Asterisk not presenting TLS client cert during TLS establishment

I am having a problem with an Asterisk 13.10.0 PBX.
It is connecting to a SIP server and it registers okay with TLS, but only because the SIP server allows connections without proper certificate checking.

When I look at the TLS setup in Wireshark I can see that the PBX is being asked for a certificate, but it does not provide one.

It has an SSL certificate and CA list installed which I believe should be correct and match the paths etc. defined in the sip.conf configuration file.
The CA file contains the trust chain of the client certificate.

I do see some errors on the command line (note that TLS is being set up, but without the requested client certificate). The errors seem to indicate a problem with the CA file, but I cannot figure out what the problem is.

[Mar 26 10:59:39] ERROR[28851]: tcptls.c:875 __ssl_setup: TLS/SSL CA file(/etc/asterisk/keys/gateway1.calist.pem)/path() error
== TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled
== TLS/SSL certificate ok
[Mar 26 10:59:39] ERROR[28851]: tcptls.c:609 handle_tcptls_connection: Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)
[Mar 26 10:59:39] WARNING[28851]: tcptls.c:684 handle_tcptls_connection: FILE * open failed!

Extract from the sip.conf file:

;[authentication]

tlsenable=yes ; Enable server for incoming TLS (secure) connections (default is no)
tlsbindaddr=10.192.160.5:5061
srvlookup=no
defaultexpiry=75 ; Default length of incoming/outgoing registration

tlscertfile=/etc/asterisk/keys/prodmirrorpbx.pem ;
tlsprivatekey=/etc/asterisk/keys/asterisk_private.pem ;
tlscafile=/etc/asterisk/keys/gateway1.calist.pem;
tlsdontverifyserver=yes
tlscipher=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:@STRENGTH
tlsclientmethod=tlsv1.2
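The "TLS/SSL CA file(...)/path() error" line in the post is Asterisk's tcptls.c reporting that OpenSSL's SSL_CTX_load_verify_locations() rejected the tlscafile. Python's ssl module wraps that same OpenSSL call, so the checker below (an added example, not code from the post or from the Asterisk project) reproduces the failure outside Asterisk and then narrows it down: is the file readable by the Asterisk user, does it contain PEM blocks at all, is each block well formed, and is at least one of them a CERTIFICATE. It assumes Asterisk runs as the user "asterisk" (the runuser in asterisk.conf; not stated in the post) and that the bundle is PEM encoded, as the .pem name suggests. The sample inputs in the usage are constructed broken bundles.

```python
"""Check a tlscafile bundle the way Asterisk's __ssl_setup() consumes it.

Added example, not Asterisk code. The Asterisk user name and the PEM
encoding of the bundle are assumptions.
"""
import base64
import binascii
import grp
import os
import pwd
import re
import ssl
import stat

# One PEM block: BEGIN label, base64 body, END label (labels should match).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def readable_by(path, user):
    """True if `user` may read `path` according to the file's mode bits.

    Evaluates owner/group/other bits against the user's uid and group list.
    It does not check the +x bits of the parent directories.
    """
    pw = pwd.getpwnam(user)          # raises KeyError if the user is missing
    if pw.pw_uid == 0:
        return True
    st = os.stat(path)
    groups = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    if st.st_uid == pw.pw_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in groups:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def inspect_pem(text):
    """Return one (label, problem) tuple per PEM block; problem is None when
    the block is well formed. Only CERTIFICATE blocks add to the trust store."""
    result = []
    for m in PEM_BLOCK.finditer(text):
        label, body, end_label = m.groups()
        if label != end_label:
            result.append((label, f"END marker says {end_label!r}"))
            continue
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            result.append((label, "body is not valid base64"))
            continue
        if label != "CERTIFICATE":
            result.append((label, "not a certificate"))
            continue
        result.append((label, None))
    return result


def openssl_load(path):
    """Call SSL_CTX_load_verify_locations() on `path` through the ssl module.
    Returns None on success, otherwise the error text OpenSSL reported."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as e:             # ssl.SSLError is a subclass of OSError
        return str(e)
    return None


def check_cafile(path, user="asterisk"):
    """Run all checks; returns {'problems': [...], 'blocks': [...]}.
    An empty 'problems' list means Asterisk should accept the file."""
    problems = []
    if not os.path.isfile(path):
        return {"problems": [f"{path} does not exist"], "blocks": []}
    try:
        if not readable_by(path, user):
            mode = oct(os.stat(path).st_mode & 0o777)
            problems.append(f"mode {mode} denies read access to user {user!r}")
    except KeyError:
        problems.append(f"no such user {user!r} (check runuser in asterisk.conf)")
    with open(path, "rb") as f:
        text = f.read().decode("ascii", errors="replace")
    blocks = inspect_pem(text)
    begins = text.count("-----BEGIN ")
    if begins == 0:
        problems.append("no PEM block found (empty file, DER file, or wrong file?)")
    elif begins != len(blocks):
        problems.append(f"{begins - len(blocks)} PEM block(s) unterminated or malformed")
    problems += [f"{label} block: {why}" for label, why in blocks if why]
    if not any(label == "CERTIFICATE" and why is None for label, why in blocks):
        problems.append("no usable CERTIFICATE block: nothing enters the trust store")
    err = openssl_load(path)
    if err:
        problems.append(f"OpenSSL rejects the file: {err}")
    return {"problems": problems, "blocks": blocks}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/asterisk/keys/gateway1.calist.pem"
    report = check_cafile(target)
    for label, why in report["blocks"]:
        print(f"block {label}: {'ok' if why is None else why}")
    for p in report["problems"]:
        print("PROBLEM:", p)
    print("this file loads cleanly" if not report["problems"] else "Asterisk will reject this file")
```

Run it as root (or as the Asterisk user) against the path from the error line; an empty report means the CA file itself is fine and the missing client certificate has to be looked for in tlscertfile/tlsprivatekey instead. Note that readable_by() only looks at the file's own mode bits, so a directory without +x for the Asterisk user would still show up only in the OpenSSL result.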

Does the asterisk process have read permissions on that file?

Can you try without the extra dot, i.e. change the name of the file from gateway1.calist.pem to gateway1-calist.pem?
