Trunk with SRTP fails!

Hey folks.

I'm not able to get the trunk UP with SRTP!!

Asterisk 13.2.0

And I have the SRTP module loaded.
ip-10-227-0-136*CLI> module show like srtp
Module                    Description                    Use Count  Status   Support Level
res_srtp.so               Secure RTP (SRTP)              0          Running  core
1 modules loaded
ip-10-227-0-136*CLI>

sip.conf

tlscipher=ALL
tlsclientmethod=tlsv1
tlsdontverifyserver=yes
realm=proxy.poweredbydice.net
tlscertfile=/etc/asterisk/keys/cert.pem
tlscafile=/etc/asterisk/keys/ca.pem
tlsdontverifyserver=yes
tlsenable=yes
tlsbindaddr=0.0.0.0
tlsclientmethod=tlsv1

trunk settings
[poweredbydice]
disallow=all
type=peer
insecure=invite,port
nat=force_rport
allow=opus
allow=speex
allow=ulaw
host=10.227.0.221
port=443
fromuser=123
fromdomain=proxy.isp.net
secret=123456789
qualify=no
dtmfmode=rfc2833
context=default
directmedia=nonat
sendrpid=yes
trustrpid=yes
srtpcapable=yes
transport=tls
encryption=yes

Cert file verification
[root@ip-10-227-0-136 keys]# openssl verify -verbose -x509_strict -CAfile ca.pem -CApath nosuchdir cert.pem
cert.pem: OK
As we see, verification of the cert against the CA went OK!!!

Here below are the permissions:
total 40
-rwxrwxr-x. 1 asterisk asterisk 167 Feb 13 2015 ca.cfg
-rwxrwxr-x 1 asterisk asterisk 1037 Jan 20 13:16 ca.crt
-rwxrwxr-x 1 asterisk asterisk 940 Jan 17 16:27 ca.key
-rwxrwxr-x 1 asterisk asterisk 1460 Jan 20 12:50 ca.pem
-rwxrwxr-x 1 asterisk asterisk 3164 Jan 20 12:50 cert.pem
-rwxrwxr-x. 1 asterisk asterisk 1249 Feb 13 2015 default.crt
-rwxrwxr-x. 1 asterisk asterisk 595 Feb 13 2015 default.csr
-rwxrwxr-x. 1 asterisk asterisk 887 Feb 13 2015 default.key
-rwxrwxr-x. 1 asterisk asterisk 2136 Feb 13 2015 default.pem
-rwxrwxr-x. 1 asterisk asterisk 138 Feb 13 2015 tmp.cfg
[root@ip-10-227-0-136 keys]# pwd
/etc/asterisk/keys
[root@ip-10-227-0-136 keys]#

And the error is always on the console, as below:

==============
ip-10-227-0-136*CLI>
[2017-01-20 14:09:38] NOTICE[7648]: chan_sip.c:15348 sip_reg_timeout: -- Registration for '00442030264100@10.227.0.221' timed out, trying again (Attempt #75)
ip-10-227-0-136*CLI> Enter PEM pass phrase:
== TLS/SSL ECDH initialized (secp256r1), faster PFS cipher-suites enabled
== TLS/SSL certificate ok
[2017-01-20 14:09:38] ERROR[8652]: tcptls.c:605 handle_tcptls_connection: Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[2017-01-20 14:09:38] WARNING[8652]: tcptls.c:674 handle_tcptls_connection: FILE * open failed!
ip-10-227-0-136*CLI> Enter PEM pass phrase:
[2017-01-20 14:09:58] NOTICE[7648]: chan_sip.c:15348 sip_reg_timeout: -- Registration for '00442030264100@10.227.0.221' timed out, trying again (Attempt #76)
== TLS/SSL ECDH initialized (secp256r1), faster PFS cipher-suites enabled
== TLS/SSL certificate ok
[2017-01-20 14:09:58] ERROR[8653]: tcptls.c:605 handle_tcptls_connection: Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[2017-01-20 14:09:58] WARNING[8653]: tcptls.c:674 handle_tcptls_connection: FILE * open failed!
ip-10-227-0-136*CLI>

One more thing: on the Linux console it always keeps asking me to enter the passphrase, as below:
[root@ip-10-227-0-136 keys]# Enter PEM pass phrase:
Enter PEM pass phrase:

Guys, what the hell is going on?

Thanks

You have encrypted your PEM file. Asterisk requires an unencrypted one. If it didn’t, it would require an unencrypted key, which is just as insecure.


What do you mean by "encrypted the PEM file"??

And how do I remove that encryption?

Thank you

That is an openssl question, not an Asterisk one. PEM files can contain secret keys (Asterisk will certainly need one). The standard tools for creating them are likely to require you to specify a passphrase, to encrypt the file. You will need to use those tools to decrypt the file.

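The two answers above say what is wrong (the private key in the PEM is passphrase-protected, so a daemon that starts unattended cannot load it) and point at openssl to fix it. The script below is an added example for this thread, not the poster's script and not Asterisk project code. It reproduces the situation offline with a constructed self-signed certificate whose key is encrypted with the throwaway passphrase "secret", shows how to tell an encrypted key from an unencrypted one, and writes the decrypted key back into a combined certificate-plus-key PEM, which is the layout the poster's config implies (only tlscertfile is set, and chan_sip then looks for the private key in that same file). The file names and the passphrase are assumptions for the demo.

```shell
#!/bin/sh
# Added example for this thread, not the poster's script or Asterisk project code.
# Assumptions: one combined PEM (certificate + private key) such as the poster's
# /etc/asterisk/keys/cert.pem, and a throwaway passphrase "secret" for the demo.
set -eu

# 0 if the PEM holds a passphrase-protected key: PKCS#8 wrapper ("ENCRYPTED
# PRIVATE KEY") or the legacy traditional-format "Proc-Type: 4,ENCRYPTED" header.
is_encrypted_pem() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# 0 if the key loads with no interactive prompt, which is what a daemon needs.
# A deliberately wrong -passin makes an encrypted key fail instead of blocking on
# "Enter PEM pass phrase:"; an unencrypted key ignores -passin and loads.
# stdin is /dev/null so nothing can ever wait on a terminal.
loads_without_passphrase() {
    openssl pkey -in "$1" -passin pass:deliberately-wrong -noout </dev/null 2>/dev/null
}

# Decrypt the key with its passphrase and rebuild the combined PEM with the
# certificate unchanged. Runs in a subshell so umask 077 does not leak out: an
# unencrypted key is only as safe as its file mode, so the output is owner-only
# from creation and never passes through a world-readable temp file.
strip_passphrase() {
    (
        umask 077
        openssl x509 -in "$1" -passin "pass:$2" -out "$3.crt"
        openssl pkey -in "$1" -passin "pass:$2" -out "$3.key" </dev/null
        cat "$3.crt" "$3.key" > "$3"
        rm -f "$3.crt" "$3.key"
        chmod 600 "$3"
    )
}

# Constructed input: a self-signed cert whose key is passphrase-protected, which
# reproduces the prompt and the failed TLS setup seen in the console log above.
make_demo_pem() {
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=asterisk.example" \
        -keyout "$1/enc.key" -out "$1/cert.crt" -passout "pass:$2" 2>/dev/null
    cat "$1/cert.crt" "$1/enc.key" > "$1/cert.pem"
}

demo() {
    dir=$(mktemp -d)
    make_demo_pem "$dir" secret
    if is_encrypted_pem "$dir/cert.pem"; then
        echo "cert.pem: key is encrypted, Asterisk would prompt for a passphrase"
    fi
    strip_passphrase "$dir/cert.pem" secret "$dir/cert-nopass.pem"
    if loads_without_passphrase "$dir/cert-nopass.pem"; then
        echo "cert-nopass.pem: loads without a prompt"
    fi
    ls -l "$dir/cert-nopass.pem"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh strip-passphrase.sh demo`; against a real deployment, call `strip_passphrase /etc/asterisk/keys/cert.pem '<passphrase>' /etc/asterisk/keys/cert-nopass.pem`, point tlscertfile at the new file, and `chown asterisk` it. The listing earlier in the thread shows every file in /etc/asterisk/keys, ca.key included, as mode 775, so the key material there is readable by every account on the box; once the passphrase is gone the file mode is the only thing protecting the key, which is why the script creates the output as 600 and why the rest of that directory deserves the same treatment.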

Man, you are an Asterisk wealth.

Thank you so much, it worked after removing the passphrase.

Cheers