Phones with TLS are not connecting

PBX Version: 14.0.16.11
Asterisk Version: 16.19.0

I updated my certificate a few days ago and now I noticed that the phones that are using TLS are not connecting / registering. On my browser, I see the certificate is valid until 2022.

In the log file I see:
WARNING[2505] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> <SSL routines-ssl3_get_client_hello-no shared cipher> len: 0 peer

A reboot cleared another error, but the phones are still not connecting:
ssl0x7efd800b2110 Error loading certificate chain file '/etc/asterisk/keys/my.pem': No such file or directory

Any thoughts on how to fix this?

For the first error have you checked out that the cipher suites your image supports are compatible with the cipher suites your phones support?

The second error seems to be a problem with the certificate chain. Is the file with the certificate chain actually located under this path /etc/asterisk/keys/my.pem?
Can the system access this file? Otherwise change it with chown.

Thank you @AdFun7911 for your response. The second error is gone so we are good.

I went to HTTPS Setup >> Settings and I tried all options one by one as well as including the default and SSLProtocol all but still not connecting.

This is SIPS, not HTTPS. HTTPS settings will be irrelevant.

Then renewing the certificate should not affect the phone registration. The phones were working fine before renewing the certificate.

I removed the new certificate and put the old one and I am still having the same issue.

After removing the old certificate, then I had to select the new certificate in the Asterisk SIP Settings. I still have SSL routines-ssl3_get_client_hello-no shared cipher but I also have SSL routines-SSL3_GET_RECORD-wrong version number

In the SSL Method section I tried all options. I made no changes to the endpoint

I would like to try -ciphers ALL for TLS / PJSIP; it seems to help in another application but I do not know where to put it. Any thoughts?

@moussa854 Install openssl on a server that can connect to FreePBX. Then use the command
openssl s_client -cipher "<cipher>" -connect <yourserver.tld>:<port>

You cannot check all ciphers at once, but you can check the ciphers your phones support.
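Added example, not part of the original post: a small POSIX shell wrapper that repeats the openssl s_client check above once per cipher and reports which ones the listener accepts over TLS 1.2. The host, port 5061 and the cipher names in the usage comment are placeholders; the real list has to come from your phone's documentation.

```shell
#!/bin/sh
# Added example: probe a SIP-TLS listener with one TLS 1.2 handshake per cipher.
# Function names are made up for this example; only openssl s_client is a real tool.

# accepted_cipher HOST:PORT CIPHER
# Prints the negotiated cipher and returns 0 if the handshake succeeded.
accepted_cipher() {
    ac_target="$1"
    ac_cipher="$2"
    # </dev/null makes s_client exit after the handshake instead of waiting for input.
    ac_out=$(openssl s_client -tls1_2 -cipher "$ac_cipher" \
                 -connect "$ac_target" </dev/null 2>&1)
    # s_client prints "Cipher is <name>" on success and "Cipher is (NONE)" on failure.
    ac_got=$(printf '%s\n' "$ac_out" |
                 sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1)
    [ -n "$ac_got" ] && [ "$ac_got" != "(NONE)" ] || return 1
    printf '%s\n' "$ac_got"
}

# probe_ciphers HOST:PORT CIPHER...
# Prints one "<cipher><TAB>accepted|rejected" line per cipher tried.
probe_ciphers() {
    pc_target="$1"
    shift
    for pc_cipher in "$@"; do
        if accepted_cipher "$pc_target" "$pc_cipher" >/dev/null; then
            printf '%s\taccepted\n' "$pc_cipher"
        else
            printf '%s\trejected\n' "$pc_cipher"
        fi
    done
}

# Direct use (placeholder host and cipher list):
#   sh probe.sh pbx.example.com:5061 ECDHE-RSA-AES256-GCM-SHA384 AES256-SHA
if [ "$#" -ge 2 ]; then
    probe_ciphers "$@"
fi
```

If every cipher the phone offers comes back rejected, the server log should show the same "no shared cipher" handshake error for each attempt.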

I see another person with a similar issue?!

Maybe this as well?!

The second one represents a case where SRTP is impossible, because the signalling is over UDP, so does not allow a secure key exchange for the SRTP.

My understanding is that he changed it from TLS to UDP because he is having a hard time making TLS work. I did the same; all non-working TLS are now on UDP. I have one extension / endpoint on TLS for testing.

I don't believe our issues are related…

Maybe, maybe not?!

  • My FreePBX is hosted as well.
  • It has been working for years
  • My extensions are PJSIP
  • My HTTPS is working fine

For now my extensions are on UDP, hope someone can help.

Open a support ticket. I have

@defcomllc can you share the link to your ticket here. I will add myself as a watcher rather than opening multiple tickets of the same issue.

Like I said, my issue has none of the symptoms you are experiencing. I found my issue, it's a Digium D65 issue… I created another Extension, set it up in EPM Extension Mapping with a S705 this time… Works perfect. Definitely something with the Digium D65…

Adding same comment on this thread as well:

At least for D-series phones (and likely P-series ones) this will solve TLS issues.

Thank you @hgaibor and @defcomllc. I did also experience the same thing. I believe the setting may have changed when I replaced my old certificate. I did so much troubleshooting and was not sure what worked, but now my phones have been working with tlsv1_2.
