TLS doesn't work with one phone and one server only

I’m having an issue connecting an OBi302 to only one of my Asterisk 20.5.0 servers.

The output of the following is identical on each server, except for bind IPs in the transport and default_realm in settings:
pjsip show transport transport-tls
pjsip show aor obi302
pjsip show auth obi302
pjsip show endpoint obi302
pjsip show settings

The OBi will connect to one server but not the other. Other non-OBi devices will connect to both servers via the same transport. When the OBi tries to connect to the problem server, this appears on the CLI:

[2023-11-23 21:19:24] WARNING[128080]: pjproject: <?>: 	                   SSL SSL_ERROR_SSL (Read): Level: 0 err: <50331800> <error:03000098:digital envelope routines::invalid digest> len: 65535 peer: my.ho.me.ip:5604
[2023-11-23 21:19:24] WARNING[128080]: pjproject: <?>: 	                   SSL SSL_ERROR_SSL (Read): Level: 1 err: <109576198> <error:06880006:asn1 encoding routines::EVP lib> len: 65535 peer: my.ho.me.ip:5604

When testing, I change the OBi’s ProxyServer and nothing else.

In case it’s relevant: I’m using self-signed certificates and I have installed the CA on the OBi. I’ve verified it’s the same CA for both servers and no certificates are expired. I’m using a non-standard SIP port.

Any suggestions would be appreciated. I’ll be delighted to provide any other information necessary that I didn’t think to include here. Thanks in advance.

Not sure if any of this is relevant.

On the working server: OpenSSL 1.1.1k FIPS 25 Mar 2021
On the server that doesn’t work: OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)

On the OBi’s syslog immediately following its REGISTER attempt:

KERN.DEBUG: TCP:Broken Connection(spreg) 39 -1\n\000

Newer OpenSSL versions, and distribution versions, will change what is considered secure. Asterisk is just a user of OpenSSL, so it is beholden to what it permits. In this case since the output mentions digest, the older RSA-1 digest signature may be in use which OpenSSL may have disabled. You would need to switch to a different digest for the certificate, but also ensure it is supported by the other devices involved. There may also be options in the OpenSSL configuration itself to allow the older, but I’m not familiar with them.


I got it to work thanks to a tip from jcolp. Will post the full solution shortly in case anyone else runs into the same.

There may also be options in the OpenSSL configuration itself to allow the older, but I’m not familiar with them.

jcolp is correct and with some more Googling I found the following:

update-crypto-policies --set LEGACY

According to redhat.com, this is what I did:

SHA-1 is allowed to be used as TLS hash, signature, and algorithm. CBC-mode ciphers are allowed to be used with SSH. Applications using GnuTLS allow certificates signed with SHA-1. It allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. The RSA keys and Diffie-Hellman parameters are accepted if they are at least 2048 bits long.

This, followed by a reboot, allows the OBi to register. Of course, the best solution would be upgrading the OBi so that it uses the latest policies, but it’s already using the latest firmware and its end of engineering support date is less than a month away.

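A way to check the digest that jcolp's reply suspects, as an added example that is not part of the original thread: it lists the signature algorithm of every certificate in a PEM file and flags MD5 and SHA-1 signatures, so the certificate can be reissued with a stronger digest instead of relaxing the system-wide policy. The function names are hypothetical, and the thread does not establish which certificate in the handshake carried the rejected digest, so run it against each one you can export.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.
# Lists the signature digest of each certificate in a PEM file and flags MD5/SHA-1.

# Map a signature algorithm name (as printed by `openssl x509 -text`) to a verdict.
classify_sigalg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *md5*|*sha1*) echo WEAK ;;     # e.g. sha1WithRSAEncryption, ecdsa-with-SHA1
        *sha224*|*sha256*|*sha384*|*sha512*|ed25519|ed448) echo OK ;;
        *) echo UNKNOWN ;;             # e.g. rsassaPss: inspect the parameters by hand
    esac
}

# Read `openssl x509 -noout -text` output on stdin; print the first signature algorithm.
sigalg_from_text() {
    awk -F': *' '/Signature Algorithm:/ { print $2; exit }'
}

# Audit every certificate in a PEM bundle; return 1 if any uses a weak digest.
audit_pem() {
    local pem=$1 tmp f alg verdict rc=0
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                       n { print > (dir "/cert" n ".pem") }' "$pem"
    for f in "$tmp"/cert*.pem; do
        [ -e "$f" ] || continue        # no certificate found in the file
        alg=$(openssl x509 -in "$f" -noout -text | sigalg_from_text)
        verdict=$(classify_sigalg "$alg")
        printf '%-7s %-28s %s\n' "$verdict" "$alg" "$(openssl x509 -in "$f" -noout -subject)"
        if [ "$verdict" = WEAK ]; then rc=1; fi
    done
    rm -rf "$tmp"
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    # On hosts that have it, show the system-wide policy that the thread changes.
    command -v update-crypto-policies >/dev/null && update-crypto-policies --show
    audit_pem "$1"
else
    echo "usage: $0 cert-or-chain.pem" >&2
fi
```

A `WEAK` line identifies a certificate to reissue with a SHA-2 digest, provided the device on the other end supports it.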
