SOLVED TLS/SRTP on Digium Phones? SRTP not working

Hey all,

Trying to set up Digium D62/65/80 phones with cloud based FreePBX 14 system. I want to use TLS and SRTP. I’ve been working on this for a while now with no success using either Digium Phone Config module or EPM.

Since I believe Digium Phone Config module is being deprecated eventually due to the merger I’d ideally like to accomplish this through EPM but can’t find any instructions detailed enough on how to accomplish this.

Does anyone have a link or information that can point me in the correct direction?

Thanks in advance!

Ok, Some success using Digium Phone Config module.

I’ve got a D62 to register and connect with TLS using PJSip (gave up on Chan_Sip).

Now I need to get it to work with SRTP. If I set the extension to use: Media Encryption SRTP via in-SDP (recommended) outbound calls fail immediately and inbound calls go right to unavailable VM.

In the Asterisk log I only get: Setting global variable ‘SIPDOMAIN’ to ‘host.mydomain.com’

If I set Media Encryption to “None” calls work fine in both directions.

Any thoughts on what I should check?

I can’t speak to anything above the level of the phone…and maybe a little bit of Asterisk itself. The PJSIP endpoint for the phone will need to have media_encryption=yes set. We don’t do opportunistic (optimistic) SRTP on the D-Series phones; we only do it in an enforced manner…or not at all.

For the phone itself, it’s controlled via the media_encryption option of the host_primary account configuration element. If the phone’s being XML-configured, set it to “sdes.” If the phone’s being configured by old-school DPMA key-value pairs, then it’s a type=line setting “media_encryption=sdes”

Malcolm, many thanks for jumping in.

I’m configuring the phone using the Digium Phones module in FreePBX so it’s a DPMA configuration.

the /etc/asterisk/pjsip.endpoint_custom.conf file shows the following:

[303]
type=endpoint
aors=303
auth=303-auth
tos_audio=ef
tos_video=af41
cos_audio=5
cos_video=4
allow=ulaw,alaw,gsm,g726,g722
context=from-internal
callerid=TLS_SRTP TEst <303>

dtmf_mode=rfc4733
mailboxes=303@default

mwi_subscribe_replaces_unsolicited=yes
transport=0.0.0.0-tls
aggregate_mwi=yes
use_avpf=no
rtcp_mux=no
ice_support=no
media_use_received_transport=no
trust_id_inbound=yes
media_encryption=sdes
timers=yes
media_encryption_optimistic=no
send_pai=yes
rtp_symmetric=yes
rewrite_contact=yes
force_rport=yes
language=en
one_touch_recording=on
record_on_feature=apprecord
record_off_feature=apprecord

Do you see anything wrong there that I’m missing?

For the endpoint, that appears correct.

Did you verify that you’re loading a configuration onto the phone that tells it to enable media_encryption for the host_primary?

Did you ensure you’re using firmware at least 2_2_1_8?

The D80 doesn’t do TLS signaling, nor SDES SRTP.

firmware is 2.8.5

not sure how to look at the actual config file on the phone itself but all other settings appear to take just fine. TLS is working and I’ve got the little shield next to the extension number on the display.

Is there a way I can look at the actual config file on the phone through its web interface or pull it off somehow?

There are two shields. A shield on the line registration is for TLS registration. A shield on the call handle during active calls is for SRTP.
Does the INVITE from the phone indicate AVP (not SRTP) or SAVP (SRTP) in the m=audio line? If it’s the former, then I’d hazard that the phone isn’t being directed to enable media encryption.
Where are you telling the phone to enable media encryption? Did you look at the config file that the Digium Phones Add-on for FreePBX is generating? Did you verify that the phone had been sent a reconfigure after the file including the type=line media_encryption=sdes option had been reloaded by Asterisk? Did the phone respond to the reconfigure command?

yes, I’m aware there are two shields, my point was the TLS side of the TLS/SRTP config seems to be working. The second shield appears on the call status display when it’s using SRTP.

I’m guessing I’ll need wireshark to see the INVITE from the phone?

Asterisk logs show only the message I posted above when I try a call using SRTP:

"Setting global variable ‘SIPDOMAIN’ to ‘host.mydomain.com

I’m telling the phone to enable encryption in the FreePBX extension settings. Application > Extension > > Advanced > Media Encryption

I thought the file I had posted was the file generated by DPMA. Since you’re asking, I’m guessing that’s not it. What’s the path to it?

Yes, the phone seems to respond to reconfig commands. I’ve even factory defaulted between some changes to ensure there’s not garbage left over.

here’s something interesting… suddenly inbound calls to the ring group won’t ring PJSIP phones. I look in the Digium Phones module on the FreePBX GUI and it’s not showing the PJSip TLS phone as registered… It does however show the chan_sip non TLS phone.

there’s something deeper going on here. NAT maybe?

reboot the PJSip TLS phone and now it responds to inbound calls to the ring group however it’s still not showing as registered in the Digium Phone app.

after about 5 min I see this pop up in the asterisk logs:

Contact 303/sip:303@:48733;transport=TLS;ob is now Unreachable. RTT: 0.000 msec
– Updating DPMA user ‘303’ uri=‘pjsip::48733;transport=TLS’ ua=‘Digium D62 2_8_5’
– Updating DPMA user ‘303’ uri=‘pjsip::48733;transport=TLS’ ua=‘Digium D62 2_8_5’

and then I try inbound calls and sure enough, the extension does not ring.

  1. You can turn on the SIP debugging from inside the Asterisk CLI. pjsip set logger host yourhosthere.

  2. The FreePBX extension settings only affect the PJSIP endpoint configuration. That doesn’t affect the phone’s configuration.

  3. You’re probably looking for res_digium_phone_devices.conf.

If NAT is involved, you’re going to want to make sure that rewrite_contact=yes is set for the PJSIP endpoint if you’re using TCP or TLS for the signaling protocol.

I don’t think we’ve identified any issue w/ the phone. Things above the phone (FreePBX, Digium Phones Add-on for FreePBX, EPM, etc.) are outside of my purview.

probably true but I do appreciate you looking at it and trying. You’re at least helping point me in a better direction to resolve it.

when you say “yourhosthere” is that the phone IP or the PBX?

I’m testing with two phones. The PBX is running in the cloud on Vultr and the phones are inside my network. rewrite_contact=yes is set in the PJsip extension settings by default.

The IP of the phone. e.g.

pjsip set logger host 1.2.3.4

then to turn it off

pjsip set logger off

turn it on, make a call from the phone, inspect the INVITE. you can see what asterisk sends in response to the phone, as well.
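
The check suggested above (turn on the logger, place a call, see whether the phone's INVITE offers RTP/AVP or RTP/SAVP and what Asterisk answers) can be scripted. This is an added example, not part of the original posts: the sample log is constructed, and the function names and the labels returned by classify_audio are this example's own.

```python
import re

# Banner "pjsip set logger" prints per message; arrows matched loosely (often mangled).
BANNER = re.compile(r"^<\S+ \w+ SIP \w+ \(\d+ bytes\) \w+ (\S+) \S+>$")

def messages(log_text):
    """Yield (peer, start_line, headers, sdp_lines) per SIP message."""
    chunks = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            chunks.append((m.group(1), []))
        elif chunks and not line.startswith(("== ", "-- ")):
            chunks[-1][1].append(line)       # skip Asterisk verbose lines
    for peer, lines in chunks:
        head = lines[:lines.index("")] if "" in lines else lines
        if not head:
            continue
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (h.partition(":") for h in head[1:])}
        yield peer, head[0], headers, [l for l in lines[len(head):] if l]

def classify_audio(sdp):
    """Classify the m=audio section by transport profile and a=crypto."""
    proto, crypto, in_audio = None, False, False
    for l in sdp:
        if l.startswith("m="):
            in_audio = l.startswith("m=audio ")
            proto = l.split()[2] if in_audio else proto
        elif in_audio and l.startswith("a=crypto:"):
            crypto = True
    if proto in ("RTP/SAVP", "RTP/SAVPF"):
        return "sdes-srtp" if crypto else "savp-without-crypto"
    if proto in ("RTP/AVP", "RTP/AVPF"):
        return "avp-with-crypto" if crypto else "plaintext-rtp"
    return "no-audio" if proto is None else "other:" + proto

def audit(log_text):
    """Pair every INVITE offer with the final response to the same CSeq."""
    offers, finals = [], {}
    for peer, start, hdr, sdp in messages(log_text):
        number, _, method = hdr.get("cseq", "").partition(" ")
        key = (hdr.get("call-id"), number)
        if start.startswith("INVITE ") and sdp:
            offers.append((key, peer, classify_audio(sdp)))
        elif start.startswith("SIP/2.0 ") and method == "INVITE":
            code = int(start.split()[1])
            if code >= 200:                  # ignore 100 Trying and friends
                finals[key] = code
    return [{"call_id": k[0], "cseq": k[1], "peer": p, "offer": o,
             "final": finals.get(k)} for k, p, o in offers]

# Constructed sample (not a real capture): one plaintext offer, one SDES offer.
SAMPLE_LOG = """\
<--- Received SIP request (350 bytes) from TLS:198.51.100.7:58952 --->
INVITE sip:100@pbx.example.test:5161;transport=tls SIP/2.0
Call-ID: constructed-1
CSeq: 2 INVITE

m=audio 4008 RTP/AVP 0 8
<--- Transmitting SIP response (200 bytes) to TLS:198.51.100.7:58952 --->
SIP/2.0 488 Not Acceptable Here
Call-ID: constructed-1
CSeq: 2 INVITE
<--- Received SIP request (420 bytes) from TLS:198.51.100.8:34489 --->
INVITE sip:100@pbx.example.test:5161;transport=tls SIP/2.0
Call-ID: constructed-2
CSeq: 1 INVITE

m=audio 4010 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED+KEY+NOT+REAL
<--- Transmitting SIP response (200 bytes) to TLS:198.51.100.8:34489 --->
SIP/2.0 200 OK
Call-ID: constructed-2
CSeq: 1 INVITE
"""

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

A row with offer "plaintext-rtp" and final 488 means signalling is on TLS but the phone never offered SRTP, so the phone-side configuration is the place to look.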

that’s what I thought, the issue is the phones show up with my router’s external IP, not their own.

<— Received SIP request (1109 bytes) from TLS:x.x.x.234:58952 —>
INVITE sip:@<myhost.mydomain.com>:5161;transport=tls SIP/2.0
Via: SIP/2.0/TLS x.x.x.234:58952;rport;branch=z9hG4bKPjgDrHumKRLPgogo2NqLkNXuR2TYgBm11h;alias
Max-Forwards: 70
From: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>;tag=F-EabR3woaIxeU1XCP1eoDGFSMyvrB1U
To: <sip:@<myhost.mydomain.com>>
Contact: sip:[email protected]:58952;transport=TLS;ob
Call-ID: W5YAxgQOdnOTVkXO1AXfg61DsJyUqnwp
CSeq: 5860 INVITE
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Supported: replaces, 100rel, timer, norefersub
Session-Expires: 1800
Min-SE: 90
User-Agent: Digium D62 2_8_5
Content-Type: application/sdp
Content-Length: 350

v=0
o=- 259440961 259440961 IN IP4 192.168.1.101
s=digphn
b=AS:84
t=0 0
a=X-nat:0
m=audio 4008 RTP/AVP 0 8 9 111 96
c=IN IP4 192.168.1.101
b=TIAS:64000
a=rtcp:4009 IN IP4 192.168.1.101
a=sendrecv
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:9 G722/8000
a=rtpmap:111 G726-32/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-16

<— Transmitting SIP response (634 bytes) to TLS:x.x.x.234:58952 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS x.x.x.234:58952;rport=58952;received=x.x.x.234;branch=z9hG4bKPjgDrHumKRLPgogo2NqLkNXuR2TYgBm11h;alias
Call-ID: W5YAxgQOdnOTVkXO1AXfg61DsJyUqnwp
From: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>;tag=F-EabR3woaIxeU1XCP1eoDGFSMyvrB1U
To: <sip:@<myhost.mydomain.com>>;tag=z9hG4bKPjgDrHumKRLPgogo2NqLkNXuR2TYgBm11h
CSeq: 5860 INVITE
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1564069671/0790244bbb6d9c498dab074f6ce1527a”,opaque=“5def3a3926377508”,algorithm=md5,qop=“auth”
Server: FPBX-14.0.13.4(13.22.0)
Content-Length: 0

<— Received SIP request (497 bytes) from TLS:x.x.x.234:58952 —>
ACK sip:@<myhost.mydomain.com>:5161;transport=tls SIP/2.0
Via: SIP/2.0/TLS x.x.x.234:58952;rport;branch=z9hG4bKPjgDrHumKRLPgogo2NqLkNXuR2TYgBm11h;alias
Max-Forwards: 70
From: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>;tag=F-EabR3woaIxeU1XCP1eoDGFSMyvrB1U
To: <sip:@<myhost.mydomain.com>>;tag=z9hG4bKPjgDrHumKRLPgogo2NqLkNXuR2TYgBm11h
Call-ID: W5YAxgQOdnOTVkXO1AXfg61DsJyUqnwp
CSeq: 5860 ACK
Content-Length: 0

<— Received SIP request (1448 bytes) from TLS:x.x.x.234:58952 —>
INVITE sip:@<myhost.mydomain.com>:5161;transport=tls SIP/2.0
Via: SIP/2.0/TLS x.x.x.234:58952;rport;branch=z9hG4bKPjJfWAHEHgyy723NcL8WEAo79VOz0w.zCG;alias
Max-Forwards: 70
From: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>;tag=F-EabR3woaIxeU1XCP1eoDGFSMyvrB1U
To: <sip:@<myhost.mydomain.com>>
Contact: sip:[email protected]:58952;transport=TLS;ob
Call-ID: W5YAxgQOdnOTVkXO1AXfg61DsJyUqnwp
CSeq: 5861 INVITE
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Supported: replaces, 100rel, timer, norefersub
Session-Expires: 1800
Min-SE: 90
User-Agent: Digium D62 2_8_5
Authorization: Digest username=“302”, realm=“asterisk”, nonce=“1564069671/0790244bbb6d9c498dab074f6ce1527a”, uri=“sip:@<myhost.mydomain.com>:5161;transport=tls”, response=“dec62003316445710c7d3b8737facbe4”, algorithm=md5, cnonce=“VIIFnpCv8fMmTm4Ekn2yW9jE6lhJQD5t”, opaque=“5def3a3926377508”, qop=auth, nc=00000001
Content-Type: application/sdp
Content-Length: 350

v=0
o=- 259440961 259440961 IN IP4 192.168.1.101
s=digphn
b=AS:84
t=0 0
a=X-nat:0
m=audio 4008 RTP/AVP 0 8 9 111 96
c=IN IP4 192.168.1.101
b=TIAS:64000
a=rtcp:4009 IN IP4 192.168.1.101
a=sendrecv
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:9 G722/8000
a=rtpmap:111 G726-32/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-16

== Setting global variable ‘SIPDOMAIN’ to ‘<myhost.mydomain.com>’
<— Transmitting SIP response (435 bytes) to TLS:x.x.x.234:58952 —>
SIP/2.0 100 Trying
Via: SIP/2.0/TLS x.x.x.234:58952;rport=58952;received=x.x.x.234;branch=z9hG4bKPjJfWAHEHgyy723NcL8WEAo79VOz0w.zCG;alias
Call-ID: W5YAxgQOdnOTVkXO1AXfg61DsJyUqnwp
From: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>;tag=F-EabR3woaIxeU1XCP1eoDGFSMyvrB1U
To: <sip:@<myhost.mydomain.com>>
CSeq: 5861 INVITE
Server: FPBX-14.0.13.4(13.22.0)
Content-Length: 0

<— Transmitting SIP response (489 bytes) to TLS:x.x.x.234:58952 —>
SIP/2.0 488 Not Acceptable Here
Via: SIP/2.0/TLS x.x.x.234:58952;rport=58952;received=x.x.x.234;branch=z9hG4bKPjJfWAHEHgyy723NcL8WEAo79VOz0w.zCG;alias
Call-ID: W5YAxgQOdnOTVkXO1AXfg61DsJyUqnwp
From: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>;tag=F-EabR3woaIxeU1XCP1eoDGFSMyvrB1U
To: <sip:@<myhost.mydomain.com>>;tag=a87185a6-e414-47d2-ab3c-77288653ab7a
CSeq: 5861 INVITE
Server: FPBX-14.0.13.4(13.22.0)
Content-Length: 0

<— Received SIP request (492 bytes) from TLS:x.x.x.234:58952 —>
ACK sip:@<myhost.mydomain.com>:5161;transport=tls SIP/2.0
Via: SIP/2.0/TLS x.x.x.234:58952;rport;branch=z9hG4bKPjJfWAHEHgyy723NcL8WEAo79VOz0w.zCG;alias
Max-Forwards: 70
From: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>;tag=F-EabR3woaIxeU1XCP1eoDGFSMyvrB1U
To: <sip:@<myhost.mydomain.com>>;tag=a87185a6-e414-47d2-ab3c-77288653ab7a
Call-ID: W5YAxgQOdnOTVkXO1AXfg61DsJyUqnwp
CSeq: 5861 ACK
Content-Length: 0

<— Received SIP request (765 bytes) from TLS:x.x.x.234:58952 —>
REGISTER sip:<myhost.mydomain.com>:5161;transport=tls SIP/2.0
Via: SIP/2.0/TLS x.x.x.234:58952;rport;branch=z9hG4bKPjqIYKfuBo1F7.ueCqyygIpD8VuCK1hhbx;alias
Max-Forwards: 70
From: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>;tag=d3ZXPeN.aO9QSO.UlI1ED8m8ix5MZSxk
To: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>
Call-ID: hwCfW4H8eZ19HM19Ey-Jg.531yKvw9Cx
CSeq: 45017 REGISTER
User-Agent: Digium D62 2_8_5
Supported: outbound, path
Contact: sip:[email protected]:58952;transport=TLS;ob;reg-id=1;+sip.instance=“urn:uuid:00000000-0000-0000-0000-0000aba11f13
Expires: 300
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Content-Length: 0

<— Transmitting SIP response (652 bytes) to TLS:x.x.x.234:58952 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS x.x.x.234:58952;rport=58952;received=x.x.x.234;branch=z9hG4bKPjqIYKfuBo1F7.ueCqyygIpD8VuCK1hhbx;alias
Call-ID: hwCfW4H8eZ19HM19Ey-Jg.531yKvw9Cx
From: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>;tag=d3ZXPeN.aO9QSO.UlI1ED8m8ix5MZSxk
To: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>;tag=z9hG4bKPjqIYKfuBo1F7.ueCqyygIpD8VuCK1hhbx
CSeq: 45017 REGISTER
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1564069672/ad4e01021044c4bd80ebc087af1c10a3”,opaque=“2788b4803de0d3bd”,algorithm=md5,qop=“auth”
Server: FPBX-14.0.13.4(13.22.0)
Content-Length: 0

<— Received SIP request (1093 bytes) from TLS:x.x.x.234:58952 —>
REGISTER sip:<myhost.mydomain.com>:5161;transport=tls SIP/2.0
Via: SIP/2.0/TLS x.x.x.234:58952;rport;branch=z9hG4bKPjlutJOQp0x1yPsHHganQu1Cl2EesPK.BD;alias
Max-Forwards: 70
From: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>;tag=d3ZXPeN.aO9QSO.UlI1ED8m8ix5MZSxk
To: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>
Call-ID: hwCfW4H8eZ19HM19Ey-Jg.531yKvw9Cx
CSeq: 45018 REGISTER
User-Agent: Digium D62 2_8_5
Supported: outbound, path
Contact: sip:[email protected]:58952;transport=TLS;ob;reg-id=1;+sip.instance=“urn:uuid:00000000-0000-0000-0000-0000aba11f13
Expires: 300
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Authorization: Digest username=“302”, realm=“asterisk”, nonce=“1564069672/ad4e01021044c4bd80ebc087af1c10a3”, uri=“sip:<myhost.mydomain.com>:5161;transport=tls”, response=“aea97ae554e8e757056614281834b784”, algorithm=md5, cnonce=“D8KoaJVWS9EMdauRfBNEebgOxB2RRikA”, opaque=“2788b4803de0d3bd”, qop=auth, nc=00000001
Content-Length: 0

<— Transmitting SIP response (615 bytes) to TLS:x.x.x.234:58952 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS x.x.x.234:58952;rport=58952;received=x.x.x.234;branch=z9hG4bKPjlutJOQp0x1yPsHHganQu1Cl2EesPK.BD;alias
Call-ID: hwCfW4H8eZ19HM19Ey-Jg.531yKvw9Cx
From: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>;tag=d3ZXPeN.aO9QSO.UlI1ED8m8ix5MZSxk
To: ““PJSip_TLS” <302>” <sip:302@<myhost.mydomain.com>>;tag=z9hG4bKPjlutJOQp0x1yPsHHganQu1Cl2EesPK.BD
CSeq: 45018 REGISTER
Date: Thu, 25 Jul 2019 15:47:52 GMT
Contact: sip:[email protected]:58952;transport=TLS;ob;expires=299
Expires: 300
Server: FPBX-14.0.13.4(13.22.0)
Content-Length: 0

-- Updating DPMA user '302' uri='pjsip:x.x.x.234:58952;transport=TLS' ua='Digium D62 2_8_5'

<— Transmitting SIP request (677 bytes) to TLS:x.x.x.234:58952 —>
NOTIFY sip:[email protected]:58952;transport=TLS;ob SIP/2.0
Via: SIP/2.0/TLS :5161;rport;branch=z9hG4bKPj810f10b2-62c4-4454-b61b-b52ea9a2efc7;alias
From: <sip:302@>;tag=378b33a6-d48e-4bfd-acb9-3156226d28d7
To: sip:[email protected];ob
Contact: <sip:302@:5161;transport=TLS>
Call-ID: 6bbfb3c1-5ffa-4419-b2e3-7c6323d3ed9b
CSeq: 51648 NOTIFY
Subscription-State: terminated
Event: message-summary
Allow-Events: presence, dialog, message-summary, refer
Max-Forwards: 70
User-Agent: FPBX-14.0.13.4(13.22.0)
Content-Type: application/simple-message-summary
Content-Length: 48

Messages-Waiting: no
Voice-Message: 0/0 (0/0)

<— Received SIP response (389 bytes) from TLS:x.x.x.234:58952 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS :5161;rport=5161;received=;branch=z9hG4bKPj810f10b2-62c4-4454-b61b-b52ea9a2efc7;alias
Call-ID: 6bbfb3c1-5ffa-4419-b2e3-7c6323d3ed9b
From: <sip:302@>;tag=378b33a6-d48e-4bfd-acb9-3156226d28d7
To: sip:[email protected];ob;tag=z9hG4bKPj810f10b2-62c4-4454-b61b-b52ea9a2efc7
CSeq: 51648 NOTIFY
Content-Length: 0

<— Received SIP request (699 bytes) from TLS:x.x.x.234:58952 —>
REGISTER sip::5161;transport=tls SIP/2.0
Via: SIP/2.0/TLS x.x.x.234:58952;rport;branch=z9hG4bKPjPcwUvJF8ywtEaqx65NWdfsVw7iTNS1uS;alias
Max-Forwards: 70
From: ““PJSip_TLS” <302>” <sip:302@>;tag=r6j2cT6LkZcgdt54ybUo0YDvPVAjACtK
To: ““PJSip_TLS” <302>” <sip:302@>
Call-ID: O3d.HBXW592x6P5whKaqS4AAKlfaCMMU
CSeq: 55121 REGISTER
User-Agent: Digium D62 2_8_5
Supported: outbound, path
Contact: sip:[email protected]:58952;transport=TLS;ob;reg-id=1;+sip.instance=“urn:uuid:00000000-0000-0000-0000-0000aba11f13
Expires: 300
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Content-Length: 0

<— Transmitting SIP response (608 bytes) to TLS:x.x.x.234:58952 —>
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TLS x.x.x.234:58952;rport=58952;received=x.x.x.234;branch=z9hG4bKPjPcwUvJF8ywtEaqx65NWdfsVw7iTNS1uS;alias
Call-ID: O3d.HBXW592x6P5whKaqS4AAKlfaCMMU
From: ““PJSip_TLS” <302>” <sip:302@>;tag=r6j2cT6LkZcgdt54ybUo0YDvPVAjACtK
To: ““PJSip_TLS” <302>” <sip:302@>;tag=z9hG4bKPjPcwUvJF8ywtEaqx65NWdfsVw7iTNS1uS
CSeq: 55121 REGISTER
WWW-Authenticate: Digest realm=“asterisk”,nonce=“1564069672/ad4e01021044c4bd80ebc087af1c10a3”,opaque=“66e80fe76afb0790”,algorithm=md5,qop=“auth”
Server: FPBX-14.0.13.4(13.22.0)
Content-Length: 0

<— Received SIP request (1005 bytes) from TLS:x.x.x.234:58952 —>
REGISTER sip::5161;transport=tls SIP/2.0
Via: SIP/2.0/TLS x.x.x.234:58952;rport;branch=z9hG4bKPjpL3J8SxNLE2imIHxT11IEMLIyUNtDvTx;alias
Max-Forwards: 70
From: ““PJSip_TLS” <302>” <sip:302@>;tag=r6j2cT6LkZcgdt54ybUo0YDvPVAjACtK
To: ““PJSip_TLS” <302>” <sip:302@>
Call-ID: O3d.HBXW592x6P5whKaqS4AAKlfaCMMU
CSeq: 55122 REGISTER
User-Agent: Digium D62 2_8_5
Supported: outbound, path
Contact: sip:[email protected]:58952;transport=TLS;ob;reg-id=1;+sip.instance=“urn:uuid:00000000-0000-0000-0000-0000aba11f13
Expires: 300
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Authorization: Digest username=“302”, realm=“asterisk”, nonce=“1564069672/ad4e01021044c4bd80ebc087af1c10a3”, uri=“sip::5161;transport=tls”, response=“04063a5a00260ccba8d57ed4c82e36b6”, algorithm=md5, cnonce=“wYSxLk2HciO9cMm12tmDZ4FxDVQVIMLj”, opaque=“66e80fe76afb0790”, qop=auth, nc=00000001
Content-Length: 0

<— Transmitting SIP response (571 bytes) to TLS:x.x.x.234:58952 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS x.x.x.234:58952;rport=58952;received=x.x.x.234;branch=z9hG4bKPjpL3J8SxNLE2imIHxT11IEMLIyUNtDvTx;alias
Call-ID: O3d.HBXW592x6P5whKaqS4AAKlfaCMMU
From: ““PJSip_TLS” <302>” <sip:302@>;tag=r6j2cT6LkZcgdt54ybUo0YDvPVAjACtK
To: ““PJSip_TLS” <302>” <sip:302@>;tag=z9hG4bKPjpL3J8SxNLE2imIHxT11IEMLIyUNtDvTx
CSeq: 55122 REGISTER
Date: Thu, 25 Jul 2019 15:47:52 GMT
Contact: sip:[email protected]:58952;transport=TLS;ob;expires=299
Expires: 300
Server: FPBX-14.0.13.4(13.22.0)
Content-Length: 0

-- Updating DPMA user '302' uri='pjsip:x.x.x.234:58952;transport=TLS' ua='Digium D62 2_8_5'

<— Transmitting SIP request (677 bytes) to TLS:x.x.x.234:58952 —>
NOTIFY sip:[email protected]:58952;transport=TLS;ob SIP/2.0
Via: SIP/2.0/TLS :5161;rport;branch=z9hG4bKPj153360d1-e1dd-4288-9aa8-7ab92d2d9c9b;alias
From: <sip:302@>;tag=eaa5d475-5507-49d0-ac4e-f42ec0af1cfd
To: sip:[email protected];ob
Contact: <sip:302@:5161;transport=TLS>
Call-ID: 2e3942c6-2e97-40d1-812f-191b7d2d22f0
CSeq: 55013 NOTIFY
Subscription-State: terminated
Event: message-summary
Allow-Events: presence, dialog, message-summary, refer
Max-Forwards: 70
User-Agent: FPBX-14.0.13.4(13.22.0)
Content-Type: application/simple-message-summary
Content-Length: 48

Messages-Waiting: no
Voice-Message: 0/0 (0/0)

<— Received SIP response (389 bytes) from TLS:x.x.x.234:58952 —>
SIP/2.0 200 OK
Via: SIP/2.0/TLS :5161;rport=5161;received=;branch=z9hG4bKPj153360d1-e1dd-4288-9aa8-7ab92d2d9c9b;alias
Call-ID: 2e3942c6-2e97-40d1-812f-191b7d2d22f0
From: <sip:302@>;tag=eaa5d475-5507-49d0-ac4e-f42ec0af1cfd
To: sip:[email protected];ob;tag=z9hG4bKPj153360d1-e1dd-4288-9aa8-7ab92d2d9c9b
CSeq: 55013 NOTIFY
Content-Length: 0

<— Transmitting SIP request (466 bytes) to TLS:x.x.x.234:34489 —>
OPTIONS sip:[email protected]:34489;transport=TLS;ob SIP/2.0
Via: SIP/2.0/TLS :5161;rport;branch=z9hG4bKPj7b419bb3-c973-4403-af2f-4638a8416721;alias
From: <sip:303@>;tag=6a73e137-496b-480f-a880-6db58fafc74f
To: sip:[email protected];ob
Contact: <sip:303@:5161;transport=TLS>
Call-ID: 2590473f-aca2-4527-bf13-ff6c60f7b0c3
CSeq: 31592 OPTIONS
Max-Forwards: 70
User-Agent: FPBX-14.0.13.4(13.22.0)
Content-Length: 0

== Spawn extension (dpma_message_context, digium_phone_module, 7) exited non-zero on ‘Message/ast_msg_queue’
– Executing [proxy@dpma_message_context:1] Set(“Message/ast_msg_queue”, “MESSAGE(custom_data)=mark_all_outbound”) in new stack
– Executing [proxy@dpma_message_context:2] Set(“Message/ast_msg_queue”, “MESSAGE_DATA(X-Digium-AppServer-Response-URI)=sip:x.x.x.234:37761”) in new stack
– Executing [proxy@dpma_message_context:3] Set(“Message/ast_msg_queue”, “MESSAGE_DATA(X-Digium-AppServer-Response-FullContact)=”) in new stack
– Executing [proxy@dpma_message_context:4] MessageSend(“Message/ast_msg_queue”, “digium_phone:blah”) in new stack
– Executing [proxy@dpma_message_context:5] Hangup(“Message/ast_msg_queue”, “”) in new stack
== Spawn extension (dpma_message_context, proxy, 5) exited non-zero on ‘Message/ast_msg_queue’
– Executing [proxy@dpma_message_context:1] Set(“Message/ast_msg_queue”, “MESSAGE(custom_data)=mark_all_outbound”) in new stack
– Executing [proxy@dpma_message_context:2] Set(“Message/ast_msg_queue”, “MESSAGE_DATA(X-Digium-AppServer-Response-URI)=sip:x.x.x.234:37761”) in new stack
– Executing [proxy@dpma_message_context:3] Set(“Message/ast_msg_queue”, “MESSAGE_DATA(X-Digium-AppServer-Response-FullContact)=”) in new stack
– Executing [proxy@dpma_message_context:4] MessageSend(“Message/ast_msg_queue”, “digium_phone:blah”) in new stack
– Executing [proxy@dpma_message_context:5] Hangup(“Message/ast_msg_queue”, “”) in new stack
== Spawn extension (dpma_message_context, proxy, 5) exited non-zero on ‘Message/ast_msg_queue’
– Executing [proxy@dpma_message_context:1] Set(“Message/ast_msg_queue”, “MESSAGE(custom_data)=mark_all_outbound”) in new stack
– Executing [proxy@dpma_message_context:2] Set(“Message/ast_msg_queue”, “MESSAGE_DATA(X-Digium-AppServer-Response-URI)=sip:x.x.x.234:37761”) in new stack
– Executing [proxy@dpma_message_context:3] Set(“Message/ast_msg_queue”, “MESSAGE_DATA(X-Digium-AppServer-Response-FullContact)=”) in new stack
– Executing [proxy@dpma_message_context:4] MessageSend(“Message/ast_msg_queue”, “digium_phone:blah”) in new stack
– Executing [proxy@dpma_message_context:5] Hangup(“Message/ast_msg_queue”, “”) in new stack
== Spawn extension (dpma_message_context, proxy, 5) exited non-zero on ‘Message/ast_msg_queue’
– Executing [digium_phone_module@dpma_message_context:1] Set(“Message/ast_msg_queue”, “MESSAGE(custom_data)=mark_all_outbound”) in new stack
– Executing [digium_phone_module@dpma_message_context:2] Set(“Message/ast_msg_queue”, “TMP_RESPONSE_URI=sip:x.x.x.234:37761”) in new stack
– Executing [digium_phone_module@dpma_message_context:3] Set(“Message/ast_msg_queue”, “MESSAGE_DATA(Request-URI)=”) in new stack
– Executing [digium_phone_module@dpma_message_context:4] Set(“Message/ast_msg_queue”, “MESSAGE_DATA(X-Digium-AppServer-Response-URI)=”) in new stack
– Executing [digium_phone_module@dpma_message_context:5] Set(“Message/ast_msg_queue”, “MESSAGE_DATA(X-Digium-AppServer-Response-FullContact)=”) in new stack
– Executing [digium_phone_module@dpma_message_context:6] MessageSend(“Message/ast_msg_queue”, “sip:x.x.x.234:37761,proxy”) in new stack
– Executing [digium_phone_module@dpma_message_context:7] Hangup(“Message/ast_msg_queue”, “”) in new stack
== Spawn extension (dpma_message_context, digium_phone_module, 7) exited non-zero on ‘Message/ast_msg_queue’

this appears to be the case…

INVITE sip:[email protected]:5161;transport=tls SIP/2.0
Via: SIP/2.0/TLS 47.21.145.234:58952;rport;branch=z9hG4bKPjyU6WaVacmLGxkthd3op5OMJQ5GPUatT6;alias
Max-Forwards: 70
From: “"PJSip_TLS" <302>” sip:[email protected];tag=lYXdbr1BcoydpDfO3mc-Aqs6hbN99rtq
To: sip:[email protected]
Contact: sip:[email protected]:58952;transport=TLS;ob
Call-ID: etXzHT7Lv-rxNPvYeXcTqjRNY2HcxJj.
CSeq: 28246 INVITE
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Supported: replaces, 100rel, timer, norefersub
Session-Expires: 1800
Min-SE: 90
User-Agent: Digium D62 2_8_5
Content-Type: application/sdp
Content-Length: 350

v=0
o=- 259441732 259441732 IN IP4 192.168.1.101
s=digphn
b=AS:84
t=0 0
a=X-nat:0
m=audio 4012 RTP/AVP 0 8 9 111 96
c=IN IP4 192.168.1.101
b=TIAS:64000
a=rtcp:4013 IN IP4 192.168.1.101
a=sendrecv
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:9 G722/8000
a=rtpmap:111 G726-32/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-16

Ok, found that:

[302]
type=phone
full_name=PjSipTLS
parking_exten=70
parking_transfer_type=blind
active_locale=en_US
application=voicemail
line=302
send_to_vm=yes
accept_local_calls=host
active_locale=en_US
call_waiting_tone=yes
display_mc_notification=yes
firmware=D40-2_8_5
firmware=D45-2_8_5
firmware=D50-2_8_5
firmware=D60-2_8_5
firmware=D62-2_8_5
firmware=D65-2_8_5
firmware=D70-2_8_5
lock_preferences=no
name_format=first_last
parking_exten=70
record_own_calls=yes
timezone=America/New_York
web_ui_enabled=yes
use_local_storage=yes
network=network-2
8021x_method=
application=status-available
application=status-chat
application=status-away
application=status-dnd
application=status-xa
application=status-unavailable

[302]
type=line
mailbox=302@default

[network-2]
type=network
alias=external TLS
alternate_registration_address=-PBX IP-
registration_address=-PBX URL-
registration_port=5161
file_url_prefix=https://-pbx url-/digium_phones/
ntp_server=0.digium.pool.ntp.org
syslog_server=-PBX IP-
syslog_port=514
sip_dscp=24
rtp_dscp=46
alternate_registration_port=5161
alternate_transport=tls
cidr=0.0.0.0/0
network_vlan_discovery_mode=LLDP
transport=tls

That type=line definition also needs:
media_encryption=sdes

so that’s missing in the file that FreePBX creates? Is this a bug??
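
The mismatch found in this thread (a PJSIP endpoint that enforces SDES while the phone's type=line section in res_digium_phone_devices.conf has no media_encryption=sdes) can be checked across both files before a call fails. This is an added example, not code from FreePBX or Digium: the function names are this example's own, the config fragments are constructed, and it assumes the endpoint section and the DPMA line section share the extension number as their name.

```python
def parse_sections(text):
    """Parse Asterisk-style config into [(section, [(key, value), ...])].

    Lists are used instead of dicts because res_digium_phone_devices.conf
    repeats section names ([302] type=phone, [302] type=line) and keys
    (firmware=, application=), which configparser rejects or merges.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if line.startswith("[") and "]" in line:
            sections.append((line[1:line.index("]")], []))
        elif "=" in line and sections:
            key, _, value = line.partition("=")
            sections[-1][1].append((key.strip(), value.strip()))
    return sections

def first(pairs, key, default=None):
    """First value for key in a section's (key, value) list."""
    return next((v for k, v in pairs if k == key), default)

def by_type(sections, wanted):
    """Map section name -> pairs for sections whose type= matches."""
    return {n: p for n, p in sections if first(p, "type") == wanted}

def find_mismatches(pjsip_text, dpma_text):
    """Compare each PJSIP endpoint with the DPMA line of the same name."""
    endpoints = by_type(parse_sections(pjsip_text), "endpoint")
    lines = by_type(parse_sections(dpma_text), "line")
    findings = []
    for name in sorted(endpoints.keys() & lines.keys()):
        ep = endpoints[name]
        optimistic = first(ep, "media_encryption_optimistic", "no")
        enforced = (first(ep, "media_encryption", "no") == "sdes"
                    and optimistic in ("no", "false", "0", "off"))
        phone = first(lines[name], "media_encryption", "unset")
        if enforced and phone != "sdes":
            findings.append((name, "endpoint enforces SDES, phone line is " + phone))
        elif phone == "sdes" and not enforced:
            findings.append((name, "phone line is sdes, endpoint does not enforce SDES"))
    return findings

# Constructed fragments modelled on the files quoted in the thread.
PJSIP_SAMPLE = """
[302]
type=endpoint
transport=0.0.0.0-tls
media_encryption=sdes
media_encryption_optimistic=no
[304]
type=endpoint
transport=0.0.0.0-tls
media_encryption=sdes
media_encryption_optimistic=no
"""
DPMA_SAMPLE = """
[302]
type=phone
line=302
firmware=D62-2_8_5
firmware=D65-2_8_5
[302]
type=line
mailbox=302@default
[304]
type=phone
line=304
[304]
type=line
mailbox=304@default
media_encryption=sdes
"""

if __name__ == "__main__":
    print(*find_mismatches(PJSIP_SAMPLE, DPMA_SAMPLE), sep="\n")
```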