PJSIP Issue - Yealink T27G - TLS - Will Not Connect

pjsip
freepbx

#1

Looking for guidance with some troubleshooting.

We use Yealink T27G and Yealink T29G phones at some locations. Our staff came in to one location this morning and discovered that the T27G phones were not connecting to the SIP Server.

We found one T27G that was connecting but was running an old firmware version (69.82.0.30). The rest of the phones were running a firmware from the last 12 months.

We upgraded firmware, factory reset phones and even rebooted the FreePBX server. All to no avail.

The error in the server logs was:

WARNING[11872] pjproject: SSL SSL_ERROR_SSL (Read): Level: 0 err: <218910881> <asn1 encoding routines-ASN1_item_verify-unknown message digest algorithm> len: 32000 peer: 192.168.1.21:12702

Best we can tell, something must have auto-updated on the server over the weekend (I think the server updated Friday Night) and it broke something… That or something expired on the phones (built-in firmware cert??)

Like I said, the T29G phones connect to the server with the latest Yealink Firmware and no issues.

As a “last ditch” effort we set up TLS on CHAN_SIP. We then converted the extensions to “CHAN_SIP” and pointed the non-working phones to the CHAN_SIP TLS port. They registered immediately.

Background:

  • We use a purchased Wildcard Cert from a major vendor for TLS.
  • Phone Server is currently running 14.0.13.23.
  • Current System Version is: 12.7.6-1910-1.sng7
  • This server and extensions have been running without issue since building it. All has been set up from the beginning with PJSIP TLS and extension on TLS.
  • We were able to register the affected phone via PJSIP TLS with a server running 13.0.197.21 and PBX Firmware version 10.13.66-22

Any guidance on troubleshooting why PJSIP stopped working on these extensions would be greatly appreciated.


(Olivier) #2

Can you post your phone config files (MAC.cfg and maybe y000xxx.cfg)?
It seems like some variable substitutions are missing (PHONEIP:PHONEPORT instead of $PHONEIP:$PHONEPORT for instance).
Simply comparing those config files with successful ones would help.


#3

Hello @oliv2831

Thanks so much for responding to my post. I had just replaced my actual IP from the log output with PHONEIP:PHONEPORT because it didn’t seem necessary to troubleshoot the issue and would potentially reveal my internal IP structure to the web, which we try not to do.

To help with confusion I will update the original post with 192.168.1.21:12702

Do you know how else I can troubleshoot this situation?


#4

Just bumping this. I did a side by side config file comparison and see nothing that stands out.
Right now I’m not in a position where I can have 2 wiped out phones with default configs side by side, but that will be the next step.

Does anybody know how I can understand what the Server is telling me with the error? Is the phone sending the wrong version of TLS or something else?


#5

Did you see this??


(Mvogel4949) #6

I’m not doing any TLS encryption but it could be similar I suppose


#7

Hello @ashcortech I suppose this could be related, but the symptoms seem very different. We also do not use the “Responsive Firewall”.

Any other suggestions?


#8

Hello @jgiebler Hopefully this helps.

It looks like the issue you are having is related to the digest algorithm or the hash functions being used. The Yealink T27G’s firmware was updated to support a newer Cipher Suite last year (Sep 2018). The 84 version over 83.
Yealink T27G Doc

If some phones don’t have the update and the ones that do stopped working after a FreePBX update, something must be different with the ciphers the PBX is trying to decrypt from the newer firmware, i.e. the log message stating it doesn’t know what algorithm is being used. Obviously the older firmware still works so the issue kinda points more in the direction of Yealink rather than FreePBX.

This may be a Yealink issue if their new cipher suites they added aren’t good somehow. Probably not likely.

Have you tried using more up to date TLS v1.2? From what I know the Chan_sip drivers are on TLSv1 which is 20 years old now.

You could also go back to the older firmware version that works on the phones. And maybe roll back any recent PBX module updates (those are easy). If you can live with the older firmware it doesn’t look like there were any major bug fixes for the phones you use.
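
Added example (not part of any post in this thread): a small parser for the pjproject warning quoted in post #1 that unpacks the numeric OpenSSL error into its library, function and reason fields. It assumes the OpenSSL 1.0.x/1.1.x error-code layout (8-bit library, 12-bit function, 12-bit reason); the function names, the regex and the library table are this example's own.

```python
import re

# Constructed sample: the warning from post #1, joined onto one line.
SAMPLE = ("WARNING[11872] pjproject: SSL SSL_ERROR_SSL (Read): Level: 0 "
          "err: <218910881> <asn1 encoding routines-ASN1_item_verify-"
          "unknown message digest algorithm> len: 32000 peer: 192.168.1.21:12702")

LINE_RE = re.compile(
    r"pjproject: SSL (?P<ssl_err>\w+) \((?P<op>\w+)\): Level: (?P<level>\d+) "
    r"err: <(?P<code>\d+)> <(?P<text>[^>]*)> len: (?P<len>\d+) "
    r"peer: (?P<peer>\S+)")

# Subset of the ERR_LIB_* numbers from OpenSSL's err.h.
ERR_LIBS = {6: "EVP", 9: "PEM", 11: "X509", 13: "ASN1", 20: "SSL"}


def unpack_openssl_error(code):
    """Split a packed OpenSSL 1.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_pjsip_ssl_warning(line):
    """Return the decoded fields of a pjproject SSL warning, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    code = int(m.group("code"))
    lib, func, reason = unpack_openssl_error(code)
    # The bracketed text is "library-function-reason", joined by dashes.
    parts = m.group("text").split("-", 2)
    parts += [""] * (3 - len(parts))
    return {
        "peer": m.group("peer"),
        "operation": m.group("op"),
        "hex": f"{code:08X}",  # the form OpenSSL prints in its error queue
        "lib": ERR_LIBS.get(lib, f"lib {lib}"),
        "func_code": func,
        "reason_code": reason,
        "function": parts[1],
        "reason": parts[2],
    }


def is_signature_digest_failure(info):
    # ASN1_item_verify checks the signature on a signed ASN.1 object such as
    # an X.509 certificate; this reason means the local OpenSSL build does not
    # recognise the digest named in that object's signature algorithm.
    return (info is not None and info["lib"] == "ASN1"
            and info["function"] == "ASN1_item_verify")
```

For the line above this yields hex `0D0C50A1`, which is the form `openssl errstr` takes as its argument on an OpenSSL 1.x host.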


#9

@K1m1z This response is very helpful. I have been away for a while. I’m hoping to look into this more this week.

Thank you again for such a researched answer.

