Asterisk shutting down connection with FIN to PJSIP TLS phones

I have an Asterisk server 13.23.1 running on CentOS 7 64-bit on which I can't use PJSIP peers with TLS. After a few minutes, the connection drops and I see the message:

[2018-10-24 15:28:50] VERBOSE[2939] res_pjsip_registrar.c: Removed contact 'sip:105-AA@64.183.170.34:62702;transport=TLS' from AOR '105-AA' due to transport shutdown

Browsing past messages, I read it was caused by the underlying TCP connection being interrupted, so I started sniffing the packets and discovered it was the Asterisk server sending the FIN packet to the phone. In this example, IP 192.168.75.172 is the Asterisk server (behind NAT) and 64.183.170.34 is the TLS phone.

Any idea about the reason?

15:28:48.301051 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [S], seq 2266015870, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 1], length 0
15:28:48.301103 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [S.], seq 2281072057, ack 2266015871, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:28:48.394515 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [.], ack 1, win 2920, length 0
15:28:48.802368 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [P.], seq 1:119, ack 1, win 2920, length 118
15:28:48.802416 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [.], ack 119, win 229, length 0
15:28:48.802624 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [.], seq 1:2761, ack 119, win 229, length 2760
15:28:48.802666 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [P.], seq 2761:2831, ack 119, win 229, length 70
15:28:48.888256 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [.], ack 1381, win 4300, length 0
15:28:48.888660 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [.], ack 2761, win 5680, length 0
15:28:48.888683 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [.], ack 2831, win 5680, length 0
15:28:49.250706 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [.], seq 119:1499, ack 2831, win 5680, length 1380
15:28:49.256499 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [P.], seq 1499:3584, ack 2831, win 5680, length 2085
15:28:49.256536 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [.], ack 3584, win 284, length 0
15:28:49.262413 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [P.], seq 2831:4217, ack 3584, win 284, length 1386
15:28:49.354870 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [.], ack 4211, win 7060, length 0
15:28:49.354905 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [.], ack 4217, win 7060, length 0
15:28:49.799647 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [P.], seq 3584:4245, ack 4217, win 7060, length 661
15:28:49.813391 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [P.], seq 4217:4835, ack 4245, win 306, length 618
15:28:49.896120 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [.], ack 4835, win 8440, length 0
15:28:49.903251 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [P.], seq 4245:5178, ack 4835, win 8440, length 933
15:28:49.925962 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [P.], seq 4835:5405, ack 5178, win 327, length 570
15:28:49.930361 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [P.], seq 5405:5943, ack 5178, win 327, length 538
15:28:50.031505 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [.], ack 5943, win 8440, length 0
15:28:50.041858 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [P.], seq 5178:5711, ack 5943, win 8440, length 533
15:28:50.042241 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [F.], seq 5943, ack 5711, win 349, length 0
15:28:50.121339 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [P.], seq 5711:6116, ack 5944, win 8440, length 405
15:28:50.121391 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [R], seq 2281078001, win 0, length 0
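To confirm who tears down a session like this from a tcpdump trace, here is a small Python script written for this thread (it is an added example, not code from the original post): it parses tcpdump flag lines, finds the first FIN or RST, attributes it to the side listening on the given server port, and reports the timing and how many payload bytes each side had pushed by then. The embedded sample is a constructed subset of the capture above, so its byte counts cover only those lines.

```python
"""Attribute the TCP teardown in a tcpdump trace to the client or the server.
Sample input below is a constructed subset of the capture in the original post."""
import re

LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"Flags \[(?P<flags>[^\]]*)\].*, length (?P<len>\d+)$")

def parse_line(line):
    """One tcpdump line -> dict (time in seconds, endpoints, flags, payload length)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return {"t": t, "src": m["src"], "dst": m["dst"], "flags": m["flags"], "len": int(m["len"])}

def find_closer(lines, server_port):
    """Report who sent the first FIN/RST, how long after the SYN, and bytes pushed by then."""
    pkts = [p for p in map(parse_line, lines) if p]
    if not pkts:
        raise ValueError("no tcpdump lines recognised")
    t0, sent = pkts[0]["t"], {}
    for i, p in enumerate(pkts):
        sent[p["src"]] = sent.get(p["src"], 0) + p["len"]  # payload bytes per endpoint
        if "F" in p["flags"] or "R" in p["flags"]:
            # tcpdump prints endpoints as host.port, so the server is the side on server_port
            is_server = p["src"].endswith(".%d" % server_port)
            return {"closer": "server" if is_server else "client",
                    "how": "FIN" if "F" in p["flags"] else "RST",
                    "after_syn_s": round(p["t"] - t0, 3),
                    "bytes_sent_by_closer": sent.get(p["src"], 0),
                    "bytes_sent_by_peer": sent.get(p["dst"], 0),
                    # a RST after the FIN means the peer kept sending into a closed socket
                    "rst_followed": any("R" in q["flags"] for q in pkts[i + 1:])}
    return None  # connection was not torn down within the trace

SAMPLE = """\
15:28:48.301051 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [S], seq 2266015870, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 1], length 0
15:28:48.301103 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [S.], seq 2281072057, ack 2266015871, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
15:28:48.802368 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [P.], seq 1:119, ack 1, win 2920, length 118
15:28:48.802624 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [.], seq 1:2761, ack 119, win 229, length 2760
15:28:50.041858 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [P.], seq 5178:5711, ack 5943, win 8440, length 533
15:28:50.042241 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [F.], seq 5943, ack 5711, win 349, length 0
15:28:50.121339 IP 64.183.170.34.62702 > 192.168.75.172.5071: Flags [P.], seq 5711:6116, ack 5944, win 8440, length 405
15:28:50.121391 IP 192.168.75.172.5071 > 64.183.170.34.62702: Flags [R], seq 2281078001, win 0, length 0
""".splitlines()

if __name__ == "__main__":
    print(find_closer(SAMPLE, 5071))
```

Run it against the full `tcpdump -n` output of a real session (same line format) to see which side closes first; a server-side FIN right after a small client record is the pattern you see when the TLS layer aborts.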

What are the phones in use? Have you decoded the traffic in Wireshark as SSL to see what precisely is going on? Are there other messages in the CLI stating that an SSL error occurred?

The phone is a Yealink SIP-T29G 46.82.0.30. I am not good enough to be able to decode the SSL traffic in Wireshark; I followed guides found on the Internet, but I was unable to. Is there a safe place where I can send you the private key used and the pcap? (My private email is ldardini@gmail.com.)

In the CLI, I have only the reported message. After a few seconds, the phone registers again.

I have tried upgrading to Asterisk 15.6.1, and while I have the same "shutdown" problem, this time I got an interesting message: "unknown ca"

[2018-10-26 04:01:10] WARNING[24593]: pjproject:0 <?>: SSL SSL_ERROR_SSL (Read): Level: 0 err: <336151576> <SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca> len: 32000
-- Removed contact 'sip:288-vt@181.143.176.171:57172;transport=TLS;rinstance=baee9e0f7a7eb751' from AOR '288-vt' due to transport shutdown
== Contact 288-vt/sip:288-vt@181.143.176.171:57172;transport=TLS;rinstance=baee9e0f7a7eb751 has been deleted

I have tried using a self-signed certificate and a real certificate (Let's Encrypt), but the error shows up in both cases.

I have verified that on the peers the "transport" is set to "" (empty) and it is the client that selects TLS (rewrite_contact=yes).

Have you installed Let's Encrypt's root certificate?

That "tlsv1 alert unknown ca" is from the remote side, I believe; you'd need to check the settings on the Yealink.