Asterisk pjsip sip tls

hardocp · November 18, 2018, 4:22pm

I am running Asterisk v16 and Freepbx v14 with a public static ip address

I have setup a PJSIP extension to operate with SIP TLS and a self signed certificate which i generated on my freepbx server.

I have test openssl by conencting to the server as follows:

 openssl s_client -showcerts -connect xxx.xxx.com:5066 (yes TLS is running on port 5066)
CONNECTED(00000003)
depth=0 CN = xxx.xxx.com, O = xxx
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = xxx.xxx.com, O = xxx
verify return:1
---
Certificate chain
 0 s:/CN=xxx.xxx.com/O=xxx
   i:/CN=xxx.xxx.com/O=xxx
-----BEGIN CERTIFICATE-----
MIIDXDCCAUQCAQEwDQYJKoZIhvcNAQELBQAwNjEfMB0GA1UEAwwWdGVzdHBieC50
b3Bvcm92c2t5LmNvbTETMBEGA1UECgwKVG9wb3JvdnNreTAeFw0xODExMTgxNDU5
MjFaFw0yODExMTUxNDU5MjFaMDYxHzAdBgNVBAMMFnRlc3RwYngudG9wb3JvdnNr
eS5jb20xEzARBgNVBAoMClRvcG9yb3Zza3kwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBALbUdvkldmnEWQngOjydILCgsJ9RIsGvUBii15vqs/GjCMUCLmuvgK+S
Bx7OFsE5PxLzxlJvlSQ35k686mUAMH3cXNmM6E7JUHKReV7f/uqAG0dxuwItuts0
4PexPmDMd/X4n+4bVPBMLNI569A4u155ARH3q+Sv4vrWPE16Rj0hAgMBAAEwDQYJ
KoZIhvcNAQELBQADggIBAD3f0dx2h8DWFEm3dMwGQLazNa661QcJ+sGtXafyHHZF
VX+fPO8dXpyYiJEfNetpaYSsjwjRBhkXGAh2LRrrh5lBpJQBJ1hbhtdhzL0qf1bL
Z6xkyewjfha9SfgDUwE81KWJ0d+t9Scyh8qymwgEAocJf0yshENrxSp4xmTP8Mlo
WB0HmN/tWjCow19x0Qm3zVA8zCuvO5y/QkzA+7Skef0FlAP/e8HKCY4dHglVOwPq
L3NlferXrXk4hOHZdlm40oGycNaFRVHTUvoHzYYGD6JVgcrMIiJ6jSlq9E7F2Zoz
iwcWUnX1C30rWKU9XM3K7xYzwzttUzY+3zexUasle8wdkXvzHExC7m8cOJyB3cvf
++x9/g/bAKpQ1UsIUNnqCrxL6LVReT6ZYNGkXPdUfiiQ3ELH00NuQGakKXOkoRCM
rZN44ncp1OdTcf89/yeRqoW2AWtkTlyaKQP/Q+ua0/BmCKNRkOYeNWjfWw3b1JX0
U2nn6Vzj5DstHqfoZ3GGYtTGHBajiUI4eOkVdvz1hQ5o0FZhv7vRM43Y/9rGbned
eS9cr5IqAgbVeMvC2T8mzFUyVyOhvzxFU1PasVUSDBedio/xxXOFgO6Gesmijp7R
iAKquIvN1Mu60WdnI0HnCwDBhbBqYHeq0fEfo6DVdzhjwwY6TJifvmYWK1KNbMa/
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=xxx.xxx.com/O=xxx
issuer=/CN=xxx.xxx.com/O=xxx
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1411 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: A09A31CC6B1BB5157BA6C1D79CA0B566EA1D08CD6B4DD42C1CA85DF97E4ED9C3
    Session-ID-ctx:
    Master-Key: 1A91BF900C526132895D0511A99A0F23BE663A6032D7EA193886C7ED62018092                                                                                                                                                             2785344CCDA58A2F6ABDED6E0D61DEEF
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - f5 88 ac ee bf 6e 6d a3-30 68 19 a7 1d 51 ea 12   .....nm.0h...Q..
    0010 - 7b b1 7d 0f 0a f1 22 34-29 49 97 27 10 09 b9 46   {.}..."4)I.'...F
    0020 - 70 c9 04 59 2b 1f f6 f3-51 23 62 3d 7e a4 ff 32   p..Y+...Q#b=~..2
    0030 - 0b 36 3c 85 ae f0 66 2f-7b 95 b3 2c 94 71 b4 4b   .6<...f/{..,.q.K
    0040 - 14 ae 76 5f 97 01 9a 62-0b a1 87 75 d8 f5 6c 5e   ..v_...b...u..l^
    0050 - 4e f6 71 c1 5c 85 8c ae-e4 4a 83 27 fc de dd 09   N.q.\....J.'....
    0060 - 18 85 1b f5 fb ef 47 7b-c6 0f fe bc 92 ff 0a 24   ......G{.......$
    0070 - 01 43 dc cb ca 7a 1b 3d-75 d7 12 b4 16 48 ec f6   .C...z.=u....H..
    0080 - a6 f0 0f f2 d6 a6 f9 9c-be 86 91 47 1f 16 03 f2   ...........G....
    0090 - 4d ee 6d d8 ad 79 9e 5a-ba bd d7 50 d7 1b ae dc   M.m..y.Z...P....

