SIP TLS error, ssl connection: error:00000001:lib(0):func(0):reason(1)


#1

I am currently testing Asterisk in TLS mode. Over the last few days I have been blocked by the same error message over and over again. The same error appears on three different setups.
Basically, every time I try to register over the TLS transport the following error occurs:

##sip reload message on CLI terminal

Reloading SIP
== Parsing '/etc/asterisk/sip.conf': Found
== Parsing '/etc/asterisk/users.conf': Found
== Using SIP CoS mark 4
== TLS/SSL ECDH initialized (secp256r1), faster PFS cipher-suites enabled
== TLS/SSL certificate ok
== Parsing '/etc/asterisk/sip_notify.conf': Found
ERROR[6550]: tcptls.c:693 handle_tcptls_connection: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
ERROR[6550]: tcptls.c:693 handle_tcptls_connection: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
WARNING[6550]: tcptls.c:780 handle_tcptls_connection: FILE * open failed!
WARNING[6550]: tcptls.c:780 handle_tcptls_connection: FILE * open failed!

##CLI end; the error goes on

##sip.conf
[general]
udpenable=yes
tlsenable=yes
tcpenable=yes
bindaddr=192.168.X.X ;run on the local IP
tlsbindaddr=192.168.X.X ;as above
tlsbindport=5061
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlsprivatekey=/etc/asterisk/keys/asterisk.key
tlscafile=/etc/asterisk/keys/ca.crt
tlscapath=/etc/asterisk/keys
tlscipher=ADH-AES256-SHA,ADH-AES128-SHA
tlsclientmethod=TLSv1
tlsdontverifyserver=yes ; tried both yes and no, doesn't make any difference

[100]
type=friend
context=phones
transport=tls
port=5061
disallow=all
allow=ulaw,alaw
secret=bla_bla
host=dynamic
dtmfmode=rfc2833
encryption=yes

[200]
type=friend
context=phones
transport=tls
port=5061
disallow=all
allow=ulaw,alaw
secret=bla_bla
host=dynamic
dtmfmode=rfc2833
encryption=yes
##sip.conf end

Self-signed certificates were generated by the ast_tls_cert script found in the Asterisk contrib/scripts folder,
according to the documentation at:
https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial
The error is repeated on Debian 9 with Asterisk 14.7.4 (VirtualBox), and also on a Debian 9 workstation and CentOS 7 (running on VirtualBox); all show the same error.
Any registration without TLS, based on TCP or UDP, works fine. Testing from a softphone (Blink).
I am guessing it is some extra tiny configuration missing somewhere.
If there is any expert around on this issue, I would be happy to have them look into it.
I highly appreciate any help and suggestions.


#2

Adding the self-signed certificate to the "trusted list" (Debian):

cp /etc/asterisk/keys/ca.crt /usr/local/share/ca-certificates/asterisk/ca.crt
update-ca-certificates

does update the certificate list but didn't help.


#3

Today it gets even more interesting. On VirtualBox (running Debian 9), after reinstalling Asterisk it shows (log including debug level 10):

iostream.c:602 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
iostream.c:507 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error
iostream.c:602 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
iostream.c:507 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error

Wireshark analysis showed a handshake failure error (server => client). SIP stats report tons of 404 Not Found responses.
I am pretty sure this problem is trivial.
So far I am writing to myself, but maybe one day…


#4

OK
Here we go.
There is definitely something on the table. Any clean fresh installation ends up with the iostream error. Currently I have one physical Debian 9 and two VirtualBox machines (Debian 9 and CentOS 7); all of them show the same SSL_shutdown() failed.

###CLI terminal

ERROR[16552]: iostream.c:602 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
ERROR[16552]: iostream.c:507 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error
ERROR[16553]: iostream.c:602 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
ERROR[16553]: iostream.c:507 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error

###CLI end

The only thing that I could find is the error I reported earlier (404 response), which was related to SIP peers without a mailbox and can be ignored.


#5

I have finally managed it.
It is not a perfect solution, but a form of temporary one.
In the general section correct two positions:

tlsclientmethod=ALL
tlscipher=ALL

It does work on TLS, including encrypted phone calls, but protection … better than nothing.
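As an added example (not code from this thread or from the Asterisk project), here is a small Python linter for the TLS keys in the [general] section of sip.conf. It reads two excerpts constructed from the values quoted above, the original settings from post #1 (ADH-only cipher suites, TLSv1, tlsdontverifyserver=yes) and the workaround from post #5 (tlscipher=ALL), and reports what each gives up: the ADH-* suites and OpenSSL's ALL keyword admit anonymous (aNULL) suites, which never authenticate the peer's certificate, and a client that offers none of the permitted suites cannot complete the handshake at all. The hardened excerpt and its ECDHE cipher list are my own assumption of a sane baseline, not a recommendation made in the thread; the parser handles only the section/key=value/; comment syntax seen in the posts.

```python
# Added example, not from the thread or the Asterisk project: lint the TLS keys
# in the [general] section of an Asterisk sip.conf for settings that remove the
# peer authentication TLS is supposed to provide. Excerpts below are constructed.
import re

# OpenSSL cipher-string tokens that enable anonymous (unauthenticated) suites.
ANON_TOKENS = {"ALL", "ANULL", "ADH", "AECDH", "COMPLEMENTOFDEFAULT"}
# Protocol versions that are deprecated and should not be selected.
OBSOLETE_METHODS = {"sslv2", "sslv3", "tlsv1"}


def parse_sip_conf(text):
    """Parse Asterisk's ini-like syntax: [section] headers, key=value lines and
    ';' comments. Returns {section: {key: [values...]}}; keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].setdefault(key.lower(), []).append(value)
    return sections


def anonymous_suites_allowed(cipher_string):
    """Conservative reading of an OpenSSL cipher string: True if it admits
    aNULL suites. Tokens split on ':' or ',' (the thread uses a comma)."""
    tokens = [t.strip() for t in re.split(r"[:,]", cipher_string) if t.strip()]
    banned = {t[1:].upper() for t in tokens if t.startswith("!")}  # '!' is permanent
    if "ANULL" in banned:
        return False
    for t in tokens:
        if t[0] in "!-":
            continue
        t = t.lstrip("+").upper()
        head = t.split("-", 1)[0]  # "ADH-AES256-SHA" -> "ADH"
        if (t in ANON_TOKENS or head in ANON_TOKENS) and head not in banned:
            return True
    return False


def lint_tls(text):
    """Return a list of finding strings for the [general] TLS settings."""
    general = parse_sip_conf(text).get("general", {})
    findings = []
    if general.get("tlsenable", ["no"])[-1].lower() != "yes":
        return findings  # TLS not in use, nothing to check
    if "tlscertfile" not in general:
        findings.append("tlscertfile missing: server cannot present a certificate")
    for cipher in general.get("tlscipher", []):
        if anonymous_suites_allowed(cipher):
            findings.append(f"tlscipher={cipher}: permits anonymous suites, so the peer "
                            "is not authenticated by the certificate; a client offering "
                            "none of them cannot complete the handshake")
    for method in general.get("tlsclientmethod", []):
        if method.lower() in OBSOLETE_METHODS:
            findings.append(f"tlsclientmethod={method}: obsolete protocol version")
    for flag in general.get("tlsdontverifyserver", []):
        if flag.lower() == "yes":
            findings.append("tlsdontverifyserver=yes: outbound TLS skips certificate verification")
    return findings


# Constructed excerpt modelled on the [general] section in post #1.
THREAD_ORIGINAL = """\
[general]
tlsenable=yes
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscipher=ADH-AES256-SHA,ADH-AES128-SHA
tlsclientmethod=TLSv1
tlsdontverifyserver=yes ; doesn't make any difference
"""

# Constructed excerpt modelled on the workaround in post #5.
THREAD_WORKAROUND = """\
[general]
tlsenable=yes
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlsclientmethod=ALL
tlscipher=ALL
"""

# Constructed hardened variant; the cipher list is an assumption, not from the thread.
HARDENED = """\
[general]
tlsenable=yes
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlsprivatekey=/etc/asterisk/keys/asterisk.key
tlscipher=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
tlsdontverifyserver=no
"""

if __name__ == "__main__":
    for name, conf in (("original", THREAD_ORIGINAL),
                       ("workaround", THREAD_WORKAROUND), ("hardened", HARDENED)):
        print(f"== {name}")
        for finding in lint_tls(conf) or ["no findings"]:
            print("  -", finding)
```

Running the block prints three findings for the original excerpt, one for the ALL/ALL workaround (it still permits anonymous suites) and none for the hardened one. Against a live box, `openssl s_client -connect <host>:5061` shows which suite the server actually negotiates, or that no handshake completes, which is the quickest way to confirm what the linter predicts from the file.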