I have a requirement to use SRTP and TLS for SIP between two Asterisk servers.
I set up two Asterisk 11.2 servers, created the certificates, sip.conf as below, and all worked well. On inspection of a pcap of calls from server1 to server2, both signalling and audio were encrypted.
This is the sip.conf on Server1, defining the trunk to Server2:
[general]
allow=all
maxexpiry = 30
defaultexpiry = 30
context=from-sip
srvlookup=no
canreinvite=no
relaxdtmf=yes
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscapath=/etc/asterisk/keys/
tlscipher=ALL

[dev-cs-gb-1-02]
type=peer
disallow=all
allow=alaw
sendrpid=yes
host=192.168.101.73
canreinvite=no
qualify=yes
dtmfmode=rfc2833
context=default
transport=tls
encryption=yes
Now, when preparing to install for production, we moved to Asterisk v11.4 (on Server1 only so far; Server2 is still 11.2). When Server1 starts, the SIP peer is UNREACHABLE and we see the following errors at the console:
[Aug 7 09:38:12] NOTICE: chan_sip.c:29240 sip_poke_noanswer: Peer 'dev-cs-gb-1-02' is now UNREACHABLE!  Last qualify: 0
dev-cs-gb-1-01*CLI> sip show peers
Name/username    Host             Dyn Forcerport ACL Port   Status       Description
dev-cs-gb-1-02   192.168.101.73       a              5061   UNREACHABLE
1 sip peers [Monitored: 0 online, 1 offline Unmonitored: 0 online, 0 offline]
SSL CA file(/etc/asterisk/keys/ca.crt)/path(/etc/asterisk/keys/) error
SSL certificate ok
[Aug 7 09:38:22] ERROR: tcptls.c:209 handle_tcptls_connection: Certificate did not verify: self signed certificate in certificate chain
dev-cs-gb-pwr-1-01*CLI> exit
The issue "Certificate did not verify: self signed certificate in certificate chain" did not occur when both Asterisk servers were v11.2, where the self-signed certificate was accepted.
All key/certificate files and sip.conf are the same; only the Asterisk version has changed.
Any suggestions on how to resolve this error would be appreciated.
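The same certificate check, reproduced outside Asterisk with the openssl CLI, as an added example that is not part of this post. It builds a throwaway self-signed CA and a server certificate, then verifies the server certificate once against the right CA and once against a different CA while passing the right one as an untrusted chain element, which yields exactly the "self signed certificate in certificate chain" reason (OpenSSL verify error 19: the self-signed root of the presented chain is not in the trust store the verifier was given). All file names and CNs are constructed stand-ins for /etc/asterisk/keys/ca.crt and asterisk.pem.

```shell
#!/bin/sh
# Added example (not from the original post or from Asterisk): reproduce the
# certificate-chain check that a TLS peer performs, using only the openssl CLI.
# "self signed certificate in certificate chain" is OpenSSL verify error 19:
# the chain the peer sent ends in a self-signed CA that is NOT in the trust
# store the verifier was given. All file names and CNs below are constructed.
set -eu

WORK=$(mktemp -d)
CA_CRT="$WORK/ca.crt"            # stands in for /etc/asterisk/keys/ca.crt
OTHER_CA="$WORK/other-ca.crt"    # a CA the peer did NOT use
SRV_CRT="$WORK/srv.crt"          # the certificate the remote peer presents

make_test_pki() {
    # two unrelated self-signed CAs
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
        -keyout "$WORK/ca.key" -out "$CA_CRT" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
        -keyout "$WORK/other.key" -out "$OTHER_CA" 2>/dev/null
    # server certificate signed by test-ca (what the peer's tlscertfile holds)
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dev-cs-gb-1-02" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$CA_CRT" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$SRV_CRT" 2>/dev/null
}

# verify_against CERT TRUSTED_CA [CHAIN]
# CHAIN is the extra, untrusted certificate the peer sends alongside CERT,
# which is what a TLS client sees. Prints OK or OpenSSL's reason string.
verify_against() {
    if [ $# -ge 3 ]; then
        out=$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo OK ;;
        # OpenSSL 3 spells it "self-signed"; normalise so callers can compare
        *) echo "$out" | sed 's/self-signed/self signed/' \
             | grep -oE 'self signed certificate in certificate chain|unable to get local issuer certificate' \
             | head -n 1 ;;
    esac
}

make_test_pki
echo "right CA: $(verify_against "$SRV_CRT" "$CA_CRT")"
echo "wrong CA: $(verify_against "$SRV_CRT" "$OTHER_CA" "$CA_CRT")"
```

Running the second case against the CA file and path that Asterisk is actually configured with is the quickest way to confirm whether the trust store on the verifying side contains the root that the peer presents.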