Tls sip clients cant register

dsiemens · October 18, 2018, 1:43pm

I am trying to setup TLS in a secure way. Asterisk is ver 15.6 zoiper is ver 3.14.
At current I can make outbound calls but sip endpoints (zoiper) can’t receive a call

The status when I do a sip show peers is Unreachable it does show port 5061 which should be correct.

The sip.conf setup

tlsenable=yes
tlsbiindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=AECDH-AES256-SHA
tlsclientmethod=TLSv1_2
tlsdontverifyserver=yes
srtcpcapable=yes
tcpenable=yes
tcpbindaddr=0.0.0.0
transport=udp,tcp,tls
dtlsenable=yes
encryption=yes
externip=myip
nat=force_rport,comedia

on the console window I see the following message
[Oct 18 13:27:03] ERROR[31155]: tcptls.c:553 ast_tcptls_client_start: Unable to connect SIP socket to 10.119.101.243:5061: Connection timed out (My ip address of local station)
[Oct 18 13:27:03] ERROR[31155]: iostream.c:556 ast_iostream_close: close() failed: Bad file descriptor

david551 · October 18, 2018, 2:04pm

That’s an unusual diagnostic. My guess is that it never got an ARP response when trying to route the TCP SYN to that address, i.e. a low level network problem.

dsiemens · October 18, 2018, 2:06pm

I have ports open for tcp 5061, and my rtp of 20K - 40k. Woudl anything else need to be opened up for this traffic?

jcolp · October 18, 2018, 2:07pm

What is the configuration for the endpoint itself in Asterisk? Does it register? Are you using static hosts?

dsiemens · October 18, 2018, 2:13pm

so i have

rewrite_contact=yes
encryption=yes
transport=transport-tls
transfer=yes
threewaycalling=yes
reinvite=yes
qualify=yes
park=yes
callwaitingcallerid=yes
callwaiting=yes
callreturn=no
calllimit=8
callforward=yes
nat=no
auth=clear
requirerecalltoken=auto
trunk=no
dtmfmode=rfc2833
codecsdenied=al
codecsallowed=g729,ulaw
accessdenied=255.255.255.255/255.255.255.255
accessallowed=0.0.0.0/0.0.0.0
pickupgroup=1
callgroup=1
provision=no
devicie=softphone
name=username
port=sip
hostname=mypchostname
technology=sip

jcolp · October 18, 2018, 2:16pm

I don’t understand what that is from… it’s like DAHDI, IAX2, and SIP configuration all thrown together. Your problem, though, is likely “nat=no”. Set it to “nat=yes” for testing and try again.

dsiemens · October 18, 2018, 2:18pm

iostream.c:620 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Oct 18 14:17:32] ERROR[31532]: iostream.c:525 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error

Its a mess of a deal, so its system I inherited that I’ve been trying to fix

david551 · October 18, 2018, 2:19pm

I don’t think reinvite is valid, even as a deprecated value, and devicie is not a valid spelling, as well as not being anything I recognize. I’m not sure you have a complete set of parameters for any technology, but it s certainly not complete for chan_sip.

dsiemens · October 18, 2018, 2:19pm

I mispelled it, The table in realtime asterisk is the Userdevices table.

dsiemens · October 18, 2018, 2:21pm

What can I add to make it right for chan_sip. This is my table defination at current.

