I am facing issues with TLS configuration between my Asterisk server and Linphone client. The TLS handshake fails with the error SSL_ERROR_SSL (tlsv1 alert protocol version) on the Asterisk side, and the Linphone client is unable to register. Below are the details of my configuration and the corresponding logs:
“tlsv1 alert” always means the other end encountered an issue, in this case “protocol version”, which makes sense given what Linphone reported.
It’s been a very long time since I installed Linphone but yes…
Since you’re using a self-signed certificate, you need to tell Linphone to trust the CA that signed it. Edit ~/.config/linphone/linphonerc and in the [sip] section, set verify_server_certs=0 and verify_server_cn=0.
If you want to have other accounts whose certificates you do want to verify, you can add…
to the top of the file and set verify_server_certs=1 but you still need to set verify_server_cn=0 because the CN in the cert probably won’t match the hostname in the server URI.
There are probably ways to do this on a connection-by-connection basis but I haven’t looked.
If you still get the protocol version error, make sure you’re using the latest version of Asterisk. What version of OpenSSL is installed on the server? Are you using pjproject-bundled?
Oh, one thing I forgot to mention… Your endpoint config uses the tls transport so SIP signalling is encrypted but you don’t have media encryption enabled.
In linphonerc, you need to add the following to the [sip] section…
I don’t think it’s a good idea to set a setting that will make it trust every self-signed cert that it receives.
Better to create your own CA cert, have it trust that, and sign your certs with that. I did a search, and found this GitHub item that mentions the [sip]root_ca= property, which sounds like what you want.
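Putting the two suggestions in this thread side by side, the permissive settings from the earlier reply and the root_ca approach from this one, here is an added linphonerc fragment (not from the thread or from the Linphone project; the CA file path is a placeholder, and the two [sip] blocks are alternatives, not meant to coexist in one file):

```ini
# Option A (weak): disables chain and hostname verification, so any
# certificate, including one from an interposed host, is accepted.
# Only useful while diagnosing the handshake, not for day-to-day use.
[sip]
verify_server_certs=0
verify_server_cn=0

# Option B (corrected): trust only the private CA that signed the
# Asterisk certificate and keep chain verification on. Leave
# verify_server_cn at 0 only if the certificate CN cannot be made to
# match the host in the server URI; set it to 1 once it does.
[sip]
# placeholder path to the CA certificate in PEM format
root_ca=/etc/linphone/asterisk-ca.pem
verify_server_certs=1
verify_server_cn=0
```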
Whilst I don’t think the use of a corporate CA (which is what the Asterisk scripts effect), or even an actual self-signed working certificate, is the real problem here, I think it more likely that OpenSSL is refusing to implement V1, because it is considered compromised. There may be OpenSSL settings to force it to work with obsolete versions.
However, a corporate CA is likely to be more secure than a LetsEncrypt one, in the typical situation, where the common name, for the phone, is not being checked, as it means that only phones with certificates provided by the organisation will work.
Well, whatever CA you choose, I can say the latest Linphone (both Linux desktop and Android) is requesting TLS 1.2 in the client hello and it’s working fine with Asterisk 22 and OpenSSL 3.2.2 with LetsEncrypt certs.