TLS transport question

I am running 16.28 and in the process of enabling TLS connections to the trunk. Non-TLS calls work fine.

In my pjsip.conf I saw these attributes:
ca_list_file=/etc/asterisk/keys/ca.crt
cert_file=/etc/asterisk/keys/server.crt
priv_key_file=/etc/asterisk/keys/server.key

I used letsencrypt to issue the certificates, and this gives me 4 files:
cert.pem
chain.pem
fullchain.pem
privkey.pem

So I copy these files to /etc/asterisk/ssl and give asterisk read access to the files, and update the pjsip.conf with the following:

ca_list_file=/etc/asterisk/ssl/fullchain.pem
cert_file=/etc/asterisk/ssl/fullchain.pem
priv_key_file=/etc/asterisk/ssl/privkey.pem

Went onto the ITSP and set secure trunking to enabled and updated the origination URI to use port 5061. Firewall is open on 5061 as well.

In the console I see:

[Aug 30 12:44:34] ERROR[10327]: res_pjsip.c:738 ast_sip_set_tpselector_from_transport_name: Unable to retrieve PJSIP transport '0.0.0.0-tls'
    -- Contact twilio-na-us/sip:voice-domain.pstn.ashburn.twilio.com:5061 is now Unreachable.  RTT: 0.000 msec

My question is: what file do I need to point ca_list_file to? Apparently this file is just the certificates concatenated together, so I tried merging the cert.pem, chain.pem and fullchain.pem into a new file, but I still get the “Unable to retrieve PJSIP transport '0.0.0.0-tls'”.

The ITSP is Twilio if that matters, and I followed their config guide on TLS. Open to ideas.
Thanks!

The error is not encryption related.

ca_list_file should include the root certificates used by all your clients, and any intermediate certificates they don’t include in their certificate chains. Clients often don’t authenticate themselves at the TLS level, so you might not need anything, unless you are operating in a high-security environment, but if you were, you should already know this.

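To make the three roles in the reply above concrete (your own certificate and key versus the CAs that issued your peers' certificates), here is an added example that is not from the thread or from Asterisk. It builds a throwaway root CA and a server certificate signed by it, then runs the checks a practitioner would run before pointing cert_file, priv_key_file and ca_list_file at files: does the leaf verify against the bundle, does the key belong to the certificate, and which names does the certificate actually carry. All names and paths (voice.example.com, "Demo Root CA", the $WORK directory) are constructed for the demo; it needs only the openssl command line.

```shell
#!/bin/sh
# Added example, not from the thread or from Asterisk: builds a throwaway
# root CA plus a server certificate/key signed by it, then checks the three
# things a pjsip TLS transport needs to line up. Every name and path here is
# constructed for the demo (voice.example.com, "Demo Root CA", $WORK).
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_demo_pki DIR: ca.pem is the self-signed root (what a peer would put in
# its ca_list_file to trust us); server.pem/server.key are the leaf pair that
# belong in cert_file / priv_key_file.
make_demo_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=voice.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:voice.example.com\n' > "$dir/san.cnf"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 2 -extfile "$dir/san.cnf" \
        -out "$dir/server.pem" >/dev/null 2>&1
}

# count_certs FILE: number of PEM certificate blocks in a bundle
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# cert_chains_to CAFILE LEAF: succeeds only if LEAF verifies against CAFILE,
# i.e. CAFILE would work as the ca_list_file for a peer presenting LEAF
cert_chains_to() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# cert_matches_key CERT KEY: the public key inside CERT equals the one
# derived from KEY (cert_file and priv_key_file must be a matching pair)
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_names CERT: subject and SAN entries, the identities a peer compares
# against the host name it dialled
cert_names() {
    openssl x509 -in "$1" -noout -subject
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | sed 's/^ *//'
}

make_demo_pki "$WORK"
cert_names "$WORK/server.pem"
printf '\n[0.0.0.0-tls]\ntype=transport\nprotocol=tls\nbind=0.0.0.0:5061\n'
printf 'cert_file=%s\npriv_key_file=%s\n' "$WORK/server.pem" "$WORK/server.key"
echo 'ca_list_file=<bundle of the CA certificates that issued your peers, not your own chain>'
```

The negative checks are the instructive ones: verifying the leaf against a bundle that contains only the leaf itself fails, which is the situation created by pointing ca_list_file at your own fullchain.pem, and a key from a different pair fails the match even though both files parse cleanly.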

Ok from my config it does not appear the clients will use tls. Only the trunk.

Perhaps I have some bad syntax in the pjsip.conf

[global]
type=global
[0.0.0.0-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060
external_media_address=x.x.x.109
external_signaling_address=x.x.x.109
allow_reload=no
tos=cs3
cos=3
local_net=192.168.1.0/24
local_net=192.168.2.0/24
local_net=192.168.5.0/24
local_net=192.168.50.0/24

[0.0.0.0-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
external_media_address=x.x.x.109
external_signaling_address=x.x.x.109
ca_list_file=/etc/asterisk/ssl/test_CA.pem
cert_file=/etc/asterisk/ssl/fullchain.pem
priv_key_file=/etc/asterisk/ssl/privkey.pem
method=tlsv1
verify_client=no
verify_server=no
allow_reload=no
tos=cs3
cos=3
local_net=192.168.1.0/24
local_net=192.168.2.0/24
local_net=192.168.5.0/24
local_net=192.168.50.0/24

Maybe I need to reference the FQDN that matches the certificate cn for external_media and external_signaling?

For added clarity, these are the pjsip_wizard settings:


[user_defaults](!)
type = wizard
accepts_registrations = yes
sends_registrations = no
accepts_auth = yes
sends_auth = no
endpoint/context = from-internal
endpoint/tos_audio=ef
endpoint/tos_video=af41
endpoint/cos_audio=5
endpoint/cos_video=4
endpoint/allow = !all,ulaw
endpoint/dtmf_mode = rfc4733
endpoint/aggregate_mwi = yes
endpoint/use_avpf = no
endpoint/rtcp_mux = no
endpoint/bundle = no
endpoint/ice_support = no
endpoint/media_use_received_transport = no
endpoint/trust_id_inbound = yes
endpoint/media_encryption = no
endpoint/timers = yes
endpoint/media_encryption_optimistic = no
endpoint/send_pai = yes
endpoint/rtp_symmetric = yes
endpoint/rewrite_contact = yes
endpoint/force_rport = yes
endpoint/language = en


[155](user_defaults)
aor/max_contacts = 2
endpoint/callerid = Office <155>
inbound_auth/username = 155
inbound_auth/password = xxxxxx

[255](user_defaults)
aor/max_contacts = 2
endpoint/callerid = Test User <255>
inbound_auth/username = 255
inbound_auth/password = xxxxx


[355](user_defaults)
aor/max_contacts = 2
endpoint/callerid = user1 <355>
inbound_auth/username = 355
inbound_auth/password = xxxxx


[trunk_defaults](!)
type = wizard
endpoint/transport=0.0.0.0-tls
endpoint/allow = !all,ulaw
endpoint/t38_udptl=no
endpoint/t38_udptl_ec=none
endpoint/fax_detect=no
endpoint/trust_id_inbound=no
endpoint/t38_udptl_nat=no
endpoint/direct_media=no
endpoint/rewrite_contact=yes
endpoint/rtp_symmetric=yes
endpoint/dtmf_mode=rfc4733
endpoint/allow_subscribe = no
aor/qualify_frequency = 60
endpoint/media_encryption = sdes

[twilio-na-us](trunk_defaults)
sends_auth = yes
sends_registrations = no
remote_hosts = voice-domain.pstn.ashburn.twilio.com:5061
outbound_auth/username = ast-pbx
outbound_auth/password = xxxxxxxx
endpoint/context = from-pstn
aor/qualify_frequency = 60

Appears it can’t find the transport:

pjsip show transport 0.0.0.0-tls
Unable to find object 0.0.0.0-tls.

If I comment out the cert attributes the transport loads.

Transport:  <TransportId........>  <Type>  <cos>  <tos>  <BindAddress....................>
==========================================================================================

Transport:  0.0.0.0-tls               tls      3     96  0.0.0.0:5061
Transport:  0.0.0.0-udp               udp      3     96  0.0.0.0:5060

Objects found: 2
ParameterName              : ParameterValue
 =======================================================
 allow_reload               : false
 allow_wildcard_certs       : No
 async_operations           : 1
 bind                       : 0.0.0.0:5061
 ca_list_file               : 
 ca_list_path               : 
 cert_file                  : 
 cipher                     : 
 cos                        : 3
 domain                     : 
 external_media_address     : voice.example.com
 external_signaling_address : voice.example.com
 external_signaling_port    : 0
 local_net                  : 192.168.1.0/255.255.255.0
 local_net                  : 192.168.2.0/255.255.255.0
 local_net                  : 192.168.5.0/255.255.255.0
 local_net                  : 192.168.50.0/255.255.255.0
 method                     : tlsv1
 password                   : 
 priv_key_file              : 
 protocol                   : tls
 require_client_cert        : No
 symmetric_transport        : false
 tos                        : 96
 verify_client              : No
 verify_server              : No
 websocket_write_timeout    : 100

When I add them back in, it no longer sees the transport. So something about the certificate files it does not like.

Here again is what I am using:

cert_file=/etc/asterisk/ssl/fullchain.pem
priv_key_file=/etc/asterisk/ssl/privkey.pem

What the console shows:

[Aug 30 15:19:11] ERROR[575]: res_pjsip.c:1578 endpt_send_request: Error 320047 'No answer record in the DNS response (PJLIB_UTIL_EDNSNOANSWERREC)' sending OPTIONS request to endpoint twilio-na-us

This is with the certs commented out.

I read somewhere that Twilio uses wildcard certs, yet I see in the transport

allow_wildcard_certs       : No

Could this be the issue?

Is there a way to allow wildcard certs? I am using a FQDN certificate married to the FQDN of the Asterisk instance.

Tried a self signed cert for giggles, and I get the notion I need to use the Twilio cert for this transport.

With the self signed cert I get this in the console:

[Aug 30 16:16:51] NOTICE[1238]: res_pjsip/pjsip_transport_events.c:179 verify_log_result: Transport '0.0.0.0-tls' to remote 'voice-domain.pstn.ashburn.twilio.com' - The server identity does not match to any identities specified in the certificate
  == Endpoint twilio-na-us is now Reachable

So I will try with the Twilio wildcard cert and see what shakes out.

That error says you have DNS problems, not TLS ones.

Yes, it seems I need to use the ITSP wildcard cert for this transport. At least this is my hunch at the moment. Will update with my findings.

Ok, well using the ITSP cert bundle helped for outbound calling. Still sorting out the inbound calling.

Now I may be way off on this, but it appears to me that the ca_list_file is for the trunk provider when connecting outbound calls to the trunk. So I have mine set as:

ca_list_file=/etc/asterisk/ssl/ca-bundle.crt

Using their cert bundle I am seeing the warning about wildcard certs:

....does not allow TLS wildcard certificates. Advise your SIP provider, please!

This is as expected.

Now for inbound calling, I have pjsip looking at the self signed certificate and getting the following:

[Aug 30 16:33:29] NOTICE[1383]: res_pjsip/pjsip_transport_events.c:179 verify_log_result: Transport '0.0.0.0-tls' to remote 'voice-domain.pstn.ashburn.twilio.com' - The server identity does not match to any identities specified in the certificate

But the transport at least loads now, so I’m calling that progress at the moment. I will try a few more combinations to see what cert goes where. I gather I need one cert for outbound calls to the trunk provider, and another for ingress calls from the trunk.

Thanks for the tips Dave, much appreciated. At the cost of a little sanity I will get my head around this thing lol

Here is the pjsip config as of the last tests:

ca_list_file=/etc/asterisk/ssl/ca-bundle.crt
cert_file=/etc/asterisk/ssl/fullchain.pem
priv_key_file=/etc/asterisk/ssl/privkey.pem
method=tlsv1_2

ca_list_file is the ITSP wildcard bundle, working for outbound calls
cert_file is the letsencrypt cert for my domain “voice.example.com”
priv_key is the letsencrypt key

So the culprit at the moment is the endpoint name is not found.

[Aug 30 17:11:10] NOTICE[1910]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '<sip:hello@voice-domain.pstn.twilio.com>' failed for '54.172.60.3:45440' (callid: 152326ee84a10a83b87d16c8ca5f59a7@0.0.0.0) - No matching endpoint found

If I use the ITSP cert I get “The server identity does not match to any identities specified in the certificate”.

I will look into changing the endpoint string for origination again.

My origination URI is: sip:voice.example.com;transport=tls;edge=us1

ca-list-file is used for inbound TLS connections. They could be from phones, as well as providers.


Hmm, if for inbound, this is where I have issues. Maybe I have them reversed.

For my latest ‘what-if’ I am using a self signed cert with the (what I thought was) endpoint for “voice-example.pstn.twilio.com” - on an inbound test call I get:

No matching endpoint found

The endpoint it should go to, as before this TLS rabbit-hole:

Endpoint:  twilio-na-us                                         Not in use    0 of inf
    OutAuth:  twilio-na-us-oauth/asterisk-pbx
        Aor:  twilio-na-us                                       0
      Contact:  twilio-na-us/sip:voice-example.pstn.twi c916157022 Avail        21.939
  Transport:  0.0.0.0-tls               tls      3     96  0.0.0.0:5061
   Identify:  twilio-na-us-identify/twilio-na-us
        Match: 54.172.60.2:5061/32
        Match: 54.172.60.1:5061/32
        Match: 54.172.60.0:5061/32
        Match: 54.172.60.3:5061/32

Relevant endpoint in pjsip.conf

[twilio-na-us](trunk_defaults)
sends_auth = yes
sends_registrations = no
remote_hosts = voice-example.pstn.twilio.com:5061

Still not understanding how the endpoint or remote host values would need to be changed just enabling TLS, but I think I understand it. It’s about matching up the cert names to each end of the trunk.

So the ca_list_file is for the ingress trunk connections, (currently not working) and the cert_file is for egress to the trunk. If I have that right. Outbound calls are fine, inbound - no matching endpoint.

Forgot to add the full invite logged:

[Aug 30 19:37:35] ERROR[3336]: pjproject: <?>:      tlsc0x7f3730247808 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
[Aug 30 19:37:35] NOTICE[3336]: res_pjsip/pjsip_transport_events.c:179 verify_log_result: Transport '0.0.0.0-tls' to remote 'example.pstn.twilio.com' - The certificate is untrusted
[Aug 30 19:37:35] NOTICE[3336]: res_pjsip/pjsip_transport_events.c:179 verify_log_result: Transport '0.0.0.0-tls' to remote 'example.pstn.twilio.com' - The server identity does not match to any identities specified in the certificate
  == Endpoint twilio-na-us is now Reachable
    -- Contact twilio-na-us/sip:example.pstn.twilio.com:5061 is now Reachable.  RTT: 122.903 msec
[Aug 30 19:38:12] NOTICE[3337]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '<sip:hello@example.pstn.twilio.com>' failed for '54.172.60.2:54646' (callid: c2c0f69acf890eb05a24a753e4786b24@0.0.0.0) - No matching endpoint found
[Aug 30 19:38:27] NOTICE[3337]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '<sip:+1530xxxxxxx@example.pstn.twilio.com;isup-oli=62;pstn-params=808481808882>' failed for '54.172.60.1:44638' (callid: 4fe5342b8c3a74055a0b52b43cd787b2@0.0.0.0) - No matching endpoint found
[Aug 30 19:38:45] NOTICE[3337]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '<sip:+1530xxxxxxx@example.pstn.twilio.com;isup-oli=62;pstn-params=808481808882>' failed for '54.172.60.2:54646' (callid: 157934ae9ae25933a58ea17cf1d41b13@0.0.0.0) - No matching endpoint found

[Aug 30 21:52:10] NOTICE[3772]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '<sip:hello@voice-example.pstn.twilio.com>' failed for '54.172.60.1:36642' (callid: 03a42700d8d5f2a4ef5f510061c1a194@0.0.0.0) - No matching endpoint found


[Aug 30 21:58:23] ERROR[3901]: pjproject: <?>:      tlsc0x7f50c425c578 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!

[Aug 30 21:58:23] NOTICE[3901]: res_pjsip/pjsip_transport_events.c:179 verify_log_result: Transport '0.0.0.0-tls' to remote 'voice-example.pstn.twilio.com' - The server identity does not match to **any identities specified in the certificate**
  == Endpoint twilio-na-us is now Reachable
    -- Contact twilio-na-us/sip:voice-example.pstn.twilio.com:5061 is now Reachable.  RTT: 130.314 msec


openssl x509 -in cert.crt -text -noout

cert:
CN = **voice-example.pstn.twilio.com**

This is using the self signed cert - not ideal, but part of the learning process for me.

Not sure what cert to use yet, it’s seeing the invites, just no endpoint. I don’t have an identify section, not sure why this would change just enabling tls? Will continue digging.

So just by changing the transport to tls, seems to break endpoint matching.

Probably need to take this up with Twilio, since following their suggestions doesn’t seem to work in practice for me. Sharing here in case someone has seen the same.
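One check worth running against the "No matching endpoint found" lines before going back to the provider, added here as an example that is not from the thread or from Asterisk: compare the source address Asterisk logs in log_failed_request with the identify "Match:" entries that "pjsip show endpoint" printed above. In the thread's log lines the INVITEs over TLS arrive from ports 45440, 36642 and 52374, while every Match entry names port 5061. The rule the script applies is an assumption for the demo, not something the thread states: an entry that carries a port only matches when the source port is equal too, and only /32 entries are evaluated (exact host compare, no mask arithmetic). The sample data is constructed from the shapes shown in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from Asterisk: reads the source
# address out of a log_failed_request line and compares it with identify
# "Match:" entries. Assumed matching rule (demo only): an entry with a port
# matches only when the source port is equal; only /32 entries are handled.
set -eu

# Constructed sample data, copied from the shapes shown in the thread.
MATCHES="54.172.60.2:5061/32
54.172.60.1:5061/32
54.172.60.0:5061/32
54.172.60.3:5061/32"

LOG_LINE="[Aug 30 21:52:10] NOTICE[3772]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '<sip:hello@voice-example.pstn.twilio.com>' failed for '54.172.60.1:36642' (callid: 03a42700d8d5f2a4ef5f510061c1a194@0.0.0.0) - No matching endpoint found"

# source_of LINE: print "ip port" of the peer the failed request came from
source_of() {
    printf '%s\n' "$1" | sed -n "s/.*failed for '\([0-9.]*\):\([0-9]*\)'.*/\1 \2/p"
}

# identify_verdict IP PORT: prints "match", "port-mismatch" (host is listed
# but only with a different port) or "no-match"
identify_verdict() {
    ip="$1"; port="$2"; verdict="no-match"
    for entry in $MATCHES; do
        net="${entry%/*}"                  # drop the /32 suffix
        host="${net%:*}"
        eport="${net##*:}"
        [ "$host" = "$net" ] && eport=""   # entry written without a port
        [ "$host" = "$ip" ] || continue
        if [ -z "$eport" ] || [ "$eport" = "$port" ]; then
            echo match
            return 0
        fi
        verdict="port-mismatch"
    done
    echo "$verdict"
}

src=$(source_of "$LOG_LINE")
set -- $src
echo "request came from $1 port $2: $(identify_verdict "$1" "$2")"
```

A "port-mismatch" verdict tells you the provider's address is known but the entry is stricter than the connection that actually arrived; a "no-match" verdict means the address is simply not listed, which is the other common reason for that log line.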

I did a few test calls and gathered the trace output for amusement. All PII scrubbed I hope…

This test is just an extension to extension call to gather a baseline:


[Aug 31 18:26:09] NOTICE[4681]: res_pjsip_geolocation.c:194 handle_incoming_request:  PJSIP/355-00000000: Endpoint has no geoloc_incoming_call_profile. Done.
    -- Executing [155@from-internal:1] NoOp("PJSIP/355-00000000", "Call for main desk") in new stack
    -- Executing [155@from-internal:2] Dial("PJSIP/355-00000000", "PJSIP/155,20") in new stack
    -- Called PJSIP/155
  == Using SIP RTP Audio TOS bits 184
  == Using SIP RTP Audio TOS bits 184 in TCLASS field.
  == Using SIP RTP Audio CoS mark 5
[Aug 31 18:26:09] NOTICE[4681]: res_pjsip_geolocation.c:497 handle_outgoing_request:  PJSIP/155-00000001: Endpoint has no geoloc_outgoing_call_profile. Skipping.
[Aug 31 18:26:09] WARNING[4681]: res_pjsip_pubsub.c:3394 pubsub_on_rx_publish_request: No registered publish handler for event presence from 355
    -- PJSIP/155-00000001 is ringing
  == Spawn extension (from-internal, 155, 2) exited non-zero on 'PJSIP/355-00000000'
[Aug 31 18:26:11] WARNING[4681]: res_pjsip_pubsub.c:3394 pubsub_on_rx_publish_request: No registered publish handler for event presence from 355
[Aug 31 18:27:06] WARNING[4682]: res_pjsip_pubsub.c:3394 pubsub_on_rx_publish_request: No registered publish handler for event presence from 355
  == Using SIP RTP Audio TOS bits 184
  == Using SIP RTP Audio TOS bits 184 in TCLASS field.
  == Using SIP RTP Audio CoS mark 5
[Aug 31 18:27:06] NOTICE[4681]: res_pjsip_geolocation.c:194 handle_incoming_request:  PJSIP/355-00000002: Endpoint has no geoloc_incoming_call_profile. Done.
    -- Executing [155@from-internal:1] NoOp("PJSIP/355-00000002", "Call for main desk") in new stack
    -- Executing [155@from-internal:2] Dial("PJSIP/355-00000002", "PJSIP/155,20") in new stack
    -- Called PJSIP/155
  == Using SIP RTP Audio TOS bits 184
  == Using SIP RTP Audio TOS bits 184 in TCLASS field.
  == Using SIP RTP Audio CoS mark 5
[Aug 31 18:27:06] NOTICE[4681]: res_pjsip_geolocation.c:497 handle_outgoing_request:  PJSIP/155-00000003: Endpoint has no geoloc_outgoing_call_profile. Skipping.
    -- PJSIP/155-00000003 is ringing
    -- PJSIP/155-00000003 answered PJSIP/355-00000002
    -- Channel PJSIP/155-00000003 joined 'simple_bridge' basic-bridge <508ab5e3-bc99-42b1-ae9d-886a7412cfdd>
    -- Channel PJSIP/355-00000002 joined 'simple_bridge' basic-bridge <508ab5e3-bc99-42b1-ae9d-886a7412cfdd>
[Aug 31 18:27:09] NOTICE[4682]: res_pjsip_geolocation.c:497 handle_outgoing_request:  PJSIP/155-00000003: Endpoint has no geoloc_outgoing_call_profile. Skipping.
[Aug 31 18:27:09] NOTICE[4681]: res_pjsip_geolocation.c:497 handle_outgoing_request:  PJSIP/355-00000002: Endpoint has no geoloc_outgoing_call_profile. Skipping.
    -- Channel PJSIP/155-00000003 left 'native_rtp' basic-bridge <508ab5e3-bc99-42b1-ae9d-886a7412cfdd>
    -- Channel PJSIP/355-00000002 left 'native_rtp' basic-bridge <508ab5e3-bc99-42b1-ae9d-886a7412cfdd>
[Aug 31 18:27:13] NOTICE[4682]: res_pjsip_geolocation.c:497 handle_outgoing_request:  PJSIP/355-00000002: Endpoint has no geoloc_outgoing_call_profile. Skipping.
  == Spawn extension (from-internal, 155, 2) exited non-zero on 'PJSIP/355-00000002'
[Aug 31 18:27:13] WARNING[4681]: res_pjsip_pubsub.c:3394 pubsub_on_rx_publish_request: No registered publish handler for event presence from 355


All seems to work fine.

This test is from itsp, using the udp transport:

[Aug 31 18:27:59] NOTICE[4681]: res_pjsip_geolocation.c:194 handle_incoming_request:  PJSIP/twilio-na-us-00000004: Endpoint has no geoloc_incoming_call_profile. Done.
    -- Executing [+14155551212@from-pstn:1] Dial("PJSIP/twilio-na-us-00000004", "PJSIP/355") in new stack
    -- Called PJSIP/355
  == Using SIP RTP Audio TOS bits 184
  == Using SIP RTP Audio TOS bits 184 in TCLASS field.
  == Using SIP RTP Audio CoS mark 5
[Aug 31 18:27:59] NOTICE[4681]: res_pjsip_geolocation.c:497 handle_outgoing_request:  PJSIP/355-00000005: Endpoint has no geoloc_outgoing_call_profile. Skipping.
    -- PJSIP/355-00000005 is making progress passing it to PJSIP/twilio-na-us-00000004
    -- PJSIP/355-00000005 answered PJSIP/twilio-na-us-00000004
    -- Channel PJSIP/355-00000005 joined 'simple_bridge' basic-bridge <8f7943c0-d388-404f-9f89-48b6bdbcdd54>
    -- Channel PJSIP/twilio-na-us-00000004 joined 'simple_bridge' basic-bridge <8f7943c0-d388-404f-9f89-48b6bdbcdd54>
[Aug 31 18:28:03] WARNING[4681]: res_pjsip_pubsub.c:3394 pubsub_on_rx_publish_request: No registered publish handler for event presence from 355
    -- Channel PJSIP/355-00000005 left 'native_rtp' basic-bridge <8f7943c0-d388-404f-9f89-48b6bdbcdd54>
    -- Channel PJSIP/twilio-na-us-00000004 left 'native_rtp' basic-bridge <8f7943c0-d388-404f-9f89-48b6bdbcdd54>
  == Spawn extension (from-pstn, +14155551212, 1) exited non-zero on 'PJSIP/twilio-na-us-00000004'
[Aug 31 18:28:36] WARNING[4681]: res_pjsip_pubsub.c:3394 pubsub_on_rx_publish_request: No registered publish handler for event presence from 355

Test call from itsp using the tls transport:

[Aug 31 18:33:31] NOTICE[4784]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '<sip:hello@voice-example.pstn.twilio.com>' failed for '54.172.60.3:52374' (callid: f8e74ffdb8c660b7c2ad316a3c5b6902@0.0.0.0) - No matching endpoint found

Following this guide: https://assets.cdn.prod.twilio.com/documents/TwilioElasticSIPTrunking-AsteriskPBX-Configuration-Guide-Version2-1-FINAL-09012018.pdf

I’m curious if changing the dialplan to the different “from '<sip:hello@voice-example.pstn.” will then match my endpoint defined in the dialplan.

Dialplan for reference:

[from-pstn]
exten => _+1NXXXXXXXXX,1,Dial(PJSIP/355)

pjsip log of call from itsp:


PJSIP Logging enabled
<--- Received SIP request (1501 bytes) from TLS:54.172.60.3:43780 --->
INVITE sip:+14155551212@x.x.x.109;edge=us1;transport=tls SIP/2.0
Record-Route: <sip:54.172.60.3:5061;transport=tls;r2=on;lr>
Record-Route: <sip:54.172.60.3;r2=on;lr>
CSeq: 1 INVITE
From: <sip:hello@voice-example.pstn.twilio.com>;tag=33196707_c3356d0b_08c5a5a4-1aa2-4f17-8a50-def2dae27c87
To: <sip:+14155551212@x.x.x.109;edge=us1;transport=tls>
Max-Forwards: 63
X-OhSip-Sas-Id: 719f5bad-ab35-4729-ab73-5261a50ee1fb
X-OhSIP-Servlet: SipCallOut
X-OhSIP-Remote-Test-Id: sip-call-out_802
Diversion: <sip:+14155551212@twilio.com>;reason=unconditional
Call-ID: 1c65ea08c01acd32b4d7e91dac0a30f4@0.0.0.0
Via: SIP/2.0/TLS 54.172.60.3:5061;branch=z9hG4bKaeca.a86dd6428ca76818ad3a7b87ad7040bd.0
Via: SIP/2.0/UDP 172.25.13.87:5060;rport=5060;branch=z9hG4bK08c5a5a4-1aa2-4f17-8a50-def2dae27c87_c3356d0b_548-18446140832366326829
Contact: <sip:hello@172.25.13.87:5060;transport=udp>
Allow: INVITE,ACK,CANCEL,OPTIONS,BYE,REFER,NOTIFY
X-Twilio-AccountSid: AC4e4a4c6833fe0b62305c5fa8aa44b519
User-Agent: Twilio Gateway
Content-Type: application/sdp
X-Twilio-CallSid: CA0c0ca9e6d6bac81f7a0623c92db2815e
Content-Length: 362

v=0
o=root 597706680 597706680 IN IP4 172.18.159.207
s=Twilio Media Gateway
c=IN IP4 34.203.251.191
t=0 0
m=audio 19484 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:Ll7rnINkn+cgwwx2ek1Fsah8Knd//udj9AkbEotg
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=ptime:20
a=maxptime:20
a=sendrecv

[Aug 31 19:30:52] NOTICE[5167]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '<sip:hello@voice-example.pstn.twilio.com>' failed for '54.172.60.3:43780' (callid: 1c65ea08c01acd32b4d7e91dac0a30f4@0.0.0.0) - No matching endpoint found
<--- Transmitting SIP response (873 bytes) to TLS:54.172.60.3:43780 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS 54.172.60.3:5061;rport=43780;received=54.172.60.3;branch=z9hG4bKaeca.a86dd6428ca76818ad3a7b87ad7040bd.0
Via: SIP/2.0/UDP 172.25.13.87:5060;rport=5060;branch=z9hG4bK08c5a5a4-1aa2-4f17-8a50-def2dae27c87_c3356d0b_548-18446140832366326829
Record-Route: <sip:54.172.60.3:5061;transport=tls;lr;r2=on>
Record-Route: <sip:54.172.60.3;lr;r2=on>
Call-ID: 1c65ea08c01acd32b4d7e91dac0a30f4@0.0.0.0
From: <sip:hello@voice-example.pstn.twilio.com>;tag=33196707_c3356d0b_08c5a5a4-1aa2-4f17-8a50-def2dae27c87
To: <sip:+14155551212@x.x.x.109;edge=us1>;tag=z9hG4bKaeca.a86dd6428ca76818ad3a7b87ad7040bd.0
CSeq: 1 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1693524652/cfba32ff8747ee5f65cf6765b9e41f59",opaque="3f345c585add65fe",algorithm=MD5,qop="auth"
Server: Asterisk PBX 16.28.0~dfsg-0+deb11u3
Content-Length:  0


<--- Received SIP request (470 bytes) from TLS:54.172.60.3:43780 --->
ACK sip:+14155551212@x.x.x.109;edge=us1;transport=tls SIP/2.0
CSeq: 1 ACK
From: <sip:hello@voice-example.pstn.twilio.com>;tag=33196707_c3356d0b_08c5a5a4-1aa2-4f17-8a50-def2dae27c87
To: <sip:+14155551212@x.x.x.109;edge=us1>;tag=z9hG4bKaeca.a86dd6428ca76818ad3a7b87ad7040bd.0
Max-Forwards: 63
Call-ID: 1c65ea08c01acd32b4d7e91dac0a30f4@0.0.0.0
Via: SIP/2.0/TLS 54.172.60.3:5061;branch=z9hG4bKaeca.a86dd6428ca76818ad3a7b87ad7040bd.0
Content-Length: 0


<--- Transmitting SIP request (523 bytes) to TLS:54.172.60.3:5061 --->
OPTIONS sip:voice-example.pstn.ashburn.twilio.com:5061 SIP/2.0
Via: SIP/2.0/TLS x.x.x.109:5061;rport;branch=z9hG4bKPjf9ea7df4-3b12-434a-8467-35cf05b6488d;alias
From: <sip:twilio-na-us@192.168.50.24>;tag=c87cc16b-1891-44d3-a7f2-75db1f5ffd9c
To: <sip:voice-example.pstn.ashburn.twilio.com>
Contact: <sip:twilio-na-us@x.x.x.109:5061;transport=TLS>
Call-ID: 514c6427-a2bb-42b4-880b-8f385db5d70b
CSeq: 45994 OPTIONS
Max-Forwards: 70
User-Agent: Asterisk PBX 16.28.0~dfsg-0+deb11u3
Content-Length:  0


<--- Received SIP response (441 bytes) from TLS:54.172.60.3:5061 --->
SIP/2.0 200 OK
Via: SIP/2.0/TLS x.x.x.109:5061;rport=53563;branch=z9hG4bKPjf9ea7df4-3b12-434a-8467-35cf05b6488d;alias;received=x.x.x.109
From: <sip:twilio-na-us@192.168.50.24>;tag=c87cc16b-1891-44d3-a7f2-75db1f5ffd9c
To: <sip:voice-example.pstn.ashburn.twilio.com>;tag=eda7d35dc3bcd50d5f50b21ba87e2918.5f4b4cf6
Call-ID: 514c6427-a2bb-42b4-880b-8f385db5d70b
CSeq: 45994 OPTIONS
Server: Twilio Gateway
Content-Length: 0

Found a few other posts with the same issue, such as Example of a working pjsip.conf for Twilio with TLS/SRTP? - #4 by ajgnet, and I still can’t figure out what I did wrong or need to add.

You can’t do this, because the media key is being transmitted over an insecure link.
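The condition the reply above objects to can be checked mechanically from a captured message: the SDP carries an SDES key (a=crypto) while at least one signalling hop (a Via, Contact or Record-Route) names UDP or TCP rather than TLS, as the Via: SIP/2.0/UDP and Contact ...;transport=udp lines in the trace do. The following is an added example, not from the thread or from Asterisk; the message is constructed from the header shapes in the trace with addresses, branch tags and the key blob replaced by documentation values.

```shell
#!/bin/sh
# Added example, not from the thread or from Asterisk: flags a SIP message
# that offers an SDES media key (SDP a=crypto) while one of its signalling
# hops is cleartext. The message is constructed; addresses, branches and the
# key blob are placeholders, not values from a real call.
set -eu

INVITE='INVITE sip:+14155551212@192.0.2.10;edge=us1;transport=tls SIP/2.0
Record-Route: <sip:198.51.100.3:5061;transport=tls;r2=on;lr>
Via: SIP/2.0/TLS 198.51.100.3:5061;branch=z9hG4bKexample.0
Via: SIP/2.0/UDP 172.25.13.87:5060;rport=5060;branch=z9hG4bKexample.1
Contact: <sip:hello@172.25.13.87:5060;transport=udp>
Content-Type: application/sdp

v=0
c=IN IP4 203.0.113.5
m=audio 19484 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_KEY_BLOB_NOT_A_REAL_KEY
a=rtpmap:0 PCMU/8000'

# sdp_offers_sdes MSG: true when the body carries an SDES key line
sdp_offers_sdes() { printf '%s\n' "$1" | grep -q '^a=crypto:'; }

# cleartext_hops MSG: print every Via/Contact/Record-Route line that names
# UDP or TCP instead of TLS (one line per hop, nothing if there are none)
cleartext_hops() {
    printf '%s\n' "$1" \
        | grep -Ei '^Via: SIP/2\.0/(UDP|TCP) |^(Contact|Record-Route):.*transport=(udp|tcp)' \
        || true
}

# cleartext_hop_count MSG: number of such hops
cleartext_hop_count() { cleartext_hops "$1" | wc -l | tr -d ' '; }

# sdes_key_exposed MSG: true when an SDES key rides over at least one
# cleartext hop, the combination the reply above rejects
sdes_key_exposed() {
    sdp_offers_sdes "$1" && [ "$(cleartext_hop_count "$1")" -gt 0 ]
}

if sdes_key_exposed "$INVITE"; then
    echo "SDES key offered over cleartext hop(s):"
    cleartext_hops "$INVITE"
else
    echo "no SDES key exposure found"
fi
```

Run over a pjsip log capture one message at a time, this is a cheap way to confirm whether the provider's internal hop is the one in the clear before raising it with them; a message with only TLS hops, or one with no a=crypto line at all, is not flagged.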

Dang, good catch! Ok got it, and that is coming from the trunk provider correct? I will recheck those settings, but should be on 5061. I checked the origination uri, and it has the ;transport=tls; as per the docs. I will try to reach out to them, I don’t even see 5061 packets coming into the firewall, only 5060 ingress.

Nothing at all about this in their docs:

Contact: <sip:hello@172.25.13.87:5060;transport=udp>