client_key=/etc/asterisk/certs/your_private.key

6. Reload Asterisk: After making changes to pjsip.conf, reload the PJSIP module.

   asterisk -rx "pjsip reload"

7. Verify the Configuration: Check the Asterisk logs (usually in /var/log/asterisk/full) for any TLS-related errors. Look for messages indicating successful certificate validation.

   tail -f /var/log/asterisk/full | grep tls

8. Test the Trunk: Make a test call through the trunk to ensure it’s working correctly. Monitor call quality and check for any issues.