Hello – We have Asterisk 13.26.0 with PJSIP and FreePBX. I am attempting to register a Yealink SIP-T40G phone over an encrypted connection.
We installed a Let’s Encrypt ceritificate in the asterisk using the FreePBX certificate manager. I followed the asterisk secure calling tutorial and made client certificates from the Let’s Encrypt certificate using the ast_tls_cert script and installed the appropriate files it in the Yealink phone.
When attempting to register the phone the connection is cut off by the Asterisk with a TCP FIN after the TLS handshake appears to complete. Here is the wireshark:
(the above packet capture was made with a weaker cipher suite so that the decrypted packets can be viewed. The same sequence of events occurs with the original strong cipher suite)
I went to Yealink support who only said I must look into why the server is disconnecting. Is there a way to enable enhanced CLI output to show why the Asterisk is cutting the connection?
When I turn up full verbose and debug on the Asterisk CLI I only get only the following information:
This was a learning experience – thanks for your patience. The failure was trying to use a certificate from a public trusted CA (Let’s Encrypt) in a private LAN which is incorrect use of the certificate.
After discarding the public certificate here are the successful things I did to get secure SIP calls (TLS/SRTP) going in the LAN:
I created a local CA following the Asterisk Secure Calling Tutorial using the ast_tls_cert script. I then used the OpenSSL update-ca-certificates command to install the CA on the server as described here.
I created client certificates with the ast_tls_cert script using the extension number as the Common Name, e.g., ‘1001’ (the -C option on the script is the Common Name). On the Yealink I installed the local CA cert (ca.crt) in the Trusted Certificates and the client .pem cert as the Server Certificate. I enabled “Only Accept Trusted Certificates” and “Common Name Validation” and set “CA Certificates” to “Custom”.
This worked fine as verified by the padlock on the phone and TLS and SRTP in Wireshark. If anyone has any suggestions for better practice I would appreciate it. Thank you.