Cisco SPA3XX and SPA5XX do not register with PJSIP TLS and LE certs

I am trying to migrate from Asterisk 13 chan_sip to Asterisk 18 with the pjsip channel driver. I have ~300 Cisco SPA devices with 7.6.2e (SR5) firmware.

I have three test environments (Let's Encrypt certs):

  1. (prod) VM CentOS 7 + Asterisk 13 (chan_sip) - no registration problems
    chan_sip configured with tlsdontverifyserver=no, tlsclientmethod=tlsv1

  2. (test) VM with the latest FreePBX distro (Asterisk 18.13 + FreePBX 14)
    the pjsip driver by default works with the param method=tlsv1_2, and when a phone connects to Asterisk I get the error:
    SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336027900> <SSL routines-SSL23_GET_CLIENT_HELLO-unknown protocol

After changing to method=sslv23, the devices register without problems.

  3. (test) VM Debian 11 (5.10.0-21-amd64 #1 SMP Debian 5.10.162-1) + Asterisk 18 installed from source
    with any method param (default, sslv23, tlsv1, tlsv1_2) the console says:
    SSL routines-tls_early_post_process_client_hello-unsupported protocol

Please describe the right direction to fix it.

Additional test:
Asterisk 18.16 and Asterisk 18.17:
root@AsteriskX:~# openssl s_client -connect 127.0.0.1:5061

CONNECTED(00000003)
139877373261120:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1543:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

asterisk-certified-18.9-cert4:

root@AsteriskX:~# openssl s_client -connect 127.0.0.1:5061

CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = voip-test.domain.com
verify return:1
---
Certificate chain
0 s:CN = voip-test.domain.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Build options:

apt -y install build-essential libnewt-dev libssl-dev libncurses5-dev subversion libsqlite3-dev libjansson-dev libxml2-dev uuid-dev default-libmysqlclient-dev

contrib/scripts/get_mp3_source.sh
contrib/scripts/install_prereq install
./configure
make && make install

I made a fresh native install of Asterisk on CentOS Linux release 7.9.2009 (Core)
and it works with the phones on firmware 7.6.2e without any problem!!

Possibly a pjsip build bug on Debian 11 with the 5.10 kernel only.

Issue created, but closed :(
https://issues.asterisk.org/jira/browse/ASTERISK-30470

I don’t use Debian 11, but some quick Googling shows that the minimum configured TLS protocol for OpenSSL is 1.2. As your devices don’t support that you would need to determine how to configure OpenSSL to allow lower to be used. I was able to find a blog post[1] that talks about changing an older version of Debian to support lower, but I don’t know what is required for your specific phones/situation.

[1] Re-Enable TLS 1.0 for OpenSSL-based Clients on Debian Buster

The MinProtocol change in openssl.conf resolves my problem. Thanks for the help, and sorry for my mistake.
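To make the fix above verifiable, here is an added audit script (not from the thread or the Asterisk project) that reads the MinProtocol floor set in an OpenSSL config file and probes a SIP-TLS listener one protocol version at a time, so the legacy exception for the SPA phones stays visible and can be reverted once they are gone. It assumes openssl(1) is in PATH; the host, port and config path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits (1) the system-wide
# OpenSSL protocol floor and (2) which TLS versions a SIP-TLS port accepts.

# Print the MinProtocol value set in an OpenSSL config file (empty if none).
# Debian 11's /etc/ssl/openssl.cnf ships "MinProtocol = TLSv1.2" under
# [system_default_sect]; that floor is what produced the
# "unsupported protocol" error in the thread.
effective_min_protocol() {
    cnf="${1:-/etc/ssl/openssl.cnf}"
    [ -r "$cnf" ] || return 1
    # Take the last uncommented MinProtocol assignment in the file.
    sed -n 's/^[[:space:]]*MinProtocol[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$cnf" \
        | tail -n 1
}

# Try exactly one protocol version against host:port; prints "ok" or "fail".
# Same idea as the thread's "openssl s_client -connect 127.0.0.1:5061", but
# pinned to a single version so the answer is unambiguous. "fail" covers both
# a server refusal and a client build that lacks that version.
probe_tls_version() {
    host="$1"; port="$2"; flag="$3"
    if printf 'Q\n' | openssl s_client -connect "$host:$port" "$flag" \
            -servername "$host" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Walk every version flag s_client knows and report the server's answer.
probe_all() {
    host="$1"; port="${2:-5061}"
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_tls_version "$host" "$port" "$flag")"
    done
}

# Usage: sh tls_audit.sh voip-test.example.com 5061   (placeholder host)
if [ "$#" -ge 1 ]; then
    echo "System MinProtocol: $(effective_min_protocol || echo '(no config)')"
    probe_all "$@"
fi
```

Run it once before and once after editing openssl.cnf: the first column should flip from fail to ok only for the versions you intentionally re-enabled.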
