Pjsip tls trouble

Hi all!

Trying to migrate from chan_sip to pjsip.
I’m having trouble getting tls to run with pjsip.
I’m using Asterisk 13.19.2 with pjsip 2.7.1 under gentoo (built with --with-pjproject-bundled) using openssl-1.0.2n.

  • TLS is working for all my devices under chan_sip (Handshake converges to TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA cipher suite)
  • TLSv1 handshake fails with pjsip for all my devices (I’m trying to debug with CSipSimple 1.02.03)
  • I see TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA offered in CSipSimple’s TLSv1 Client Hello message (in a tcpdump captured trace)
  • I see asterisk responding with a Handshake failure
  • The asterisk console claims no overlap in supported ciphers “WARNING[9241]: pjproject:0 <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> len: 0”

This behaviour is consistent whether I omit the ‘cipher’ parameter or whether I specify cipher=ECDHE-RSA-AES256-SHA (which according to https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER_STRINGS corresponds to TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) explicitly in my transport definition.

My [transport] reads:
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.pem
method=tlsv1
cipher=ECDHE-RSA-AES256-SHA

asterisk.pem is the single file containing both the key and the certificate.

pjsip show transport transport-tls shows - as expected:
Transport: transport-tls tls 0 0 0.0.0.0:5061
ParameterName : ParameterValue

allow_reload : false
async_operations : 1
bind : 0.0.0.0:5061
ca_list_file :
ca_list_path :
cert_file : /etc/asterisk/keys/asterisk.pem
cipher : ECDHE-RSA-AES256-SHA
cos : 0
domain :
external_media_address :
external_signaling_address :
external_signaling_port : 0
local_net :
method : tlsv1
password :
priv_key_file :
protocol : tls
require_client_cert : No
symmetric_transport : false
tos : 0
verify_client : No
verify_server : No
websocket_write_timeout : 100

‘pjsip list ciphers’ lists a plethora of suites (amongst them: ECDHE-RSA-AES256-SHA)

To my understanding, everything should be working… but unfortunately, nothing is… so I’m hoping that the error message delivered is simply not expressive and that the real problem lies in my configuration. Any suggestions?

“pjsip list ciphers” lists all available ciphers regardless of whether they’re supported by the method chosen for the transport. Try “openssl ciphers -s -tls1” to see the actual ciphers that can be used by TLS v1. While not recommended for production use, you can also use sslv23 for the transport method just to see what happens.

Hi gjoseph!
Thank you for your reply!

With “file”'s help (IRC), I was able to figure out that the error message (“no shared cipher”) was misleading. The cipher was in fact supported and configured. The problem was the key configuration:
While chan_sip supports the specification of a .pem file containing both key and cert (please remember: I’m migrating from chan_sip to pjsip), pjsip requires the explicit specification in individual files with individual entries in pjsip.conf.

From my perspective it’d make sense to output a more specific error message in this case and/or take note of this explicitly in the Wiki. :slight_smile:

Cheers!
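
An added example, not code from the thread: a POSIX shell snippet that splits a chan_sip-style combined asterisk.pem into the separate certificate and key files a pjsip TLS transport expects (cert_file plus priv_key_file) and prints the corrected transport section. The placeholder PEM and all file paths are constructed assumptions.

```shell
#!/bin/sh
# Split a combined chan_sip-style PEM (private key + certificate in one file)
# into the two separate files a pjsip TLS transport reads:
#   cert_file=...      -> certificate (chain) only
#   priv_key_file=...  -> private key only
# Paths and the sample PEM below are constructed for illustration.

# Copy every CERTIFICATE block from $1 into $2 and the PRIVATE KEY block into $3.
# Returns non-zero if either output ends up empty (block missing in the input).
split_pem() {
  combined="$1" cert_out="$2" key_out="$3"
  awk '/^-----BEGIN CERTIFICATE-----/{p=1} p{print} /^-----END CERTIFICATE-----/{p=0}' \
      "$combined" > "$cert_out"
  awk '/^-----BEGIN (RSA |EC )?PRIVATE KEY-----/{p=1} p{print} /^-----END (RSA |EC )?PRIVATE KEY-----/{p=0}' \
      "$combined" > "$key_out"
  chmod 600 "$key_out"                       # the key must not be world-readable
  [ -s "$cert_out" ] && [ -s "$key_out" ]
}

# Number of PEM blocks of type $2 (e.g. CERTIFICATE) in file $1.
count_blocks() { grep -c -e "^-----BEGIN $2-----" "$1"; }

# Print a pjsip.conf transport with the key named separately from the cert.
# $3 is the TLS method and defaults to the one used in this thread.
pjsip_tls_transport() {
  cat <<EOF
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=$1
priv_key_file=$2
method=${3:-tlsv1}
cipher=ECDHE-RSA-AES256-SHA
EOF
}

# Constructed sample: placeholder base64, not a real key or certificate.
write_sample_pem() {
  cat > "$1" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURURfS0VZX1BMQUNFSE9MREVS
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURURfQ0VSVF9QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
EOF
}
```

Run it against the real combined file, then point cert_file and priv_key_file at the two outputs instead of the single .pem.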

Hi guys
kodomo2 try:
cipher=ADH-AES128-SHA256 ; it should reload pjsip without any errors,
To find a proper cipher, try listing all ciphers from openssl with the command:

openssl ciphers -v 'ALL' | grep "TLSv1"

In the asterisk CLI, hit:

pjsip list ciphers

It should help with the ciphers, but I don’t think it helps with the problem that you are facing for good.
ANYWAY …
I just recently ran some tests with encryption in pjsip and sip, and it seems like something is not clicking between asterisk and the pjsip module/s. I tried the testing version openssl 1.1.1 - no luck. Even when you try debugging, there is no additional info. The Wireshark trace shows problems on the server side. It seems like asterisk cannot load/pass the certificates.