    Start Time: 1542556245
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

So it connects and everything looks ok on the server side (although i does not seem to like that the certificate is self signed)

Then i went into the phone (Yealink T54S) and set the account setting according to the server and port listed above and set the transport to TLS

Then i went to security and trusted certificates – uploaded the .pem file from the server – disabled only accepted trusted certificates – confirm and reboot and i am unable to get the phone to register the extension with asterisk

i have also tried connecting the same extension using UDP and that works fine

there is some issue getting the SSL certificates to negotiate a connection – i have been working on this for a few days and really need to get this working as we can not roll out this server until we can secure calls between remote phones and the server

Can you please help me?

BlazeStudios · November 18, 2018, 4:32pm

You need to show a REGISTER attempt that fails over TLS.

asterisk -rvvvv
pjsip set logger on

Make the phone try to register and past the output here from the Asterisk console.

hardocp · November 18, 2018, 5:30pm

rebooted the phone so that it would try and register – did not see any logs in the cli for that pjsip endpoint

no failures – no messages – nothing

only thing i get is on the phone it says register fail

tm1000 · November 18, 2018, 5:31pm

This is a self signed certificate.

hardocp · November 18, 2018, 6:19pm

Roger that –

I used these instructions to create the certificate

https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial

Since you mentioned it – i decided to delete all the keys i had previously created in the /etc/asterisk/keys folder and start again with the above instructions hoping that would resolve the issue?

So i went through the steps – created the certs again – imported the new certs into freepbx via certificate management – and then went to PJSIP Settings and chose the newly imported cert for tls/ssl/srtp

then i went back to the phone and imported the .pem file and tried to connect again

still no dice

also the error i get from ssl is slightly different than the last time around

thank you very much for helping me with this – i have been working on this for the last few days and really appreciate you taking time out to help me work this out!

