When I connect from the client I see the error below in the Asterisk logs.
ERROR[3175] iostream.c: Problem setting up ssl connection: error:00000001:lib(0)::reason(1), Internal SSL error
ERROR[3175] tcptls.c: Unable to set up ssl connection with peer 'peer-ip-address:40748'
ERROR[3175] iostream.c: SSL_shutdown() failed: error:00000001:lib(0)::reason(1), Internal SSL error
My SIP client application is implemented using the sip.js 0.16.0 JavaScript library.
I have created a simple HTML page and I load that page in a browser.
I have a local node.js server, which serves the page over HTTPS using self-signed certificates.
I have followed the Google Chrome process to accept the certificates of both the local server and Asterisk.
I have all the required ports open in the EC2 security group.
I have gone through some of the posts related to the same error but did not find anything that solves it; please guide me.
Is this error caused because I am connecting to Asterisk from the self-signed local web page?
Or am I missing some configuration on the server side?
Unfortunately OpenSSL doesn’t really give much information here, but there should be no problem at the Asterisk end with using a corporate root CA, or even with the degenerate case of the client or server being its own CA, as long as you install the appropriate trusted CA certificate.
(Most people seem to use “self signed” to mean a corporate CA, rather than one typically built into browsers and OSes, but all root CAs are self-signed, even Verisign’s, and it is possible to self-sign a certificate that is used for actual traffic.)
Yes, I am using the certificate/keys generated by the Asterisk utility. I have just copied these certificate/key files into the ‘/etc/asterisk/keys’ folder, that’s it.
Do I need to perform any signing procedure?
Also, do I need to register these keys anywhere on the server system where Asterisk is running?
Can you please explain the line below from your post in more detail:
“as long as you install the appropriate, trusted, CA certificate”.
Have you configured Asterisk to validate the peer? If so have you installed the certificate of the authority used to sign the clients’ certificates in Asterisk’s ca_list_path or ca_list_file? Again, if so, have you installed both signed certificate and private key on the clients? Have you installed the CA certificate created when making the certificates for Asterisk, onto the clients?
Asterisk manages all its key material through the files listed in pjsip.conf; it doesn’t rely on, or use any from the OS.
For a public key infrastructure system to validate certificates from another system, it must hold a copy of at least one of the certificates in the chain from the root certificate for that system to its working certificate (and the other system must supply not only the working certificate, but all those in the chain at least as far towards the root as the one held by the validating system).
PKI is symmetrical, even though, with web sites, it is vanishingly rare for the browser to supply a certificate and the server to validate it. For VoIP one is more likely to at least validate that the phone has a trusted signature, although it is less common to check that that signature identifies it as the device it claims to be.
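For reference, here is how the certificate files are wired into Asterisk for the two transport types discussed in this thread. This is an added example, not configuration posted by anyone in the thread; the paths, addresses and section names are assumed. A browser client such as sip.js connects over WSS, and the WebSocket endpoint is served by Asterisk’s built-in HTTP server, so the certificate for that case is configured in http.conf, not on the pjsip.conf transport. A conventional SIP-over-TLS transport, by contrast, names its files directly in pjsip.conf, and that is where ca_list_file and verify_client come in.

```ini
; ---- /etc/asterisk/http.conf (assumed path) ----
; TLS for the WebSocket (wss) transport used by browser clients.
[general]
enabled=yes
bindaddr=0.0.0.0
bindport=8088
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
; Server certificate and its private key; only these two files are needed
; on the Asterisk host. The CA certificate goes to the clients, not here.
tlscertfile=/etc/asterisk/keys/asterisk.crt
tlsprivatekey=/etc/asterisk/keys/asterisk.key

; ---- /etc/asterisk/pjsip.conf (assumed path) ----
; The wss transport carries no certificate options; it reuses the http.conf TLS setup.
[transport-wss]
type=transport
protocol=wss
bind=0.0.0.0

; SIP over TLS on 5061 does name its key material here.
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
; Only needed if Asterisk is to check the certificates presented by peers.
ca_list_file=/etc/asterisk/keys/ca.crt
; yes = require and validate a client certificate against ca_list_file.
verify_client=no
method=tlsv1_2
```

After changing either file, reload (`core reload` or `module reload res_http_websocket.so` / `pjsip reload`) and check `http show status` shows the TLS listener bound on 8089; if the key and certificate do not match or are unreadable by the asterisk user, the listener will not come up and a browser connection will fail at the handshake.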
As far as I know, Asterisk does not use TLS to authenticate the client. It is the client that uses it to authenticate the server. For this purpose, the client needs the CA cert that was used to sign the cert that Asterisk is using.
That ast_tls_cert script included in the Asterisk source seems a bit complicated—it might be written for earlier versions of OpenSSL. As of OpenSSL 3, there is a new “micro CA” mode that makes things much simpler. I have a walkthrough of the procedure here. That example code does two-way authentication; you would only need one-way TLS authentication for Asterisk.
Asterisk can generate client certificates as well, and I believe it is possible to configure Asterisk so that those are actually checked. There would be no need for ca_list_path or ca_list_file if it never validated remote certificates for, at least, signature.
The big weakness of the Asterisk scripts is that they are set up to run on the machine running Asterisk, but the secret keys for the CA and any clients really should not be there. The secret key of the CA should be on an air-gapped machine used only for certificate generation, and the secret keys of the clients, ideally, should never leave the client, or if that is not possible should be on an air-gapped system, or even destroyed on all but the client once installed there.
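To make the chain-validation discussion above and the point about keeping the CA key off the PBX concrete, here is a small OpenSSL CLI walkthrough. It is an added example, not the ast_tls_cert script or anything posted in the thread. The CA lives in its own directory as a stand-in for an offline machine; the server key is generated where it will be used and never moves; only the CSR goes to the CA and only the signed certificate (plus the CA certificate for distribution to clients) comes back. A second, unrelated CA is generated purely to show that validation fails when the validator holds the wrong trust anchor. The hostname and directory names are made up for the example.

```sh
#!/bin/sh
# Added example (not from the thread): minimal private PKI with the OpenSSL CLI.
# Demonstrates that a client needs only the CA certificate to validate the
# server, that an unrelated trust anchor does not validate it, and that the
# CA private key never has to exist on the Asterisk host.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/offline-ca"        # stands in for an air-gapped CA machine
SRV_DIR="$WORK/asterisk-keys"    # what would be copied to /etc/asterisk/keys
HOST="pbx.example.internal"      # assumed Asterisk hostname

# Create a self-signed root CA in $1 with common name $2.
# Every root CA, commercial or private, is self-signed; that alone is not a flaw.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=$2" 2>/dev/null
}

# Generate the server key and CSR on the server side, sign the CSR on the CA
# side, and hand back the leaf certificate plus the CA certificate.
make_server_cert() {
    mkdir -p "$SRV_DIR"
    # Key material stays in $SRV_DIR; only the CSR is sent to the CA.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$SRV_DIR/asterisk.key" -out "$WORK/asterisk.csr" \
        -subj "/CN=$HOST" 2>/dev/null
    # Leaf extensions: modern clients match the hostname against the SAN.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/asterisk.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -days 825 -extfile "$WORK/leaf.ext" -out "$SRV_DIR/asterisk.crt" 2>/dev/null
    # Clients (browser, phones) need the CA *certificate* only; ca.key stays behind.
    cp "$CA_DIR/ca.crt" "$SRV_DIR/ca.crt"
}

# Return 0 if the server certificate chains to the trust anchor file in $1.
# This is the check a client performs with the CA certificate it was given.
verify_against() {
    openssl verify -CAfile "$1" "$SRV_DIR/asterisk.crt" >/dev/null 2>&1
}

# Return 0 if validation correctly FAILS against a CA that did not sign the leaf.
verify_with_wrong_anchor() {
    ! verify_against "$WORK/other-ca/ca.crt"
}

# Return 0 if the private key belongs to the certificate (same public key).
# A mismatch here is one cause of "Problem setting up ssl connection" at startup.
key_matches_cert() {
    [ "$(openssl x509 -in "$SRV_DIR/asterisk.crt" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$SRV_DIR/asterisk.key" -pubout | openssl sha256)" ]
}

make_ca "$CA_DIR" "Example Private Root CA"
make_ca "$WORK/other-ca" "Unrelated Root CA"   # a CA the client does not trust
make_server_cert

if verify_against "$SRV_DIR/ca.crt"; then echo "chain OK with our CA"; fi
if verify_with_wrong_anchor; then echo "correctly rejected with unrelated CA"; fi
if key_matches_cert; then echo "key matches certificate"; fi
echo "files for the PBX: $(ls "$SRV_DIR")"
```

Copy asterisk.crt and asterisk.key to the PBX and import ca.crt into the browser or OS trust store on the client side; the directory that holds ca.key stays offline. If the browser is told to trust the leaf certificate rather than the CA, it will stop trusting the PBX as soon as that leaf is reissued, whereas trusting the CA survives renewals.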