TLS authentication fails for extension despite exact credentials

Hello, I’m new here (and to FreePBX for that matter). I’ve just recently installed the latest version (version 16). I’ve been reading up and trying to figure out how to get my extension to register with TLS (I honestly have no concern over getting unencrypted UDP set up). So I followed this article here:
https: //wiki. freepbx. org/display/PHON/TLS+and+SRTP
I then configured an extension to use Symmetric RTP and Encrypted media via SDP.
I tried to get a SNOM phone to register to the PBX, but it failed to register despite having the exact credentials. In the SNOM phone I have it set up to use TLS, and TCP where encryption is mandatory using AES80. Finally I attempted to register (Note I have already restarted the PBX/Asterisk), and it fails to register. I looked online trying to diagnose the problem, but as far as I can see it just plain and simple fails to register… I’m not sure if it isn’t encrypting the credentials when it sends them, or what exactly is going on. Since this is a new installation I haven’t changed many settings. I’ve read up on the following articles to try to understand the problem:
https: //wiki. freepbx. org/display/DIMG/Configure+TLS
https: //wiki. freepbx. org/display/DIMG/Configure+SRTP
https: //wiki. freepbx. org/display/DIMG/IMG+1010±+TLS±+Configuration
However after reading up on these articles I am lost as how they pertain to the PBX and or my phone.
To verify that it wasn’t a configuration problem with my phone I also installed a desktop phone (linphone), with a TLS configuration registering on port 5061. When I enter the secret (copied), it fails to register as well. I’ve checked the logs on both phones, and don’t see anything out of the ordinary (as far as I am concerned). Honestly looking at the logs it looks like it just plain and simple again fails. I’m not sure if there is a setting that you could set to have it not authenticate, and still look “normal”.

Again I would like to mention I just installed this pbx after watching some online videos and reading some articles. That being said I am no professional at analyzing pbx and sip logs. Any help in the direction I should go would be appreciated.
Note since I am a new user I can’t actually post links, hence why there are unnecessary spaces in the links I provided.

Do you mean “that works fine” or “I had not tried that”?

I’m not familiar with Linphone logging, but you could run Wireshark on the Linphone machine and look at the TLS handshaking. If it fails, which side aborts the connection? If the server, certs may not be set up properly. If the client, certs maybe can’t be verified, you might try disabling verification for test. Re: [Linphone-developers] how to set up tls for linphone.

If the TLS connection opens ok, the Asterisk log should show the failed registration (invalid user, wrong password, etc.)

Exactly, I haven’t tried setting up UDP because I only want encrypted connections.
The TLS handshake is successful and the asterisk log shows failed registration. As I mentioned, it appears to be a regular failure as far as the logs go, but the secret is identical. Hence why something is or isn’t encrypted where it is supposed to be. However I have no idea where to check the encryption everywhere.

Also note that the client and server verification work perfectly fine as per the logs.

There were two conflicting choices. I assume you mean “I had not tried that”.

Generally it is best if you start simple, and build up from there, so I would definitely get it working with UDP first, then, maybe TCP, before going to TLS, and finally TLS + SRTP.

However it seems highly unlikely that the authentication response would be selectively treated differently by the TLS layer.

Please confirm you are using chan_pjsip.

Note that the tlsv1.1 in your first example guide is no longer considered safe.

You can post links, as long as you mark them up as preformatted text. They won’t be treated as links but can be selected as text and then followed.

Yes I have not tried that.

I’m using tlsv1.2

Awesome, thanks for telling me.
I’m going to try what this user tried, when they said:
MWI Subscription Type The default setting is AUTO

It must be set to Solicited.

https://community.freepbx.org/t/asterisk-or-pjsip-not-responding-to-register-packets/49234/7

That didn’t work, setting it back to auto. Quick question: Do I need DTLS to be enabled for it to work?

If it helps I turned on the logger for pjsip (running this command I found online: pjsip set logger on), and this is what the failed registration looks like:

2 [2022-01-21 01:21:25] VERBOSE[26307] res_pjsip_logger.c: <--- Received SIP request (1052 bytes) from TLS:myip:37142 --->
3 REGISTER sip:mypbx.domainname SIP/2.0
4 Via: SIP/2.0/TLS 192.168.1.100:37142;alias;branch=z9hG4bK.wRi5~IFM5;rport
5 From: ;tag=jTh88S7ni
6 To: sip:[email protected]
7 CSeq: 76 REGISTER
8 Call-ID: MVb1xf1CP8
9 Max-Forwards: 70
10 Supported: replaces, outbound, gruu
11 Accept: application/sdp
12 Accept: text/plain
13 Accept: application/vnd.gsma.rcs-ft-http+xml
14 Contact: ;message-expires=604800;+sip.instance="";+org.linphone.specs="ephemeral,groupchat/1.1,lime"
15 Expires: 600
16 User-Agent: Linphone Desktop/4.3.0 (Ubuntu 20.04.3 LTS, Qt 5.12.5) LinphoneCore/5.0.39
17 Content-Length: 0
18 Authorization: Digest realm="asterisk", nonce="1642728024/5d69f281d2b385476baf04500c70d314", algorithm=md5, opaque="4268b04f560c36f8", username="3000", uri="sip:mypbx.domainname", response="a77fab1fea0ae43b5be7669d28357d7f", cnonce="dHqh4vKiGGVEovaV", nc=00000001, qop=auth
19
20
21 [2022-01-21 01:21:25] NOTICE[22332] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '' failed for 'myip:37142' (callid: MVb1xf1CP8) - Failed to authenticate
22 [2022-01-21 01:21:25] VERBOSE[22332] res_pjsip_logger.c: <--- Transmitting SIP response (514 bytes) to TLS:myip:37142 --->
23 SIP/2.0 401 Unauthorized
24 Via: SIP/2.0/TLS 192.168.1.100:37142;rport=37142;received=myip;branch=z9hG4bK.wRi5~IFM5;alias
25 Call-ID: MVb1xf1CP8
26 From: ;tag=jTh88S7ni
27 To: ;tag=z9hG4bK.wRi5~IFM5
28 CSeq: 76 REGISTER
29 WWW-Authenticate: Digest realm="asterisk",nonce="1642728085/8b17d3570736627ab6fb13dfd31581ed",opaque="4e41553323f3ddf9",algorithm=md5,qop="auth"
30 Server: FPBX-16.0.10.49(18.6.0)
31 Content-Length: 0
32
33
34 [2022-01-21 01:21:25] VERBOSE[26307] res_pjsip_logger.c: <--- Received SIP request (1052 bytes) from TLS:myip:37142 --->
35 REGISTER sip:mypbx.domainname SIP/2.0
36 Via: SIP/2.0/TLS 192.168.1.100:37142;alias;branch=z9hG4bK.UB0AmJUz0;rport
37 From: ;tag=jTh88S7ni
38 To: sip:[email protected]
39 CSeq: 77 REGISTER
40 Call-ID: MVb1xf1CP8
41 Max-Forwards: 70
42 Supported: replaces, outbound, gruu
43 Accept: application/sdp
44 Accept: text/plain
45 Accept: application/vnd.gsma.rcs-ft-http+xml
46 Contact: ;message-expires=604800;+sip.instance="";+org.linphone.specs="ephemeral,groupchat/1.1,lime"
47 Expires: 600
48 User-Agent: Linphone Desktop/4.3.0 (Ubuntu 20.04.3 LTS, Qt 5.12.5) LinphoneCore/5.0.39
49 Content-Length: 0
50 Authorization: Digest realm="asterisk", nonce="1642728085/8b17d3570736627ab6fb13dfd31581ed", algorithm=md5, opaque="4e41553323f3ddf9", username="3000", uri="sip:mypbx.domainname", response="31e30b770500db9f01425b06f6f85833", cnonce="GhVq6JNrABH3yLw9", nc=00000001, qop=auth
51
52
53 [2022-01-21 01:21:25] NOTICE[22332] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '' failed for 'myip:37142' (callid: MVb1xf1CP8) - Failed to authenticate
54 [2022-01-21 01:21:25] VERBOSE[22332] res_pjsip_logger.c: <--- Transmitting SIP response (514 bytes) to TLS:myip:37142 --->
55 SIP/2.0 401 Unauthorized
56 Via: SIP/2.0/TLS 192.168.1.100:37142;rport=37142;received=myip;branch=z9hG4bK.UB0AmJUz0;alias
57 Call-ID: MVb1xf1CP8
58 From: ;tag=jTh88S7ni
59 To: ;tag=z9hG4bK.UB0AmJUz0
60 CSeq: 77 REGISTER
61 WWW-Authenticate: Digest realm="asterisk",nonce="1642728085/8b17d3570736627ab6fb13dfd31581ed",opaque="68f2f58d541368e9",algorithm=md5,qop="auth"
62 Server: FPBX-16.0.10.49(18.6.0)
63 Content-Length: 0

Confirm that in Asterisk SIP Settings, chan_pjsip tab, for transport 0.0.0.0 (tls), Port to Listen On is set to 5061.

Confirm that in Applications → Extensions, the Type of the linphone extension is shown as pjsip. If not, edit the extension and on the Advanced tab, change to CHAN_PJSIP Driver.

If you still have trouble, at the Asterisk command prompt (not a shell prompt) type
pjsip set logger on
restart linphone so it attempts to register, paste the Asterisk log for the attempt (which should include a SIP trace) at pastebin.freepbx.org and post the link here.

Complete logs here:

https://pastebin.freepbx.org/view/2f5613b0

Sorry, I didn’t notice your SIP trace; you posted it during my previous post. However, it’s garbled. Please paste it as described above, or put it in quoted text. For example the line 5 in your log surely contains an extension number but it did not appear on the forum.

1 Like

OK, good log. Set a short Secret for extension 3000, Submit, Apply Config and type the same value into linphone as the password. If you still have trouble, paste another log.

Alright I will try that, please note that the current password is a randomly generated lowercase alphanumeric [a-z0-9].

New logs.

https://pastebin.freepbx.org/view/ae04d448

Looks basically identical.

Here are my settings, hopefully there will be something very obvious that is wrong.
-----START Asterisk General SIP Settings--------
Allow Anonymous Inbound SIP Calls: No
Allow SIP Guests: No
Default TLS Port Assignment: PJSip
NAT Settings skip
RTP Settings:
RTP Port Ranges: Start: 10000 End: 20000
RTP Checksums: Yes
Strict RTP Yes
RTP Timeout: 30
RTP Hold Timeout 300
RTP Keep Alive 0
Everything else until Codecs Blank
Codecs ulaw, alaw, gsm, g726, g722, g729
Video Support: Disabled
------END Asterisk General SIP Settings ----------
--------START SIP Settings [chan_pjsip] -----------
Allow Transports Reload: No
Enable Debug: No
Keep Alive Interval 90
Caller ID into Contact Header No
Taskprocessor Overload Trigger pjsip_only
Show Advanced Settings: No
Endpoint Identified Order: Blank
TLS/SSL/SRTP Settings:
Certificate Manager: mypbx.domain (certificate)
SSL Method: tlsv1_2
Verify Client Yes
Verify Server Yes
Transports
0.0.0.0 (tls): Port to Listen On: 5061 everything else Blank or No
-----------END SIP Settings [chan_pjsip]-----------
------------START Extension 3000 Settings-----------
Secret: 16 alpha numeric characters[a-z0-9]
Voicemail: Enabled (voicemail should be irrelevant)
Advanced:
DTMF Signaling: RFC 4733
Context: from-internal
Default User: Blank
Trust RPID: Yes
Send Connected Line: Yes
user = Phone No
Send RPID: Send P-Asserted-Identity header
Qualify Frequency: 60
Transport 0.0.0.0-tls
Enable AVPF: No
Enable ICE Support: No
Enable rtcp Mux: No
Call Groups|Pickup Groups|Disallowed Codecs| Allowed Codecs: Blank
Dial: PJSIP/3000
Mailbox 3000@device
Voicemail Extension: Blank
Account Code: Blank
Max Contacts: 3
Media Use Received Transport: Yes
RTP Symmetric: Yes
Rewrite Contact: Yes
Force rport: Yes
MWI Subscription Type: Auto
Aggregate MWI Yes
Enable WebRTC defaults No
Max audio streams 100
Max video streams 100
Media Encryption: SRTP via in-SDP (recommended)
Session Timers: Yes
Timer Expiration Period: 90
Direct Media: Yes
Allow Non-Encrypted Media (Opportunistic SRTP): No
Refer Blind Progress: Yes
Device State Busy at: 0
Match (Permit): Blank
Maximum Expiration: 7200
Minimum Expiration: 60
RTP Timeout: 0
Outbound Proxy|Messages Context|CID Num Alias|SIP Alias: Blank
Extension Options: appear to be irrelevant to this problem.
Recording Options: appear to be irrelevant to this problem.
Dictation Services: appear to be irrelevant to this problem.
Default Directory: Exclude
DTLS Enable DTLS: No
Everything else appears to be irrelevant to this problem.
------------END Extension 3000 Settings-----------

Just to be sure, confirm that this is a pjsip extension, extension number is 3000 and you have done an Apply Config after submitting any changes.

Here is a perl script to compute the response value in an Authorization header. Edit the redacted / non-supplied parameters and run it. Report whether the displayed value matches the log.

#!/usr/bin/perl -w
# Computes the RFC 2617 Digest "response" (MD5, qop=auth) for a REGISTER so it
# can be compared with the response= value the phone sent in the SIP trace.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);

my $authid = '3000';              # username= in the Authorization header
my $pass   = '1234';              # placeholder: enter the extension's Secret
my $realm  = 'asterisk';          # realm= in the WWW-Authenticate challenge
my $method = 'REGISTER';
my $uri    = 'sip:mypbx.domain';  # uri= in the Authorization header
my $nonce  = '1642729849/2fde6475ba4d765567db00ee1ebefd37';  # nonce= from the 401
my $nc     = '00000001';          # nc= (nonce count)
my $cnonce = 'YX6zR4kGK3~jNsjj';  # cnonce= chosen by the phone

my $enonce = "$nonce:$nc:$cnonce:auth";        # nonce:nc:cnonce:qop
my $a1 = md5_hex("$authid:$realm:$pass");       # HA1 = MD5(user:realm:secret)
my $a2 = md5_hex("$method:$uri");               # HA2 = MD5(method:request-uri)
print md5_hex("$a1:$enonce:$a2"), "\n";         # response = MD5(HA1:nonce:nc:cnonce:qop:HA2)
1 Like
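The same check in Python, added here as an example and not taken from any post in the thread: it parses the 401 challenge and the following REGISTER's Authorization header as they appear in the trace above (nonce, opaque, cnonce, nc and response copied from it), recomputes the Digest response for a candidate Secret, and also flags a stale nonce or opaque mismatch, which would make chan_pjsip reject the request regardless of the password. The Secret is a placeholder.

```python
import hashlib
import re

# Constructed sample built from the 401 / REGISTER pair in the trace above
# (nonce, opaque, cnonce, nc and response values copied from the thread).
CHALLENGE = ('WWW-Authenticate: Digest realm="asterisk",'
             'nonce="1642728085/8b17d3570736627ab6fb13dfd31581ed",'
             'opaque="4e41553323f3ddf9",algorithm=md5,qop="auth"')
AUTHORIZATION = ('Authorization: Digest realm="asterisk", '
                 'nonce="1642728085/8b17d3570736627ab6fb13dfd31581ed", '
                 'algorithm=md5, opaque="4e41553323f3ddf9", username="3000", '
                 'uri="sip:mypbx.domainname", '
                 'response="31e30b770500db9f01425b06f6f85833", '
                 'cnonce="GhVq6JNrABH3yLw9", nc=00000001, qop=auth')

# name="quoted value" or name=token, separated by commas
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest(header):
    """Return the name=value parameters of a Digest header as a dict."""
    params = header.split("Digest", 1)[1]
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def digest_response(username, secret, realm, method, uri, nonce, nc, cnonce,
                    qop="auth"):
    """RFC 2617 MD5 response with qop=auth, as chan_pjsip verifies it."""
    h = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = h(f"{username}:{realm}:{secret}")   # MD5(user:realm:secret)
    ha2 = h(f"{method}:{uri}")                 # MD5(method:request-uri)
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def check_register(challenge, authorization, secret, method="REGISTER"):
    """Explain why one REGISTER was rejected; an empty list means it should pass."""
    ch, az = parse_digest(challenge), parse_digest(authorization)
    findings = []
    if az["nonce"] != ch["nonce"]:
        findings.append("stale nonce: Authorization reuses an older challenge")
    if az.get("opaque") != ch.get("opaque"):
        findings.append("opaque mismatch between challenge and Authorization")
    expected = digest_response(az["username"], secret, az["realm"], method,
                               az["uri"], az["nonce"], az["nc"], az["cnonce"],
                               az.get("qop", "auth"))
    if expected != az["response"]:
        findings.append("response does not match this secret")
    return findings


if __name__ == "__main__":
    # Placeholder: put the extension's real Secret here before running.
    print(check_register(CHALLENGE, AUTHORIZATION, "SECRET-PLACEHOLDER"))
```

Note that the first REGISTER in the trace carries nonce 1642728024/... while the server's challenge in the same trace is 1642728085/..., so only the second REGISTER/401 pair can be checked against each other.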

Thank you I will try to run this. And Yes this is a PJSip extension.

Post the contents of /etc/asterisk/pjsip.auth.conf (redact password but leave the rest intact). If you have trunks, etc., just post the [3000-auth] section.

I really appreciate the help @Stewart1
[3000-auth]
type=auth
auth_type=userpass
password=****************
username=3000

I’m just completely puzzled. Is this a Distro install? If not, how was it built?
Where is it running? Is it directly on a public IP address? If not, what firewall is between it and the internet?

What firewall is between your Ubuntu desktop and the internet?

I’m completely puzzled here. Perhaps you should try one or more of the following:

  1. Try to get more info about the error with higher verbosity.
  2. Test with a UDP or TCP extension.
  3. Test with a chan_sip extension.
  4. Test the Linphone client with a commercial SIP provider that offers TLS.
  5. Test against a different instance of FreePBX, e.g. a free trial at rentpbx.com.