Hello. I'm trying to configure a TLS transport. The OS is Ubuntu 20.04, Asterisk 16.23.0.
pjsip.conf:
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
ca_list_file=/etc/asterisk/certificate/ca.crt
cert_file=/etc/asterisk/certificate/asterisk.pem
method=tlsv1
asterisk.pem was generated using:
./ast_tls_cert -C webrtc-hr-denovo.supportyourapp.com -O "Supportyourapp" -d /etc/asterisk/certificate
and it looks like the ast_tls_cert script used a 4096-bit key length.
Asterisk is running as the asterisk user and group, and
chown -R asterisk: /etc/asterisk/certificate/
has been done.
The same configuration and approach works on CentOS,
so it looks like Ubuntu has a more secure OpenSSL configuration.
I've tried to change
/usr/lib/ssl/openssl.cnf
by adding at the beginning
openssl_conf = default_conf
and at the end
[ default_conf ]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.1
CipherString = DEFAULT:@SECLEVEL=1
and recompiled pjproject and Asterisk.
Changing /usr/lib/ssl/openssl.cnf resolved this issue:
[Feb 1 15:17:45] WARNING[36240]: pjproject: <?>: SSL STATUS_FROM_SSL_ERR (status): Level: 0 err: <336245135> <SSL routines-SSL_CTX_use_certificate-ee key too small> len: 0 peer: 212.58.160.196:5071
[Feb 1 15:17:45] ERROR[36240]: pjproject: <?>: ssl0x558a6517b590 Error loading certificate chain file '/etc/asterisk/certificate/asterisk.pem': ee key too small
-- Contact lifecell/sip:380938094300@csbc.lifecell.ua:5071 is now Unreachable. RTT: 0.000 msec
The issue now is:
[Feb 1 15:42:20] WARNING[36799]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151568> <SSL routines-ssl3_read_bytes-sslv3 alert handshake failure> len: 0 peer: 212.58.160.196:5071
[Feb 1 15:43:20] WARNING[36799]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151568> <SSL routines-ssl3_read_bytes-sslv3 alert handshake failure> len: 0 peer: 212.58.160.196:5071
Please help me resolve this issue.
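The two warnings above carry packed OpenSSL error codes ("err: <336245135>" and "err: <336151568>"). The following is an added example, not code from the post or from Asterisk/pjproject: it decodes those codes the way OpenSSL 1.1.x (the version shipped with Ubuntu 20.04) packs them, library in the top 8 bits, function in the next 12, reason in the low 12, and checks a key size against the minimums that OpenSSL's security levels enforce (from SSL_CTX_set_security_level(3)). The log lines are copied from the post as constructed input; the reason-code table is a small subset of sslerr.h, and the hint strings are this example's reading of each code, not text from OpenSSL.

```python
"""Decode OpenSSL 1.1.x error codes printed by pjproject in Asterisk TLS warnings.

Added example for the forum post above; the sample lines are copied from the post
(the second one was split across two lines by the forum and is joined here).
"""
import re

# Constructed input: the two warnings from the post.
SAMPLE_LOG = [
    "[Feb 1 15:17:45] WARNING[36240]: pjproject: <?>: SSL STATUS_FROM_SSL_ERR (status): "
    "Level: 0 err: <336245135> <SSL routines-SSL_CTX_use_certificate-ee key too small> "
    "len: 0 peer: 212.58.160.196:5071",
    "[Feb 1 15:42:20] WARNING[36799]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): "
    "Level: 0 err: <336151568> <SSL routines-ssl3_read_bytes-sslv3 alert handshake failure> "
    "len: 0 peer: 212.58.160.196:5071",
]

ERR_LIB_SSL = 20  # ERR_LIB_SSL in OpenSSL 1.1.x <openssl/err.h>

# Subset of SSL_R_* reason codes from OpenSSL 1.1.x <openssl/sslerr.h>.
# Alert reasons are 1000 + the TLS alert number (handshake_failure is alert 40).
# The second element of each tuple is this example's own diagnostic hint.
REASON_HINTS = {
    399: ("SSL_R_EE_KEY_TOO_SMALL",
          "our end-entity certificate's key is below the minimum for the OpenSSL "
          "security level (Ubuntu 20.04 defaults to SECLEVEL=2, i.e. RSA >= 2048 bits); "
          "regenerating the certificate with a larger key is the fix that keeps the "
          "system-wide level intact"),
    1040: ("SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE",
           "the remote peer sent a handshake_failure alert: it found no acceptable "
           "protocol version or cipher suite, or rejected our certificate; compare the "
           "transport's method= (tlsv1 means TLS 1.0 only) and ciphers with what the "
           "peer accepts, e.g. with 'openssl s_client -connect host:port'"),
}

# Minimum RSA/DSA/DH key size in bits accepted at each security level,
# from the SSL_CTX_set_security_level(3) man page (level 0 disables the check).
SECLEVEL_MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

LINE_RE = re.compile(
    r"err:\s*<(?P<code>\d+)>\s*<(?P<text>[^>]*)>.*?peer:\s*(?P<peer>\S+)"
)


def unpack_openssl_error(code):
    """Split an OpenSSL 1.1.x packed error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def rsa_key_ok(bits, seclevel):
    """True if an RSA key of `bits` bits passes the given OpenSSL security level."""
    return bits >= SECLEVEL_MIN_RSA_BITS[seclevel]


def decode_line(line):
    """Describe the OpenSSL error in one pjproject log line, or None if there is none."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    lib, func, reason = unpack_openssl_error(code)
    name, hint = REASON_HINTS.get(
        reason, ("unknown", "look the code up with 'openssl errstr %08X'" % code)
    )
    return {
        "code": code,
        "hex": "%08X" % code,        # the form 'openssl errstr' expects
        "lib": lib,
        "is_ssl_lib": lib == ERR_LIB_SSL,
        "func": func,
        "reason": reason,
        "reason_name": name,
        "openssl_text": m.group("text"),
        "peer": m.group("peer"),
        "hint": hint,
    }


def decode_log(lines):
    """Decode every line that carries an OpenSSL error code."""
    return [d for d in (decode_line(l) for l in lines) if d is not None]


if __name__ == "__main__":
    for d in decode_log(SAMPLE_LOG):
        print("0x%s lib=%d func=%d reason=%d %s peer=%s"
              % (d["hex"], d["lib"], d["func"], d["reason"], d["reason_name"], d["peer"]))
        print("    openssl text:", d["openssl_text"])
        print("    hint:", d["hint"])
    for lvl in (1, 2):
        print("SECLEVEL=%d accepts 1024-bit RSA: %s, 2048-bit RSA: %s"
              % (lvl, rsa_key_ok(1024, lvl), rsa_key_ok(2048, lvl)))
```

The first code decodes to library 20 (SSL), reason 399, which is the "ee key too small" text in the same line; the second decodes to reason 1040, a handshake_failure alert received from 212.58.160.196:5071, so that one was the peer's decision rather than a local policy check. The hex form is what `openssl errstr` accepts if you want OpenSSL's own wording for a code the table does not know.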