I’ve searched online, but I can’t get a definitive answer: are PJSIP transports supported in realtime? I’ve tried, and UDP and WSS transports work fine, but TLS is flaky. For one thing, I am getting:
ssl0x559bbb0b7330 Error reading CA certificates from buffer
but the endpoint still registers successfully. I was also getting:
‘Unsuitable transport selected (PJSIP_ETPNOTSUITABLE)’ sending OPTIONS request to endpoint
I got rid of that by not specifying the transport explicitly in endpoint config. But endpoints still become unreachable after some time. Looking at the logs, OPTIONS packets appear to be sent correctly, but they are not reaching the endpoint device. At the same time, responses to REGISTER requests go through just fine.
Asterisk version is 20.5.0.
The code may not prevent it, but in practice it may not work. There are some things that you just shouldn’t realtime… transports are one of them. They should rarely if ever change fundamentally, only if you’re changing a TLS certificate and then a reload should be issued.
Thanks for the info. I didn’t put the transports in realtime because I expect them to change, I just wanted to have a consistent configuration interface. Everything else is in the database, so I wanted transports there, too. From your answer, I surmise that realtime transports are not tested extensively so this behavior is probably due to bugs. I am guessing that it will probably work if I put them in realtime static config, so I will try that next.
Correct, it’s not tested extensively at all. Static realtime should be fine, it just appears as a file.
I had the same error message ssl0x559bbb0b7330 Error reading CA certificates from buffer on Asterisk 20.1.
I needed to add pjsip_ca_file (merged cert and key in one file with .pem extension) to the transport config, which fixed this issue.
Thanks, I really appreciate the info.
I cannot find the ca_file parameter in the transport config. There is ca_list_file, but it doesn’t work with that.
If by key you mean the private key, the CA private key should not be kept with the certificates. Ideally it should only be on an air-gapped system used only for signing.
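As an added example, not from this thread, here is what a static TLS transport section looks like with the server identity and the trust anchors kept apart, the point made in the two replies above; the file paths and section name are assumptions. Because static realtime presents the rows as if they were a file, the same key/value pairs apply there.

```ini
; Added example (not from the thread). All paths and the section name are assumptions.
; The same keys are what static realtime would load via extconfig.conf, since
; Asterisk sees a static-realtime section exactly as it would see this file.

; --- Mistaken form: one merged PEM (certificate + private key) handed to the
; CA option. res_pjsip has no ca_file key, and ca_list_file is meant to hold CA
; certificates only; a private key does not belong in it.
;[transport-tls]
;type=transport
;protocol=tls
;bind=0.0.0.0:5061
;ca_list_file=/etc/asterisk/keys/merged-cert-and-key.pem   ; wrong: key mixed into the CA list

; --- Corrected form: this server's own certificate and private key go in
; cert_file / priv_key_file; ca_list_file carries only the CA chain used to
; verify the peer. No CA private key is present on the Asterisk host at all.
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt        ; this server's certificate (assumed path)
priv_key_file=/etc/asterisk/keys/asterisk.key    ; its private key; keep it readable only by the asterisk user
ca_list_file=/etc/asterisk/keys/ca-chain.pem     ; CA certificates only, no keys
method=tlsv1_2                                   ; minimum protocol version to offer
```

After changing certificate files, issue a reload of res_pjsip rather than expecting a realtime lookup to pick the change up, as the second reply in the thread recommends.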