[SOLVED] PJSIP TLS Cert Key 'Too Small'

Hello,

I’m a beginner to Asterisk and recently set up a simple PBX with UDP transport and PJSIP configuration successfully. Now I’m attempting to switch over to TLS transport and am having some issues with doing so.

After following through the first half (about TLS transport) of the Asterisk Wiki tutorial found here, I reloaded the PJSIP, fixed some minor errors that popped up, reloaded again and found one error still persisting. After reloading the entire service, it still was showing up.

Here’s the error:

[May 11 10:32:33] WARNING[4134]: pjproject: <?>: SSL STATUS_FROM_SSL_ERR (status): Level: 0 err: <336245135> <SSL routines-SSL_CTX_use_certificate-ee key too small> len: 0 peer: 192.168.2.129:51644
[May 11 10:32:33] ERROR[4134]: pjproject: <?>: ssl0x5612898e9250 Error loading certificate chain file '/etc/asterisk/keys/asterisk.crt': ee key too small

I’ve tried deleting all my certification keys and recreating them using the same methods shown on the website, but to no avail. I’ve also double-checked to make sure all the appropriate files were created in the keys folder.

I wasn’t sure exactly what would be necessary to see, so I’ve provided everything I think possibly could be necessary, all below, labeled with bold titles.

Thank you for taking the time to help me puzzle through this issue!

Contents of my pjsip.conf file:

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1

[karishbenkal]
type=aor
max_contacts=1
remove_existing=yes

[karishbenkal]
type=auth
auth_type=userpass
username=karishbenkal
password=1234

[karishbenkal]
type=endpoint
aors=karishbenkal
auth=karishbenkal
context=local
disallow=all
allow=g722
dtmf_mode=rfc4733
media_encryption=sdes

Initial certification file creation and output.

root@ubuntu:/usr/src/asterisk-17.4.0/contrib/scripts# ./ast_tls_cert -C 198.168.2.188 -O "CN Test" -d /etc/asterisk/keys

No config file specified, creating '/etc/asterisk/keys/tmp.cfg'
You can use this config file to create additional certs without
re-entering the information for the fields in the certificate
Creating CA key /etc/asterisk/keys/ca.key
Generating RSA private key, 4096 bit long modulus (2 primes)
...............................................................++++
..................................................................................................++++
e is 65537 (0x010001)
Enter pass phrase for /etc/asterisk/keys/ca.key:
Verifying - Enter pass phrase for /etc/asterisk/keys/ca.key:
Creating CA certificate /etc/asterisk/keys/ca.crt
Enter pass phrase for /etc/asterisk/keys/ca.key:
Creating certificate /etc/asterisk/keys/asterisk.key
Generating RSA private key, 1024 bit long modulus (2 primes)
.....+++++
........+++++
e is 65537 (0x010001)
Creating signing request /etc/asterisk/keys/asterisk.csr
Creating certificate /etc/asterisk/keys/asterisk.crt
Signature ok
subject=CN = 198.168.2.188, O = CN Test
Getting CA Private Key
Enter pass phrase for /etc/asterisk/keys/ca.key:
Combining key and crt into /etc/asterisk/keys/asterisk.pem
root@ubuntu:/usr/src/asterisk-17.4.0/contrib/scripts#

Client Certificate Creation and Output

root@ubuntu:/usr/src/asterisk-17.4.0/contrib/scripts# ./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 198.168.2.188 -O "CN Test" -d /etc/asterisk/keys -o karish

No config file specified, creating '/etc/asterisk/keys/tmp.cfg'
You can use this config file to create additional certs without
re-entering the information for the fields in the certificate
Creating certificate /etc/asterisk/keys/karish.key
Generating RSA private key, 1024 bit long modulus (2 primes)
........................................+++++
..+++++
e is 65537 (0x010001)
Creating signing request /etc/asterisk/keys/karish.csr
Creating certificate /etc/asterisk/keys/karish.crt
Signature ok
subject=CN = 198.168.2.188, O = CN Test
Getting CA Private Key
Enter pass phrase for /etc/asterisk/keys/ca.key:
Combining key and crt into /etc/asterisk/keys/karish.pem

Blink Preferences (screenshots, not reproduced here): Network/SIP Settings, TLS Cert File Settings, TLS Port Settings, Codec Settings

And I am certain that my username and password match the pjsip.conf file.

This is due to the OpenSSL version in use. It’s wanting a larger key. You can do this by passing “-b 2048” to the ast_tls_cert utility in recent versions.


Okay, thank you! I’ll go ahead and try that right now. I have OpenSSL installed; would it also fix the issue if I used that to create the key?

The ast_tls_cert script uses OpenSSL underneath to create it; it’s a convenient script to do a lot of the legwork of doing so. If you want to do it yourself you can.
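As an added example (not from this thread or from the Asterisk project), the following POSIX shell check does with plain OpenSSL what the two replies above describe: it reads the RSA modulus size out of a PEM certificate or private key and flags anything under 2048 bits, which is the floor that the OpenSSL security level on current Ubuntu/Debian enforces and that produces the "ee key too small" error. The 2048-bit minimum and the function names are assumptions of this example, not values from the thread.

```shell
#!/bin/sh
# Added example: verify that an Asterisk TLS certificate or key meets the
# 2048-bit RSA minimum before PJSIP tries to load it. Assumes the openssl CLI
# is on PATH; the MIN_BITS value is this example's assumption (OpenSSL
# security level 2 rejects RSA keys shorter than 2048 bits).
MIN_BITS=2048

# Print the RSA modulus size (in bits) of a PEM file, trying it first as an
# X.509 certificate and then as an unencrypted private key. Returns 1 if the
# file is neither. Matches both "RSA Public-Key: (N bit)" (OpenSSL 1.1.1)
# and "Public-Key: (N bit)" / "Private-Key: (N bit, 2 primes)" (OpenSSL 3).
key_bits() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) ||
    text=$(openssl pkey -in "$1" -noout -text 2>/dev/null) || return 1
  printf '%s\n' "$text" | grep -o '([0-9][0-9]* bit' | head -n 1 | tr -dc '0-9'
}

# Report whether the file's key is large enough for a TLS transport.
# Exit status: 0 = acceptable, 1 = too small, 2 = not a PEM cert/key.
check_key_size() {
  bits=$(key_bits "$1") || { echo "$1: not a PEM certificate or key" >&2; return 2; }
  if [ "$bits" -lt "$MIN_BITS" ]; then
    echo "$1: $bits-bit RSA key is below $MIN_BITS bits; PJSIP will log 'ee key too small'"
    echo "  regenerate with: ast_tls_cert -b $MIN_BITS ... (or openssl genrsa $MIN_BITS)"
    return 1
  fi
  echo "$1: $bits-bit RSA key is acceptable"
  return 0
}

# Usage: ./check_key_size.sh /etc/asterisk/keys/asterisk.crt /etc/asterisk/keys/asterisk.key
for f in "$@"; do
  check_key_size "$f"
done
```

Run it against both cert_file and priv_key_file from the transport section; a CA key encrypted with a passphrase, like ca.key above, is reported as "not a PEM certificate or key" because the check deliberately never prompts for a passphrase.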
