Hi,
I am currently trying to enable secure SIP signalling and SRTP with self-signed certificates, but I am coming across an error:
tcptls.c: FILE * open failed!
SIP loading the self-signed certificates for TLS works fine:
Reloading SIP
== Parsing '/etc/asterisk/sip.conf': Found
== Parsing '/etc/asterisk/users.conf': Found
== Using SIP CoS mark 4
== TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled
== TLS/SSL certificate ok
== Parsing '/etc/asterisk/sip_notify.conf': Found
The certificate has also been added to the server with:
cp /etc/asterisk/keys/ca.crt /usr/local/share/ca-certificates/asterisk/ca.crt
update-ca-certificates
The sip.conf file looks like this:
[general]
register => xxxxxxxxx
canreinvite=no
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscafile=/etc/asterisk/keys/ca.crt
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscipher=ALL
tlsclientmethod=ALL
[extension_name]
username=xx
type=friend
context=context
allow=ulaw,alaw
secret=secret
host=dynamic
transport=tls
encryption=yes
I made sure the certificates are owned by the right group on the server. I tried to generate the self-signed certificates with the ast_tls_cert script and with openssl. Both give the same result.
These are the openssl commands I used to generate them:
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -out key.pem 1024
openssl req -new -key key.pem -out asterisk.csr
openssl x509 -req -days 365 -in asterisk.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out asterisk.crt
I also checked whether I can connect with openssl from the command line, and the status was connected:
openssl s_client -connect x.x.x.x:5061 -CAfile ca.crt -cert asterisk.pem -msg
On my softphone I am using the ca.crt and asterisk.pem files; TLS is enabled.
Unfortunately the result is still the same when I try to connect. Is there a way to make the error logging for TLS more verbose, so I can tell which file cannot be opened, or whether it is a file that actually can't be opened?
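The "FILE * open failed!" message from tcptls.c does not name the file it failed on, so the quickest check is to read the tls* options out of sip.conf and test each path the way the Asterisk process would see it. The script below is an added example and is not part of Asterisk or of the post above: it lists every file-valued TLS option in a chan_sip config, checks that each one exists and is readable, and, because chan_sip reads the private key from tlscertfile when no tlsprivatekey is set, checks that such a tlscertfile actually carries both a certificate block and a private key block. The paths under /etc/asterisk/keys/ used in the usage line are taken from the post and are assumptions; run it as the user the asterisk daemon runs as, otherwise a permission problem will not show up.

```shell
#!/bin/sh
# Added example (not Asterisk code): find which TLS file chan_sip cannot open.
# Usage: sudo -u asterisk sh check_tls_files.sh /etc/asterisk/sip.conf
# (the config path is an assumption taken from the post above)

# Print "option=path" for each chan_sip TLS option that names a file or directory.
tls_file_options() {
    awk -F'=' '
        /^[[:space:]]*(tlscafile|tlscapath|tlscertfile|tlsprivatekey)[[:space:]]*=/ {
            key = $1; gsub(/[[:space:]]/, "", key)
            val = $2; sub(/[[:space:]]*;.*$/, "", val)   # drop a trailing ; comment
            sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
            print key "=" val
        }' "$1"
}

# 0 if the PEM file contains a certificate block, 1 otherwise.
pem_has_cert() { grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; }
# 0 if the PEM file contains a private key block (RSA, EC or PKCS#8), 1 otherwise.
pem_has_key()  { grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; }

# Check every TLS path in the config. Prints one line per problem and returns
# the number of problems found (0 means everything chan_sip will open is usable).
check_tls_files() {
    conf="$1"
    problems=0
    has_private_key=0
    certfile=""
    while IFS='=' read -r key path; do
        if [ -z "$key" ]; then continue; fi
        case "$key" in
            tlscapath)
                if [ ! -d "$path" ] || [ ! -r "$path" ]; then
                    echo "$key: directory '$path' is missing or not readable"
                    problems=$((problems + 1))
                fi
                ;;
            *)
                if [ ! -f "$path" ] || [ ! -r "$path" ]; then
                    echo "$key: file '$path' is missing or not readable"
                    problems=$((problems + 1))
                    continue
                fi
                if [ "$key" = "tlsprivatekey" ]; then has_private_key=1; fi
                if [ "$key" = "tlscertfile" ]; then certfile="$path"; fi
                ;;
        esac
    done <<EOF
$(tls_file_options "$conf")
EOF
    # Without tlsprivatekey, chan_sip loads the private key from tlscertfile,
    # so that one file must carry both the certificate and the key.
    if [ -n "$certfile" ] && [ "$has_private_key" -eq 0 ]; then
        if ! pem_has_cert "$certfile"; then
            echo "tlscertfile: '$certfile' contains no certificate block"
            problems=$((problems + 1))
        fi
        if ! pem_has_key "$certfile"; then
            echo "tlscertfile: '$certfile' contains no private key block and no tlsprivatekey is set"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Stand-alone use: report on the config given as the first argument.
if [ -n "$1" ]; then
    if check_tls_files "$1"; then
        echo "all TLS files in $1 are readable and complete"
    fi
fi
```

If the script reports a certificate-only tlscertfile, concatenating the key and the certificate into one PEM (which is what a combined asterisk.pem is) or pointing tlsprivatekey at the key file resolves it; once both files open, `openssl verify -CAfile ca.crt asterisk.pem` confirms the server certificate actually chains to the CA the phones trust.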