[SOLVED] Can't connect to PBX using TLS/PJSIP

Hi, for the last few days I've been having issues with extensions using TLS.
My Bria and another extension using Bria cannot register. My phone says 408 timeout, the other Bria says ‘503 No Shared TLS Cipher’

Another remote extension using Bria has the following showing up in cli>
WARNING[4583]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336027900> len: 0 peer:

The Freepbx server has valid Sectigo SSL certificate for its FQDN. Certificate Management displays: Valid Until 2022-06-13 (135 days)

Deleted the certificate and noticed in /etc/asterisk/keys/integrations the 3 files were still present even though the certificate was deleted. Put back the certificate, key and ca-bundle in Certificate Management.

We have a slightly different setup in that 5060/5061 = chan_sip and 5160/5161 = pjsip. I don’t see how that really would be causing this TLS issue.

SRTP seems to be working though.
Openssl connection attempt to PJSIP TLS port 5161
openssl s_client -showcerts -connect XX.XX.XX.XX:5161
140446832570816:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:…/ssl/record/rec_layer_s3.c:1528:SSL alert number 40

no peer certificate available

No client certificate CA names sent

SSL handshake has read 7 bytes and written 315 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Running the same openssl command but changing to port 5061, it shows the certificate:

openssl s_client -showcerts -connect xx.xx.xx.xx:5061
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = FQDN
verify return:1

Certificate chain
0 s:CN = FQDN
i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA

Asterisk version: 18.6.0
PBX version: 12.7.8-2107-3.sng7

Thanks for any help with this issue.

Possibly that’s the truth. Look at the TLS handshake with Wireshark and see which ciphers are being offered and which are being accepted. An update to one end or the other may be now disallowing an older (insecure) version that the other end is requiring.

Just updated the posting. See the attempts with OPENSSL to PJSIP port 5161.

Found the issue to be the TLS version in SIP Settings/PJSIP. It was set to tlsv1_1. Changed the version to tlsv1_2 and that fixed the issue.
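As an added example (not code from the thread or from FreePBX), here is a small POSIX sh script that turns the manual openssl s_client probe above into a per-protocol-version check, so a mismatch like the tlsv1_1 setting found here shows up as one row that handshakes while the others fail. It assumes openssl is installed, that PBX_HOST and the port are placeholders you supply, and that the match strings in classify_handshake are OpenSSL's usual alert/error wording (the "alert handshake failure" line is from the thread; the others are assumed from OpenSSL's error messages).

```shell
#!/bin/sh
# Added example (not from the thread): probe which TLS protocol versions a
# SIP-over-TLS port will negotiate, using openssl s_client as the poster did.
# PBX_HOST / port are placeholders; 5161 is the PJSIP TLS port from the thread.

# classify_handshake: read openssl s_client output on stdin, print one verdict word.
# The match strings are OpenSSL's own alert/error wording (assumed; check your version).
classify_handshake() {
    out=$(cat)
    case "$out" in
        # server refused every cipher/version the client offered (the thread's 5161 probe)
        *"alert handshake failure"*|*"no shared cipher"*) echo "handshake-failure" ;;
        # server does not speak the protocol version forced with -tls1_x
        *"alert protocol version"*|*"unsupported protocol"*|*"wrong version number"*) echo "version-rejected" ;;
        # connection ended without any negotiated cipher
        *"Cipher is (NONE)"*) echo "no-cipher" ;;
        # a cipher suite was agreed, so the handshake completed
        *"Cipher is "*) echo "ok" ;;
        *) echo "unknown" ;;
    esac
}

# probe_version HOST PORT FLAG: force one protocol version (-tls1, -tls1_1, -tls1_2, -tls1_3).
# Note: a modern client-side OpenSSL may itself refuse -tls1/-tls1_1 at its default
# security level; that shows up as "unknown" or "version-rejected", not as a server fault.
probe_version() {
    host=$1; port=$2; flag=$3
    # </dev/null makes s_client exit after the handshake instead of waiting for stdin
    openssl s_client -connect "$host:$port" -servername "$host" "$flag" </dev/null 2>&1 | classify_handshake
}

# probe_all HOST PORT: one line per protocol version. A PBX pinned to tlsv1_1 would
# show "ok" only on the -tls1_1 row, which is the mismatch the thread ran into.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
    done
}

# Usage: sh tls_probe.sh PBX_HOST [PORT]   (network access only when a host is given)
if [ -n "${1:-}" ]; then
    probe_all "$1" "${2:-5161}"
fi
```

Run it against the PBX's FQDN and the PJSIP TLS port; compare the rows with the TLS version selected in SIP Settings/PJSIP and with what the softphones support, and remember that the client's own OpenSSL build may refuse to offer the oldest versions at all.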
