Can't register on 5061 TLS

Dexter_23 · March 3, 2022, 8:04am

Hi guys

I have pjsip tls listen on 5061, i try to configure app on my smartphone Gswave to configure but can’t register, with 5060 udp is working, but i want to register with 5061 tls more secure, with tcpdump i see the request arrive from my smartphone on port 5061

Here is a tcpdump capture:
09:01:57.113739 IP smartphoneip.59590 > 172.29.49.80.5061: Flags [.], ack 1, win 685, options [nop,nop,TS val 46399 ecr 55331419], length 0
09:01:57.118028 IP smartphoneip.59590 > 172.29.49.80.5061: Flags [P.], seq 1:308, ack 1, win 685, options [nop,nop,TS val 46399 ecr 55331419], length 307
09:01:57.118048 IP 172.29.49.80.5061 > smartphoneip.59590: Flags [.], ack 308, win 235, options [nop,nop,TS val 55331485 ecr 46399], length 0
09:01:57.123810 IP 172.29.49.80.5061 > smartphoneip.59590: Flags [P.], seq 1:8, ack 308, win 235, options [nop,nop,TS val 55331491 ecr 46399], length 7
09:01:57.123873 IP 172.29.49.80.5061 > smartphoneip.59590: Flags [F.], seq 8, ack 308, win 235, options [nop,nop,TS val 55331491 ecr 46399], length 0
09:01:57.189508 IP smartphoneip.59590 > 172.29.49.80.5061: Flags [.], ack 8, win 685, options [nop,nop,TS val 46406 ecr 55331491], length 0
09:01:57.190801 IP smartphoneip.59590 > 172.29.49.80.5061: Flags [F.], seq 308, ack 9, win 685, options [nop,nop,TS val 46406 ecr 55331491], length 0
09:01:57.190823 IP 172.29.49.80.5061 > smartphoneip.59590: Flags [.], ack 309, win 235, options [nop,nop,TS val 55331558 ecr 46406], length 0
09:02:18.255574 IP smartphoneip.59591 > 172.29.49.80.5061: Flags [S], seq 61602061, win 65535, options [mss 1460,sackOK,TS val 48511 ecr 0,nop,wscale 7], length 0
09:02:18.255635 IP 172.29.49.80.5061 > smartphoneip.59591: Flags [S.], seq 1248114350, ack 61602062, win 28960, options [mss 1460,sackOK,TS val 55352623 ecr 48511,nop,wscale 7], length 0
09:02:18.320198 IP smartphoneip.59591 > 172.29.49.80.5061: Flags [.], ack 1, win 685, options [nop,nop,TS val 48519 ecr 55352623], length 0
09:02:18.320984 IP smartphoneip.59591 > 172.29.49.80.5061: Flags [P.], seq 1:308, ack 1, win 685, options [nop,nop,TS val 48519 ecr 55352623], length 307
09:02:18.320996 IP 172.29.49.80.5061 > smartphoneip.59591: Flags [.], ack 308, win 235, options [nop,nop,TS val 55352688 ecr 48519], length 0
09:02:18.330244 IP 172.29.49.80.5061 > smartphoneip.59591: Flags [P.], seq 1:8, ack 308, win 235, options [nop,nop,TS val 55352697 ecr 48519], length 7
09:02:18.330305 IP 172.29.49.80.5061 > smartphoneip.59591: Flags [F.], seq 8, ack 308, win 235, options [nop,nop,TS val 55352697 ecr 48519], length 0
09:02:18.412582 IP smartphoneip.59591 > 172.29.49.80.5061: Flags [.], ack 8, win 685, options [nop,nop,TS val 48528 ecr 55352697], length 0
09:02:18.413372 IP smartphoneip.59591 > 172.29.49.80.5061: Flags [F.], seq 308, ack 9, win 685, options [nop,nop,TS val 48529 ecr 55352697], length 0
09:02:18.413385 IP 172.29.49.80.5061 > smartphoneip.59591: Flags [.], ack 309, win 235, options [nop,nop,TS val 55352780 ecr 48529], length 0

UPDATE:

This is the log of /var/log/asterisk/full

[2022-03-03 09:21:01] WARNING[2489] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> len: 0 peer: smartphoneip:59615

Seems a problem with certificate, how can i fix that?

Dexter_23 · March 4, 2022, 9:48am

Update:

So the problem is this if i check the asterisk LOG:
WARNING[2489] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> len: 0 peer: 172.29.49.30:58793

This is the Ciphers Suite on the Client:

This is the output of openssl ciphers -v on the FreePBX Server
https://termbin.com/1vyw

The protocol use on the client is tls1.0 on freebpx15 in Asterisk SIP Settings i see only this option avaible:

Dexter_23 · March 7, 2022, 9:16am

Hi guys

I have try with linphone softphone and it works on port 5061, so the problem seems to be on the gswave applications, maybe the smartphone not know the let’s encrypt certificate on the server?

dicko · March 7, 2022, 2:36pm

Is your sip server set to my.url.com:5061 ?

Dexter_23 · March 7, 2022, 3:02pm

@dicko

Yes

dicko · March 7, 2022, 3:02pm

next step, logs

Dexter_23 · March 7, 2022, 3:05pm

@dicko

What logs? can you more specific?

Thanks

dicko · March 7, 2022, 3:07pm

a capture of a registration attempt from your gs phone to your server from /var/log/asterisk/full also a quick overview can be seen with sngrep

Dexter_23 · March 7, 2022, 3:26pm

i don’t see anything on this log related to connection from my smartphone

dicko · March 7, 2022, 3:46pm

sngrep sees traffic before any firewall and shows any responses

Dexter_23 · March 7, 2022, 4:02pm

@dicko

sngrep nothing show

dicko · March 7, 2022, 4:03pm

Does it work using UDP:5060 transport ?

Dexter_23 · March 7, 2022, 4:07pm

@dicko

Yes

dicko · March 7, 2022, 4:09pm

Sorry, I don’t have that problem and have no idea what else to advise.

Dexter_23 · March 7, 2022, 4:10pm

If i use Linphone Desktop App on my laptop the registration with 5061 tls works, but with this app GSWave with IOS and Android doesn’t work

dicko · March 7, 2022, 4:18pm

Don’t know much about IOS but on an android, for low level diagnosis and to ensure the network is working, sans the gs phone,I would install termux from fdroid and in that shell install telnet then

telnet your.url.com 5061

that way you will be sending to your PBX and seeing any traffic on the server, if the telnet session doesn’t respond nor the pbx show activity then no idea of the next step

Dexter_23 · March 7, 2022, 4:41pm

@dicko

Hi i have install Linphone on Android Smartphone and it works with TLS, so only with GS Wave app can’t register with SIP TLS

dicko · March 7, 2022, 4:42pm

I’m out of suggestions, call Grandstream perhaps?

Dexter_23 · March 7, 2022, 5:00pm

For now i use Linphone

system · April 7, 2022, 5:01pm

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.