I am trying to migrate from asterisk 13 chan_sip to asterisk 18 with the pjsip channel driver. I have ~300 Cisco SPA devices with 7.6.2e, like an SR5 firmware.
I have three test environments (Let's Encrypt certs):
- (prod) VM CentOS7 + asterisk 13 (chan_sip) - no registration problems
  chan_sip configured with tlsdontverifyserver=no, tlsclientmethod=tlsv1
- (test) VM with latest FreePBX distro (asterisk 18.13 + FreePBX 14)
  The pjsip driver by default works with param method=tlsv1_2, and when a phone connects to asterisk I get this error:
  SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336027900> <SSL routines-SSL23_GET_CLIENT_HELLO-unknown protocol
  After changing to method=sslv23, devices register without problems.
- (test) VM Debian 11 (5.10.0-21-amd64 #1 SMP Debian 5.10.162-1) + Asterisk 18 installed from source
  With any method param (default, sslv23, tlsv1, tlsv1_2) the console says:
  SSL routines-tls_early_post_process_client_hello-unsupported protocol
Please describe the right direction to fix it.
Additional test:
asterisk 18.16 and asterisk 18.17:
root@AsteriskX:~# openssl s_client -connect 127.0.0.1:5061
CONNECTED(00000003)
139877373261120:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1543:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
asterisk-certified-18.9-cert4:
root@AsteriskX:~# openssl s_client -connect 127.0.0.1:5061
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = voip-test.domain.com
verify return:1
---
Certificate chain
0 s:CN = voip-test.domain.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Build options:
apt -y install build-essential libnewt-dev libssl-dev libncurses5-dev subversion libsqlite3-dev libjansson-dev libxml2-dev uuid-dev default-libmysqlclient-dev
contrib/scripts/get_mp3_source.sh
contrib/scripts/install_prereq install
./configure
make && make install