[solved] Yealink and TLS resolution

I tested this mainly with Asterisk 10.1.2, though I also tested 1.8.9.2 and 10.2.0-rc2.

Most testing was done with Asterisk built against OpenSSL 1.0.0g, though I also tested with OpenSSL 0.9.8t.

In all instances these were both compiled from source.

I did not notice any difference in respect of this issue regardless of the Asterisk / OpenSSL version used.

Symptoms:

Phone (T28P) works fine in UDP mode.

In TCP or TLS mode it will usually register, but Asterisk will show phone as “status UNREACHABLE” and refuse to send calls to the phone.

Calls from the phone can be made as normal. The phone can be pinged and an Nmap TCP portscan shows the expected port(s) (5060 - 5065) are open.

Asterisk CLI spits out weird errors that are difficult to trace, and for which it is difficult to obtain support through the Asterisk forums, IRC and Google.

This includes:
tcptls.c:235 handle_tcptls_connection: FILE * open failed

I do not know how these errors relate to the problem with the phone.

Problem:

Version 61 of the firmware (from the international site) is seriously flawed. I have tested 2.61.70 and 2.61.80 with identical results.

Solution:

All of these steps MUST be taken:

  1. Unregister the phone from Asterisk with the command “sip unregister [peer]”. Simply unplugging the phone for a few minutes had no effect in the test scenario.

  2. Do a factory reset on the phone. If this step is not taken v60 will have the same problems.

  3. Downgrade to v60.

  4. Reconfigure the phone from scratch.

I have confirmed 2.60.110 and 2.60.140 work.

Additionally, I have found (regardless of firmware versions) it is strongly advisable to change the “Login expire” and “Subscribe period” settings under Accounts - Advanced.

I have set login expire to 600 seconds and subscribe period to 300 seconds. This considerably reduces the period it takes for the phone (in TLS mode) to come “live” again after an Asterisk restart.

Following is an example of a working config:

sip.conf

[general]

; listen for SIP over TLS on all interfaces (default port 5061)
tlsenable = yes
tlsbindaddr = 0.0.0.0
; private key and certificate together in one PEM file
tlscertfile = /etc/asterisk/certs/server.pem

; Choose ONE of these two options to suit
tlscadir = /etc/asterisk/certs/ca
tlscafile = /etc/asterisk/certs/ca.crt

; skips verification of the remote certificate when Asterisk is the TLS client
tlsdontverifyserver = yes
tlsclientmethod = tlsv1
; accepts any cipher OpenSSL offers; restrict this once the phone is confirmed working
tlscipher = ALL

[peer]
transport = tls

; The following is optional and works in any transport mode.
; If this is used, Asterisk must be compiled with libSRTP and SRTP = yes set on the phone.
encryption = yes

Self-signed or CA-provided certs can be used. For self-signed I used the “ast_tls_cert” script in the contrib/scripts directory of the Asterisk distribution source code.
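As an added example (not part of the original post, and not the ast_tls_cert script itself), the following shell functions build a self-signed server.pem in the layout Asterisk's tlscertfile expects (private key followed by certificate in one file, which is also what ast_tls_cert produces), verify that the combined file parses as both key and certificate, and print the server-side [general] TLS fragment from the config above pointed at that directory. The hostname, output directory and function names are assumptions chosen for the example; it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example: generate and check an Asterisk-style combined PEM for tlscertfile.
# Not the ast_tls_cert script; hostname and directory are hypothetical arguments.

# make_asterisk_tls_cert <common-name> <output-dir>
# Writes <output-dir>/server.key, server.crt, server.pem and ca.crt.
make_asterisk_tls_cert() {
    cn="$1"
    dir="$2"
    mkdir -p "$dir" || return 1
    # 2048-bit RSA key and a 10-year self-signed certificate without a passphrase,
    # because Asterisk reads tlscertfile unattended at startup.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    # tlscertfile layout: private key first, then the certificate, in one file.
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem" || return 1
    # With a self-signed cert the server certificate is its own CA; this copy is
    # what goes into tlscafile and onto the phone as the trusted CA.
    cp "$dir/server.crt" "$dir/ca.crt" || return 1
    # The private key must not be readable by other users on the PBX.
    chmod 600 "$dir/server.key" "$dir/server.pem"
    return 0
}

# check_asterisk_pem <pem-file> <expected-cn>
# Returns 0 if the combined PEM contains a valid RSA key and a certificate
# whose subject CN matches <expected-cn>; 1 otherwise.
check_asterisk_pem() {
    pem="$1"
    cn="$2"
    openssl rsa -in "$pem" -noout -check >/dev/null 2>&1 || return 1
    subj=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null) || return 1
    # OpenSSL 1.x prints "CN=host", OpenSSL 3.x prints "CN = host".
    case "$subj" in
        *"CN=$cn"*|*"CN = $cn"*) return 0 ;;
        *) return 1 ;;
    esac
}

# sip_general_tls_fragment <cert-dir>
# Prints the server-side [general] TLS settings used in the post, using the
# tlscafile variant and pointing at <cert-dir>.
sip_general_tls_fragment() {
    dir="$1"
    cat <<EOF
[general]
tlsenable = yes
tlsbindaddr = 0.0.0.0
tlscertfile = $dir/server.pem
tlscafile = $dir/ca.crt
tlsclientmethod = tlsv1
tlscipher = ALL
EOF
}

# Usage (hypothetical host and directory):
#   make_asterisk_tls_cert pbx.example.invalid /etc/asterisk/certs
#   check_asterisk_pem /etc/asterisk/certs/server.pem pbx.example.invalid && echo "pem ok"
#   sip_general_tls_fragment /etc/asterisk/certs
```

The check function is worth running after any cert change: the "FILE * open failed" style of startup error is easier to rule out when you already know the PEM parses and is readable by the user Asterisk runs as. tlsdontverifyserver is left out of the printed fragment because it only affects Asterisk acting as a TLS client, not the phone registering to it.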