I’ve got trouble setting up the Telekom SIP trunk using TLS and SRTP. Without encryption the setup is OK.
Here are my config details:
[general]
context=sip-trunk.telekom.de ; Default context for incoming calls
bindport=5060 ; UDP Port to bind to (SIP standard port is 5060)
bindaddr=0.0.0.0 ; IP address to bind to (0.0.0.0 binds to all)
srvlookup=yes ; Enable DNS SRV lookups on outbound calls
tcpenable=yes
language=de
callevents=yes
limitonpeers=yes
videosupport = yes
defaultexpiry=3600
register => tcp://+49CALLERID@sip-trunk.telekom.de:PASSWORD:LOGIN@reg.sip-trunk.telekom.de:5060
;register => tls://+49CALLERID@sip-trunk.telekom.de:PASSWORD:LOGIN@reg.sip-trunk.telekom.de:5061
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscapath=/etc/asterisk/keys/trustedcas
tlscipher=ALL
tlsclientmethod=ALL
;tlscipher=RSA:+HIGH
;tlsclientmethod=TLSv1_2
encryption=yes
Hi david551,
Ok, good question, I didn’t. So I will contact Telekom support to check if they accept officially signed certificates automatically or if I need to send them my self-signed cert.
So the error message is just telling me that the certificate exchange failed? Is there a debug command I can use to see the failed handshake or something more meaningful than this Internal SSL error?
I see that you use tlsenable=yes through transport=tcp
Try to use transport=tls with tlsbindaddr=0.0.0.0:5061 (tlsbindaddr=your_external_interface_ip:5061)
You can try to disable the TLS validation. If you turn it off and it works, then you would at least know it’s your cert or their cert.
I believe it’s tlsdontverifyserver=yes and tlsdontverifyclient=yes
Thanks to all for your suggestions.
I finally managed to get Asterisk working with the Telekom SIP-Trunk.
I upgraded to Asterisk 16.0.1, I was using 15.6.1 before, but I think that didn’t cause any problems.
Here are the sip.conf settings that worked for me:
[general]
context=sip-trunk.telekom.de ; Default context for incoming calls
bindport=5060 ; UDP Port to bind to (SIP standard port is 5060)
bindaddr=0.0.0.0 ; IP address to bind to (0.0.0.0 binds to all)
srvlookup=yes ; Enable DNS SRV lookups on outbound calls
tcpenable=yes
language=de
callevents=yes
limitonpeers=yes
videosupport = yes
defaultexpiry=3600
register => tls://+49CALLERID@sip-trunk.telekom.de:PASSWORD:LOGIN@reg.sip-trunk.telekom.de:5061
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscapath=/etc/asterisk/keys/trustedcas
tlscipher=ALL
tlsclientmethod=ALL
tlsdontverifyserver=yes
encryption=yes
In rtp.conf I used ports 15000:30000, but it looks like Telekom and Asterisk aren’t using only these ports, so I needed to change the outgoing firewall rules to allow these ports:
tcp 5061
udp 10000:30000
I also used these Telekom certs:
mkdir /etc/asterisk/keys/trustedcas/
cd /etc/asterisk/keys/trustedcas/
# Download the Telekom intermediate and root CA certificates (DER encoded)
wget https://www.telesec.de/de/sbca/support/ca-zertifikate/category/96-shared-business-ca-4?download=323:shared-business-ca-4 -O Shared_Business_CA4.der
wget https://www.telesec.de/de/public-key-infrastruktur/support/root-zertifikate/category/58-deutsche-telekom-root-ca-2?download=363:download-deutsche-telekom-root-ca-2-zertifikat-der-codiert -O dt-root-ca-2.der
# Convert DER to PEM and rename each file to its subject hash
# (note: OpenSSL's CApath lookup actually searches for <hash>.0, <hash>.1, ...)
openssl x509 -inform der -in dt-root-ca-2.der -out dt-root-ca-2.pem
openssl x509 -in dt-root-ca-2.pem -noout -hash
mv dt-root-ca-2.pem 812e17de
openssl x509 -inform der -in Shared_Business_CA4.der -out Shared_Business_CA4.pem
openssl x509 -in Shared_Business_CA4.pem -noout -hash
mv Shared_Business_CA4.pem 3bfa626d
rm -rf *.der