TLS & SRTP for Telekom DeutschlandLAN sip trunk

Hi,

I’ve got trouble setting up the Telekom sip trunk using TLS and SRTP. Without encryption the setup is ok.

Here are my config details:
[general]
context=sip-trunk.telekom.de ; Default context for incoming calls
bindport=5060 ; UDP Port to bind to (SIP standard port is 5060)
bindaddr=0.0.0.0 ; IP address to bind to (0.0.0.0 binds to all)
srvlookup=yes ; Enable DNS SRV lookups on outbound calls
tcpenable=yes
language=de
callevents=yes
limitonpeers=yes
videosupport = yes
defaultexpiry=3600
register => tcp://+49CALLERID@sip-trunk.telekom.de:PASSWORD:LOGIN@reg.sip-trunk.telekom.de:5060
;register => tls://+49CALLERID@sip-trunk.telekom.de:PASSWORD:LOGIN@reg.sip-trunk.telekom.de:5061
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscapath=/etc/asterisk/keys/trustedcas
tlscipher=ALL
tlsclientmethod=ALL
;tlscipher=RSA:+HIGH
;tlsclientmethod=TLSv1_2
encryption=yes

[sip-trunk.telekom.de]
type=peer
insecure=invite
srvlookup=yes
transport=tcp
;transport=tls
username=LOGIN
fromdomain=sip-trunk.telekom.de
secret=PASSWORD
host=reg.sip-trunk.telekom.de
qualify=yes
canreinvite=no
registertimeout=600
dtmfmode=rfc2833
session-timers=refuse
context = pstn
disallow = all
allow = gsm
allow = alaw
allow = ulaw

When I change to TLS mode, I just get these messages:
Reloading SIP
== Using SIP CoS mark 4
== TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled
== TLS/SSL certificate ok
== TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled
== TLS/SSL certificate ok
[Nov 13 08:55:55] ERROR[1054]: iostream.c:620 ast_iostream_start_tls: Problem setting up ssl connection: error:00000005:lib(0):func(0):DH lib, Underlying BIO error: Connection reset by peer
[Nov 13 08:55:55] ERROR[1054]: iostream.c:525 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Nov 13 08:55:59] NOTICE[4096]: chan_sip.c:30235 sip_poke_noanswer: Peer 'sip-trunk.telekom.de' is now UNREACHABLE! Last qualify: 9
== TLS/SSL ECDH initialized (automatic), faster PFS ciphers enabled
== TLS/SSL certificate ok

I used self-signed certs for Asterisk, but these look to load ok, don’t they?

I added the certificates of Telekom to the tlscapath folder and renamed the files to match the hashes.

I used this documentation from Telekom:
https://www.telekom.de/hilfe/downloads/1tr118_v10_.pdf
https://geschaeftskunden.telekom.de/blobCache/umn/uti/454420_1540380035000/blobBinary/SIP-Trunk-Technische-Unterlage.ps

How can I debug the SSL negotiation or find the cause of the Internal SSL error?

Thanks in advance!
Christoph

Could you please provide netstat -lanp | grep 506[01] ?

Hello nodogrom,

here’s the output as requested:
tcp 0 0 0.0.0.0:5060 0.0.0.0:* LISTEN 1201/asterisk
tcp 0 0 0.0.0.0:5061 0.0.0.0:* LISTEN 1201/asterisk
tcp 0 0 192.168.133.5:44576 217.0.15.67:5060 CONNECTED 1201/asterisk
udp 0 0 0.0.0.0:5060 0.0.0.0:* 1201/asterisk

Thanks
Christoph

It looks like they chose not to talk to you. How did you provide your certificates to them?

Hi david551,
Ok, good question, I didn’t. So I will contact Telekom support to check if they accept officially signed certificates automatically or if I need to send them my self-signed cert.
So the error message is just telling me that the certificate exchange failed? Is there a debug command I can use to see the failed handshake or something more meaningful than this Internal SSL error?

Thanks.

The internal error is that they dropped the connection without warning.

I see that you use tlsenable=yes through transport=tcp
Try to use transport=tls with tlsbindaddr=0.0.0.0:5061 (tlsbindaddr=your_external_interface_ip:5061)

You can try to disable the TLS validation. If you turn it off and it works, then you would at least know it’s your cert or their cert.
I believe it’s tlsdontverifyserver=yes and tlsdontverifyclient=yes

Thanks to all for your suggestions.
I finally managed to get Asterisk working with the Telekom SIP-Trunk.

I upgraded to Asterisk 16.0.1, I was using 15.6.1 before, but I think that didn’t cause any problems.
Here are the sip.conf settings that worked for me:

[general]
context=sip-trunk.telekom.de ; Default context for incoming calls
bindport=5060 ; UDP Port to bind to (SIP standard port is 5060)
bindaddr=0.0.0.0 ; IP address to bind to (0.0.0.0 binds to all)
srvlookup=yes ; Enable DNS SRV lookups on outbound calls
tcpenable=yes
language=de
callevents=yes
limitonpeers=yes
videosupport = yes
defaultexpiry=3600
register => tls://+49CALLERID@sip-trunk.telekom.de:PASSWORD:LOGIN@reg.sip-trunk.telekom.de:5061
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscapath=/etc/asterisk/keys/trustedcas
tlscipher=ALL
tlsclientmethod=ALL
tlsdontverifyserver=yes
encryption=yes

[sip-trunk.telekom.de]
type=peer
insecure=port,invite
srvlookup=yes
media_encryption=sdes
encryption=yes
transport=tls
username=LOGIN
fromdomain=sip-trunk.telekom.de
secret=PASSWORD
host=reg.sip-trunk.telekom.de
canreinvite=no
registertimeout=600
dtmfmode=rfc2833
session-timers=refuse
context = pstn
disallow = all
allow = gsm
allow = alaw
allow = ulaw

In rtp.conf I used ports 15000:30000, but it looks like Telekom and Asterisk aren’t using only these ports, so I needed to change the outgoing firewall rules to allow these ports:
tcp 5061
udp 10000:30000

I also used these Telekom certs:
mkdir /etc/asterisk/keys/trustedcas/
cd /etc/asterisk/keys/trustedcas/
# Download the two Telekom CA certificates (DER encoded)
wget https://www.telesec.de/de/sbca/support/ca-zertifikate/category/96-shared-business-ca-4?download=323:shared-business-ca-4 -O Shared_Business_CA4.der
wget https://www.telesec.de/de/public-key-infrastruktur/support/root-zertifikate/category/58-deutsche-telekom-root-ca-2?download=363:download-deutsche-telekom-root-ca-2-zertifikat-der-codiert -O dt-root-ca-2.der
# Convert DER to PEM, print the OpenSSL subject hash, and store the file under
# <hash>.0 (OpenSSL's by-directory lookup, which tlscapath uses, only opens
# files named <hash>.<n>; this is what c_rehash would create)
openssl x509 -inform der -in dt-root-ca-2.der -out dt-root-ca-2.pem
openssl x509 -in dt-root-ca-2.pem -noout -hash
mv dt-root-ca-2.pem 812e17de.0
openssl x509 -inform der -in Shared_Business_CA4.der -out Shared_Business_CA4.pem
openssl x509 -in Shared_Business_CA4.pem -noout -hash
mv Shared_Business_CA4.pem 3bfa626d.0
rm -f *.der

Regards
Christoph
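As an added example that is not part of this thread (and not Asterisk's or Telekom's code), the script below ties together two points raised above: Christoph's question of how to look at the TLS handshake outside Asterisk instead of relying on the "Internal SSL error", and the certificate-directory step in the final post, where the PEM files were stored under a bare hash name although OpenSSL's by-directory lookup (the mechanism behind tlscapath) only reads files named <hash>.0. It assumes only the openssl command-line tool; the throw-away CA, the server on 127.0.0.1, the file names and the port are all constructed for the demo. The same tls_probe function can be pointed at the trunk from the thread, e.g. tls_probe reg.sip-trunk.telekom.de:5061 /etc/asterisk/keys/trustedcas, to see the peer certificate, the chain offered and the verify result, or whether the connection is reset before the handshake completes, as the log above suggests.

```shell
#!/bin/sh
# Added example, not from the thread: build a hashed CA directory the way
# OpenSSL (and therefore Asterisk's tlscapath) expects it, then probe a TLS
# server with openssl s_client to see whether the peer certificate verifies.
# A throw-away CA and server run on localhost; every name and the port are
# constructed for the demo.

command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
PORT=$((20000 + $$ % 10000))   # constructed local port for the demo server

# Throw-away CA plus a server certificate signed by it (2048-bit RSA, 2 days).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 -out "$WORK/srv.pem" >/dev/null 2>&1
}

# Copy a PEM CA into a CApath directory as <subject-hash>.0. The by-directory
# lookup only opens files named <hash>.<n>; a file called just <hash> is never
# read. This is the step c_rehash / openssl rehash automate.
install_ca() {  # $1 = CA in PEM form, $2 = CApath directory; prints the new path
    mkdir -p "$2" || return 1
    h=$(openssl x509 -in "$1" -noout -hash) || return 1
    cp "$1" "$2/$h.0" && printf '%s\n' "$2/$h.0"
}

# Start openssl s_server on the demo port and wait until it accepts connections.
start_server() {
    openssl s_server -accept "127.0.0.1:$PORT" -cert "$WORK/srv.pem" \
        -key "$WORK/srv.key" -www >/dev/null 2>&1 &
    SPID=$!
    i=0
    while [ "$i" -lt 15 ]; do
        printf '' | openssl s_client -connect "127.0.0.1:$PORT" >/dev/null 2>&1 && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

stop_server() { kill "$SPID" 2>/dev/null; wait "$SPID" 2>/dev/null; return 0; }

# Handshake with $1 (host:port) trusting only the CAs found in $2 (CApath).
# Prints s_client's "Verify return code" line; succeeds only when it is 0 (ok).
tls_probe() {
    line=$(printf '' | openssl s_client -connect "$1" -CApath "$2" 2>/dev/null \
           | grep 'Verify return code')
    printf '%s\n' "$line"
    case "$line" in *"code: 0 ("*) return 0 ;; *) return 1 ;; esac
}

make_test_pki || exit 1
CA_FILE=$(install_ca "$WORK/ca.pem" "$WORK/trustedcas")
mkdir -p "$WORK/empty"          # a CApath with no CAs at all
start_server || { stop_server; exit 1; }

echo "trusting $WORK/trustedcas:"
if tls_probe "127.0.0.1:$PORT" "$WORK/trustedcas"; then TRUSTED_RC=0; else TRUSTED_RC=1; fi
echo "trusting nothing:"
if tls_probe "127.0.0.1:$PORT" "$WORK/empty"; then UNTRUSTED_RC=0; else UNTRUSTED_RC=1; fi

stop_server
rm -rf "$WORK"
```

The first probe reports "Verify return code: 0 (ok)" because the demo CA sits in the CApath under its hash name; the second reports a non-zero code (which code depends on the OpenSSL version) because nothing in the empty directory can issue the server certificate. A bare <hash> file in the trusted directory behaves exactly like the empty directory, which is why the verify step should be run with tlsdontverifyserver left at its default before trusting a hashed directory in production.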