Phones no longer connecting SSL Error

Hi Folks,

So today everything was working well, all phones connecting and calling. I reset my root password and re-ran the firewall setup and for some reason, all phones are showing what I believe is an SSL error. I updated the SSL certificate and I still can’t connect. Please see the log below. Apart from that I am stumped as it was all working before.

<131>Feb 1 23:58:26 WEB [2514:2533]: WEB <3+error > 106.445.854:Post msg : [RPLAC:GID_ACC] [], 0x10000, 3, 0, []
<131>Feb 1 23:58:27 WEB [2514:2533]: WEB <3+error > 107.755.500:Send msg : [DONOW:NULL] [app_vpPhone], 0x60d02, 0, 0, , 5000
<131>Feb 1 23:58:27 WEB [2514:2533]: WEB <3+error > 107.756.455:CallDskMsgTimeoutEx [0x60d02] lret[0]
<131>Feb 1 15:58:31 cfg [653.654]: CFG <3+error > get attr can not find item priv.auto_provision.mac_local_cfg_md5 err
<131>Feb 1 23:58:39 WEB [2514:2514]: WEB <3+error > 119.382.085:Send msg : [DONOW:NULL] [app_vpPhone], 0x60d03, 0, 1, , 5000
<131>Feb 1 23:58:39 WEB [2514:2514]: WEB <3+error > 119.382.824:CallDskMsgTimeoutEx [0x60d03] lret[0]
<131>Feb 1 23:58:39 WEB [2514:2533]: WEB <3+error > 119.419.790:Post msg : [COMON:] [], 0x10000, 3, 0, []
<131>Feb 1 23:58:39 WEB [2514:2533]: WEB <3+error > 119.448.167:Post msg : [COMON:] [], 0x10000, 2, 0, []
<131>Feb 1 23:58:43 WEB [2514:2533]: WEB <3+error > 123.582.262:Send msg : [DONOW:NULL] [app_vpPhone], 0x60d02, 0, 0, , 5000
<131>Feb 1 23:58:43 WEB [2514:2533]: WEB <3+error > 123.583.097:CallDskMsgTimeoutEx [0x60d02] lret[0]
<131>Feb 1 23:58:48 WEB [2514:2514]: WEB <3+error > 128.303.169:Send msg : [DONOW:NULL] [app_vpPhone], 0x60d03, 0, 1, , 5000
<131>Feb 1 23:58:48 WEB [2514:2514]: WEB <3+error > 128.303.961:CallDskMsgTimeoutEx [0x60d03] lret[0]
<131>Feb 1 23:58:48 WEB [2514:2533]: WEB <3+error > 128.337.960:Post msg : [RPLAC:GID_ACC] [], 0x10000, 3, 0, []
<131>Feb 1 23:58:48 sua [1824]: NET <3+error > [000] New binding with ...**
<131>Feb 1 23:58:49 sua [1824]: NET <3+error > [255] depth=2:/O=Digital Signature Trust Co./CN=DST Root CA X3
<131>Feb 1 23:58:49 sua [1824]: NET <3+error > [255] depth=1:/C=US/O=Let’s Encrypt/CN=R3
<131>Feb 1 23:58:49 WEB [2514:2514]: WEB <3+error > 129.470.826:Send msg : [DONOW:NULL] [app_vpPhone], 0x60d02, 0, 0, , 5000
<131>Feb 1 23:58:49 WEB [2514:2514]: WEB <3+error > 129.471.732:CallDskMsgTimeoutEx [0x60d02] lret[1]
<131>Feb 1 23:58:49 sua [1824]: NET <3+error > [255] depth=0:/CN=sip..co.uk
<131>Feb 1 23:58:50 sua [1824]: NET <3+error > [255] SSL ERROR ZERO RETURN - SHUTDOWN
<131>Feb 1 23:58:50 sua [1824]: NET <3+error > [255] EVP lib in (null) (null)
<131>Feb 1 23:58:580 sua [1824]: DLG <3+error > [255] tls recv message failed, error_code[6]; socket:remote_ip[..], remote_port[]

Check your clock, it’s not 11:58 in the UK yet and TLS is time sensitive

I know, I have now changed the clock on this handset and although I know one is in the wrong time zone the other one which is not working is at the correct time.

Timezones are not a problem, just the system clock. Maybe a factory reset on the recalcitrant clock? Any reason for the Philippines tz?

This is what I get now

<131>Feb 1 16:46:49 sua [1572]: NET <3+error > [255] SSL ERROR ZERO RETURN - SHUTDOWN
<131>Feb 1 16:46:49 sua [1572]: NET <3+error > [255] EVP lib in (null) (null)
<131>Feb 1 16:46:49 sua [1572]: DLG <3+error > [255] tls recv message failed, error_code[6]; socket:remote_ip[46.***.55.***], remote_port[56974]
<131>Feb 1 16:46:49 sua [1572]: DLG <3+error > [255] ssl err detail[code_value: 0, str: error:00000000:lib(0):func(0):reason(0)]
<131>Feb 1 16:46:52 sua [1572]: NET <3+error > [000] New binding with 46.***.55.***
<131>Feb 1 16:46:56 sua [1572]: NET <3+error > [255] depth=2:/O=Digital Signature Trust Co./CN=DST Root CA X3
<131>Feb 1 16:46:56 sua [1572]: NET <3+error > [255] depth=1:/C=US/O=Let’s Encrypt/CN=R3
<131>Feb 1 16:46:56 sua [1572]: NET <3+error > [255] depth=0:/CN=sip.************.co.uk
<131>Feb 1 16:46:57 sua [1572]: NET <3+error > [255] SSL ERROR ZERO RETURN - SHUTDOWN
<131>Feb 1 16:46:57 sua [1572]: NET <3+error > [255] EVP lib in (null) (null)
<131>Feb 1 16:46:57 sua [1572]: DLG <3+error > [255] tls recv message failed, error_code[6]; socket:remote_ip[46.***.55.***], remote_port

https://www.checktimes.com/world/asia/ph/central_luzon/sua/

System shows this, I am in the UK btw

[root@sip ~]# timedatectl
Local time: Mon 2021-02-01 16:53:13 UTC
Universal time: Mon 2021-02-01 16:53:13 UTC
RTC time: Mon 2021-02-01 16:53:13
Time zone: UTC (UTC, +0000)
NTP enabled: yes
NTP synchronized: yes
RTC in local TZ: yes
DST active: n/a

Then it’s not a time problem :)

I would double check certs and such at https://www.ssllabs.com/ssltest/

Yeah comes back all fine, mind is melting. I have got the phones working on TCP for the moment, but I’m guessing even with the RTP encryption it’s not as secure as TLS right?

Although to throw more WTF into the mix, I got a SIP client on my Android phone connected fine by TLS. I had a Polycom do this the other day: it refused to connect by TLS, then I reprogrammed it yesterday and it worked fine until this afternoon. Could it be I am checking server and client on the PJSIP settings and maybe I only need server to be checked? But again the SIP client on the mobile is working fine nevertheless

Checking the client can be problematic as you need to put the cert on the phone, although more secure, is largely unnecessary and as yet those who try and steal your phone calls choose the much lower hanging UDP/5060

If you want to go the extra mile, I suggest you use an obscure domain for TLS whose name and DNS records are not related to your front facing web presence.

That would be incorrect-ish.

The signaling and the voice have nothing to do with each other from that perspective.

The signalling, the sip traffic, never sends credentials unencrypted. Whether you are using UDP, TCP, or TLS. Sure the signalling itself will be in clear text, but there is nothing really important there.

The RTP, the voice, doesn’t care about the SIP.

If you are having cert issues, are you sure the RTP is actually encrypted though? Most phones don’t have a visible marker if the RTP is encrypted or not. Just for the registration.

Just a thought. Not sure if this error is related to the below. However, if you have updated the new cert in PJSIP settings in Asterisk sip settings, you may have to restart services using fwconsole restart.

My vpn connected sangoma phones dropped off today too. I just found some tls errors in the system log.

Yes I did update them and I am not sure if I have restarted the console since though you know, I’ll give it a go once everyone’s off the phone lol

So I restarted the asterisk using fwconsole restart and yeah no luck still, I now have SIPNetic running on 2 android phones running on TLS fine, but hard phones say no dice.

Madness!

So, I have solved it. On the Asterisk SIP settings for PJSIP TLS, I needed to turn off Verify Client as I am not bothered about clients being good I just want clients to check the server. Did that then restarted Asterisk and boom!
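An added example, not part of the thread or of any vendor tooling: a small triage script for phone syslog lines in the format quoted above. It groups `sua` lines into connection attempts and flags the pattern seen here, where the phone logs the server's chain down to `depth=0` and the peer then closes the TLS session (`SSL ERROR ZERO RETURN`, `error_code[6]`), which is consistent with the server-side Verify Client setting that turned out to be the cause. The sample log is constructed with a placeholder address and hostname, and reading the `depth=` lines as the phone's view of the server chain is an assumption.

```python
import re

# Constructed sample, in the format of the phone syslog quoted in the thread.
# The address and hostname are placeholders, not values from the thread.
SAMPLE_LOG = """\
<131>Feb 1 16:46:52 sua [1572]: NET <3+error > [000] New binding with 192.0.2.10
<131>Feb 1 16:46:56 sua [1572]: NET <3+error > [255] depth=2:/O=Digital Signature Trust Co./CN=DST Root CA X3
<131>Feb 1 16:46:56 sua [1572]: NET <3+error > [255] depth=1:/C=US/O=Let's Encrypt/CN=R3
<131>Feb 1 16:46:56 sua [1572]: NET <3+error > [255] depth=0:/CN=sip.example.co.uk
<131>Feb 1 16:46:57 sua [1572]: NET <3+error > [255] SSL ERROR ZERO RETURN - SHUTDOWN
<131>Feb 1 16:46:57 sua [1572]: DLG <3+error > [255] tls recv message failed, error_code[6]; socket:remote_ip[192.0.2.10], remote_port[56974]
"""

# <pri>timestamp sua [pid]: MODULE <level> [id] message
LINE_RE = re.compile(r"^<\d+>\w+ +\d+ [\d:]+ sua \[\d+\]: \w+ <[^>]*> \[\d+\] (?P<msg>.*)$")
DEPTH_RE = re.compile(r"^depth=(\d+):(.+)$")


def triage(log_text):
    """Group 'sua' lines into connection attempts and classify each one."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("New binding with"):
            cur = {"peer": msg.split()[-1], "chain": {}, "peer_closed": False}
            attempts.append(cur)
        elif cur is not None and (d := DEPTH_RE.match(msg)):
            cur["chain"][int(d[1])] = d[2]
        # SSL_ERROR_ZERO_RETURN is OpenSSL error code 6: the peer closed the TLS session.
        elif cur is not None and ("SSL ERROR ZERO RETURN" in msg or "error_code[6]" in msg):
            cur["peer_closed"] = True
    for a in attempts:
        if a["peer_closed"] and 0 in a["chain"]:
            # Assumption: depth=N lines are the phone logging the server's chain,
            # so a close after depth=0 points at server-side policy.
            a["verdict"] = "peer_closed_after_server_chain"
        elif a["peer_closed"]:
            a["verdict"] = "peer_closed_before_chain"
        else:
            a["verdict"] = "no_close_logged"
    return attempts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(a["peer"], sorted(a["chain"]), a["verdict"])
```
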
