TLS encryption using RasPBX (Asterisk 16 & FreePBX 15) and Zoiper on Android

Hi guys,

I’m trying to set up TLS encryption on my SIP server running RasPBX (Asterisk 16 & FreePBX 15). Unfortunately there’s not too much information online about a complete workflow on how this should be done. So far I did the following

  • Created a Let’s encrypt certificate
  • SIP Settings > General SIP Settings > Security Settings > Default TLS Port Assignment > pjsip
  • SIP Settings > SIP Settings [chan_pjsip] > TLS/SSL/SRTP Settings
    • Certificate Manager: mycert
    • SSL Method: tls1_2
    • Verify client: yes
    • Verify server: yes
    • TLS: tls - - All - Yes
  • Extension: myextension > Advanced > Edit extension
    • Transport:
    • Media encryption: SRTP via in-SDP
    • Allow Non-Encrypted Media (Opportunistic SRTP): No

Ports 5060, 5061 are forwarded and my non encrypted extensions are working ok over UDP.

For the encrypted extension it throws Registration Failed error.

Has anybody used Zoiper in this configuration?

I know little about this, but believe that this option causes Asterisk to request a client certificate from the device and reject the connection if one is not provided or cannot be verified. Assuming that you haven’t configured Zoiper with such a cert, the TLS handshake will fail.

If turning that off doesn’t help:
Does anything appear in the Asterisk log when the device attempts to register? If so, post that. If not, capture traffic with tcpdump, move it to your PC and examine it with Wireshark. If there is a failed TLS handshake, it should give a clue as to what is wrong. If nothing appears at all (not even a SYN packet from Zoiper), describe your network configuration.

Thanks for the feedback!

I disabled the verify client option and set up the ports correctly in Zoiper’s account settings and then I was able to accept the server’s certificate and connect. Had some other errors after that (like “Internal Server Error” or “Not acceptable here”) which were preventing me from making calls but they disappeared after reloading the asterisk config.

One more question, where does this certificate stay on my android phone and how can I see it?

There is not one unless you do something to make one.

1 Like

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.