Problem Asterisk with TLS

Hi, I need some help.
I am trying to build a small VoIP network with Asterisk and plan to use TLS+SRTP to secure my communications.
I'm using Asterisk 16.6.1 on Ubuntu 20.04.2 LTS (on VirtualBox).
I have tried to configure TLS on Asterisk many times, but it's still not working.
These are my Asterisk logs:

Connected to Asterisk 16.6.1 currently running on arwadhahri-VirtualBox (pid = 1124)
arwadhahri-VirtualBox*CLI> reload
Asterisk Queue Logger restarted
[Apr 13 23:34:42] NOTICE[2708]: cdr.c:4517 cdr_toggle_runtime_options: CDR simple logging enabled.
[Apr 13 23:34:42] NOTICE[2709]: sorcery.c:1334 sorcery_object_load: Type ‘system’ is not reloadable, maintaining previous values
[Apr 13 23:34:42] WARNING[2708]: res_phoneprov.c:1230 get_defaults: Unable to find a valid server address or name.
[Apr 13 23:34:42] NOTICE[2708]: chan_skinny.c:8459 config_load: Configuring skinny from skinny.conf
Reloading SIP
[Apr 13 23:34:42] ERROR[2708]: ari/config.c:312 process_config: No configured users for ARI
[Apr 13 23:34:42] NOTICE[2708]: cel_custom.c:95 load_config: No mappings found in cel_custom.conf. Not logging CEL to custom CSVs.
Added CEL CSV mapping for 0 files.
== Using SIP CoS mark 4
[Apr 13 23:34:42] WARNING[1224]: chan_sip.c:31690 build_peer: ‘tls’ is not a valid transport type when tlsenable=no. If no other is specified, the defaults from general will be used.
[Apr 13 23:34:42] WARNING[1224]: chan_sip.c:31690 build_peer: ‘tls’ is not a valid transport type when tlsenable=no. If no other is specified, the defaults from general will be used.
== Setting global variable ‘CONSOLE’ to ‘Console/dsp’
== Setting global variable ‘IAXINFO’ to ‘guest’
Reloading MGCP
== Setting global variable ‘TRUNK’ to ‘DAHDI/G2’
== Setting global variable ‘TRUNKMSD’ to ‘1’
Reloading unistim.conf…
== Setting global variable ‘CONSOLE-AEL’ to ‘“Console/dsp”’
== Setting global variable ‘IAXINFO-AEL’ to ‘guest’
== Setting global variable ‘OUTBOUND-TRUNK’ to ‘“Zap/g2”’
== Setting global variable ‘OUTBOUND-TRUNKMSD’ to ‘1’
[Apr 13 23:34:42] NOTICE[2708]: app_queue.c:9144 reload_queue_rules: queuerules.conf has not changed since it was last loaded. Not taking any action.
arwadhahri-VirtualBox*CLI>

My sip.conf:
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscapath=/etc/asterisk/keys
tlsprivatekey=/etc/asterisk/keys/asterisk.key
tlsclientmethod=tlsv1

[6007]
type=friend
host=dynamic
dtmfmode=rfc2833
disallow=all
allow=g722
fullname = arwa
username = arwa
secret=0001
context = work
transport=tls

[6006]
type=friend
host=dynamic
dtmfmode=rfc2833
disallow=all
allow=g722
fullname = abir
username = abir
secret=1234
context = work
transport=tls


My extensions.conf:
[work]
exten => _6XXX,1,Dial(SIP/${EXTEN},20)
exten => _6XXX,2,Hangup()
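As an added example (not code from the thread or from Asterisk), here is a small linter for the TLS/SRTP settings in a chan_sip sip.conf like the one above; the sample configuration is constructed to mirror the posted one, and the finding codes and messages are my own naming.

```python
# Added example, not code from the thread: a linter for the chan_sip TLS/SRTP
# settings in sip.conf. It parses Asterisk's INI-style syntax ([section],
# key=value, ';' comments) and flags the mismatches behind warnings such as
# "'tls' is not a valid transport type when tlsenable=no".
from typing import Dict, List, Tuple
# Constructed sample mirroring the sip.conf posted above (one peer kept).
SAMPLE_SIP_CONF = """[general]
tlsenable=yes
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlsclientmethod=tlsv1   ; pins outbound (client-side) TLS to 1.0
[6007]
type=friend
transport=tls
"""

def parse_asterisk_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [section]/key=value lines; a repeated key keeps its last value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]      # ignore template markers like (!)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def lint_sip_tls(conf: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (section, code, explanation) findings for the pitfalls seen in this thread."""
    findings = []
    general = conf.get("general", {})
    tls_on = general.get("tlsenable", "no").lower() == "yes"
    if tls_on and not general.get("tlscertfile"):
        findings.append(("general", "no-cert", "tlsenable=yes but tlscertfile is not set"))
    if general.get("tlsclientmethod", "").lower() == "tlsv1":
        findings.append(("general", "tls10-client", "tlsclientmethod=tlsv1 pins outbound "
                         "connections to TLS 1.0, which an OpenSSL MinProtocol=TLSv1.2 policy refuses"))
    for name, peer in conf.items():
        if name == "general" or "type" not in peer:   # only real peers/users
            continue
        transports = [t.strip().lower() for t in peer.get("transport", "").split(",")]
        if "tls" in transports and not tls_on:
            findings.append((name, "tls-disabled", "transport=tls needs tlsenable=yes in [general]"))
        if "tls" in transports and peer.get("encryption", "").lower() != "yes":
            findings.append((name, "no-srtp", "signalling is TLS but media is not: add encryption=yes"))
    return findings
```

Running `lint_sip_tls(parse_asterisk_conf(open("/etc/asterisk/sip.conf").read()))` on a real file lists every peer that asks for TLS without SRTP or while TLS is globally off.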

This suggests to me that it is a new installation. In that case there is no point in pursuing a problem configuring chan_sip as you should be using chan_pjsip. chan_sip will be removed in the near future.

(I have a feeling that TLSv1 is no longer supported - as it is no longer considered secure.)

TLSv1 is supported, but on a new Debian installation TLS 1.2 is the minimum by default.

I have to manually roll this back because some of my ATAs only support TLS 1.0, so it’s either TLS 1.0 or bust. Here’s how to fix this:

sed -i 's/TLSv1.2/TLSv1.0/g' /etc/ssl/openssl.cnf
sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf

Reboot the server and TLS 1.0 should work. Confirmed working with the latest version of Asterisk (18.3).

Also, chan_sip is disabled by default in 18, you will need to change noload => chan_sip to noload => chan_pjsip in modules.conf.

In order to use SRTP, you also need to add:

encryption = yes

to your users.

SIP won’t be removed until Asterisk 21 which is likely still a few years away at this point. My understanding is that there are still some things missing from PJSIP before it is on par with SIP. I haven’t had any good experiences experimenting with PJSIP yet myself but sooner or later I will have to look into the migration. My opinion is that SIP is much easier to get working though so it’s a good starting place.

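To make the effect of the two sed commands in the reply above concrete, here is an added example (my code, not the replier's or the distribution's) that parses the system-wide OpenSSL policy, reproduces the same two substitutions, and reports which TLS versions each policy admits; the openssl.cnf excerpt is constructed, and the script assumes the policy lives in `[system_default_sect]` as it does on Debian and Ubuntu.

```python
# Added example, not code from the thread: shows what the two sed lines above
# change in the system-wide OpenSSL policy (/etc/ssl/openssl.cnf) and which TLS
# versions each policy admits. Both "DEFAULT@SECLEVEL=2" (Debian) and
# "DEFAULT:@SECLEVEL=2" (Ubuntu) spellings are handled; the colon differs by distro.
import re
from typing import List, Optional, Tuple

# Constructed excerpt of a stock openssl.cnf with a TLS 1.2 floor.
OPENSSL_CNF_BEFORE = """[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

TLS_VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def read_policy(text: str) -> Tuple[Optional[str], Optional[int]]:
    """Return (MinProtocol, SECLEVEL) from the config text, None where unset."""
    proto = re.search(r"^\s*MinProtocol\s*=\s*(\S+)", text, re.M)
    level = re.search(r"@SECLEVEL=(\d)", text)
    min_proto = proto.group(1) if proto else None
    if min_proto == "TLSv1":                 # OpenSSL accepts both spellings of 1.0
        min_proto = "TLSv1.0"
    return min_proto, (int(level.group(1)) if level else None)

def apply_rollback(text: str) -> str:
    """Reproduce the two sed commands: TLSv1.2 -> TLSv1.0 and SECLEVEL 2 -> 1."""
    text = text.replace("TLSv1.2", "TLSv1.0")
    return re.sub(r"(DEFAULT:?@SECLEVEL=)2", r"\g<1>1", text)

def admitted_versions(min_proto: Optional[str]) -> List[str]:
    """TLS versions at or above the MinProtocol floor (no floor: all of them)."""
    if min_proto not in TLS_VERSIONS:
        return list(TLS_VERSIONS)
    return TLS_VERSIONS[TLS_VERSIONS.index(min_proto):]

def compare(before: str) -> dict:
    """Summarise the policy before and after the rollback in one structure."""
    after = apply_rollback(before)
    summary = {}
    for label, text in (("before", before), ("after", after)):
        proto, level = read_policy(text)
        summary[label] = {"min_protocol": proto, "seclevel": level,
                          "admits": admitted_versions(proto)}
    return summary

if __name__ == "__main__":
    # The rollback applies to every program using the system OpenSSL defaults,
    # not only Asterisk, so the weaker floor is host-wide.
    for label, pol in compare(OPENSSL_CNF_BEFORE).items():
        print(label, pol)
```

Point `compare()` at the real file contents to see the host-wide floor before editing it; the Ubuntu spelling with the colon would not match the sed pattern as written in the reply, which the regex here accounts for.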

First, thanks for your help.
I know that chan_sip will be removed in the future, but I personally prefer to work with it because it is simpler than chan_pjsip (note: I will be using Asterisk for a short period only, for my graduation project).
I tried the commands you mentioned; the Asterisk logger output changed, but when I type ‘sip show settings’ it shows ‘tls sip bindaddress = disabled’.

arwadhahri-VirtualBox*CLI> reload
– Reloading module ‘extconfig’ (Configuration)
– Reloading module ‘logger’ (Logger)
Asterisk Queue Logger restarted
– Reloading module ‘res_config_sqlite3.so’ (SQLite 3 realtime config engine)
– Reloading module ‘res_statsd.so’ (Statsd client support)
– Reloading module ‘cdr’ (CDR Engine)
[Apr 14 23:19:57] NOTICE[1917]: cdr.c:4517 cdr_toggle_runtime_options: CDR simple logging enabled.
– Reloading module ‘cel’ (CEL Engine)
– CEL logging disabled.
– Reloading module ‘dnsmgr’ (DNS Manager)
– Reloading module ‘dsp’ (DSP)
– Reloading module ‘enum’ (ENUM Support)
– Reloading module ‘features’ (Call Features)
– Reloading module ‘http’ (Built-in HTTP Server)
– Reloading module ‘indications’ (Indication Tone Handling)
– Reloading module ‘acl’ (Named ACL system)
– Reloading module ‘manager’ (Asterisk Manager Interface)
– Reloading module ‘plc’ (PLC)
– Reloading module ‘udptl’ (UDPTL)
– Reloading module ‘res_pjproject.so’ (PJPROJECT Log and Utility Support)
– Reloading module ‘res_pjsip.so’ (Basic SIP resource)
[Apr 14 23:19:57] NOTICE[1952]: sorcery.c:1334 sorcery_object_load: Type ‘system’ is not reloadable, maintaining previous values
– Reloading module ‘res_pjsip_authenticator_digest.so’ (PJSIP authentication resource)
– Reloading module ‘res_pjsip_endpoint_identifier_ip.so’ (PJSIP IP endpoint identifier)
– Reloading module ‘res_phoneprov.so’ (HTTP Phone Provisioning)
[Apr 14 23:19:57] WARNING[1917]: res_phoneprov.c:1230 get_defaults: Unable to find a valid server address or name.
– Reloading module ‘res_crypto.so’ (Cryptographic Digital Signatures)
– Reloading module ‘res_smdi.so’ (Simplified Message Desk Interface (SMDI) Resource)
– Reloading module ‘res_rtp_asterisk.so’ (Asterisk RTP Stack)
– Reloading module ‘res_musiconhold.so’ (Music On Hold Resource)
– Reloading module ‘res_stun_monitor.so’ (STUN Network Monitor)
– Reloading module ‘res_pjsip_outbound_publish.so’ (PJSIP Outbound Publish Support)
– Reloading module ‘res_pjsip_publish_asterisk.so’ (PJSIP Asterisk Event PUBLISH Support)
– Reloading module ‘res_pjsip_mwi.so’ (PJSIP MWI resource)
– Reloading module ‘chan_sip.so’ (Session Initiation Protocol (SIP))
– Reloading module ‘chan_skinny.so’ (Skinny Client Control Protocol (Skinny))
[Apr 14 23:19:57] NOTICE[1917]: chan_skinny.c:8459 config_load: Configuring skinny from skinny.conf
Reloading SIP
– Reloading module ‘chan_mgcp.so’ (Media Gateway Control Protocol (MGCP))
– Reloading module ‘chan_iax2.so’ (Inter Asterisk eXchange (Ver 2))
– Reloading module ‘res_fax.so’ (Generic FAX Applications)
– Reloading module ‘res_adsi.so’ (ADSI Resource)
– Reloading module ‘res_ari.so’ (Asterisk RESTful Interface)
[Apr 14 23:19:57] ERROR[1917]: ari/config.c:312 process_config: No configured users for ARI
– Reloading module ‘res_pjsip_phoneprov_provider.so’ (PJSIP Phoneprov Provider)
– Reloading module ‘res_pjsip_outbound_registration.so’ (PJSIP Outbound Registration Support)
– Reloading module ‘res_pjsip_notify.so’ (CLI/AMI PJSIP NOTIFY Support)
– Reloading module ‘app_confbridge.so’ (Conference Bridge Application)
– Reloading module ‘app_agent_pool.so’ (Call center agent pool applications)
– Reloading module ‘res_calendar.so’ (Asterisk Calendar integration)
– Reloading module ‘res_parking.so’ (Call Parking Resource)
– Reloading module ‘cdr_csv.so’ (Comma Separated Values CDR Backend)
– Reloading module ‘cdr_custom.so’ (Customizable Comma Separated Values CDR Backend)
– Reloading module ‘cdr_manager.so’ (Asterisk Manager Interface CDR Backend)
– Reloading module ‘cel_custom.so’ (Customizable Comma Separated Values CEL Backend)
[Apr 14 23:19:57] NOTICE[1917]: cel_custom.c:95 load_config: No mappings found in cel_custom.conf. Not logging CEL to custom CSVs.
Added CEL CSV mapping for 0 files.
– Reloading module ‘cel_manager.so’ (Asterisk Manager Interface CEL Backend)
– Reloading module ‘chan_unistim.so’ (UNISTIM Protocol (USTM))
– Reloading module ‘app_amd.so’ (Answering Machine Detection Application)
– Reloading module ‘app_minivm.so’ (Mini VoiceMail (A minimal Voicemail e-mail System))
– Reloading module ‘pbx_config.so’ (Text Extension Configuration)
== Setting global variable ‘CONSOLE’ to ‘Console/dsp’
== Setting global variable ‘IAXINFO’ to ‘guest’
== Setting global variable ‘TRUNK’ to ‘DAHDI/G2’
== Setting global variable ‘TRUNKMSD’ to ‘1’
– Including switch ‘DUNDi/e164’ in context ‘dundi-e164-switch’
– Including switch ‘DUNDi/e164’ in context ‘ael-dundi-e164-switch’
– Time to scan old dialplan and merge leftovers back into the new: 0.000181 sec
– Time to restore hints and swap in new dialplan: 0.000004 sec
– Time to delete the old dialplan: 0.000084 sec
– Total time merge_contexts_delete: 0.000269 sec
– pbx_config successfully loaded 51 contexts (enable debug for details).
– Reloading module ‘pbx_dundi.so’ (Distributed Universal Number Discovery (DUNDi))
– Reloading module ‘app_alarmreceiver.so’ (Alarm Receiver for Asterisk)
– Reloading module ‘app_voicemail.so’ (Comedian Mail (Voicemail System))
– Reloading module ‘app_followme.so’ (Find-Me/Follow-Me Application)
– Reloading module ‘res_clialiases.so’ (CLI Aliases)
– Reloading module ‘pbx_ael.so’ (Asterisk Extension Language Compiler)
== Setting global variable ‘CONSOLE-AEL’ to ‘“Console/dsp”’
== Setting global variable ‘IAXINFO-AEL’ to ‘guest’
== Setting global variable ‘OUTBOUND-TRUNK’ to ‘“Zap/g2”’
== Setting global variable ‘OUTBOUND-TRUNKMSD’ to ‘1’
– Including switch ‘DUNDi/e164’ in context ‘ael-dundi-e164-switch’
– Including switch ‘DUNDi/e164’ in context ‘dundi-e164-switch’
– Time to scan old dialplan and merge leftovers back into the new: 0.000389 sec
– Time to restore hints and swap in new dialplan: 0.000004 sec
– Time to delete the old dialplan: 0.000083 sec
– Total time merge_contexts_delete: 0.000476 sec
– pbx_ael successfully loaded 51 contexts (enable debug for details).
– Reloading module ‘app_playback.so’ (Sound File Playback Application)
– Reloading module ‘app_queue.so’ (True Call Queueing)
[Apr 14 23:19:57] NOTICE[1917]: app_queue.c:9144 reload_queue_rules: queuerules.conf has not changed since it was last loaded. Not taking any action.
Reloading MGCP
Reloading unistim.conf…
arwadhahri-VirtualBox*CLI> exit
Asterisk cleanly ending (0).
Executing last minute cleanups