Regarding the issue with TLS encryption ports being enabled

I plan to map the SIP service on FreePBX to the public network, but directly mapping the TCP port seems a bit insecure. So I plan to map the TLS-encrypted port to the public network instead. When I opened the port and was preparing to submit the TLS certificate, I couldn't find where to submit it. How can I submit the TLS certificate to FreePBX and make it effective?

You manage/create certificates under Admin → Certificate Manager and then configure/use those certificates under System Admin → HTTPS Setup.

It is indeed possible to do this, but the v6 Internet line connected to my FreePBX server has no speed limit and can run up to the speed of the upstream ISP's broadband access data centre, while v4 is limited according to the line access contract. It is indeed possible for v4 and v6 to resolve to the same domain name and to configure TLS on it, but the DNS used will not resolve the v6 address first every time, so the advantageous v6 link will not be used for SIP phone communication. So, can FreePBX be configured with dual TLS ports? That is, one TLS port for v4 and one TLS port for v6?

I believe having multiple TLS transports is problematic. But that said, it is usually seen only with multiple IPv4 transports. Would need to check on IPv6 interfering.

That isn’t going to help you at all and you have a fundamental misunderstanding of how IPv6 works.

By standard, an IPv6 connection is ALWAYS attempted first if both IPv6 and IPv4 records (an A and a AAAA record) are returned on a DNS query. It makes no difference if the DNS query response lists the AAAA record after the A record. If the IPv6 connection fails then it falls back to IPv4. Not the other way around like you think it does.

Secondly, if a TLS port is opened then, assuming whatever is listening on that port is compiled on a reasonably new version of Linux, both IPv6 and IPv4 will be open and listening on that port. The programmers would have had to go out of their way to disable IPv6 listening in the FreePBX code for it to be otherwise.

If you are not seeing IPv6 connections, it's because the clients (not you) decided to use IPv4. Most likely because they don't have valid IPv6 addresses.

I have solved this problem. Upload the certificate to the server, then go to the /etc/asterisk folder, find pjsip.transports.conf, and modify the certificate path to the uploaded certificate's path.
The original plan was to separately publish the TLS port on the v6 public network, but the v6 adoption rate in my region is too low.
So I came up with a compromise solution, which is to have my own tunnel service's DNS rewrite the domain name bound to the TLS port of FreePBX to the FreePBX server's v4 address.
The 0.0.0.0:5061 in the original configuration file does not listen on v6. I changed it to [::]:5061. After the change, v6 is listening, but v4 is not listening. How can you solve this problem?
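The last post edits pjsip.transports.conf by hand and then finds that a transport bound to [::]:5061 listens on v6 but no longer on v4. A small audit script makes that kind of edit checkable before restarting Asterisk: it parses each transport section, classifies its bind address by family and port, flags TLS transports whose cert_file or priv_key_file is unset or points at a file that does not exist, flags cleartext udp/tcp transports that would be exposed if mapped to the public network, and summarises which address families each TLS port is covered by. This is an added example, not FreePBX or Asterisk code; the sample configuration and certificate paths are constructed, and the file-existence check is injectable so the script runs offline. It assumes, as the last post observed, that one transport bound to [::] covers IPv6 only, so a port needs one IPv4 and one IPv6 transport to be reachable on both.

```python
import configparser
import ipaddress
import os

# Constructed sample in the shape of /etc/asterisk/pjsip.transports.conf.
# Section names, key names (bind, protocol, cert_file, priv_key_file) follow
# Asterisk's pjsip transport options; the paths are placeholders, not real files.
SAMPLE_CONF = """\
[0.0.0.0-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/freepbx.example.crt
priv_key_file=/etc/asterisk/keys/freepbx.example.key
method=tlsv1_2

[0.0.0.0-tcp]
type=transport
protocol=tcp
bind=0.0.0.0:5060

[ipv6-tls]
type=transport
protocol=tls
bind=[::]:5061
cert_file=/etc/asterisk/keys/freepbx.example.crt
"""


def parse_bind(value, default_port=5060):
    """Split a pjsip bind= value into (ip_address object, port).

    Accepts "0.0.0.0:5061", "0.0.0.0", "[::]:5061", "[::]" and a bare "::".
    """
    value = value.strip()
    if value.startswith("["):                  # [v6addr]:port or [v6addr]
        host, _, rest = value[1:].partition("]")
        port_str = rest.lstrip(":")
    elif value.count(":") > 1:                 # bare IPv6 address, no port
        host, port_str = value, ""
    else:                                      # v4addr:port or v4addr
        host, _, port_str = value.partition(":")
    port = int(port_str) if port_str else default_port
    return ipaddress.ip_address(host), port


def audit_transports(conf_text, file_exists=os.path.isfile):
    """Return one finding dict per [type=transport] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if sec.get("type") != "transport":
            continue
        proto = sec.get("protocol", "udp").lower()
        addr, port = parse_bind(sec.get("bind", "0.0.0.0"))
        issues = []
        if proto in ("udp", "tcp"):
            # Signalling (and credentials in REGISTER) travel unencrypted here.
            issues.append("cleartext SIP signalling on this transport")
        if proto == "tls":
            for key in ("cert_file", "priv_key_file"):
                path = sec.get(key)
                if not path:
                    issues.append(f"{key} not set")
                elif not file_exists(path):
                    issues.append(f"{key} points to a missing file: {path}")
        findings.append({
            "transport": name,
            "protocol": proto,
            "family": "IPv6" if addr.version == 6 else "IPv4",
            "port": port,
            "wildcard": addr.is_unspecified,
            "issues": issues,
        })
    return findings


def family_coverage(findings, protocol="tls"):
    """Map each port of the given protocol to the set of families it is bound on."""
    cover = {}
    for f in findings:
        if f["protocol"] == protocol:
            cover.setdefault(f["port"], set()).add(f["family"])
    return cover


if __name__ == "__main__":
    # Pretend only the .crt file has been uploaded so the report shows a finding.
    report = audit_transports(SAMPLE_CONF, file_exists=lambda p: p.endswith(".crt"))
    for f in report:
        print(f"{f['transport']:>14} {f['protocol']:<4} {f['family']} port {f['port']}"
              f"{' (wildcard)' if f['wildcard'] else ''}")
        for issue in f["issues"]:
            print(f"{'':>14}   ! {issue}")
    for port, fams in sorted(family_coverage(report).items()):
        print(f"TLS port {port} covered on: {', '.join(sorted(fams))}")
```

Run it against the real file with `audit_transports(open("/etc/asterisk/pjsip.transports.conf").read())` to use the default on-disk check. The script only inspects the configuration; after a restart, confirm what is actually bound with `ss -ltnp` and expect one IPv4 and one IPv6 listener on 5061 when both transports are present.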
