New Yealink phone fails to register over TLS


(HawkEye) #1

Hi,
Setting up new Yealink T21-P phone to use TLS only (port 5061) for transport and have SRTP=yes. This phone doesn’t register. It can register if using just UDP (5060).

Also configured a new Grandstream 813 ATA using TLS only. The ATA registers without any issue.

CLI> sip show peer 136
.
.
Addr->IP : 192.168.25.56:42453
Defaddr->IP : (null)
Prim.Transp. : TLS
Allowed.Trsp : TLS
Def. Username: 136
SIP Options : (none)
Codecs : (ulaw)
Auto-Framing : No
Status : OK (28 ms)
Useragent : Grandstream HT813 1.0.9.1
Reg. Contact : sips:136@192.168.25.56:5061;transport=tls

The Yealink phone config is for port 5061 and TLS for transport, the same as the Grandstream ATA. Nothing is displayed in the CLI when plugging the phone into PoE… no failure displayed in CLI>

Everything points to some misconfiguration in the Yealink phone considering the ATA registers on port 5061 TLS. Just don’t see what it might be.

Firmware in Yealink phone is latest.
Asterisk version is 16.15.0
FPBX version is 15.0.16.81
Both devices are configured in FPBX for CHAN_SIP

Any ideas?
Thanks.


(Jared Busch) #2

Not all Yealink phones will work with the LE cert used by FreePBX by default.

Even those models that do work with it will not work with it on all firmware versions.

I’ve never tried the low end phones in a couple years, so I have no idea what the status of that phone is.

Note: if you do not use the built-in LE cert but your own cert, it can work.

If you use the built-in cert, it can still possibly work if you add the CA cert to the trusted certs in the phone.
I link the CA cert to a custom folder in the web path:

[jbusch@pbx ~]$ ls -lash /var/www/html/custom/pbx.domain.com-ca-bundle.crt 
0 lrwxrwxrwx 1 asterisk asterisk 49 Jan 17  2020 /var/www/html/custom/pbx.domain.com-ca-bundle.crt -> /etc/asterisk/keys/pbx.domain.com-ca-bundle.crt

Then in the config file I add it:

static.trusted_certificates.url = http://pbx.domain.com/custom/pbx.domain.com-ca-bundle.crt

(HawkEye) #3

The cert installed is a valid SECTIGO 2-year certificate for the PBX server.


(Jared Busch) #4

It could still be a similar problem. CA roots get updated periodically. That is one reason for firmware updates in the phones.


(HawkEye) #5

Changed the extension to PJSIP. PJSIP is configured to listen on 5161 for TLS.
Ran from remote:
openssl s_client -showcerts -connect f.q.d.n:5161
CONNECTED(00000005)
140444695155136:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40

Subsequently deleted the SSL certificate in Certificate Manager and re-added it back. This time though, only added 1 of the CA Bundle certificates at a time (there are 3 CA Bundle certs) until all three bundle certs were installed.

Now we don’t see the failure when running (extension set for chan_sip):
openssl s_client -showcerts -connect f.q.d.n:5061
CONNECTED(00000005)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = f.q.d.n
verify return:1

Certificate chain
0 s:CN = f.q.d.n
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----

Reset the Yealink phone back to factory default and then configured the phone. The full log displays: Unable to set up ssl connection with peer ‘192.168.25.55:12770’

Still at a loss as to why the Yealink phone is unable to register with TLS (regardless of using chan_sip or PJSIP).
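As an added example (not from the thread, and not FreePBX, Asterisk or Yealink code), here is a small Python helper that triages `openssl s_client` transcripts like the two posted above. It separates the three outcomes that matter when a TLS registration fails: the server refusing the handshake with a TLS alert (the "alert number 40" seen before the CA bundle was re-added), a handshake that completes but whose chain does not verify (the usual missing-intermediate case that an incomplete bundle produces), and a chain that verifies at every depth. The transcripts embedded in it are constructed to mirror the thread's output, `f.q.d.n` included; the function and field names are this example's own.

```python
# Triage helper for `openssl s_client -showcerts` transcripts (added example, not from the thread).
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# TLS alert numbers from RFC 5246 section 7.2; only the certificate-related ones are named here.
TLS_ALERTS: Dict[int, str] = {
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
}

ALERT_RE = re.compile(r"SSL alert number (\d+)")
DEPTH_RE = re.compile(r"^depth=(\d+) (.+)$")
VERIFY_ERR_RE = re.compile(r"^verify error:num=(\d+):(.+)$")
FINAL_RE = re.compile(r"^Verify return code: (\d+) \((.+)\)$")


@dataclass
class Diagnosis:
    outcome: str                      # handshake_alert | chain_not_verified | verified | no_handshake
    alert: Optional[int] = None       # TLS alert number when the server refused the handshake
    chain: List[str] = field(default_factory=list)  # certificate subjects, trust anchor first, leaf last
    verify_errors: List[str] = field(default_factory=list)
    final_code: Optional[int] = None  # value of "Verify return code", when the transcript has one


def triage(transcript: str) -> Diagnosis:
    """Classify one s_client transcript by reading its alert, depth and verify lines."""
    alert: Optional[int] = None
    by_depth: Dict[int, str] = {}
    errors: List[str] = []
    final: Optional[int] = None

    for raw in transcript.splitlines():
        line = raw.strip()
        if m := ALERT_RE.search(line):
            alert = int(m.group(1))
        elif m := DEPTH_RE.match(line):
            by_depth[int(m.group(1))] = m.group(2).strip()
        elif m := VERIFY_ERR_RE.match(line):
            errors.append(f"{m.group(2).strip()} (num={m.group(1)})")
        elif m := FINAL_RE.match(line):
            final = int(m.group(1))

    # openssl prints the highest depth (closest to the trust anchor) first; keep that order.
    chain = [by_depth[d] for d in sorted(by_depth, reverse=True)]

    if alert is not None:
        outcome = "handshake_alert"
    elif errors or (final is not None and final != 0):
        outcome = "chain_not_verified"
    elif chain:
        outcome = "verified"
    else:
        outcome = "no_handshake"
    return Diagnosis(outcome, alert, chain, errors, final)


def describe(diag: Diagnosis) -> str:
    """One-line summary of what the transcript shows and what to check next on the server side."""
    if diag.outcome == "handshake_alert":
        name = TLS_ALERTS.get(diag.alert, "unknown alert")
        return (f"server sent TLS alert {diag.alert} ({name}) before presenting a certificate: "
                "check the certificate and key loaded on the TLS listener and the protocols it offers")
    if diag.outcome == "chain_not_verified":
        return ("handshake completed but the chain did not verify: " + "; ".join(diag.verify_errors)
                + " -- the server is most likely not sending its intermediate CA certificates")
    if diag.outcome == "verified":
        return f"chain of {len(diag.chain)} certificates verified; leaf is '{diag.chain[-1]}'"
    return "no TLS handshake observed (connection refused, wrong port, or plain-text listener)"


# Constructed transcripts modelled on the thread's output; not captured from a real system.
ALERT_TRANSCRIPT = """CONNECTED(00000005)
140444695155136:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
"""

INCOMPLETE_CHAIN_TRANSCRIPT = """CONNECTED(00000003)
depth=0 CN = f.q.d.n
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Verify return code: 21 (unable to verify the first certificate)
"""

VERIFIED_TRANSCRIPT = """CONNECTED(00000005)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = f.q.d.n
verify return:1
---
Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for label, text in (("alert", ALERT_TRANSCRIPT), ("incomplete", INCOMPLETE_CHAIN_TRANSCRIPT),
                        ("verified", VERIFIED_TRANSCRIPT)):
        print(f"{label}: {describe(triage(text))}")
```

Feed it the output of `openssl s_client -showcerts -connect host:5061 </dev/null` (saved to a file) to get a consistent reading across several PBX ports or firmware rounds. A `verified` result only proves the server side is sound; a phone that still fails at that point is missing the CA in its own trust store, which is the case the `static.trusted_certificates.url` setting earlier in the thread addresses.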


(xp) #6

We see T46S and some T5X models that ALL register TLS, with known good GoDaddy cert, using chan_SIP and then stop registering after upgrading to PJSIP. T46G, 42G, etc. all work chan or pj.

Would love to have a root cause as we keep just chasing symptoms and hate that.