SSL Issue with certain PJSIP Endpoints

Hello everyone,

I am facing a strange issue with some of my endpoints. I am using TLS for both media and transports. Asterisk 18.4 with PJSIP.

I am getting regular ssl error messages as follows;
[2021-06-02 17:31:13] WARNING[47835]: pjproject: <?>: SSL 6 [SSL_ERROR_ZERO_RETURN] (Read) ret: 0 len: 65535

Moreover, extensions seem to indefinitely register and get deleted.

A trace of the debug output and the transport and endpoint config are attached.

config.txt (8.9 KB)
debug_log.txt (42.2 KB)

Kind regards,
Gordon

After some more debugging, I found that the issue is related to a specific SSL message which occurs specifically when the softphone is exited (completely exited, not account deactivation). I have traced the issue using Wireshark and the packet below is triggering the error:

TLSv1.2 Record Layer: Encrypted Alert
Content Type: Alert (21)
Version: TLS 1.2 (0x0303)
Length: 26
Alert Message: Encrypted Alert

It does not seem that the issue is service impacting. The PJSIP traces I provided before seem to be network related. However, I’d like to confirm if the issue can be resolved or if these messages can be safely ignored.

Thank you in advance for your assistance.

Failed long shot;

I am using Let’s Encrypt certificates. I have read and observed that these are not trusted by older phone models. I thought this may be related and I replaced the certificate with one issued by a commercial CA.

Same behaviour was observed. Issue does not seem to be related.

You are running into a problem numerous people are now running into. The SSL/TLS standards changed in 2020; every vendor has been deprecating and removing anything that is TLS1.0 or less. Certain encryption algorithms, ciphers, etc. were removed as they were found to be lax and vulnerabilities were exposed in them. Basically anything TLS1.0 is considered insecure and both TLS1.1 and 1.0 have been considered EOL for the last couple of years.

They have also stepped up the version releases. TLS 1.2 was released in 2008, TLS1.3 was released in 2018 but they have said versions will not have 10 year gaps like this again.

So what is happening with you is that you are now getting certs that have a couple of algorithms removed and updated ciphers. Your devices will now need to support TLS1.2, and if they are out-of-date/EOL old devices that aren’t getting updates, they are done using TLS in any modern format.

Like I said, you’re not the only one. I’m seeing numerous people posting/talking about their 10 year old phones no longer working with TLS after a new cert/renewal was done.

Hello, thanks for the info provided. At the moment I am forcing the use of TLS1.2; I’m not forcing the use of any specific ciphers though. Also, I am connecting via softphone, specifically MicroSIP 3.20, which is very “modern”.

Are you aware of a configuration or device combination which is not affected by these errors? At the moment I have around 300 extensions, and while I don’t have any operational issues, the CLI is flooded with these errors. I’m looking to scale tenfold and I’d like to make sure that nothing is wrong with my setup.

In the meantime, I will test with other softphones/deskphones and will update this post accordingly.

Thank you very much for your assistance.

Gordon

Asterisk doesn’t consider this to be an error.

It looks to me as though it is PJPROJECT, rather than Asterisk, that is deciding to log a warning.

The condition simply means that the peer sent an indication that it had finished with the SSL, when it wasn’t required to finish the connection.

I think you will need to take this up with the PJPROJECT people, if you want the message suppressed, or downgraded.
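
Added example, not part of any post in this thread and not Asterisk or PJPROJECT code: a small triage script for a log flooded with these warnings, which counts pjproject SSL warnings by error name and surfaces only those that are not the close indication described in the last reply. The regex is built from the single log line quoted in the first post; the other sample lines are constructed in that format, and treating only SSL_ERROR_ZERO_RETURN as benign is an assumption based on that reply.

```python
import re
from collections import Counter

# Pattern derived from the warning line quoted in the first post.
SSL_WARNING = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WARNING\[\d+\]: pjproject: .*?: "
    r"SSL (?P<code>\d+) \[(?P<name>SSL_ERROR_[A-Z_]+)\] "
    r"\((?P<op>\w+)\) ret: (?P<ret>-?\d+) len: (?P<len>\d+)"
)

# Assumption from the last reply: ZERO_RETURN only means the peer
# signalled that it had finished with the TLS session.
BENIGN = {"SSL_ERROR_ZERO_RETURN"}

# First line is the one from the thread; the rest are constructed samples.
SAMPLE_LOG = """\
[2021-06-02 17:31:13] WARNING[47835]: pjproject: <?>: SSL 6 [SSL_ERROR_ZERO_RETURN] (Read) ret: 0 len: 65535
[2021-06-02 17:31:14] NOTICE[47835]: constructed non-SSL line that must be skipped
[2021-06-02 17:31:20] WARNING[47835]: pjproject: <?>: SSL 5 [SSL_ERROR_SYSCALL] (Read) ret: -1 len: 65535
[2021-06-02 17:31:42] WARNING[47835]: pjproject: <?>: SSL 6 [SSL_ERROR_ZERO_RETURN] (Read) ret: 0 len: 65535
[2021-06-02 17:32:01] WARNING[47835]: pjproject: <?>: SSL 1 [SSL_ERROR_SSL] (Handshake) ret: -1 len: 0
"""


def triage(lines):
    """Return (Counter of SSL error names, list of entries worth reviewing)."""
    counts = Counter()
    review = []
    for line in lines:
        m = SSL_WARNING.match(line)
        if not m:
            continue  # not a pjproject SSL warning
        counts[m["name"]] += 1
        if m["name"] not in BENIGN:
            review.append((m["ts"], m["name"], m["op"], int(m["ret"])))
    return counts, review


if __name__ == "__main__":
    counts, review = triage(SAMPLE_LOG.splitlines())
    for name, n in counts.most_common():
        tag = "benign close" if name in BENIGN else "REVIEW"
        print(f"{n:5d}  {name}  ({tag})")
    for ts, name, op, ret in review:
        print(f"review: {ts} {name} during {op}, ret={ret}")
```
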