Currently trying to enable secure SIP signalling and SRTP with self-signed certificates, but coming across an error:
tcptls.c: FILE * open failed!
SIP loading the self-signed certificates for TLS works fine:
Reloading SIP
  == Parsing '/etc/asterisk/sip.conf': Found
  == Parsing '/etc/asterisk/users.conf': Found
  == Using SIP CoS mark 4
  == TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled
  == TLS/SSL certificate ok
  == Parsing '/etc/asterisk/sip_notify.conf': Found
Also, the certificate has been added to the server with:
cp /etc/asterisk/keys/ca.crt /usr/local/share/ca-certificates/asterisk/ca.crt
The sip file looks like this:
[general]
register => xxxxxxxxx
canreinvite=no
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscafile=/etc/asterisk/keys/ca.crt
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscipher=ALL
tlsclientmethod=ALL

[extension_name]
username=xx
type=friend
context=context
allow=ulaw,alaw
secret=secret
host=dynamic
transport=tls
encryption=yes
I made sure the certificates are owned by the right group on the server. Tried to generate the self-signed certificates with the ast_tls_cert script and with openssl. Both give the same result.
These were the openssl commands I used to generate them:
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl genrsa -out key.pem 1024
openssl req -new -key key.pem -out asterisk.csr
openssl x509 -req -days 365 -in asterisk.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out asterisk.crt
I also checked whether I can connect with openssl from the command line, and the status was connected:
openssl s_client -connect x.x.x.x:5061 -CAfile ca.crt -cert asterisk.pem -msg
On my softphone I am using the ca.crt and asterisk.pem files, and TLS is enabled.
Unfortunately it is still the same result when I try to connect. Is there a way to make the TLS error logging more verbose, so I can see which file cannot be opened, or whether it is actually a file that can't be opened?
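A pre-flight script, added here as an example and not part of the original post or of Asterisk itself, that answers the question the post ends on from the other direction: instead of waiting for tcptls.c to report "FILE * open failed", it reads the tls* file settings out of a sip.conf, reports which configured file is missing or unreadable by the user running it, and, when openssl is installed, checks that the private key and certificate inside tlscertfile belong together and that the certificate chains to tlscafile. The config path, the service user name and the script file name are hypothetical; run it as the Asterisk service user so that the readability test reflects the daemon's permissions rather than root's.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the files named by tls*
# keys in an Asterisk sip.conf the way a daemon would see them.
# Hypothetical usage (paths and user name are placeholders):
#   sudo -u asterisk sh check_sip_tls.sh /etc/asterisk/sip.conf

# conf_value KEY CONF: print the first value set for KEY, with any trailing
# ';' comment removed. Prints nothing if the key is not set.
conf_value() {
    key="$1"; conf="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$conf" \
        | sed 's/[[:space:]]*;.*$//' | head -n 1
}

# check_tls_files CONF: one status line per tls*file key that is set.
# Returns 1 if any configured file is absent or not readable by the
# current user, which is exactly what a failed fopen() in tcptls.c means.
check_tls_files() {
    conf="$1"; rc=0
    for key in tlscafile tlscertfile tlsprivatekey; do
        path=$(conf_value "$key" "$conf")
        [ -z "$path" ] && continue
        if [ ! -e "$path" ]; then
            echo "$key: $path does not exist"; rc=1
        elif [ ! -r "$path" ]; then
            echo "$key: $path exists but is not readable by $(id -un)"; rc=1
        else
            echo "$key: $path ok"
        fi
    done
    return $rc
}

# check_key_matches_cert PEM: compare the public key derived from the
# private key with the public key inside the certificate, both taken from
# the same PEM file (the layout ast_tls_cert produces for asterisk.pem).
# Comparing SubjectPublicKeyInfo blocks works for RSA and EC keys alike.
# Returns 0 on match, 1 on mismatch, 2 if openssl is missing, 3 if the
# private key cannot be read (absent, or passphrase-protected, which a
# daemon cannot unlock non-interactively).
check_key_matches_cert() {
    pem="$1"
    command -v openssl >/dev/null 2>&1 || return 2
    key_pub=$(openssl pkey -in "$pem" -pubout -passin pass: 2>/dev/null) || return 3
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# check_chain CA PEM: does the certificate in PEM verify against CA?
check_chain() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone entry point; skipped when the file is sourced without arguments.
if [ $# -ge 1 ]; then
    check_tls_files "$1"; rc=$?
    ca=$(conf_value tlscafile "$1")
    cert=$(conf_value tlscertfile "$1")
    if [ -n "$cert" ] && [ -r "$cert" ]; then
        check_key_matches_cert "$cert"
        case $? in
            0) echo "tlscertfile: private key and certificate match" ;;
            1) echo "tlscertfile: private key and certificate do NOT match"; rc=1 ;;
            2) echo "openssl not found; skipping key/certificate checks" ;;
            3) echo "tlscertfile: private key unreadable or passphrase-protected"; rc=1 ;;
        esac
        if [ -n "$ca" ] && [ -r "$ca" ]; then
            if check_chain "$ca" "$cert"; then
                echo "tlscertfile: certificate verifies against tlscafile"
            elif [ $? -eq 1 ]; then
                echo "tlscertfile: certificate does NOT verify against tlscafile"; rc=1
            fi
        fi
    fi
    exit $rc
fi
```

The script deliberately checks readability with the plain `-r` test for whoever runs it, rather than inspecting owner and mode bits, because that is the same decision the kernel makes for the daemon; running it under the service account turns "owned by the right group" into something you have actually observed. The key/certificate comparison is the quickest way to catch a tlscertfile that was assembled from a key and a certificate that do not belong together, such as a freshly regenerated key combined with an older certificate.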