 openssl s_client -showcerts -connect xxx.xxx.com:5066
CONNECTED(00000003)
depth=0 CN = xxx.xxx.com, O = xxx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = xxx.xxx.com, O = xxx
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=xxx.xxx.com/O=xxx
   i:/CN=Asterisk Private CA/O=xxx
-----BEGIN CERTIFICATE-----
MIIDWTCCAUECAQEwDQYJKoZIhvcNAQELBQAwMzEcMBoGA1UEAwwTQXN0ZXJpc2sg
UHJpdmF0ZSBDQTETMBEGA1UECgwKVG9wb3JvdnNreTAeFw0xODExMTgxODAyNDha
Fw0xOTExMTgxODAyNDhaMDYxHzAdBgNVBAMMFnRlc3RwYngudG9wb3JvdnNreS5j
b20xEzARBgNVBAoMClRvcG9yb3Zza3kwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBAKeC1WsbFBDNoAPjerxZg7YCyCfTvcZtNtH4kgIhYt5bkIqQ0dm+TRus12ZD
4nXCaLOm7o9Gedg7gXW7G2CWWiViodJPNSLpKpGBJeqSPlLAHguUVjiZpZMIYSx4
gpIUbc6Gy/PWhmo+kpincDVuABQr2kMK9z3HDPAvL1PpwcH9AgMBAAEwDQYJKoZI
hvcNAQELBQADggIBAAndfCyLnp/kaJIK4UBohxxM/xDawVf6BVpm+Jx+yXN63b7Y
vTZcTOYuYHuo+7ud+PRrdS4PpL6/O7G5xFylI0AqjfQ6TkQ7fuPa0XlIuNmV1JxV
+9Hd5tf50gm2R+TTMENXXjTZSsHXFRRm4mvJO4rVZHRWJmJGo+srWOk5MYasdKrT
c7Qu+64wlDdjGBMQbyemVXa6qsmHrruEXzdiFk/6IZKznmKS7fampQ8CWZn4PEzA
F/SkQDUSH9dxyXE6jdCVA43GY3ToWz6Hk/jxd7CX0BQ3z6/8Tfb6Xqd+rMuMz1E/
HxepKvGxCvmMvoCzQPsyiTwT3sWzb9KhiENmGyDMivu8E1qhxYIls+wvEaxYhoR1
nCXrIHDHzaPG4Xo34TAfsa4ZZJJak2wLqNVZSKVWXAOPk6sgKhs1mWNxJEEn5Ojz
I9AtYqqGFBQTCZZRnc98fqVtZjVDStQpxAHbnWX1gPZlxmWoYXS+eM6052ll+/9p
0V7wZcIFCmIhjCjD4h8CcYw4N9O7Mil5UmOaHWHsr9L+VqL756Hr+TJaVwHYw+IC
do0ZTXS4UK4w9JBV7x4422OjJldt8rnnloyR28wJW+8vozg2uL7KE0D4QZHctGhk
hHz6bsCan+EkNMuQss97hG6aytgZZbE2i3rK3B4dHcJcRtnUYguHN9E2E3C6
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=xxx.xxx.com/O=xxx
issuer=/CN=Asterisk Private CA/O=xxx
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1408 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 0FF1B58FCF134C88700E6EBE0DD031153C64563771DF624871C35F5602914F86
    Session-ID-ctx:
    Master-Key: 07410F0E28A4CAB4EB9FEC6C4C773262AC4B238A87F53DC32762782E6FA8ADFCE21BC1207E68C078EFF18646DFF500F0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 84 80 98 a5 03 13 74 1f-96 0a ea b6 b2 95 2d 57   ......t.......-W
    0010 - d4 1d 64 3b ff 4d 07 73-3d 88 f7 40 68 2b 74 b6   ..d;.M.s=..@h+t.
    0020 - 47 ae b3 13 10 49 39 c0-ac 07 76 80 a9 59 5d 62   G....I9...v..Y]b
    0030 - b0 19 89 b1 4c ad c5 fd-7e 85 60 06 1c 58 cb 35   ....L...~.`..X.5
    0040 - 8a 10 17 83 0f 03 7a 53-38 0b a3 2f 29 d1 f2 76   ......zS8../)..v
    0050 - 53 ea 91 88 c2 75 46 03-28 eb 08 c6 98 85 64 97   S....uF.(.....d.
    0060 - 46 42 85 15 e1 02 d6 37-91 f8 74 11 c4 38 f2 8d   FB.....7..t..8..
    0070 - eb ac 32 ea 5b 17 c1 eb-e2 23 ca 33 36 cd f1 16   ..2.[....#.36...
    0080 - e4 86 2a 05 58 63 c1 37-5b e9 02 c4 98 ab b8 5e   ..*.Xc.7[......^
    0090 - 14 03 3e 18 af 2e 1c 0f-1c dc 25 40 a2 68 1a e7   ..>.......%@.h..

    Start Time: 1542564436
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

BlazeStudios · November 18, 2018, 6:35pm

The status of the certificate means nothing if the device is not even sending the requests to the PBX. You have the proper IP and port in the phone’s “host/proxy” settings?

hardocp · November 18, 2018, 6:41pm

yes

if i switch the port to 5065 and the transport to UDP the phone connects fine

It just when i use 5066 and TLS that i have no connection

BlazeStudios · November 18, 2018, 6:49pm

Well that’s part of your problem. TLS and UDP cannot share the same port in PJSIP. Really, not even Chan_SIP. With PJSIP you need to have a port for UDP, TCP and TLS if you’re going to use any or all of them.

Change your UDP or TLS transport port, then try again.

hardocp · November 18, 2018, 6:51pm

Im not sure i follow you – they are on different ports

UDP is on 5065

TLS is on 5066

BlazeStudios · November 18, 2018, 7:06pm

That’s on me. I didn’t catch that. So if you swap them, do you still have the same issue or is the UDP traffic not showing up on 5066…

hardocp · November 18, 2018, 7:19pm

I swapped the ports – UDP is now on 5066 TLS on 5065

UDP connect on 5066 fine – TLS still no dice on 5065

BlazeStudios · November 18, 2018, 7:23pm

SSH in to the PBX and go to /etc/asterisk and get the relative pjsip conf files liie transport etc for this setup.

