Pjsip tls registration

Hi all,
I hope all is ok for you :roll_eyes:
I am trying to register an extension from an Asterisk 13 to an Asterisk 18 in TLS mode.
It’s OK without certificate verification.
But if I enable verification, the request does not seem to be transmitted to the server.

13 config

[transUDP]
type=transport
protocol=udp
bind=0.0.0.0:5060

[transTLS]
type=transport
protocol=tls
bind=0.0.0.0:5061
verify_server=yes
ca_list_file=/etc/asterisk/server_certs.pem
cert_file=/etc/asterisk/keys/xellip2.pem
priv_key_file=/etc/asterisk/keys/xellip2.key
cipher=ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA,ECDHE-ECDSA-AES256-SHA

[ExtServer3!1]
type=registration
transport=transTLS
outbound_auth=ExtServer3!1
server_uri=sip:192.168.0.31:5061
client_uri=sip:6001@192.168.0.31:5061
expiration=3600
contact_user=6001#||#app-model=12241
outbound_proxy=sip:192.168.0.31:5061\;transport=tls\;lr
auth_rejection_permanent=false
max_retries=9000
retry_interval=60
forbidden_retry_interval=60
fatal_retry_interval=60

Asterisk 18

[transport-udp]
type=transport
protocol=udp    ;udp,tcp,tls,ws,wss,flow
bind=0.0.0.0

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
require_client_cert=true
verify_client=true
;cert_file=/path/mycert.crt
;priv_key_file=/path/mykey.key
cipher=ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA,ECDHE-ECDSA-AES256-SHA
method=tlsv1



[6001]
type=endpoint
transport=transport-tls
context=from-internal
disallow=all
allow=ulaw
allow=gsm
auth=6001
aors=6001

[6001]
type=auth
auth_type=userpass
password=6001
username=6001

[6001]
type=aor
max_contacts=1
contact=sip:6001@192.168.0.34:5061

And the wireshark tls

Thanks a lot

G

Does anything appear on the Asterisk console? Have you confirmed the certificate is valid according to the configured certificate authority?

On the Asterisk 13 console:
[Mar 27 13:28:03] WARNING[6539]: res_pjsip_outbound_registration.c:805 schedule_retry: No response received from ‘sip:192.168.0.31:5061’ on registration attempt to ‘sip:6001@192.168.0.31:5061’, retrying in ‘60’
Nothing from asterisk 18

Hi all
This command seems OK:
openssl s_client -servername 192.168.0.31 -CAfile /etc/asterisk/keys/ca.crt -connect 192.168.0.31:5061 -cert /etc/asterisk/keys/xellip2.pem

Hello all,
Issue resolved by adding this to pjsip.conf on the Asterisk 18 server: ca_list_file

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
ca_list_file=/etc/asterisk/keys/ca.crt
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
require_client_cert=true
verify_client=true
;cert_file=/path/mycert.crt
;priv_key_file=/path/mykey.key
cipher=ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA,ECDHE-ECDSA-AES256-SHA
method=tlsv1

The cipher and method are not required.

Thx all
Bye
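
The fix in this thread was a TLS transport that had verify_client enabled but no CA configured to verify against. The following check is an added example, not code from the posters or from Asterisk: it scans pjsip.conf text for TLS transports in that state. The function names and the trimmed sample config are constructed for illustration.

```python
import re

TRUTHY = {"yes", "true", "y", "t", "1", "on"}  # values Asterisk reads as true
CA_OPTIONS = ("ca_list_file", "ca_list_path")
VERIFY_OPTIONS = ("verify_client", "verify_server")

def parse_sections(text):
    """Return [(section_name, options)] in file order.

    A list, not a dict: pjsip.conf repeats names such as [6001] for the
    endpoint, auth and aor objects, which configparser refuses to load."""
    sections, current = [], None
    for raw in text.splitlines():
        # Strip ';' comments, but keep escaped '\;' (used inside SIP URIs).
        line = re.split(r"(?<!\\);", raw, maxsplit=1)[0].strip()
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = {}
            sections.append((header.group(1), current))
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def transports_missing_ca(text):
    """List TLS transports that verify the peer but configure no CA."""
    findings = []
    for name, opts in parse_sections(text):
        if opts.get("type") != "transport" or opts.get("protocol") != "tls":
            continue
        enabled = [k for k in VERIFY_OPTIONS if opts.get(k, "").lower() in TRUTHY]
        if enabled and not any(opts.get(k) for k in CA_OPTIONS):
            findings.append((name, enabled))
    return findings

# Constructed sample: the server transport from the thread, trimmed.
BEFORE = """
[transport-tls]
type=transport
protocol=tls   ;udp,tcp,tls,ws,wss,flow
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
require_client_cert=true
verify_client=true
"""
AFTER = BEFORE + "ca_list_file=/etc/asterisk/keys/ca.crt\n"

if __name__ == "__main__":
    print("before:", transports_missing_ca(BEFORE))
    print("after: ", transports_missing_ca(AFTER))
```
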
