I updated my certificate a few days ago and now I noticed that the phones that are using TLS are not connecting / registering. In my browser, I see the certificate is valid until 2022.
In the log file I see: WARNING[2505] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> <SSL routines-ssl3_get_client_hello-no shared cipher> len: 0 peer
A reboot cleared another error, but the phones are still not connecting: ssl0x7efd800b2110 Error loading certificate chain file '/etc/asterisk/keys/my.pem': No such file or directory
For the first error, have you checked that the cipher suites your image supports are compatible with the cipher suites your phones support?
The second error seems to be a problem with the certificate chain. Is the file with the certificate chain actually located under this path /etc/asterisk/keys/my.pem?
Can the system access this file? Otherwise change it with chown.
I removed the new certificate and put the old one back, and I am still having the same issue.
After removing the old certificate, I then had to select the new certificate in the Asterisk SIP Settings. I still have SSL routines-ssl3_get_client_hello-no shared cipher but I also have SSL routines-SSL3_GET_RECORD-wrong version number.
In the SSL Method section I tried all options. I made no changes to the endpoint.
@moussa854 Install openssl on a server that can connect to FreePBX. Then use the command openssl s_client -cipher "<cipher>" -connect <yourserver.tld>:<port>
You cannot check all ciphers at once, but you can check the ciphers your phones support.
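The per-cipher check described in the post above, written as a loop over a phone's cipher list. This is an added example, not part of the original thread; the host, port and cipher names in the usage line are placeholders, and pinning the protocol with `-tls1_2` is an assumption added here so that `-cipher` is actually what decides the handshake.

```bash
#!/usr/bin/env bash
# Added example: probe a TLS SIP listener once per cipher a phone supports.
# Host, port and cipher names in the usage line are placeholders.

# try_cipher HOST:PORT CIPHER [PROTO_FLAG]
# Prints the negotiated cipher and returns 0 when the handshake completes;
# returns 1 otherwise (the case the server logs as "no shared cipher").
try_cipher() {
  local target="$1" cipher="$2" proto="${3:--tls1_2}" out negotiated
  # -cipher only restricts TLS 1.2 and older, so the protocol is pinned to
  # keep a TLS 1.3 handshake from succeeding with a suite we did not ask for.
  out=$(openssl s_client "$proto" -cipher "$cipher" -connect "$target" \
        </dev/null 2>&1) || true
  # A failed handshake prints "Cipher is (NONE)", which this does not match.
  negotiated=$(printf '%s\n' "$out" |
    sed -n 's/.*Cipher is \([A-Za-z0-9_-]\{1,\}\).*/\1/p' | head -n 1)
  [ -n "$negotiated" ] && printf '%s\n' "$negotiated"
}

# check_ciphers HOST:PORT "CIPHER1 CIPHER2 ..." [PROTO_FLAG]
# Returns 0 if at least one cipher from the phone's list is accepted.
# A cipher the local openssl build no longer ships also shows as "not shared".
check_ciphers() {
  local target="$1" list="$2" proto="${3:--tls1_2}" c shared=0
  for c in $list; do
    if try_cipher "$target" "$c" "$proto" >/dev/null; then
      echo "shared      $c"
      shared=$((shared + 1))
    else
      echo "not shared  $c"
    fi
  done
  [ "$shared" -gt 0 ]
}

# Usage: ./check_ciphers.sh pbx.example.com:5061 "ECDHE-RSA-AES256-GCM-SHA384 AES128-SHA"
if [ "$#" -ge 2 ]; then
  check_ciphers "$@"
fi
```

If every cipher from the phone's documentation comes back "not shared", the server-side cipher list or SSL method is the place to look rather than the certificate.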
My understanding is that he changed it from TLS to UDP because he is having a hard time making TLS work. I did the same; all non-working TLS are now on UDP. I have one extension / endpoint on TLS for testing.
Like I said, my issue has none of the symptoms you are experiencing. I found my issue, it's a Digium D65 issue… I created another Extension, set it up in EPM Extension Mapping with a S705 this time… Works perfect. Definitely something with the Digium D65…
Thank you @hgaibor and @defcomllc. I did also experience the same thing. I believe the setting may have changed when I replaced my old certificate. I did so much troubleshooting and was not sure what worked, but now my phones have been working with tlsv1_2.