Lets see how it is really configured.

hardocp · November 18, 2018, 7:32pm

#include pjsip.endpoint_custom.conf

[101]
type=endpoint
aors=101
auth=101-auth
tos_audio=ef
tos_video=af41
cos_audio=5
cos_video=4
allow=ulaw,alaw,gsm,g726,g722
context=from-internal
callerid=Test <101>
dtmf_mode=auto
mailboxes=101@device
mwi_subscribe_replaces_unsolicited=yes
transport=0.0.0.0-tls
aggregate_mwi=yes
use_avpf=no
rtcp_mux=no
bundle=no
ice_support=no
media_use_received_transport=no
trust_id_inbound=yes
media_encryption=sdes
timers=yes
media_encryption_optimistic=no
send_pai=yes
rtp_symmetric=yes
rewrite_contact=yes
force_rport=yes
language=en
one_touch_recording=on
record_on_feature=apprecord
record_off_feature=apprecord

#include pjsip.transports_custom.conf

[0.0.0.0-udp]
type=transport
protocol=udp
bind=0.0.0.0:5066
external_media_address=x.x.x.187
external_signaling_address=x.x.x.187
allow_reload=yes
tos=cs3
cos=3
local_net=x.x.x.0/24
local_net=172.27.224.0/21
local_net=172.27.232.0/21
local_net=192.168.128.0/17

[0.0.0.0-tls]
type=transport
protocol=tls
bind=0.0.0.0:5065
external_media_address=x.x.x.187
external_signaling_address=x.x.x.187
ca_list_file=/etc/pki/tls/certs/ca-bundle.crt
cert_file=/etc/asterisk/keys/asterisk.pem
priv_key_file=/etc/asterisk/keys/asterisk.key
method=default
verify_client=yes
verify_server=yes
allow_reload=yes
tos=cs3
cos=3
local_net=x.x.x.0/24
local_net=172.27.224.0/21
local_net=172.27.232.0/21
local_net=192.168.128.0/17

BlazeStudios · November 18, 2018, 7:49pm

What is this? A public subnet? And are you trying to connect locally or remotely to the PBX?

hardocp · November 18, 2018, 7:55pm

The public ip address of the machine is x.x.164.187

The local network is x.x.164.0/24

The machine is hosted on a linode vm with direct public access – no firewalls or NAT

The phone / endpoint is remote to the machine – in another location and is connecting over the public internet to the hosted asterisk vm – thus the reason for wanting to use TLS and SRTP –

BlazeStudios · November 18, 2018, 8:03pm

Don’t give the entire public subnet at Linode access to the machine.
You don’t have local networks, the PBX is in the cloud and has a public IP already. Remove those it will mess with how the PBX treats requests with those IPs in them.
Just pay the $9 or whatever and get a real public CA cert from Commodo or some place and stop messing around with wondering if your cert is being handled properly.

This is for a business and TLS certs are rather cheap for a year, might as well just do it right.

tm1000 · November 18, 2018, 8:12pm

What? You won’t see requests on asterisk if TLS negotiation can’t happen because of an invalid certificate.

BlazeStudios · November 18, 2018, 8:14pm

Good point, should do something more a long the lines of a tcpdump to make sure the requests are getting in.

However, I stand by my suggestion that this should just have a standard TLS cert on it. Self-signed really don’t “save” anymore as the cost of certs is low or in some cases free.

hardocp · November 18, 2018, 8:48pm

ok – i went to into freepbx and generated a CSR

then went to commodo and got a free 90 day cert

downloaded the certificate to /etc/asterisk/keys

went to CHAN PJSIP settings and changed the cert to this new one

downloaded the cert to the Yealink –

confirmed all – rebooted all

now i get this in the cli

WARNING[22573]: pjproject:0 <?>:  SSL SSL_ERROR_SSL (Read): Level: 0 err: <218910881> 
asn1 encoding routines-ASN1_item_verify-unknown message digest algorithm> len: 32000

openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

hardocp · November 18, 2018, 9:48pm

Fixed the SSL certificate issue as follows:

