Issue setting up TLS registration to Telnyx trunk

Hello,

I’m trying to set up a Telnyx PJSIP trunk using TLS transport on FreePBX 15.0.17.53. It works fine over UDP. I get the following message in my Asterisk log when I try to use TLS:

WARNING[1303] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336151598> <SSL routines-ssl3_read_bytes-tlsv1 alert protocol version> len: 0

Telnyx only supports TLS v1.2 as of June 2021, so I selected that in Settings > Asterisk SIP Settings > chan_pjsip > SSL Method. The above error suggests that FreePBX is trying to use an older version. Not sure how to proceed to fix this.

Thanks!

Did you restart asterisk? By default you need to do so after a transport-level change.

Yes, tried restarting asterisk and even rebooting the entire server.

I’m using FreePBX 15, Telnyx, TLS. The trunk setup is very simple, pointing to sip.telnyx.com. Transport selected is 0.0.0.0-tls. In Asterisk SIP settings, I have tlsv1_2, verify client = no, verify server = yes.

You didn’t mention whether you are using FreePBX distro or built it yourself. The server I am using is on Debian 10 and I had to prevent it from using TLS v1.3. (I worked with Telnyx support to troubleshoot connectivity errors; I don’t recall the exact error message.) I adjusted this section in /etc/ssl/openssl.cnf:

[system_default_sect]
MinProtocol = TLSv1.2
MaxProtocol = TLSv1.2
CipherString = [email protected]=2

It’s the MaxProtocol line that solved the connectivity problem. I don’t know whether this is what you are seeing, but it might be worth a try.

Thanks! I’m not running an official FreePBX distro; I’m running it on a Raspberry Pi (Debian-based). I tried your suggestion with the result that the error message changed from alert protocol version to no protocols available. It’s as if TLS1.2 is not supported, although my openssl version is 1.1.1 which should support it…

It does seem to be related to a TLS handshake error. I just can’t figure out what to do next.

I figured it out by looking directly at the /etc/asterisk/pjsip.transports.conf configuration file. The SSL Method parameter in FreePBX under Settings > Asterisk SIP Settings > chan_pjsip should set a corresponding method=tlsv1_2 line in the configuration file, but it doesn’t. There is no such line, thus the default is used - which is tlsv1. That FreePBX parameter doesn’t seem to do anything. I manually added the config line in the file, and the trunk came up right away (after restarting Asterisk).

This would seem to be a bug in FreePBX, but it’s strange that it worked for you.

Please report it: issues.freepbx.org

I’m not sure @cinergi. My pjsip.transports.conf file shows method=tlsv1_2. I didn’t have to add it in manually.

My sipsettings module version is 15.0.6.39.

Hmm… I suspect it has something to do with my unofficial installation on a Raspberry Pi :-). I’ll report it as @PitzKey mentioned and see what happens. Anyway, I’m just happy that it’s working.

I didn’t need any of the changes in openssl.cnf, though.

By the way, since you have verify server = yes, did you define anything in CA Chain and Server Certificate?

Thanks

You may. The issue I found is that the TLS 1.3 connection was unreliable. I don’t know why, but 1.2 is “good enough” so I was happy to set it at that.

FreePBX finds the system CA certs and uses those. (In Debian, /etc/ssl/certs)

Thanks. I’ll keep an eye on the trunk, but so far it seems solid. Since I specified method=tlsv1_2, I assume it’s using that and not 1.3.

In my case, FreePBX doesn’t seem to pick up the system CA certs. If I specify verify_server=yes in pjsip.transports.conf, the trunk won’t connect because it can’t find the proper CA certs. I think I’ll have to specify them manually but I haven’t tried yet. By the way, toggling Verify Server to On in the GUI has no effect for me - it looks like it’s on, but it doesn’t actually add the corresponding line in the .conf file. This is the same behavior as for the method=tlsv1_2 parameter. It seems this issue may be unique to my setup, since it works for you. Do you see verify_server=yes in your pjsip.transports.conf?

Yes, here is what gets produced by Asterisk SIP settings for me:

[0.0.0.0-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
external_media_address=(my public IP)
external_signaling_address=(my public IP)
ca_list_file=/etc/ssl/certs/ca-certificates.crt <-- I did not specify this; it found this file itself
cert_file=/etc/asterisk/keys/(cert+intermediate chain from Certificate Manager)
priv_key_file=/etc/asterisk/keys/(key corresponding to cert from Certificate Manager)
method=tlsv1_2
verify_client=no
verify_server=yes
allow_reload=yes
tos=cs3
cos=3

Thanks. I’m missing all the lines related to certificates and TLS version. I have to add these manually. Strange.

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.