CISCO SPA112/122 with TLS on FreePBX

Changed the pjsip SSL method to tls1_1 and then to default (TLSv1). The extension didn’t register in either of the two cases and the same errors were shown by the PBX.

[2021-11-09 01:04:10] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151576> SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca len: 0 peer: xxx:5068
[2021-11-09 01:04:12] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151576> SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca len: 0 peer: xxx:5069
[2021-11-09 01:04:13] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151576> SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca len: 0 peer: xxx:5070
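Decoding what those three warnings actually say, as an added example that is not part of the thread and not Asterisk or pjproject code: the number in `err: <336151576>` is an OpenSSL error code, 0x14094418, which unpacks to library 0x14 (SSL routines), function 0x094 (ssl3_read_bytes) and reason 1048; reasons of 1000 and above are 1000 plus the TLS alert description received from the peer, so 1048 is alert 48, unknown_ca. Because the alert was read from the peer in ssl3_read_bytes, the decision was made by the device connecting in, not by the PBX. The sample log below is constructed: the three unknown ca lines mirror the ones posted, with the redacted address replaced by 203.0.113.10, and the protocol version line from 198.51.100.7 is invented to show a different alert being told apart. Both addresses are assumptions.

```python
"""Decode the OpenSSL error code in Asterisk/pjsip SSL_ERROR_SSL warnings.

Added example, not code from the thread or from Asterisk/pjproject.
SAMPLE_LOG is constructed (addresses 203.0.113.10 and 198.51.100.7 are
documentation ranges, chosen here, not the poster's).
"""
import re
from collections import Counter, defaultdict

# OpenSSL 1.x packs an error as ERR_PACK(lib, func, reason):
#   bits 31..24 library, 23..12 function, 11..0 reason.
ERR_LIB_SSL = 0x14               # "SSL routines"
SSL_F_SSL3_READ_BYTES = 0x094    # the routine that *received* the peer's alert

# Reasons 1000..1255 are SSL_AD_REASON_OFFSET + the TLS alert description
# (RFC 5246 section 7.2) that the peer sent us.
SSL_AD_REASON_OFFSET = 1000
TLS_ALERT_NAMES = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
    71: "insufficient_security",
}

# What each alert means when it shows up on the PBX (the TLS server) side.
MEANING = {
    "unknown_ca": "the peer could not chain the PBX certificate to a CA it trusts; "
                  "fix the peer's trust store or the chain the PBX sends",
    "protocol_version": "the peer does not accept the TLS version the PBX offered",
}

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] WARNING\[\d+\]: pjproject: <\?>: SSL SSL_ERROR_SSL "
    r"\((?P<stage>\w+)\): Level: \d+ err: <(?P<code>\d+)> (?P<text>.+?) "
    r"len: \d+ peer: (?P<peer>\S+)$"
)


def decode_openssl_error(code: int) -> dict:
    """Unpack an OpenSSL error code into library, function, reason and TLS alert."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET if reason >= SSL_AD_REASON_OFFSET else None
    return {
        "lib": lib,
        "func": func,
        "reason": reason,
        "alert": alert,
        "alert_name": TLS_ALERT_NAMES.get(alert, f"alert_{alert}") if alert is not None else None,
        # An alert read in ssl3_read_bytes was sent by the *peer*: it made the decision.
        "peer_sent_alert": lib == ERR_LIB_SSL and func == SSL_F_SSL3_READ_BYTES and alert is not None,
    }


def parse_line(line: str):
    """Return the decoded fields of one pjproject SSL warning, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, _, port = m.group("peer").rpartition(":")
    code = int(m.group("code"))
    return {
        "ts": m.group("ts"),
        "stage": m.group("stage"),
        "code": code,
        "text": m.group("text"),
        "peer_host": host,
        "peer_port": int(port),
        **decode_openssl_error(code),
    }


def summarize(log_text: str) -> dict:
    """Count received alerts per peer host: {host: Counter({alert_name: n})}."""
    per_peer = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["alert_name"]:
            per_peer[rec["peer_host"]][rec["alert_name"]] += 1
    return dict(per_peer)


# Constructed sample, modelled on the lines posted in the thread.
SAMPLE_LOG = """\
[2021-11-09 01:04:10] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151576> SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca len: 0 peer: 203.0.113.10:5068
[2021-11-09 01:04:12] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151576> SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca len: 0 peer: 203.0.113.10:5069
[2021-11-09 01:04:13] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151576> SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca len: 0 peer: 203.0.113.10:5070
[2021-11-09 01:04:20] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151598> SSL routines-ssl3_read_bytes-tlsv1 alert protocol version len: 0 peer: 198.51.100.7:40312
[2021-11-09 01:04:21] NOTICE[1817]: res_pjsip: unrelated line that the parser must skip
"""

if __name__ == "__main__":
    for host, alerts in summarize(SAMPLE_LOG).items():
        for name, n in alerts.items():
            print(f"{host}: {n} x {name}: {MEANING.get(name, 'see RFC 5246 section 7.2')}")
```

Run it against the real `/var/log/asterisk/full` with `summarize(open(path).read())`; a peer that only ever produces unknown_ca is telling you it does not trust the CA that signed the PBX certificate, which is a trust-store problem on that device rather than a cipher or TLS-version mismatch (which would show up as handshake_failure or protocol_version instead).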

The handshake may not happen due to the device not having updated algos/ciphers. It might not have current CAs.

I would try a factory default and go again.


True, but in this case it didn’t get that far.

I’m reasonably certain that is the case here:

My interpretation is that during the initial TLS handshake, pjsip received an alert from the SPA indicating that the SPA did not recognize the CA that signed the server’s certificate.

That’s consistent with my interpretation of the (truly awful) admin guide, which implies that the only built-in CA certificate is Cisco’s, so you would need a custom CA to use a standard cert. However, it’s inconsistent with:

I can think of several possibilities:

- You set up the server cert with a Cisco signing tool.
- EPM, behind the scenes, provisioned the SPA with a custom CA.
- You manually set up a custom CA but forgot.
- The SPA used to support 'regular' CAs but doesn't anymore.

Do any of these make sense?

In any case, I recommend that the OP set up a custom CA and confirm that it shows in Custom CA Info.

I can’t see how that could work, because the LE site is HTTPS only and the SPA won’t accept it because it doesn’t recognize the CA (catch-22). Download the cert to a local system, make it available by TFTP or HTTP, confirm (in your local log) that the SPA actually fetched it, then check its Custom CA Status.

My feeling is also that I should provide a path to the CA since I use a FreePBX implementation configured to use certificates signed by Let’s Encrypt. The SPA never gave me the opportunity to accept any certificate so I guess I need to provision it manually.

Which certificate should I point to from this list?

[image: cert]

None. Just enter the connection details like normal.

Don’t I have to give the complete path to a specific certificate in the Custom CA URL?

No, when using a proper and public TLS cert you just need to set the device up to use the TLS settings and tell the device to use TLS/secure calling. That’s it. Just like a web browser you connect to the server and the server has the TLS cert to be dealt with.

Tried that, doesn’t work.

You may have to resign yourself to the fact this device cannot support current TLS standards.

I understand that TLSv1.2 may not be supported given that the last firmware for SPA112 was released two years ago but this doesn’t explain why TLSv1.1 or even v1 aren’t working. I think @Stewart1 has a point when proposing to:

Download the cert to a local system, make it available by TFTP or HTTP, confirm (in your local log) that the SPA actually fetched it, then check its Custom CA Status.

I’ll set up a web server with lighttpd, put the certificates there and point the SPA112 to take them from there.

Hi Stewart,

I tried this method and the SPA112 accepted the certificate:

[image]

However I still get the errors and the registration fails:

[2021-11-09 23:17:57] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151576> SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca len: 0 peer: xx:5064
[2021-11-09 23:17:58] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151576> SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca len: 0 peer: xx:5065
[2021-11-09 23:18:00] WARNING[1817]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151576> SSL routines-ssl3_read_bytes-tlsv1 alert unknown ca len: 0 peer: xx:5066

I wonder if I set the path to the correct certificates. I’ve got the following structure in /etc/asterisk/keys/:

[image: cert]

And a folder with the same domain name as the above certificates containing this structure:

[image]

Which certificate should I choose?

Thanks!

You could have bought a current model of any brand of ATA with the money you have burned dealing with this old gear.

Before you go unnecessarily crazy, what is the IP address of your 112?

Grandstream HT801 might be a good fit?

The ATA is NATed; the errors above are with my public IP address, which I removed.

Then there is no need for TLS, nobody can get to you except from your LAN, which we hope you have control over.

HT802 or HT801 should be fine as long as it has current support.

Again, unless any of your ATA’s are exposed directly to the internet, TLS is an unnecessary conceit for any of them.

My Android client (Zoiper) is NATed and I’m able to use TLS without any issues. My ATA is exposed to the Internet but not through a public IP.

Same with the SPA112: even though it’s not being sold, it should be supported until 2025.