Asterisk 1.8/10.1 + Yealink T28P "unreachable" with TLS

I have a Yealink T28P with v61 firmware.

I am running Asterisk 10.1.2 (compiled from source) and have also tried 1.8.9.2 with the same results.

Phone is directly connected to Asterisk via LAN - no NAT is used.

In TLS mode the phone shows as “UNREACHABLE” with “sip show peers”.
I can make calls from the phone but I can’t receive calls.

In UDP mode it is reachable and works fine.

It is not a firewall issue. Even with firewall disabled it makes no difference.

I have installed the PBX CA cert on the phone. I have not installed a server cert though (I tried this and it caused a lot of problems).

sip.conf as follows:

[general]
context = default
registerattempts = 0
registertimeout = 20
allowoverlap = no
srvlookup = no
language = en
rtptimeout = 60
rtpholdtimeout = 300

disallow = all
allow = g722
allow = alaw
allow = ulaw

allowsubscribe = yes
notifyringing = yes
notifybusy = yes
notifyhold = yes

tlsenable = yes
tlsbindaddr = 192.168.0.13
tlscertfile = /etc/asterisk/certs/server.pem
tlscafile = /etc/asterisk/certs/ca.crt
tlsdontverifyserver = yes

[100]
type = friend
context = extn100
host = dynamic
transport = udp,tls
encryption = yes
username = DELETED
secret = DELETED
insecure = invite
nat = no
dtmfmode = rfc2833
directmedia = no
disallow = all
allow = g722
qualify = yes
mailbox = 100
accountcode = 100
language = en_NZ
subscribecontext = subscribe-blf
call-limit = 1
callgroup = 1
pickupgroup = 1

I have now also tried 10.1.2 with the same results.

This seems to be an ongoing problem:

issues.asterisk.org/view.php?id=15896

That issue is shown as fixed in all current versions.

I have now tested this with Blink VoIP client and I am still getting the same result - plus this error:

tcptls.c:235 handle_tcptls_connection: FILE * open failed

If someone has successfully got Asterisk and TLS working with a SIP client or VoIP phone (not Asterisk to Asterisk), could they please share:

  1. Version of Asterisk
  2. Version of OpenSSL
  3. Client or VoIP phone used

I think you can assume that irakla7777777 has (based on the posting immediately before your latest)!

I have followed the “official” directions on configuring TLS and also various configuration tweaks others have suggested on IRC and Google search results.

It is not a networking problem. The phone is connected directly to the PBX. I can ping the phone and Nmap shows the relevant port is open to TCP connections.

Therefore it must be a problem with the phone, the Asterisk box or both.

The only option left I can think of is to test if there is an issue with the version of Asterisk or OpenSSL used. There isn’t much room to move on the phone as it is already running the latest firmware, and there is no configuration option I can find that is significant beyond the SIP server (host.domain), port (5061) and type (TLS). I installed the Asterisk server CA cert and a cert on the phone.

In short I would have to say I am at my wits’ end. I place this up there with one of the most troublesome problems ever.