TLS error EE certificate key too weak

I am trying to connect two systems, Asterisk 13 and Asterisk 16, via chan_sip.so.
But without success. The error on 16 was:
tcptls.c:173 handle_tcptls_connection: Certificate did not verify: EE certificate key too weak
The error on 13 is:
tcptls.c:912 ast_tcptls_client_start: Unable to connect SIP socket to X.X.X.X:5061: Connection refused
I am using the self-signed certificate procedure:
https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial
Is there something new in Asterisk 16 regarding TLS secure connections that has an issue with the Asterisk 13 version?

This is not an Asterisk thing, but an operating system/OpenSSL configuration thing. You need to specify the “-b” option as shown on the page to increase the strength so it meets new requirements.
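
The check behind this error, as an added example that is not part of the original thread: OpenSSL reports "EE certificate key too weak" when the end-entity certificate's key is smaller than the configured security level allows. The function names, the sample text and the default required level of 2 are assumptions of this example; the RSA thresholds are those documented for OpenSSL security levels.

```shell
#!/bin/sh
# Added example: compare an RSA certificate key size with OpenSSL security levels.

# Minimum RSA key size in bits for security levels 1-5 (OpenSSL documentation).
min_rsa_bits() {
    case "$1" in
        1) echo 1024 ;;  2) echo 2048 ;;  3) echo 3072 ;;
        4) echo 7680 ;;  5) echo 15360 ;;
        *) return 1 ;;
    esac
}

# Read `openssl x509 -noout -text` output on stdin and print the RSA key size.
# Prints nothing for non-RSA keys (EC keys are judged by different thresholds).
key_bits_from_text() {
    sed -n '/Public Key Algorithm: rsaEncryption/,$ s/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the highest security level (0-5) that a given RSA key size satisfies.
max_level_for_bits() {
    bits=$1; level=0
    for l in 1 2 3 4 5; do
        if [ "$bits" -ge "$(min_rsa_bits "$l")" ]; then level=$l; fi
    done
    echo "$level"
}

# Check a PEM certificate file against a required level (assumed default: 2).
check_cert() {
    cert=$1; want=${2:-2}
    bits=$(openssl x509 -in "$cert" -noout -text | key_bits_from_text)
    [ -n "$bits" ] || { echo "$cert: no RSA key size found" >&2; return 2; }
    if [ "$(max_level_for_bits "$bits")" -ge "$want" ]; then
        echo "$cert: $bits-bit key is acceptable at security level $want"
    else
        echo "$cert: $bits-bit key too weak for level $want (needs $(min_rsa_bits "$want") bits)"
        return 1
    fi
}

# Constructed excerpt of `openssl x509 -noout -text` output (not from a real certificate).
SAMPLE_TEXT='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'
sample_bits=$(printf '%s\n' "$SAMPLE_TEXT" | key_bits_from_text)
echo "sample: $sample_bits-bit RSA key satisfies at most level $(max_level_for_bits "$sample_bits")"
```

To test a real certificate, source the script and call `check_cert` with the path of the PEM file the server presents.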

Since Ubuntu 20.04, support for TLS1 is stopped by default, which is essential for older versions of Asterisk crypto voice. This message “EE certificate key too weak” was received from Ubuntu OpenSSL. Allowing TLS1 in the OpenSSL config file /etc/ssl/openssl.cnf is the fix.

Depending on your legal and/or technical requirements, enabling TLS 1.0 may not meet your encryption requirements.

Depending on what distribution the Asterisk 13 box is on and the OpenSSL version, you should be able to enable TLS 1.2, as TLS 1.2 was released before 2009 and Asterisk 13 was released in late 2014, so unless the installed distro is seriously behind… in that instance it’s time to replace the distro; even CentOS 6.8 and higher supported TLS 1.2.

See tlsclientmethod in the GitHub config for chan_sip from Asterisk 13.

chan_sip is effectively obsolete now.

TLS 1.0 is still required for a lot of older hardware that does not and will never support TLS 1.2. One of the many frustrations of working with IP equipment. They always seem to lag 10 years behind TLS standards.

Fortunately, PJSIP lets you set up multiple transports. Setting up a TLS 1.0 and a TLS 1.2 transport on different ports is the way to go for maximum security and compatibility.