This is my first post. I have a problem with TLS on PJSIP (not using SIP at the moment). I have been trying to fix it for the last few days with no luck, so I decided to ask for help here. I have some experience with VoIP and encryption, though not with FreePBX/Asterisk.
PJSIP udp/5060, tcp/5062, tls/5065
Firewall ports are open (telnet to 5060), there is no NAT (VM in the cloud with a public IP), and the lsof command shows:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
asterisk 1180 asterisk 43u IPv4 18309 0t0 UDP *:sip
asterisk 1180 asterisk 16u IPv4 18810 0t0 TCP *:5065 (LISTEN)
I removed the default certificate authority and generated it from scratch, together with a new self-signed certificate and the respective pkcs12/pem for the client. I uploaded the CA and the pkcs12 to the client.
The problem, however, is that in tshark I can see that TLS fails. I even tried changing it to a lower version, but it fails anyway.
7 3.289519851 ext_home_IP ext_ast_IP TLSv1 374 Client Hello
8 3.289537015 ext_ast_IP ext_home_IP TCP 56 5065 54101 [ACK] Seq=1 Ack=319 Win=30336 Len=0
9 3.298714344 ext_ast_IP ext_home_IP TLSv1.2 63 Alert (Level: Fatal, Description: Handshake Failure)
10 3.298811682 ext_ast_IP ext_home_IP TCP 56 5065 54101 [FIN, ACK] Seq=8 Ack=319 Win=30336 Len=0
11 3.329211013 ext_home_IP ext_ast_IP TCP 56 54101 5065 [ACK] Seq=319 Ack=8 Win=17408 Len=0
I tested this with both the IP address and the FQDN for the registrar server (using the same FQDN for the certificate authority and the respective certificates). I still get the same error and of course can't make a call, saying that the
[2019-01-19 15:18:41] ERROR: res_pjsip/config_transport.c:665 transport_apply: Transport '0.0.0.0-tcp' could not be started: Address already in use
[2019-01-19 15:18:41] ERROR: res_sorcery_config.c:407 sorcery_config_internal_load: Could not create an object of type 'transport' with id '0.0.0.0-tcp' from configuration file 'pjsip.conf'
Now I'm wondering how these two things can be related. Do I need to have TCP and TLS on the same port? But I'm using DTLS; shouldn't that use UDP? I've seen some older post where some change was required on the extension, but I haven't found it in the new FreePBX (autodomain, since I was trying to use the FQDN, and a few other flags).
I've read through the community a couple of times and tried this and that, but I'm not sure what else I can test to make it work. When I revert back to UDP, I can make calls fine again, with two-way audio.
Edit: I just tested it and found a slightly different error:
[2019-01-21 12:05:05] WARNING: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336130315> len: 0
I don't see any TLS fatal error anymore.
Any advice is appreciated.
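The two clues in this post are more informative than they look. The pjproject warning prints OpenSSL's packed error code as a decimal integer: 336130315 is 0x1408F10B, which OpenSSL reports as "SSL routines:ssl3_get_record:wrong version number", raised when the version bytes in a TLS record header are not a TLS version (typically because something other than TLS, such as plain-text SIP, arrived on the TLS port). The tshark capture, on the other hand, shows the Asterisk side answering the Client Hello with a fatal Handshake Failure alert. The script below is an added example, not code from the original post or from Asterisk/pjproject: it unpacks the OpenSSL code into library, function and reason (the ERR_PACK layout used by OpenSSL 1.0.x/1.1.x; OpenSSL 3 no longer records function codes, so that field reads 0 there), recognises the "received alert" reasons OpenSSL encodes as 1000 plus the TLS alert number, and classifies the three tshark lines quoted above to say which side aborted the handshake. The function, reason and alert tables are small subsets I assume here; any code not in them is reported as unknown.

```python
"""Decode pjproject's "err: <N>" OpenSSL error codes and classify a tshark TLS summary.

Added example (not from the original post or from Asterisk/pjproject).
Assumption: the packed layout is OpenSSL's ERR_PACK format, lib in bits 24..31,
function in bits 12..23, reason in bits 0..11 (OpenSSL 1.0.x/1.1.x numbering).
"""

ERR_LIB_SSL = 20              # OpenSSL ERR_LIB_SSL
SSL_AD_REASON_OFFSET = 1000   # reasons >= 1000 mean "peer sent TLS alert (reason - 1000)"

# Assumed subset of OpenSSL 1.0.x/1.1.x SSL function codes
SSL_FUNCTIONS = {
    143: "ssl3_get_record",
    148: "ssl3_read_bytes",
}

# Assumed subset of OpenSSL SSL reason codes
SSL_REASONS = {
    134: "certificate verify failed",   # SSL_R_CERTIFICATE_VERIFY_FAILED
    193: "no shared cipher",            # SSL_R_NO_SHARED_CIPHER
    267: "wrong version number",        # SSL_R_WRONG_VERSION_NUMBER
}

# Assumed subset of TLS alert descriptions (RFC 5246 section 7.2)
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    51: "decrypt_error",
    70: "protocol_version",
}


def decode_openssl_error(code: int) -> dict:
    """Split a packed OpenSSL error code into its library, function and reason fields."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    out = {"hex": f"{code:08X}", "lib": lib, "func": func, "reason": reason}
    if lib != ERR_LIB_SSL:
        out["reason_name"] = "not an SSL-library error"
        return out
    out["func_name"] = SSL_FUNCTIONS.get(func, "unknown")
    if reason >= SSL_AD_REASON_OFFSET:
        # OpenSSL maps a received alert N to reason 1000 + N
        alert = reason - SSL_AD_REASON_OFFSET
        out["reason_name"] = f"received TLS alert {alert} ({TLS_ALERTS.get(alert, 'unknown')})"
    else:
        out["reason_name"] = SSL_REASONS.get(reason, "unknown")
    return out


# The three TLS-relevant tshark lines quoted in the post (frame, time, src, dst, proto, len, info)
TSHARK_SAMPLE = """
7 3.289519851 ext_home_IP ext_ast_IP TLSv1 374 Client Hello
8 3.289537015 ext_ast_IP ext_home_IP TCP 56 5065 54101 [ACK] Seq=1 Ack=319 Win=30336 Len=0
9 3.298714344 ext_ast_IP ext_home_IP TLSv1.2 63 Alert (Level: Fatal, Description: Handshake Failure)
"""


def parse_tshark_summary(text: str) -> list:
    """Turn tshark one-line summaries into dicts; the info column keeps its spaces."""
    frames = []
    for line in text.strip().splitlines():
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        frames.append({"frame": int(parts[0]), "src": parts[2], "dst": parts[3],
                       "proto": parts[4], "info": parts[6]})
    return frames


def classify_handshake(frames: list) -> str:
    """Report which side sent a fatal alert relative to the Client Hello direction."""
    hello = next((f for f in frames if f["info"].startswith("Client Hello")), None)
    alert = next((f for f in frames
                  if f["info"].startswith("Alert") and "Fatal" in f["info"]), None)
    if hello is None:
        return "no Client Hello seen"
    if alert is None:
        return "no fatal alert seen"
    side = "server" if alert["src"] == hello["dst"] else "client"
    desc = alert["info"].split("Description:")[1].strip(" )")
    return (f"{side} {alert['src']} aborted the handshake with fatal alert '{desc}' "
            f"after the Client Hello from {hello['src']}")


if __name__ == "__main__":
    print(decode_openssl_error(336130315))
    print(classify_handshake(parse_tshark_summary(TSHARK_SAMPLE)))
```

A server-originated handshake_failure right after the Client Hello means the server rejected the offer itself (protocol version or cipher suites, or the transport's certificate could not be loaded), before any certificate was presented to the client; a later "wrong version number" from ssl3_get_record points at non-TLS bytes on the TLS socket rather than at certificate trust. Checking which of the two you actually have narrows the search considerably.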