// Enable the CA trust capability
/usr/bin/update-ca-trust enable

// Copy/Move the Issuer CA certificates to /etc/pki/ca-trust/source/anchors/

// Update the CA trust
/usr/bin/update-ca-trust extract

openssl s_client -showcerts -connect xxx.xxx.com:5065

CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Free SSL, CN = testpbx.toporovsky.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Free SSL/CN=xxx.xxx.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
MIIGbDCCBVSgAwIBAgIQWwYc+ELRys6X9ddO7NFBdzANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0xODExMTgwMDAwMDBaFw0xOTAyMTYyMzU5NTlaMFcxITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDERMA8GA1UECxMIRnJlZSBTU0wxHzAdBgNV
BAMTFnRlc3RwYngudG9wb3JvdnNreS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDTJ5s8pMPVxsXgYfMdmvETrW635ojzl0/NsomwQiXXarC8KbTL
+3HyudcjsYBi0QXDpwZQJ0ZYK5zUfHIR8EIe/Nb49Td6SM8ZSPg1gnMlIGXDHmr8
oM15sT5GRCu4dCuY2Y5oaMqMn9p8aa5wxcqYuKKZNzxuCHP92eyOCtnJGOleY+7B
0W3cZTHpL9G70/2sIJtnU0Z4gWBTIxeA63RFxkm00We5D0IPehWKvgKfmt7w1eoV
bReSTXZYOfKeE9FX1FcFzaDYJZP8NL4r2+q6GlY4CNgjSmiZCxBuDp60PDOh3OM8
uOFCYKzuJioRzRcZzQnHmGjJLHP52sSXpJvDAgMBAAGjggL4MIIC9DAfBgNVHSME
GDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQUhKvPYC/wzK8y0Cz0
Ocl1x5WRwSwwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQECAgcw
KzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwCAYG
Z4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2EuY29t
L0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYUG
CCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9jYS5j
b20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMD0GA1UdEQQ2MDSC
FnRlc3RwYngudG9wb3JvdnNreS5jb22CGnd3dy50ZXN0cGJ4LnRvcG9yb3Zza3ku
Y29tMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcA7ku9t3XOYLrhQmkfq+GeZqMP
fl+wctiDAMR7iXqo/csAAAFnKHnoUgAABAMASDBGAiEAxkhBzciCQ/AkQ0ACu7d+
mBh6DNVVD/E/Rn8VA2Dvt1sCIQCvcI2WovKXZuVXmDzznfnjaceSc312hVWhL2xH
t/6z0AB2AHR+2oMxrTMQkSGcziVPQnDCv/1eQiAIxjc1eeYQe8xWAAABZyh56FIA
AAQDAEcwRQIgA+yoKUxJx/NXV8vdANGCzYGkUsA890g33xLq9x5ZLNUCIQDYIPFw
pzAVmXZ1lPUyyA/6Tu6X9dPEWnT9RyoX+ZlDjjANBgkqhkiG9w0BAQsFAAOCAQEA
HxYUcSl+nnKyPO0B1ukh83S9A+dRF/RrNQYdfj3BdNedK+T1SoLCuhj0Sj57Fr0F
1EOIGqzcaRng//5dLFHBb6+Ci6HW4W49BPpwLJYtJJ/J5bY2g1UiSQMdiSZcy/6X
4B92prTZ+nWNc4uq0NsxzMW8W62WTohcwH21/is4l0lPKzMuQDMzl0KOFZyxwLDW
iFRz1cjsW+MC7DrJ9Ld/SbgofRXxgqu2uoMqv/1ghd+/5n+E6vxzwEBAfBFZ+a/a
uQY6x6VnymAFJ/EkCCYm9u8fPH9WaiotK+LMo6hR2VDQBuKqVym/tJbZSrCVgIiC
8T7FMkGxMCnj6Orv5uHA2A==
-----END CERTIFICATE-----
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
hTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNV
BAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEy
MDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgT
EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMR
Q09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZh
bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28Sh
bXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0
Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6
ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51
UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0n
c13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQY
MBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz
30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgG
BmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNv
bS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcB
AQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9E
T1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21v
ZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2p
mj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/
