TLS Handshake Failure with Linphone and Asterisk: SSL_ERROR_SSL (tlsv1 alert protocol version)

Hello Community,

I am facing issues with TLS configuration between my Asterisk server and Linphone client. The TLS handshake fails with the error SSL_ERROR_SSL (tlsv1 alert protocol version) on the Asterisk side, and the Linphone client is unable to register. Below are the details of my configuration and the corresponding logs:


Asterisk Configuration

pjsip.conf:

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/newkey/asterisk.crt
priv_key_file=/etc/asterisk/newkey/asterisk.key
ca_list_file=/etc/asterisk/newkey/ca.crt
method=tlsv1_2

[100]
type=aor
max_contacts=20
qualify_frequency=60

[100]
type=auth
auth_type=userpass
username=100
password=100

[100]
type=endpoint
aors=100
auth=100
context=genea
disallow=all
allow=opus,g722,ulaw,vp8,vp9,h264
transport=transport-tls
max_audio_streams=2
max_video_streams=2
direct_media=no
rtp_timeout=90
rtp_symmetric=yes
rewrite_contact=yes
force_rport=yes

Asterisk Logs

On the Asterisk server, I see the following warnings repeatedly during connection attempts from Linphone:

[Nov 17 21:03:36] WARNING[576]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <167773230> <error:0A00042E:SSL routines::tlsv1 alert protocol version> len: 0 peer: 172.19.192.1:64639
[Nov 17 21:04:36] WARNING[576]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <167773230> <error:0A00042E:SSL routines::tlsv1 alert protocol version> len: 0 peer: 172.19.192.1:64661

Linphone Logs

On the Linphone client, the following error appears during the registration attempt:


ERROR Channel [000001B532339A30]: SSL handshake failed : SSL - Handshake protocol not within min/max boundaries
ERROR Cannot connect to [TLS://172.19.202.105:5061]

What I Have Tried

  1. Verified that the certificates (asterisk.crt, asterisk.key, and ca.crt) are valid and correctly placed.
  2. Ensured that method=tlsv1_2 is configured in the transport section of pjsip.conf.
  3. Checked that port 5061 is open and accessible.
  4. Tested the connection using openssl:


openssl s_client -connect 172.19.202.105:5061 -tls1_2

This command succeeds, and the server presents the expected certificate.


Environment Details

  • Asterisk Version: 18.x
  • Linphone Version: 5.3.41
  • TLS Certificates: Self-signed, properly generated using OpenSSL.

Questions

  1. What could be causing the tlsv1 alert protocol version error during the handshake between Linphone and Asterisk?
  2. Is there a specific TLS setting in Linphone that needs to be adjusted to match the Asterisk configuration?
  3. Are there any known compatibility issues between Linphone and Asterisk’s TLS implementation that I should be aware of?

Any help in resolving this issue would be greatly appreciated. Thank you in advance!

“tlsv1 alert” always means the other end encountered an issue, in this case, “protocol version” which makes sense given what Linphone reported.

It’s been a very long time since I installed Linphone but yes…
Since you’re using a self-signed certificate, you need to tell Linphone to trust the CA that signed it. Edit ~/.config/linphone/linphonerc and in the [sip] section, set verify_server_certs=0 and verify_server_cn=0

If you want to have other accounts whose certificates you do want to verify, you can add…

[global]
tls-certificates-ca-file = /etc/asterisk/newkey/ca.crt

to the top of the file and set verify_server_certs=1 but you still need to set verify_server_cn=0 because the CN in the cert probably won’t match the hostname in the server URI.

There are probably ways to do this on a connection-by-connection basis but I haven’t looked.

If you still get the protocol version error, make sure you’re using the latest version of Asterisk. What version of OpenSSL is installed on the server? Are you using pjproject-bundled?


Oh, one thing I forgot to mention… Your endpoint config uses the tls transport so SIP signalling is encrypted but you don’t have media encryption enabled.

In linphonerc, you need to add the following to the [sip] section…

media_encryption=srtp
supported_encryptions=sdes
srtp_crypto_suites=AES_CM_128_HMAC_SHA1_32

and set media_encryption=sdes on your Asterisk endpoint.

1 Like
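The reply above makes the key diagnostic point: an OpenSSL error that reads “tlsv1 alert …” is an alert the *peer* sent, so the side that logged it is not the side that found the problem. As an added example that is not part of the original thread and is not Asterisk’s, pjproject’s or Linphone’s code, the Python script below decodes the two log lines quoted in the question. The error-code layout (library id in bits 23–30, reason in the low 23 bits, received alerts reported as 1000 + alert number) is OpenSSL 3’s; the alert names are from RFC 5246/8446. The two log lines are embedded as constructed sample input copied from the post; the interpretation of the Linphone line as an mbedTLS version-range error is my reading of its wording, not something the thread states.

```python
"""Decode the OpenSSL / pjproject and Linphone handshake errors from the thread
and say which end of the connection actually rejected the TLS version."""
import re

# OpenSSL 3 error-code packing (crypto/err/err.h): library in bits 23..30,
# reason in bits 0..22. ERR_LIB_SSL is 20.
ERR_LIB_OFFSET = 23
ERR_LIB_MASK = 0xFF
ERR_REASON_MASK = 0x7FFFFF
ERR_LIB_SSL = 20

# A TLS alert received from the peer is reported by libssl as reason
# SSL_AD_REASON_OFFSET (1000) + the alert's description number.
SSL_AD_REASON_OFFSET = 1000
TLS_ALERTS = {  # subset of RFC 5246 / RFC 8446 section 6 alert descriptions
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 86: "inappropriate_fallback",
    109: "missing_extension", 110: "unsupported_extension", 112: "unrecognized_name",
    116: "certificate_required", 120: "no_application_protocol",
}

# Constructed sample input: the two lines quoted in the question.
ASTERISK_LINE = (
    "[Nov 17 21:03:36] WARNING[576]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): "
    "Level: 0 err: <167773230> <error:0A00042E:SSL routines::tlsv1 alert protocol version> "
    "len: 0 peer: 172.19.192.1:64639"
)
LINPHONE_LINE = (
    "ERROR Channel [000001B532339A30]: SSL handshake failed : "
    "SSL - Handshake protocol not within min/max boundaries"
)


def decode_openssl_error(code: int) -> dict:
    """Split a packed OpenSSL 3 error code into library, reason and (if any) alert."""
    lib = (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK
    reason = code & ERR_REASON_MASK
    info = {"library": lib, "reason": reason, "alert": None, "origin": "local"}
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        # libssl is relaying an alert the *remote* end sent; the peer found the fault.
        alert_num = reason - SSL_AD_REASON_OFFSET
        info["alert"] = TLS_ALERTS.get(alert_num, f"alert_{alert_num}")
        info["origin"] = "peer"
    return info


def classify_asterisk_line(line: str) -> dict:
    """Pull the error code (logged twice: decimal and hex) and peer out of a pjproject SSL warning."""
    m = re.search(r"err: <(\d+)> <error:([0-9A-Fa-f]{8}):", line)
    if not m:
        raise ValueError("not a pjproject SSL handshake error line")
    dec_code, hex_code = int(m.group(1)), int(m.group(2), 16)
    peer = re.search(r"peer: (\S+)$", line)
    info = decode_openssl_error(hex_code)
    info["codes_agree"] = dec_code == hex_code  # sanity check on the log format
    info["peer"] = peer.group(1) if peer else None
    return info


def classify_linphone_line(line: str) -> dict:
    """Map the client-side message to what it means for version negotiation.

    'Handshake protocol not within min/max boundaries' is the wording mbedTLS
    (Linphone's TLS stack) uses when the version the server picked falls outside
    the client's configured min/max range; the client then sends protocol_version.
    """
    if "not within min/max boundaries" in line:
        return {"reason": "version_out_of_range", "origin": "local", "sends_alert": "protocol_version"}
    return {"reason": "other", "origin": "unknown", "sends_alert": None}


def correlate(asterisk_line: str, linphone_line: str) -> str:
    """Explain the pair of errors as one event, naming which side rejected what."""
    srv = classify_asterisk_line(asterisk_line)
    cli = classify_linphone_line(linphone_line)
    if srv["alert"] == "protocol_version" and cli["reason"] == "version_out_of_range":
        return (f"Client {srv['peer']} rejected the TLS version the server selected "
                "(client range and server 'method=' do not overlap); the server only relayed "
                "the client's protocol_version alert.")
    return f"server: {srv}; client: {cli}"


if __name__ == "__main__":
    print(correlate(ASTERISK_LINE, LINPHONE_LINE))
```

Run it as-is and it reports that the alert originated on the Linphone side; the practical consequence is that the next thing to check is the client's TLS version range rather than the server certificate, which is consistent with the `openssl s_client -tls1_2` test in the question having succeeded.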

I don’t think it’s a good idea to set a setting that will make it trust every self-signed cert that it receives.

Better to create your own CA cert, have it trust that, and sign your certs with that. I did a search, and found this GitHub item that mentions the [sip]root_ca= property, which sounds like what you want.

You can even use Let's Encrypt for free for Asterisk

1 Like

Whilst I don’t think the use of a corporate CA (which is what the Asterisk scripts effect), or even an actual self-signed working certificate, is the real problem here, I think it more likely that OpenSSL is refusing to implement V1, because it is considered compromised. There may be OpenSSL settings to force it to work with obsolete versions.

However, a corporate CA is likely to be more secure than a LetsEncrypt one, in the typical situation, where the common name, for the phone, is not being checked, as it means that only phones with certificates provided by the organisation will work.

1 Like

Well whatever CA you choose, I can say the latest Linphone (both linux desktop and android) is requesting TLS 1.2 in the client hello and it’s working fine with Asterisk 22 and OpenSSL 3.2.2 with LetsEncrypt certs.

1 Like