Pjsip.conf - tls confusing config issue

Hi there.

I have this transport config:

[tls-natted]
type=transport
protocol=tls
method=tlsv1
bind=192.168.1.51:5061 ; default tls port
;cert_file=certificate
tls_verify_server=no
tls_verify_client=no
local_net=192.168.1.0/24

Note that tls_verify_server and tls_verify_client are not mentioned this way in the docs; they are called verify_server and verify_client there.
With this config my cli shows “Registered” using “pjsip show registrations”. When I use
verify_server=no
verify_client=no
instead, “pjsip show registrations” shows “Rejected” after a while (looks like tls connection is trying to connect and finally running into a timeout).

Does anybody know what is happening? Am I on TLS or not? I found these options with pjsipua (command line sip client).

And: If I watch my tcpdump, I can see that SIP packages are coming and leaving through port 5060. Is it true that this is happening with TLS enabled and a config pointing to 5061 also? I mean, is communication for TLS made over 5061 and, after that is established, the regular SIP port is used for SIP packages? Or is this an indication I am not on TLS? Btw: With these 2 options commented out, the status is “Rejected” again…

I do not understand, please help.

Thanks,
_fuz

Your configuration is incomplete. You haven’t specified any certificate information or certificate authority. The correct options are “verify_server” and “verify_client”. The wiki has an example[1] and details on how to generate certificate stuff if needed. Endpoints and other things (including outbound registration) have to be explicitly configured to use TLS. This is done by adding a “;transport=tls” to their URI, or if an inbound registration then the other endpoint has to be configured to use TLS. You can’t just configure the transport in Asterisk and then everything uses it.

[1] https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial?focusedCommentId=22773871#SecureCallingTutorial-Asteriskchan_pjsipconfiguration
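
The points in the answer above can be checked mechanically. The following is an added example, not code from this thread or from the Asterisk project: a small Python lint for pjsip.conf text. It assumes the res_pjsip option names ca_list_file and ca_list_path for the certificate authority, that a literal ";" in a value is written "\;", and a made-up registration section and host names.

```python
import re

# Constructed sample: the transport from the question plus a hypothetical
# outbound registration (section name and hosts are made up).
SAMPLE = r"""
[tls-natted]
type=transport
protocol=tls
bind=192.168.1.51:5061 ; default tls port
;cert_file=certificate
tls_verify_server=no
tls_verify_client=no

[myprovider]
type=registration
server_uri=sip:sip.example.invalid
client_uri=sip:user@sip.example.invalid\;transport=tls
"""

def parse(text):
    """Return {section: {key: value}}; ';' starts a comment unless written '\\;'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.split(r"(?<!\\);", raw, maxsplit=1)[0].replace(r"\;", ";").strip()
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def lint(text):
    """List the problems named in the answer: option names, certs, URI transport."""
    findings = []
    for name, opts in parse(text).items():
        if opts.get("type") == "transport" and opts.get("protocol") == "tls":
            for key in opts:
                if key.startswith("tls_verify_"):
                    findings.append(f"{name}: '{key}' is not the documented name, use '{key[4:]}'")
            if "cert_file" not in opts:
                findings.append(f"{name}: no cert_file set")
            if not opts.keys() & {"ca_list_file", "ca_list_path"}:  # assumed CA options
                findings.append(f"{name}: no certificate authority set")
        elif opts.get("type") == "registration":
            if "transport=tls" not in opts.get("server_uri", "").lower():
                findings.append(f"{name}: server_uri lacks ';transport=tls'")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run against the sample, it reports the two misnamed verify options, the missing certificate and certificate authority, and the registration whose server_uri does not request TLS.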

Thanks, jcolp.
So do you think Asterisk just ignored the wrong configuration statements and I am registered but not on TLS?

Thanks.

It’s possible. There was also a bug with TLS discovered this morning that may be causing it. I have no further details yet on it.