A Wireshark session says ‘Encrypted alert’, so I assume TLS works in general but the handshake fails.
I guess I did something wrong with the certificates, but I have no more ideas. I tried several things already.
I have a wildcard certificate for my domain (like: *.domain.tld) which I have implemented with the certificate manager (from FreePBX) and set as default.
In the SYS-Admin-Settings I set it for the HTTPS Sessions and it works without any problem. When I open the Web-Interface the right certificate is shown.
As mentioned in the following topic and in the Yealink manual, there are two sections of certificates on Yealink phones:
Trusted Certificates and Server Certificates. But no matter what I upload here, TLS doesn’t work.
I tried the official paid certificate (like: *.domain.tld)
I tried the certificate from the ‘ast_tls_cert’ script as mentioned in the Asterisk wiki
I tried a self-signed certificate from the FreePBX cert-manager
Nothing worked - I still get TLS error.
What I already did:
activated TLS on 0.0.0.0 on port 5061
set the certificate in the TLS/SSL/SRTP settings of the PJSIP settings
tried different SSL methods
configured the Yealink phone with TLS on port 5061 with the IP address or DNS name
restarted the phone
restarted FreePBX
forced TLS in the extension settings in FreePBX
newest FreePBX version
newest Yealink firmware
I have been searching for a solution for a few days now, with lots of reading and hours of trying, but I have no more ideas. Please help me!
Not super necessary, but it would be very nice to have. Sure, it’s internal, but there are reasons to encrypt the traffic (RTP is already encrypted, as I wrote above).
And I have some problems getting the Zulu client running. There are some certificate errors there as well.
So my intention was that getting TLS working with the right certificates would solve some of the problems I have with Zulu as well.
And in the end I thought it is possible in general, so I want to try it.
Well, let’s start at the beginning then – when you go to Admin - Certificate Management - do you see your certificate?
If yes – when you click on edit – do you see the name – is it valid – do you see the policies?
Next if yes to all above – have you installed the certificate for HTTPS – under system admin – HTTPS setup –
Again if yes – when you connect to your pbx – does your browser show a lock with a secure connection – if you click on the details are they all ok and correct – does the browser throw back any security issues or exceptions when connecting via https?
I am thinking a basic issue might be that an SSL certificate is used to protect or secure a public FQDN – you however are connecting to an internal private IP –
Well, let’s start at the beginning then – when you go to Admin - Certificate Management - do you see your certificate?
Yes there is only one certificate at the moment. The Wildcard certificate for my domain that I purchased.
If yes – when you click on edit – do you see the name – is it valid – do you see the policies?
Yes I see the name which I assigned. It’s just: pbx
Yes, it’s valid (2020-04-29)
Yes there are policies like this:
Policy: 2.16.840.1.114412.1.2
CPS: https://www.digicert.com/CPS
Policy: 2.23.140.1.2.1
Next if yes to all above – have you installed the certificate for HTTPS – under system admin – HTTPS setup
yes
Again if yes – when you connect to your pbx – does your browser show a lock with a secure connection – if you click on the details are they all ok and correct – does the browser throw back any security issues or exceptions when connecting via https?
Yes, of course, but only if I connect via DNS name like https://pbx.domain.tld; then there are no security issues or anything else. The certificate shown by the browser is my wildcard certificate.
If I connect via IP address there are (of course) security issues because of the name on the certificate.
I am thinking a basic issue might be that an SSL certificate is used to protect or secure a public FQDN – you however are connecting to an internal private IP
That’s why I tried the FQDN in the server-IP settings of the Yealink. It works with UDP, but doesn’t work with TLS.
OK, great – sorry for the basic questions – but 1) sometimes something obvious can get overlooked and 2) not everyone on the board has the same level of technical expertise
Anyway – next step
Go to settings – sip settings – pjsip tab
under the TLS settings – you should have the following:
Certificate manager: your cert
ssl method: tlsv1_2
verify client: no
verify client: yes
also under transports tls should be yes
finally the tls port to listen on should be set – typically this is 5061
Are you using an actual wildcard cert? Because that’s your problem. SIP doesn’t allow for wildcards, it wants the FQDN fully defined in the cert. So a single domain or a multi-domain cert that has a SAN defined for the SIP. A cert for *.domain.com will not work in SIP.
No, it’s Standard, so tlsv1_1. But I tried both before. Anyway, I changed it now to tlsv1_2
verify client: no
No, it’s YES. Here too I tried both before. Anyway, I changed it now to NO
verify client: yes
yes
also under transports tls should be yes
yes
finally the tls port to listen on should be set – typically this is 5061
yes it’s 5061
(all the actual changes didn’t get it working, same error)
Are you using an actual wildcard cert? Because that’s your problem. SIP doesn’t allow for wildcards
OK, I didn’t know, and if it’s true this should really be a problem. But on the other hand I tried a generated certificate too with no success. In the end I don’t care which certificate I’m using, as long as it works.
Verify Client should be No
Verify Server should be Yes
so:
Your cert
tlsv1_2
verify client: no
verify server: yes
tls transport: yes
port: 5061
Next step – extension settings
Go to an extension and set the following items:
transport: tls (auto may work – but explicitly setting this is probably a better idea)
max contacts: 2 (not really necessary – but good to leave some room here just in case)
media use received transport: no
rtp symmetric: yes
rewrite contact: yes
force rport: yes
media encryption: srtp
so:
Your cert
tlsv1_2
verify client: no
verify server: yes
tls transport: yes
port: 5061
yes it is.
transport: tls (auto may work – but explicitly setting this is probably a better idea)
max contacts: 2 (not really necessary – but good to leave some room here just in case)
media use received transport: no
rtp symmetric: yes
rewrite contact: yes
force rport: yes
media encryption: srtp
yes it is. (max contacts is 5, but that shouldn’t be a problem)
then try and connect to the extension using the FQDN with SRTP and SIP TLS turned on
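The two checks the thread circles around, as an added example that is not part of the original posts and not FreePBX or Asterisk code: first, whether the certificate actually names the FQDN the phone dials (RFC 5922 disallows wildcard identities for SIP domain certificates, so `*.domain.tld` is the wildcard case the later reply points at), and second, a handshake probe against the PJSIP TLS transport that shows the certificate the PBX presents and the verify result, which is more direct than reading ‘Encrypted alert’ in Wireshark. The host name pbx.domain.tld, the paths and port 5061 are placeholders taken from the thread; the script assumes `openssl` is installed and generates its own throwaway self-signed certificates for the SAN check.

```bash
#!/usr/bin/env bash
# Added example (not from the thread, not FreePBX/Asterisk code).
# Assumptions: openssl is installed; pbx.domain.tld and port 5061 are the
# placeholders used in the thread, not real hosts.
set -eu

# Generate a self-signed test certificate whose only SAN entry is $2.
# Used here to build an "exact FQDN" cert and a "wildcard" cert offline;
# on a real PBX you would inspect the cert from Certificate Management.
make_test_cert() {
  local prefix=$1 san=$2 cfg
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $san
[v3]
subjectAltName = DNS:$san
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$prefix.key" -out "$prefix.crt" -config "$cfg" >/dev/null 2>&1
  rm -f "$cfg"
}

# How a certificate's DNS SAN entries relate to the FQDN the phone dials:
#   exact    - an entry equals the FQDN (what SIP over TLS needs)
#   wildcard - only *.parent covers it (fine for HTTPS, not for SIP, RFC 5922)
#   none     - the name is not covered at all (e.g. an IP address)
cert_san_status() {
  local cert=$1 fqdn=$2 sans parent
  sans=$(openssl x509 -in "$cert" -noout -text \
         | awk '/Subject Alternative Name/{getline; print}' \
         | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p')
  parent=${fqdn#*.}
  if printf '%s\n' "$sans" | grep -qxF "$fqdn"; then
    echo exact
  elif printf '%s\n' "$sans" | grep -qxF "*.$parent"; then
    echo wildcard
  else
    echo none
  fi
}

# The transport stanza that the PJSIP settings in the thread correspond to
# (FreePBX writes its own version of this from the GUI fields; shown so the
# GUI labels can be checked against the Asterisk options). Args: cert, key, CA.
pjsip_tls_transport() {
  cat <<EOF
[0.0.0.0-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=$1
priv_key_file=$2
ca_list_file=$3
method=tlsv1_2
verify_client=no
verify_server=yes
EOF
}

# Probe the PBX's TLS transport the way the phone would: prints the
# certificate chain the server presents and openssl's verify result.
# Needs network access, so it only runs when called explicitly.
probe_sip_tls() {
  local host=$1 port=${2:-5061}
  openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 </dev/null 2>&1 \
    | sed -n '/^Certificate chain/,/^---$/p; /Verify return code/p'
}

# Usage: ./sip_tls_check.sh san <cert.pem> <fqdn>
#        ./sip_tls_check.sh probe <pbx-fqdn> [port]
case "${1:-}" in
  san)   cert_san_status "${2:?cert}" "${3:?fqdn}" ;;
  probe) probe_sip_tls "${2:?host}" "${3:-5061}" ;;
esac
```

A `wildcard` result against the FQDN configured on the phone is the condition the thread's last reply describes; a `none` result is what you get when the phone is pointed at the PBX's IP address, which no DNS SAN entry can cover. When the probe shows a chain and "Verify return code: 0 (ok)", the PJSIP side is fine and the remaining work is on the phone's Trusted Certificates list.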