Problem with TLS and certificates over chan-sip in FreePBX

Hello.

I’m having trouble setting up TLS over chan-sip. I’m using a sip-trunk where I have got the authentication to work over TLS, but voice is still sent as plain.
This is with the following settings in Asterisk SIP-settings/chan-sip settings:
Enable TLS = Yes
Certificate manager = “Select a certificate” (I have not selected any certificate)
SSL Method = tlsv1
Don’t verify server = Yes

And my SIP-trunk settings are:
Outgoing:

type=peer
transport=tls
outboundproxy:5065=[proxy-server address],force
host=[SIP-server address]
fromuser=+12345678890
fromdomain=[domain name]
username=[myusername]
secret=[mypassword]
dtmfmode=auto
insecure=port,invite
qualify=yes
canreinvite=no
context=from-trunk

And for incoming:

USER context:

+1234567890

Register string:

tls://+1234567890@[domain]:mypassword:myusername@[SIP-server address]/1234567890

(I have replaced my credentials and server addresses)

The problem is that when I select a certificate in the Asterisk SIP-settings/chan-sip settings, I start to get the following error in the Asterisk console:

[2019-01-30 14:18:32] ERROR[24949]: tcptls.c:727 handle_tcptls_connection: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[2019-01-30 14:18:32] WARNING[24949]: tcptls.c:814 handle_tcptls_connection: FILE * open failed!

And it causes the SIP-trunk to not register at all; it tries, but with this error:

chan_sip.c:15907 sip_reg_timeout: – Registration for ‘+1234567890@[SIP-server address]’ timed out, trying again

That’s incorrect to start with. outboundproxy= not outboundproxy:5065=

Just a quick question too, your provider supports TLS, right?

Yes, they do.
So, the correct way should be

outboundproxy=[proxyserver address],force

Is that correct?

Correct.

That is now corrected. But the SSL-related errors remain. The proxy setting was a little bit of a minor issue in this case.

I never said it was the issue, just that it was not correct. What type of cert is this?

Also, if you are connecting to them why do you need to install a cert?
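
An added example, not part of the thread and not FreePBX or Asterisk code: a small Python check over the outgoing peer settings from the first post. It flags the malformed outboundproxy key pointed out in the replies and, relevant to "voice is still sent as plain", the fact that in chan_sip transport=tls covers SIP signalling only while media encryption (SRTP) is a separate peer option, encryption=yes. The function names and the sample block are constructed for illustration.

```python
import re

# Constructed sample: outgoing peer settings from the first post,
# bracketed placeholders kept as posted, credentials omitted.
PEER_SETTINGS = """\
type=peer
transport=tls
outboundproxy:5065=[proxy-server address],force
host=[SIP-server address]
insecure=port,invite
qualify=yes
canreinvite=no
context=from-trunk
"""

# Option names are letters, digits, '_' or '-' (e.g. call-limit); no ':'.
KEY_RE = re.compile(r"^[A-Za-z0-9_-]+$")
TRUE_VALUES = {"yes", "true", "on", "1"}


def parse_peer(text):
    """Return (settings dict, list of lines whose option name is malformed)."""
    settings, malformed = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if KEY_RE.match(key):
            settings[key.lower()] = value
        else:
            malformed.append(line)
    return settings, malformed


def audit_peer(text):
    """Return findings for one chan_sip peer block, in a fixed order."""
    settings, malformed = parse_peer(text)
    findings = [f"malformed option name: {line}" for line in malformed]
    transports = [t.strip() for t in settings.get("transport", "udp").split(",")]
    if "tls" in transports and settings.get("encryption", "no").lower() not in TRUE_VALUES:
        findings.append("transport=tls protects SIP signalling only; "
                        "media stays plain RTP unless encryption=yes (SRTP)")
    if "invite" in [v.strip() for v in settings.get("insecure", "").split(",")]:
        findings.append("insecure=invite: incoming INVITEs are not authenticated")
    return findings


if __name__ == "__main__":
    for finding in audit_peer(PEER_SETTINGS):
        print("-", finding)
```
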