“Field”	“Type”	“Null”	“Key”	“Default”	“Extra”
“technology”	“enum(‘IAX2’,‘SIP’)”	“NO”	“PRI”	“SIP”	“”
“hostname”	“varchar(64)”	“NO”	“PRI”	\N	“”
“port”	“enum(‘iax’,‘sip’)”	“NO”	“PRI”	“sip”	“”
“name”	“varchar(32)”	“NO”	“MUL”	\N	“”
“device”	“enum(‘IAXy’,‘Polycom’,‘softphone’)”	“NO”	“”	“Polycom”	“”
“provision”	“enum(‘yes’,‘no’)”	“NO”	“”	“yes”	“”
“macaddress”	“varchar(12)”	“YES”	“UNI”	\N	“”
“callgroup”	“tinyint(3) unsigned”	“NO”	“”	“1”	“”
“pickupgroup”	“tinyint(3) unsigned”	“NO”	“”	“1”	“”
“defaultip”	“varchar(15)”	“YES”	“”	\N	“”
“accessallowed”	“varchar(32)”	“NO”	“”	\N	“”
“accessdenied”	“varchar(32)”	“NO”	“”	“0.0.0.0/0.0.0.0”	“”
“codecsallowed”	“varchar(32)”	“NO”	“”	“ulaw,gsm”	“”
“codecsdenied”	“varchar(32)”	“NO”	“”	“all”	“”
“dtmfmode”	“enum(‘auto’,‘inband’,‘rfc2833’)”	“NO”	“”	“rfc2833”	“”
“trunk”	“enum(‘yes’,‘no’)”	“NO”	“”	“no”	“”
“requirecalltoken”	“enum(‘yes’,‘no’,‘auto’)”	“NO”	“”	“auto”	“”
“auth”	“enum(‘clear’,‘md5’,‘rsa’)”	“NO”	“”	“clear”	“”
“secret”	“varchar(12)”	“NO”	“”	\N	“”
“nat”	“enum(‘yes’,‘no’,‘never’,‘route’)”	“NO”	“”	“no”	“”
“callforward”	“enum(‘yes’,‘no’)”	“NO”	“”	“yes”	“”
“calllimit”	“tinyint(3) unsigned”	“NO”	“”	“8”	“”
“callreturn”	“enum(‘yes’,‘no’)”	“NO”	“”	“no”	“”
“callwaiting”	“enum(‘yes’,‘no’)”	“NO”	“”	“yes”	“”
“callwaitingcallerid”	“enum(‘yes’,‘no’)”	“NO”	“”	“yes”	“”
“park”	“enum(‘yes’,‘no’)”	“NO”	“”	“yes”	“”
“qualify”	“enum(‘yes’,‘no’)”	“NO”	“”	“yes”	“”
“reinvite”	“enum(‘yes’,‘no’,‘nonat’,‘update’)”	“NO”	“”	“yes”	“”
“threewaycalling”	“enum(‘yes’,‘no’)”	“NO”	“”	“yes”	“”
“transfer”	“enum(‘yes’,‘no’,‘mediaonly’)”	“NO”	“”	“no”	“”
“transport”	“enum(‘Yes’,‘No’,‘TLS Only’,‘transport-tls’)”	“YES”	“”	\N	“”
“encryption”	“enum(‘SRTP Only’,‘Yes’,‘No’)”	“YES”	“”	\N	“”
“rewrite_contact”	“enum(‘yes’,‘no’)”	“YES”	“”	\N	“”

david551 · October 18, 2018, 2:39pm

In the text file configuration, chan_sip needs a host= parameter, which should either be “dynamic”, or the host name of the peer. It should not, normally, be your own host name.

dsiemens · October 18, 2018, 2:40pm

Changing it to dynamic and reloading

dsiemens · October 18, 2018, 2:41pm

Results
ERROR[31748]: iostream.c:620 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[Oct 18 14:40:40] ERROR[31748]: iostream.c:525 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error

dsiemens · October 18, 2018, 2:56pm

Another change is now I’m getting a SIP 503, Certificate Validation falure in zoiper.

dsiemens · October 24, 2018, 3:35pm

So I’m now getting closer

To get a good cert I did the following,
Generated a key at 4096 lenght,
Generated a csr
Had a cert issues
used the trusted chain as the CA
User the cert to make my asterisk.pem file

I’m now focused on getting security set high

for tlsclientmethod = TLSv1_2
for tlscipher RSA:+HIGH

Rescanning now.

dsiemens · October 24, 2018, 4:29pm

I didn’t notice this but my zoiper client is failing on inbound calls with a

SIP 2 - Can’t find matching codec in sdp service or option not implemented, unspecified.

I have g729, ulaw enabled. what now?

dsiemens · October 24, 2018, 6:33pm

I have a lot of issues still Has anyone done a good write up to secure asterisk properly? I must be missing something as the more I do to set good ciphers and tlsv1_2 I’m not getting what I shoudl be getting.

traud · August 5, 2019, 8:03am

When it comes to SIP over TLS with SDES-sRTP, I recommend to sniff the whole network traffic via tools like Wireshark. Wireshark can even decrypt TLS/SSL traffic, when a non-PFS based cipher suite was negotiated. For this, you add your private key via Wireshark → Preferences → Protocols → TLS (or SSL) → RSA keys: any/5061/sip.tcp

This cipher suite is not supported by many VoIP/SIP clients because it does not involve certificates (Anonymous Cipher Suite). For testing with Wireshark, I recommend AES128-GCM-SHA256:AES128-SHA. For a production system ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA is a good starter.

My Zoiper Premium 3.21.1 for iPhone still does not support DTLS-sRTP, just SDES-sRTP. Therefore, I would set that to the default value ‘no’.