webRTC connection using self-signed certificate generated using Asterisk

Hi,

Is it possible to realize a WebRTC connection using Asterisk’s self-signed certificate? I’ve tried to use this generated certificate in my setup, but I’ve encountered the following errors in Asterisk’s CLI:

ERROR[4278]: tcptls.c:695 handle_tcptls_connection: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
WARNING[4278]: tcptls.c:782 handle_tcptls_connection: FILE * open failed!

Setup: Asterisk 13.17.2 in an Ubuntu 20.04.2 VM, with the VM’s private IP address as the domain for the certificate.

Asterisk 13 is well past end of life.

Did you install the CA certificate in the browser machine?

“Self-signed certificate” is not technically correct. All root CAs are self-signed. The Asterisk certificate generation scripts create a private CA, which then signs the certificate for Asterisk, which is, therefore, not itself self-signed. The browser needs to trust the CA certificate, so that must be installed in its root CA store.

Hi @david551,

Yes, I’ve installed the CA certificate generated by Asterisk’s script in my Google Chrome and Firefox browsers. I’ll try to make a setup using a newer version of Asterisk and will come back with a response, a detailed description of the setup and the steps I took, in case of a similar error in establishing the SSL connection. Thanks in advance for your response.

Try accessing the SIPS port on the Asterisk box as HTTPS. You may have to override safeties on the browser, designed to stop you making HTTPS connections to ports associated with other services. I had to do that when checking a certificate, here, using Firefox. I can’t remember the Firefox option to disable them.
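The CA-versus-leaf distinction and the “open the SIPS/HTTPS port in a browser” check from the two replies above, as an added example that is not part of this thread and is not Asterisk’s own ast_tls_cert script: a POSIX shell script that builds the same two-tier layout with the openssl CLI (a self-signed private CA, a server certificate signed by it, and a combined asterisk.pem) and then checks it the way a browser will once ca.crt is in its root store. The scratch directory is whatever you pass in (not /etc/asterisk/keys), the minimal OpenSSL config and certificate names are constructed for the example, the 192.168.0.114 address is the one used elsewhere in this thread, and openssl 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example (not from the thread, not Asterisk's ast_tls_cert script).
# Builds a private CA plus a CA-signed server certificate with the openssl
# CLI and checks the properties a browser and Asterisk rely on.
# Assumes openssl 1.1.1+ on PATH; all paths and names are constructed.
set -eu

# make_keys DIR IP: write ca.crt, ca.key, asterisk.crt, asterisk.key and the
# combined asterisk.pem (key + cert) that tlscertfile/dtlscertfile expect.
make_keys() {
  dir=$1; ip=$2
  mkdir -p "$dir"
  # Minimal OpenSSL config so the result does not depend on the system openssl.cnf.
  cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
  # 1. The private CA: the only truly self-signed certificate in this layout.
  openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -days 365 -subj "/CN=Asterisk Private CA" >/dev/null 2>&1
  # 2. Server key + CSR. The IP must be a SAN; browsers do not match on the CN.
  openssl req -new -config "$dir/openssl.cnf" \
    -newkey rsa:2048 -nodes -keyout "$dir/asterisk.key" \
    -out "$dir/asterisk.csr" -subj "/CN=$ip" >/dev/null 2>&1
  # 3. Sign the CSR with the CA: the server cert is CA-signed, not self-signed.
  openssl x509 -req -in "$dir/asterisk.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/openssl.cnf" -extensions srv_ext \
    -out "$dir/asterisk.crt" >/dev/null 2>&1
  cat "$dir/asterisk.key" "$dir/asterisk.crt" > "$dir/asterisk.pem"
  chmod 600 "$dir/ca.key" "$dir/asterisk.key" "$dir/asterisk.pem"
}

# is_self_signed CERT: true when issuer equals subject.
is_self_signed() {
  iss=$(openssl x509 -in "$1" -noout -issuer)
  sub=$(openssl x509 -in "$1" -noout -subject)
  [ "${iss#issuer=}" = "${sub#subject=}" ]
}

# verify_chain CA CERT [IP]: true when CERT chains to CA and, if IP is given,
# is valid for that address. This is what the browser checks after ca.crt is
# imported into its root store.
verify_chain() {
  if [ "$#" -ge 3 ]; then
    openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# san_of CERT: print the subjectAltName value, e.g. "IP Address:192.168.0.114".
san_of() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# check_live HOST PORT CA: the "open the TLS port as HTTPS" advice without a
# browser. Not run here; needs a reachable Asterisk listening on HOST:PORT.
check_live() {
  echo | openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error 2>/dev/null \
    | grep -E 'Verify return code|subject=|issuer='
}

# Demo when run as a script:  sh thisfile.sh /tmp/astkeys 192.168.0.114
if [ "$#" -eq 2 ]; then
  make_keys "$1" "$2"
  is_self_signed "$1/ca.crt" && echo "ca.crt is self-signed (expected for a root)"
  is_self_signed "$1/asterisk.crt" || echo "asterisk.crt is CA-signed, not self-signed"
  verify_chain "$1/ca.crt" "$1/asterisk.crt" "$2" && echo "chain OK for $2"
  echo "SAN: $(san_of "$1/asterisk.crt")"
fi
```

`check_live 192.168.0.114 8089 ca.crt` is the command-line form of the browser check above, pointed at the port Asterisk’s http.conf binds for TLS; a non-zero verify return code there means the served certificate or the imported CA is not what you think it is. Note that this trust chain only matters for the browser’s wss:// signalling leg: with `dtls_verify=fingerprint` the DTLS media leg is pinned to the `a=fingerprint` in the SDP, not to the CA.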

Hi @david551,

Thank you for the advice. With this, I found that the problem was related to the transport over WebSockets not being set in my SIP definition. But this only solves the problem for calls from a software SIP phone with a SIP extension to the WebRTC sipml5 client in the Google Chrome browser. In the other case, the call is not possible and I receive errors in the CLI like:

ERROR[21027][C-00000005]: netsock2.c:303 ast_sockaddr_resolve: getaddrinfo("df7jal23ls0d.invalid", "(null)", ...): Temporary failure in name resolution
WARNING[20940]: chan_sip.c:4151 retrans_pkt: Retransmission timeout reached on transmission 41f4ebba333ced98194d6f520ca3fee8@192.168.0.114:5060 for seqno 102 (Critical Request) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions

    -- SIP/3000-00000007 requested media update control 26, passing it to SIP/1000-00000006
  == Spawn extension (internal, 3000, 1) exited non-zero on 'SIP/1000-00000006'

My setup is as follows:

sip.conf

[general]
context=default    ; Default context for incoming calls
disallow=all       ; First disallow all codecs
allow=ulaw
allow=alaw         ; Allow codecs in order of preference
allow=gsm
allow=ilbc
allow=h264
allow=h263
realm=192.168.0.114
udpbindaddr=192.168.0.114
bindaddr=192.168.0.114
transport=tcp,udp,ws,wss

[1000]
type=friend
host=dynamic
secret=1234
context=internal
dtmfmode=rfc2833
nat=yes
canreinvite=no
videosupport=yes
allow=h264
allow=h263
[1001]
type=friend
host=dynamic
secret=1234
context=internal
dtmfmode=rfc2833
nat=yes
canreinvite=no
videosupport=yes
allow=h264
allow=h263

[3000]
host=dynamic
secret=3000
context=default
type=friend
encryption=yes
avpf=yes
force_avp=yes
icesupport=yes
directmedia=no
transport=tcp,udp,ws,wss
disallow=all
allow=opus
allow=ulaw
dtlsenable=yes
dtlsverify=fingerprint
dtlscertfile=/etc/asterisk/keys/asterisk.pem
dtlscafile=/etc/asterisk/keys/ca.crt
dtlssetup=actpass
rtcp_mux=yes

iax.conf

[general]
disallow=all
allow=ulaw
allow=alaw
allow=gsm
allow=ilbc

[2000]
type=friend
host=dynamic
secret=1234
context=internal
qualify=yes
dtmfmode=rfc2833

extensions.conf

[general]
static=yes
writeprotect=n
[internal]

exten => 611,1, Answer()
   same => 2, Playback(demo-echotest)
   same => 3, Echo()
   same => 4, Playback(demo-echodone)
   same => 5, Hangup()

exten => 1000,1,Dial(SIP/1000,20)
exten => 1001,1,Dial(SIP/1001,20)
exten => 3000,1,Dial(SIP/3000,20)

exten => 2000,1,Dial(IAX2/2000,20)

http.conf

[general]
enabled=yes
bindaddr=0.0.0.0
bindport=8088
tlsenable=yes
tlsbindaddr=0.0.0.0:8089
tlscertfile=/etc/asterisk/keys/asterisk.pem

pjsip.conf

[transport-wss]
type=transport
protocol=wss
bind=0.0.0.0

[3000]
type=aor
max_contacts=1
remove_existing=yes
  
[3000]
type=auth
auth_type=userpass
username=3000
password=3000 ; This is a completely insecure password!  Do NOT expose this
                       ; system to the Internet without utilizing a better password.
 
[3000]
type=endpoint
aors=3000
auth=3000
; Setting webrtc=yes is a shortcut for setting the following options:
use_avpf=yes
media_encryption=dtls
dtls_ca_file=/etc/asterisk/keys/ca.crt
dtls_cert_file=/etc/asterisk/keys/asterisk.pem
dtls_verify=fingerprint
dtls_setup=actpass
ice_support=yes
media_use_received_transport=yes
rtcp_mux=yes
context=default
disallow=all
allow=opus
allow=ulaw

rtp.conf

[general]
rtpstart=10000
rtpend=20000
icesupport=true
stunaddr=stun.l.google.com:19302

The sipml5 client setup on the advanced settings part:


Also, I should mention that after trying to call number 1000, for example, the sipml5 client is disconnected automatically. I think the problem is with the setup on the sipml5 client. Thanks in advance for the response.

You’re likely to find the setup is easier in newer versions of Asterisk with chan_pjsip instead of chan_sip. Ubuntu 20 provides Asterisk 16 packages out-of-the-box and Asterisk 20 compiles fine on Ubuntu 20.

Also worth a try is side-stepping a lot of the cert issue and instead using public DNS entries with Let’s Encrypt.


Hi @penguinpbx,

Thank you for the suggestion. Now I’m using Asterisk 16 with the SIP channel for the WebRTC connection. I will try to make a setup with the newly launched PJSIP channel in the future, with the newest Asterisk version. I will also try to migrate to a public domain for my Asterisk PBX.
