Wildix Phones -- TLS/SSL Error

SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <67702888> len: 0 peer: 10.2.0.178:3907
[Oct 16 10:40:08] WARNING[9190]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 1 err: <337096827> len: 0 peer: 10.2.0.178:3907

Using either tlsv1_2 or sslv23, this error shows for only some of the more “complex” Wildix phones when trying to register.

PJSIP config:
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0
cert_file=/etc/asterisk/cert/STAR_org.crt
priv_key_file=/etc/asterisk/cert/STAR_org.key
ca_list_file=/etc/asterisk/cert/My_CA_Bundle.ca-bundle
cipher=TLS_AES_256_GCM_SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, DHE-DSS-AES256-GCM-SHA384, DHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-CCM8, ECDHE-ECDSA-AES256-CCM, DHE-RSA-AES256-CCM8, DHE-RSA-AES256-CCM, ADH-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-SHA384, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA256, DHE-DSS-AES256-SHA256, DHE-DSS-CAMELLIA256-SHA256, ADH-AES256-SHA256, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, DHE-RSA-CAMELLIA256-SHA, DHE-DSS-CAMELLIA256-SHA, AECDH-AES256-SHA, ADH-AES256-SHA, ADH-CAMELLIA256-SHA, ECDHE-ECDSA-AES128-SHA, ECDHE-RSA-AES128-SHA, DHE-RSA-AES128-SHA, DHE-RSA-SEED-SHA, AECDH-AES128-SHA, ADH-AES128-SHA, ADH-SEED-SHA, RSA-PSK-AES256-GCM-SHA384, DHE-PSK-AES256-GCM-SHA384, DHE-PSK-CHACHA20-POLY1305, DHE-PSK-AES256-CCM8, DHE-PSK-AES256-CCM, AES256-GCM-SHA384, AES256-CCM8, AES256-CCM
method=sslv23
require_client_cert=no
verify_client=no
verify_server=no

I have tried all sorts of stuff but can’t seem to find the root cause of this error.

OpenSSL evaluation:
Server certificate
subject=CN =

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA


Acceptable client certificate CA names
C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 6696 bytes and written 437 bytes
Verification: OK

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)


Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 782CD9F2DA3701B99133A888A2FE991A9753DCE18ACF5ED426F2EE4A7CB74D5D
Session-ID-ctx:
Resumption PSK: B21F648BB9AB49314F0EF0C3D228AA9238D7D290A1332A958F2C76F0BA6A901B000CEDB02C92564C1BB000BCD60BD1A5
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - f4 6b 60 83 a7 f5 ee cb-53 09 12 55 13 32 9c 27 .k`…S…U.2.’
0010 - ce b0 87 95 fb 24 a1 46-a4 0a 0d 5c b7 31 f7 e1 …$.F….1…

Start Time: 1697470944
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

read R BLOCK

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: C89E7A5862461DB391FAABC3CB3E430196A9A316E843D04FE3E1FA36EAA1F032
Session-ID-ctx:
Resumption PSK: 045D852F616B9F81DEADA072099DAD23C3F3F7A90E07B5B71E25CC1BDE01D34D672404E0B1BE6FFB2854272B504D162C
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - d3 ad 92 32 4d 2d 11 ed-3b 5d 67 dd 35 e6 88 2b …2M-…;]g.5…+
0010 - 4d 88 4e 31 60 79 d2 4b-24 c7 a6 02 a8 9f 6a 8a M.N1`y.K$…j.

Start Time: 1697470944
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

read R BLOCK

closed

Seems everything is in order but seeing those errors from only certain phones.

Maybe try to shorten the cipher list?
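The `err: <...>` values in the pjproject log lines at the top of the thread are OpenSSL error codes printed in decimal. The following is an added example, not code from the thread or from Asterisk, that extracts them and splits each into its library, function and reason fields; it assumes the OpenSSL 1.0.x/1.1.x packing (8-bit library, 12-bit function, 12-bit reason), and `LIB_NAMES`, `unpack` and `decode_log` are names chosen here.

```python
import re

# The two pjproject log lines quoted in the first post.
SAMPLE_LOG = """\
SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <67702888> len: 0 peer: 10.2.0.178:3907
[Oct 16 10:40:08] WARNING[9190]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 1 err: <337096827> len: 0 peer: 10.2.0.178:3907
"""

ERR_RE = re.compile(r"Level: (\d+) err: <(\d+)> len: \d+ peer: (\S+)")

# Library numbers as defined in OpenSSL's err.h (only the two seen here).
LIB_NAMES = {4: "ERR_LIB_RSA", 20: "ERR_LIB_SSL"}


def unpack(code):
    """Split a packed error code.

    Assumption: OpenSSL 1.0.x/1.1.x layout, lib(8) | func(12) | reason(12).
    OpenSSL 3.x packs codes differently and has no function field.
    """
    return {
        "hex": f"{code:08X}",          # form expected by `openssl errstr`
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
    }


def decode_log(text):
    """Return one decoded entry per pjproject SSL error line in `text`."""
    entries = []
    for m in ERR_RE.finditer(text):
        entry = unpack(int(m.group(2)))
        entry["level"] = int(m.group(1))
        entry["peer"] = m.group(3)
        entry["lib_name"] = LIB_NAMES.get(entry["lib"], "unknown")
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in decode_log(SAMPLE_LOG):
        print(f"level {e['level']} peer {e['peer']}: "
              f"lib={e['lib']} ({e['lib_name']}) func={e['func']} "
              f"reason={e['reason']} -> openssl errstr {e['hex']}")
```

Passing each hex value to `openssl errstr` on the Asterisk host, so that the OpenSSL version matches the one pjproject is linked against, prints the symbolic function and reason text for the failure.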