e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBps
P0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMY
dVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc
2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxG
V/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4
HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQX
j4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII
0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5Ap
lBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf
+AZxAeKCINT+b72x
-----END CERTIFICATE-----
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
gYUxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMSswKQYD
VQQDEyJDT01PRE8gUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkehUktIKVrGsDSTdxc9EZ3SZKzejfSNw
AHG8U9/E+ioSj0t/EFa9n3Byt2F/yUsPF6c947AEYe7/EZfH9IY+Cvo+XPmT5jR6
2RRr55yzhaCCenavcZDX7P0N+pxs+t+wgvQUfvm+xKYvT3+Zf7X8Z0NyvQwA1onr
ayzT7Y+YHBSrfuXjbvzYqOSSJNpDa2K4Vf3qwbxstovzDo2a5JtsaZn4eEgwRdWt
4Q08RWD8MpZRJ7xnw8outmvqRsfHIKCxH2XeSAi6pE6p8oNGN4Tr6MyBSENnTnIq
m1y9TBsoilwie7SrmNnu4FGDwwlGTm0+mfqVF9p8M1dBPI1R7Qu2XK8sYxrfV8g/
vOldxJuvRZnio1oktLqpVj3Pb6r/SVi+8Kj/9Lit6Tf7urj0Czr56ENCHonYhMsT
8dm74YlguIwoVqwUHZwK53Hrzw7dPamWoUi9PPevtQ0iTMARgexWO/bTouJbt7IE
IlKVgJNp6I5MZfGRAy1wdALqi2cVKWlSArvX31BqVUa/oKMoYX9w0MOiqiwhqkfO
KJwGRXa/ghgntNWutMtQ5mv0TIZxMOmm3xaG4Nj/QN370EKIf6MzOi5cHkERgWPO
GHFrK+ymircxXDpqR+DDeVnWIBqv8mqYqnK8V0rSS527EPywTEHl7R09XiidnMy/
s1Hap0flhFMCAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTvA73g
JMtUGjAdBgNVHQ4EFgQUu69+Aj36pvE8hI6t7jiY7NkyMtQwDgYDVR0PAQH/BAQD
AgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1UdHwQ9
MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4dGVy
bmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0dHA6
Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAGS/g/FfmoXQ
zbihKVcN6Fr30ek+8nYEbvFScLsePP9NDXRqzIGCJdPDoCpdTPW6i6FtxFQJdcfj
Jw5dhHk3QBN39bSsHNA7qxcS1u80GH4r6XnTq1dFDK8o+tDb5VCViLvfhVdpfZLY
Uspzgb8c8+a4bmYRBbMelC1/kZWSWfFMzqORcUx8Rww7Cxn2obFshj5cqsQugsv5
B5a6SE2Q8pTIqXOi6wZ7I53eovNNVZ96YUWYGGjHXkBrI/V5eu+MtWuLt29G9Hvx
PUsE2JOAWVrgQSQdso8VYFhH2+9uRv0V9dlfmrPb2LjkQLPNlzmuhbsdjrzch5vR
pu/xO28QOG8=
-----END CERTIFICATE-----
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Free SSL/CN=xxx.xxx.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6362 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: BFC9345298F4C1227FF36E2AB5E6A5F65B8232EF2664CC452E93B0E8EF20FA07
    Session-ID-ctx:
    Master-Key: 171CA2C54A70AE949625EFF3D5B85476F675019B147E8B8B867D49F806C4355C1261C36EB519C243981CD8FEF4BE970A
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 7a 0c 0b 05 7d ca 19 db-2e d0 ed 3a 10 e0 66 2a   z...}......:..f*
    0010 - 38 99 01 3d f4 6b 04 50-2d ed 2b 0c 3b 08 52 40   8..=.k.P-.+.;.R@
    0020 - 34 d8 4d b6 03 a3 5a 1e-f3 b7 66 b5 5c ee 5f 3c   4.M...Z...f.\._<
    0030 - 09 d8 bf 08 59 d8 6b b7-cf c3 66 66 9f 41 48 49   ....Y.k...ff.AHI
    0040 - 02 a0 73 27 2c 76 38 39-dd 3f d6 21 e2 b1 6e b1   ..s',v89.?.!..n.
    0050 - 4a 02 ad a7 7d 87 e6 c7-73 ac d3 3b 31 52 c1 0a   J...}...s..;1R..
    0060 - a3 31 d5 4e e3 75 1b 3f-a4 5f 68 c5 2d 0d aa 0a   .1.N.u.?._h.-...
    0070 - 6e 1d d8 51 17 95 09 8b-23 f9 df 10 4f cf b6 01   n..Q....#...O...
    0080 - 3a 3d 71 53 69 f1 9f 81-22 ce ba 21 cd d7 e1 80   :=qSi..."..!....
    0090 - 75 fc c7 f5 d6 14 1b a7-6a c7 f3 96 a0 b8 d7 87   u.......j.......

    Start Time: 1542577545
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

ok

but it still can not get this darn phone to make an SSL/TLS connection

I am going crazy here trying to figure this out