PJSIP+Realtime+transport-tls

fanofzappa · January 25, 2019, 4:15pm

Hi there folks,

I’ve been trying to configure TLS in our system but keep getting this error:

pjproject:0 <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> len: 0

I have created the 2 transports:
dev1*CLI> pjsip show transports

Transport: <TransportId…> <BindAddress…>

Transport: transport-tls tls 0 0 0.0.0.0:17061
Transport: transport-udp udp 0 0 0.0.0.0:17060

In the table ps_transports:
id: transport-tls
async_operations: NULL
bind: 0.0.0.0:17061
ca_list_file: /var/lib/asterisk/keys/ca.crt
cert_file: /var/lib/asterisk/keys/asterisk.crt
cipher: ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES256-SHA384,DHE-DSS-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-SHA256,DHE-DSS-AES256-SHA256,ECDH-RSA-AES256-GCM-SHA384,ECDH-ECDSA-AES256-GCM-SHA384,ECDH-RSA-AES256-SHA384,ECDH-ECDSA-AES256-SHA384,AES256-GCM-SHA384,AES256-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-SHA256,ECDHE-ECDSA-AES128-SHA256,DHE-DSS-AES128-GCM-SHA256,DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES128-SHA256,DHE-DSS-AES128-SHA256,ECDH-RSA-AES128-GCM-SHA256,ECDH-ECDSA-AES128-GCM-SHA256,ECDH-RSA-AES128-SHA256,ECDH-ECDSA-AES128-SHA256,AES128-GCM-SHA256,AES128-SHA256
…
external_signaling_port: 17061
method: tlsv1
…
password: NULL
priv_key_file: /var/lib/asterisk/keys/asterisk.key
protocol: tls
require_client_cert: no
verify_client: NULL
verify_server: NULL
tos: NULL
cos: NULL
allow_reload: yes
symmetric_transport: NULL

In the table ps_endpoints:
id: 200
transport: transport-tls

I generated my certs using the secure calling tutorial and the openssl version I have is OpenSSL 1.0.1t 3 May 2016.

I have tried to register using grandstream as well as yealink terminals but keep getting the same error.

Any help is appreciated.

gjoseph · January 28, 2019, 2:43pm

A few things you can try…

Use “sslv23” as the method instead of “tlsv1”. This will give you the broadest protocol support.

Try using openssl to connect to the port…
$ openssl s_client --connect <pbx_ip>:17061
This will usually give good information.

Check that the phones aren’t trying to validate the server certificate or that they trust the self-signed CA certificate.

fanofzappa · January 31, 2019, 2:28pm

Thanks for the suggestion @gjoseph, I tried it with that method but it didn’t work, in the end I used “default” as well as leaving the cipher field as NULL:

*************************** 1. row ***************************
id: transport-tls
async_operations: NULL
bind: 0.0.0.0:17061
ca_list_file: NULL
cert_file: /var/lib/asterisk/keys/asterisk.crt
cipher: NULL
external_signaling_port: 17061
method: default
local_net: 192.168.0.0/255.255.248.0
password: NULL
priv_key_file: /var/lib/asterisk/keys/asterisk.key
protocol: tls
require_client_cert: no
verify_client: no
verify_server: NULL
tos: NULL
cos: NULL
allow_reload: yes
symmetric_transport: no

TLS works now as long as I leave the transport field empty in ps_endpoints. I’m able to register phones and make calls. The problem I’m facing now is that I can’t register phones in the udp port(and transport, of course) wether I put transport-udp in ps_endpoint.transport or leave it blank. The server is giving me a 401 code:

FailedRegister.txt (1.8 KB)

This is what I have for the udp-transport:
*************************** 2. row ***************************
id: transport-udp
async_operations: NULL
bind: 0.0.0.0:17060
ca_list_file: NULL
cert_file: NULL
cipher: NULL
external_signaling_port: 17060
method: default
local_net: 192.168.0.0/255.255.248.0
password: NULL
priv_key_file: NULL
protocol: udp
require_client_cert: no
verify_client: no
verify_server: NULL
tos: NULL
cos: NULL
allow_reload: yes
symmetric_transport: no
2 rows in set (0.00 sec)

I’ve tried quite a few settings in the ps_endpoints table to no avail. This whole “many transports” thing works great without realtime, getting very frustrated here

gjoseph · January 31, 2019, 2:37pm

Well, the 401 isn’t related to the transport. Either Asterisk can’t match “204” to an endpoint or it did and there’s an “auth” object defined on the endpoint. Either way, Asterisk is challenging the client for credentials.

fanofzappa · January 31, 2019, 2:45pm

What’s weird is that as soon as I change the protocol to TLS and use register to a different port, it will register the extension right away. It’s using the same credentials as before.

gjoseph · January 31, 2019, 2:52pm

Try not setting “transport” on any endpoint and see what happens.

fanofzappa · January 31, 2019, 3:09pm

That was the first test I did and actually is the only way in which I could get TLS to work(but not udp). As soon as I explicitly use a transport in that field, it stops working.