SSL errors with WebRTC

Hello!

I am following the WebRTC + SIPML5 tutorial: https://wiki.asterisk.org/wiki/display/AST/WebRTC+tutorial+using+SIPML5

I am running Asterisk 16.6.2 in Docker.

I have generated the self-signed certificate and accepted it by browsing to https://myhost:8089/ws

I can see a web page showing “Upgrade Required” but the following errors are generated:

[Oct 26 04:50:31] ERROR[243]: iostream.c:633 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Oct 26 04:50:31] ERROR[243]: tcptls.c:157 handle_tcptls_connection: Unable to set up ssl connection with peer '172.21.0.1:54370'
[Oct 26 04:50:31] ERROR[243]: iostream.c:538 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Oct 26 04:50:31] ERROR[244]: iostream.c:633 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Oct 26 04:50:31] ERROR[244]: tcptls.c:157 handle_tcptls_connection: Unable to set up ssl connection with peer '172.21.0.1:54374'
[Oct 26 04:50:31] ERROR[244]: iostream.c:538 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Oct 26 04:50:32] WARNING[245]: res_http_websocket.c:791 __ast_websocket_uri_cb: WebSocket connection from '172.21.0.1:54378' could not be accepted - did not request WebSocket

When I go on to configure the sipML5 client I get the following log in addition to the ones above:

== WebSocket connection from '172.21.0.1:54390' for protocol 'sip' accepted using version '13'
[Oct 26 04:52:47] NOTICE[248]: chan_sip.c:28939 handle_request_register: Registration from '"WebRTC Client"<sip:webrtc_client@myhost>' failed for '172.21.0.1:54390' - Wrong password

Here are my relevant files:

http.conf:

[general]
enabled=yes
bindaddr=0.0.0.0
bindport=8088
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=scripts/asterisk.crt
tlsprivatekey=scripts/asterisk.key

pjsip.conf:

[transport-wss]
type=transport
protocol=wss
bind=0.0.0.0

[webrtc_client]
type=aor
max_contacts=1
remove_existing=yes

[webrtc_client]
type=auth
auth_type=userpass
username=webrtc_client
password=webrtc_client

[webrtc_client]
type=endpoint
aors=webrtc_client
auth=webrtc_client
dtls_auto_generate_cert=yes
webrtc=yes
context=test_webrtc
disallow=all
allow=opus,ulaw

Any help will be appreciated.

The chan_sip module is picking up the Websocket connection instead of chan_pjsip. Ensure that either chan_sip is not loaded in modules.conf or set “websocket_enabled” to “no” in sip.conf.

Thank you @jcolp. When removing sip.conf the connection was successful, but I am still getting the SSL errors.

[Oct 26 06:07:39] ERROR[141]: iostream.c:633 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Oct 26 06:07:39] ERROR[141]: tcptls.c:157 handle_tcptls_connection: Unable to set up ssl connection with peer '172.23.0.1:33146'
[Oct 26 06:07:39] ERROR[141]: iostream.c:538 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error
  == WebSocket connection from '172.23.0.1:33150' for protocol 'sip' accepted using version '13'
    -- Added contact 'sips:webrtc_client@172.23.0.1:33150;transport=ws;rtcweb-breaker=no' to AOR 'webrtc_client' with expiration of 200 seconds
  == Endpoint webrtc_client is now Reachable

I tried using a pem certificate, instead of the .crt and .key files based on the instructions in the http config file:

; To produce a certificate you can e.g. use openssl. This places both the cert and
; private in same .pem file.
; openssl req -new -x509 -days 365 -nodes -out /tmp/foo.pem -keyout /tmp/foo.pem

It seems that 16.6.2 only accepts .pem:

;tlscertfile=</path/to/certificate.pem>  ; path to the certificate file (*.pem) only.

The messages don’t appear to be causing a failure, as your WebRTC endpoint does register. Are you using a self-signed certificate that you then had to accept? That can sometimes cause such messages.

Yes, this is a self-signed certificate which I accepted.

Thanks for your help, will mark as answered.
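
Added example, not part of any post in this thread: a small Python triage over Asterisk log lines that applies the two checks the replies describe, namely whether chan_sip logged about a peer whose WebSocket was accepted, and whether a host's TLS handshake errors were followed by an accepted WebSocket session. The sample log is constructed from the line formats quoted above; `triage`, the verdict labels and the peer 198.51.100.7 are illustrative assumptions.

```python
import re

PEER = re.compile(r"'([^':]+):(\d+)'")  # 'host:port' as quoted in the log (IPv4 or name)

# Constructed sample built from the kinds of lines quoted in this thread.
# 198.51.100.7 is an invented peer that never completes a handshake.
SAMPLE_LOG = """\
[Oct 26 04:50:31] ERROR[243]: tcptls.c:157 handle_tcptls_connection: Unable to set up ssl connection with peer '172.21.0.1:54370'
[Oct 26 04:50:31] ERROR[244]: tcptls.c:157 handle_tcptls_connection: Unable to set up ssl connection with peer '172.21.0.1:54374'
[Oct 26 04:50:32] WARNING[245]: res_http_websocket.c:791 __ast_websocket_uri_cb: WebSocket connection from '172.21.0.1:54378' could not be accepted - did not request WebSocket
  == WebSocket connection from '172.21.0.1:54390' for protocol 'sip' accepted using version '13'
[Oct 26 04:52:47] NOTICE[248]: chan_sip.c:28939 handle_request_register: Registration from '"WebRTC Client"<sip:webrtc_client@myhost>' failed for '172.21.0.1:54390' - Wrong password
[Oct 26 04:53:02] ERROR[251]: tcptls.c:157 handle_tcptls_connection: Unable to set up ssl connection with peer '198.51.100.7:40112'
"""


def triage(log):
    """Return (per-host TLS summary, WebSocket peers that chan_sip answered)."""
    hosts, ws_peers, chan_sip_peers = {}, set(), set()
    for line in log.splitlines():
        peers = PEER.findall(line)
        if not peers:
            continue
        host, port = peers[0]
        if "Unable to set up ssl connection with peer" in line:
            h = hosts.setdefault(host, dict(tls_failures=0, accepted=0, pending=0))
            h["tls_failures"] += 1
            h["pending"] += 1      # not yet followed by a working session
        elif "WebSocket connection from" in line and "accepted using version" in line:
            h = hosts.setdefault(host, dict(tls_failures=0, accepted=0, pending=0))
            h["accepted"] += 1
            h["pending"] = 0       # a later session from this host succeeded
            ws_peers.add(f"{host}:{port}")
        elif "chan_sip.c:" in line:
            # chan_sip logging about a WebSocket's host:port means it owns that socket
            chan_sip_peers.add(f"{host}:{port}")

    def verdict(h):
        if h["tls_failures"] == 0:
            return "clean"
        return "recovered" if h["pending"] == 0 else "unresolved"

    summary = {host: {"tls_failures": h["tls_failures"], "accepted": h["accepted"],
                      "verdict": verdict(h)} for host, h in hosts.items()}
    return summary, sorted(ws_peers & chan_sip_peers)
```

Correlation is by source host and log order only; in a setup like the one in this thread, where every peer shows the same 172.x address, one working client will mask handshake failures from another.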
