I am running Asterisk v16 and FreePBX v14 with a public static IP address.
I have set up a PJSIP extension to operate with SIP TLS and a self-signed certificate which I generated on my FreePBX server.
I have tested OpenSSL by connecting to the server as follows:
openssl s_client -showcerts -connect xxx.xxx.com:5066 (yes, TLS is running on port 5066)
CONNECTED(00000003)
depth=0 CN = xxx.xxx.com, O = xxx
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = xxx.xxx.com, O = xxx
verify return:1
---
Certificate chain
0 s:/CN=xxx.xxx.com/O=xxx
i:/CN=xxx.xxx.com/O=xxx
---
Server certificate
subject=/CN=xxx.xxx.com/O=xxx
issuer=/CN=xxx.xxx.com/O=xxx
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1411 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: A09A31CC6B1BB5157BA6C1D79CA0B566EA1D08CD6B4DD42C1CA85DF97E4ED9C3
Session-ID-ctx:
Master-Key: 1A91BF900C526132895D0511A99A0F23BE663A6032D7EA193886C7ED62018092 2785344CCDA58A2F6ABDED6E0D61DEEF
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1542556245
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
So it connects and everything looks OK on the server side (although it does not seem to like that the certificate is self-signed).
Then I went into the phone (Yealink T54S), set the account settings according to the server and port listed above, and set the transport to TLS.
Then I went to Security and Trusted Certificates – uploaded the .pem file from the server – disabled "only accept trusted certificates" – confirmed and rebooted, and I am unable to get the phone to register the extension with Asterisk.
I have also tried connecting the same extension using UDP and that works fine.
There is some issue getting the SSL certificates to negotiate a connection – I have been working on this for a few days and really need to get this working, as we cannot roll out this server until we can secure calls between remote phones and the server.
Since you mentioned it – I decided to delete all the keys I had previously created in the /etc/asterisk/keys folder and start again with the above instructions, hoping that would resolve the issue.
So I went through the steps – created the certs again – imported the new certs into FreePBX via Certificate Management – and then went to PJSIP Settings and chose the newly imported cert for TLS/SSL/SRTP.
Then I went back to the phone, imported the .pem file and tried to connect again.
Still no dice.
Also, the error I get from SSL is slightly different than the last time around.
Thank you very much for helping me with this – I have been working on this for the last few days and really appreciate you taking time out to help me work this out!
openssl s_client -showcerts -connect xxx.xxx.com:5066
CONNECTED(00000003)
depth=0 CN = xxx.xxx.com, O = xxx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = xxx.xxx.com, O = xxx
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=xxx.xxx.com/O=xxx
i:/CN=Asterisk Private CA/O=xxx
---
Server certificate
subject=/CN=xxx.xxx.com/O=xxx
issuer=/CN=Asterisk Private CA/O=xxx
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1408 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 0FF1B58FCF134C88700E6EBE0DD031153C64563771DF624871C35F5602914F86
Session-ID-ctx:
Master-Key: 07410F0E28A4CAB4EB9FEC6C4C773262AC4B238A87F53DC32762782E6FA8ADFCE21BC1207E68C078EFF18646DFF500F0
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1542564436
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
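The two transcripts differ in the one line that matters: the first server certificate is self-signed (verify code 18, subject equals issuer), while the second is issued by "Asterisk Private CA" (code 21), so a client that validates the chain now needs that CA's certificate in its trusted list rather than the server's own .pem. The helper below is an added example, not something posted in the thread; the `/etc/asterisk/keys/ca.crt` path is an assumption.

```shell
#!/bin/sh
# Added helper (not from the thread): classify a saved `openssl s_client` transcript
# by its final "Verify return code" and say which certificate a client must trust
# before the handshake will verify. Capture a live transcript first, e.g.:
#   openssl s_client -showcerts -connect xxx.xxx.com:5066 </dev/null > sclient.txt
# With the CA that issued the leaf passed as -CAfile (path is an assumption),
#   openssl s_client -connect xxx.xxx.com:5066 -CAfile /etc/asterisk/keys/ca.crt </dev/null
# should end in "Verify return code: 0 (ok)".
classify_verify() {
  code=$(sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' "$1" | tail -n 1)
  subject=$(sed -n 's/^subject=//p' "$1" | tail -n 1)
  issuer=$(sed -n 's/^issuer=//p' "$1" | tail -n 1)
  case "$code" in
    0)     echo "ok: chain verifies; subject=$subject" ;;
    18)    echo "self-signed: trust the server certificate itself; subject=$subject" ;;
    20|21) echo "untrusted issuer: trust the issuing CA certificate, not the leaf; issuer=$issuer" ;;
    "")    echo "no verify result: the handshake did not complete" ;;
    *)     echo "verify code $code: look it up in the openssl verify(1) man page" ;;
  esac
}

# Constructed excerpts of the two transcripts posted above (PEM and ticket dumps omitted).
cat > /tmp/sclient_first.txt <<'EOF'
depth=0 CN = xxx.xxx.com, O = xxx
verify error:num=18:self signed certificate
subject=/CN=xxx.xxx.com/O=xxx
issuer=/CN=xxx.xxx.com/O=xxx
Verify return code: 18 (self signed certificate)
EOF
cat > /tmp/sclient_second.txt <<'EOF'
depth=0 CN = xxx.xxx.com, O = xxx
verify error:num=21:unable to verify the first certificate
subject=/CN=xxx.xxx.com/O=xxx
issuer=/CN=Asterisk Private CA/O=xxx
Verify return code: 21 (unable to verify the first certificate)
EOF

classify_verify /tmp/sclient_first.txt
classify_verify /tmp/sclient_second.txt
```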
The status of the certificate means nothing if the device is not even sending the requests to the PBX. You have the proper IP and port in the phone’s “host/proxy” settings?
Well, that’s part of your problem. TLS and UDP cannot share the same port in PJSIP. Really, not even Chan_SIP. With PJSIP you need to have a port for UDP, TCP and TLS if you’re going to use any or all of them.
Change your UDP or TLS transport port, then try again.
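To see whether two PJSIP transports really share a port, this added check (not from the thread) parses pjsip.conf-style transport sections and reports every bind port claimed by more than one transport; the FreePBX file path in the comment is an assumption, and the sample config is constructed to mirror the thread.

```shell
#!/bin/sh
# Added check (not from the thread): report PJSIP transports whose bind ports
# collide, so UDP, TCP and TLS each get their own port as the reply recommends.
# Input is pjsip.conf syntax; on FreePBX the generated transports live in
# /etc/asterisk/pjsip.transports.conf (path from memory, treat as an assumption).
find_port_clashes() {
  awk -F'=' '
    /^\[/ { sect = $0; sub(/^\[/, "", sect); sub(/\].*$/, "", sect); order[++n] = sect; next }
    /^[ \t]*;/ || NF < 2 { next }                      # comments and blank lines
    { key = $1; val = $2; gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val) }
    key == "type"     { type[sect] = val }
    key == "protocol" { proto[sect] = val }
    key == "bind"     { k = split(val, a, ":"); port[sect] = a[k] }   # host:port or [v6]:port
    END {
      for (i = 1; i <= n; i++) {
        s = order[i]
        if (type[s] != "transport" || !(s in port)) continue
        p = port[s]
        if (p in first)
          printf "port %s used by %s (%s) and %s (%s)\n", p, first[p], proto[first[p]], s, proto[s]
        else
          first[p] = s
      }
    }' "$1"
}

# Constructed config mirroring the thread: UDP and TLS both bound to 5066.
cat > /tmp/pjsip_clash.conf <<'EOF'
[0.0.0.0-udp]
type=transport
protocol=udp
bind=0.0.0.0:5066

[0.0.0.0-tls]
type=transport
protocol=tls
bind=0.0.0.0:5066

[1001]
type=endpoint
transport=0.0.0.0-tls
EOF
# Same config after moving the UDP transport (first bind line) to its own port.
awk '!d && /^bind=/ { sub(/5066/, "5060"); d = 1 } 1' /tmp/pjsip_clash.conf > /tmp/pjsip_fixed.conf

find_port_clashes /tmp/pjsip_clash.conf   # reports the 5066 clash
find_port_clashes /tmp/pjsip_fixed.conf   # prints nothing
```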
The public IP address of the machine is x.x.164.187.
The local network is x.x.164.0/24.
The machine is hosted on a Linode VM with direct public access – no firewalls or NAT.
The phone / endpoint is remote to the machine – in another location – and is connecting over the public internet to the hosted Asterisk VM, thus the reason for wanting to use TLS and SRTP.
Don’t give the entire public subnet at Linode access to the machine.
You don’t have local networks; the PBX is in the cloud and has a public IP already. Remove those, as they will mess with how the PBX treats requests with those IPs in them.
Just pay the $9 or whatever and get a real public CA cert from Comodo or some place and stop messing around with wondering if your cert is being handled properly.
This is for a business and TLS certs are rather cheap for a year, might as well just do it right.
Good point; should do something more along the lines of a tcpdump to make sure the requests are getting in.
However, I stand by my suggestion that this should just have a standard TLS cert on it. Self-signed really don’t “save” anymore as the cost of certs is low or in some cases free.