Hi,
I have a requirement to use SRTP and TLS for SIP between two Asterisk servers.
I set up two Asterisk 11.2 servers, created the certificates, wrote sip.conf as below, and all worked well. On inspection of a pcap of calls from Server1 to Server2, both signalling and audio were encrypted.
This is the sip.conf on Server1, defining the trunk to Server2:
[general]
allow=all                                   ; permit all codecs by default (narrowed per peer below)
maxexpiry = 30                              ; registration expiry limits, in seconds
defaultexpiry = 30
context=from-sip                            ; dialplan context for inbound calls
srvlookup=no                                ; no DNS SRV lookups
canreinvite=no                              ; legacy name for directmedia=no: media stays through Asterisk
relaxdtmf=yes
tlsenable=yes                               ; listen for SIP over TLS (default port 5061)
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem ; this server's certificate and private key (PEM); no tlsprivatekey set
tlscafile=/etc/asterisk/keys/ca.crt         ; CA certificate used to verify the peer's certificate
tlscapath=/etc/asterisk/keys/               ; directory of CA certificates in OpenSSL hashed layout
tlscipher=ALL                               ; OpenSSL cipher list; ALL includes weak suites
[dev-cs-gb-1-02]
type=peer
disallow=all
allow=alaw                                  ; G.711 A-law only on this trunk
sendrpid=yes                                ; send Remote-Party-ID
host=192.168.101.73                         ; Server2
canreinvite=no
qualify=yes                                 ; poll the peer with OPTIONS (this is what reports UNREACHABLE)
dtmfmode=rfc2833
context=default
transport=tls                               ; SIP signalling over TLS
encryption=yes                              ; require SRTP for media
Now, when preparing to install for production, we moved to Asterisk 11.4 (on Server1 only so far; Server2 is still 11.2). When Server1 starts, the SIP peer is UNREACHABLE and we see the following errors at the console:
[Aug 7 09:38:12] NOTICE[21688]: chan_sip.c:29240 sip_poke_noanswer: Peer 'dev-cs-gb-1-02' is now UNREACHABLE! Last qualify: 0
dev-cs-gb-1-01*CLI> sip show peers
Name/username    Host              Dyn Forcerport ACL Port   Status       Description
dev-cs-gb-1-02   192.168.101.73        a              5061   UNREACHABLE
1 sip peers [Monitored: 0 online, 1 offline Unmonitored: 0 online, 0 offline]
SSL CA file(/etc/asterisk/keys/ca.crt)/path(/etc/asterisk/keys/) error
SSL certificate ok
[Aug 7 09:38:22] ERROR[21705]: tcptls.c:209 handle_tcptls_connection: Certificate did not verify: self signed certificate in certificate chain
dev-cs-gb-pwr-1-01*CLI> exit
The issue "Certificate did not verify: self signed certificate in certificate chain" did not occur when both Asterisks were v11.2, where the self-signed certificate was accepted.
All key/certificate files and sip.conf are the same; only the Asterisk version has changed.
Any suggestions on how to resolve this error would be appreciated.
Thanks,
Mark
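Added example, not part of Mark's post or of the Asterisk project: a shell script that builds the kind of PKI a TLS trunk needs (a self-signed CA and a per-server certificate signed by that CA, concatenated with its key into an asterisk.pem) and then checks it with the same OpenSSL rules a verifying peer applies. The -CAfile check corresponds to tlscafile, the -CApath check to tlscapath (which OpenSSL only reads through subject-hash symlinks, the layout c_rehash / openssl rehash produce), and the third check reproduces X509 error 19, "self signed certificate in certificate chain", by presenting the root only as part of the peer's chain and not as a trust anchor. The CA name, the server CN, the file names and the working directory are all assumptions; the IP in the SAN is the peer address from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from Asterisk).
# Builds a CA + server certificate and verifies them the way OpenSSL does
# for an Asterisk TLS trunk. All names/paths are assumptions.
set -eu

# setup_pki DIR: writes ca.crt/ca.key, server.crt/server.key, asterisk.pem
# (certificate followed by key, the layout tlscertfile reads when no
# tlsprivatekey is set) and a hashed CApath directory under DIR/capath.
setup_pki() {
  d=$1
  cat > "$d/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = IP:192.168.101.73
EOF
  # Self-signed root: this file is what the *other* server lists in tlscafile.
  openssl req -x509 -new -config "$d/openssl.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -days 3650 -subj "/CN=Example Asterisk CA" 2>/dev/null
  # Per-server key and CSR (hypothetical CN matching the peer name).
  openssl req -new -config "$d/openssl.cnf" \
    -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" \
    -subj "/CN=dev-cs-gb-1-02" 2>/dev/null
  # Sign with the CA, so the server certificate itself is NOT self-signed.
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 825 -extfile "$d/openssl.cnf" -extensions server_ext \
    -out "$d/server.crt" 2>/dev/null
  cat "$d/server.crt" "$d/server.key" > "$d/asterisk.pem"
  # A CApath is looked up by subject hash, never by file name: create the
  # <hash>.0 symlink that c_rehash / openssl rehash would create.
  mkdir -p "$d/capath"
  ln -sf "$d/ca.crt" "$d/capath/$(openssl x509 -hash -noout -in "$d/ca.crt").0"
}

# What tlscafile does: the CA certificate is the trust anchor. Prints OK/FAIL.
verify_with_cafile() {
  if openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# What tlscapath does: trust anchors found via hashed symlinks in a directory.
verify_with_capath() {
  if openssl verify -CApath "$1/capath" "$1/server.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# The failing case from the post: the root arrives only in the peer's chain
# (-untrusted) and is not a trust anchor. Prints the X509 verify error number;
# 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN.
verify_untrusted_root() {
  openssl verify -untrusted "$1/ca.crt" "$1/server.crt" 2>&1 \
    | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

demo() {
  d=$(mktemp -d)
  setup_pki "$d"
  echo "tlscafile-style check  : $(verify_with_cafile "$d")"
  echo "tlscapath-style check  : $(verify_with_capath "$d")"
  echo "root only in peer chain: X509 error $(verify_untrusted_root "$d")"
  rm -rf "$d"
}
demo
```

The point of the third check is that a trust anchor has to be installed explicitly: the certificate chain the peer sends is never trusted on its own, and a self-signed certificate that only ever appears in that chain yields exactly the error in the post. Two things worth confirming on Server1 are therefore that /etc/asterisk/keys/ca.crt is the CA that actually issued Server2's certificate (or, if Server2's certificate is itself self-signed, that it is that very certificate), and that /etc/asterisk/keys/ contains the hashed symlinks a CApath needs; the "SSL CA file(...)/path(...) error" line in the console output is what Asterisk prints when OpenSSL's SSL_CTX_load_verify_locations() rejects one of those two locations.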