TLS FreePBX and Yealink

Having issues trying to configure TLS with FreePBX. Currently configured using the guide

https://wiki.freepbx.org/display/PHON/TLS+and+SRTP

Errors:
Connected to Asterisk 13.22.0 currently running on freepbx (pid = 14665)
[2019-06-04 01:30:57] WARNING[5433]: pjproject:0 <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336027900> <SSL routines-SSL23_GET_CLIENT_HELLO-unknown protocol> len: 0
    == Setting global variable 'SIPDOMAIN' to 'X.X.X.X'
[2019-06-04 01:30:58] WARNING[5433]: pjproject:0 <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336027900> <SSL routines-SSL23_GET_CLIENT_HELLO-unknown protocol> len: 0
    == Setting global variable 'SIPDOMAIN' to 'X.X.X.X'
[2019-06-04 01:31:00] WARNING[5434]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint 'anonymous' has no configured AORs
[2019-06-04 01:31:04] WARNING[5433]: pjproject:0 <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336027900> <SSL routines-SSL23_GET_CLIENT_HELLO-unknown protocol> len: 0
    == Setting global variable 'SIPDOMAIN' to 'X.X.X.X'
    -- Executing [9011441157940267@from-sip-external:1] NoOp("PJSIP/anonymous-00000007", "Received incoming SIP connection from unknown peer to 9011441157940267") in new stack
    -- Executing [9011441157940267@from-sip-external:2] Set("PJSIP/anonymous-00000007", "DID=9011441157940267") in new stack
    -- Executing [9011441157940267@from-sip-external:3] Goto("PJSIP/anonymous-00000007", "s,1") in new stack
    -- Goto (from-sip-external,s,1)
    -- Executing [s@from-sip-external:1] GotoIf("PJSIP/anonymous-00000007", "1?setlanguage:checkanon") in new stack
    -- Goto (from-sip-external,s,2)
    -- Executing [s@from-sip-external:2] Set("PJSIP/anonymous-00000007", "CHANNEL(language)=en") in new stack
    -- Executing [s@from-sip-external:3] GotoIf("PJSIP/anonymous-00000007", "1?noanonymous") in new stack
    -- Goto (from-sip-external,s,5)
    -- Executing [s@from-sip-external:5] Set("PJSIP/anonymous-00000007", "TIMEOUT(absolute)=15") in new stack
    -- Channel will hangup at 2019-06-04 01:31:29.818 UTC.
[2019-06-04 01:31:14] WARNING[7080][C-00000007]: func_channel.c:460 func_channel_read: Unknown or unavailable item requested: 'recvip'
    -- Executing [s@from-sip-external:6] Log("PJSIP/anonymous-00000007", "WARNING,"Rejecting unknown SIP connection from "") in new stack
[2019-06-04 01:31:14] WARNING[7080][C-00000007]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from "
    -- Executing [s@from-sip-external:7] Answer("PJSIP/anonymous-00000007", "") in new stack
       > 0x7f08ec02b120 -- Strict RTP learning after remote address set to: 192.168.1.83:25282
    -- Executing [s@from-sip-external:8] Wait("PJSIP/anonymous-00000007", "2") in new stack
    -- Executing [s@from-sip-external:9] Playback("PJSIP/anonymous-00000007", "ss-noservice") in new stack
    -- <PJSIP/anonymous-00000007> Playing 'ss-noservice.ulaw' (language 'en')
    -- Executing [s@from-sip-external:10] PlayTones("PJSIP/anonymous-00000007", "congestion") in new stack
    -- Executing [s@from-sip-external:11] Congestion("PJSIP/anonymous-00000007", "5") in new stack
[2019-06-04 01:31:22] WARNING[5434]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint 'anonymous' has no configured AORs

Thank you for any advice.

Thank you in advance. We are using Let’s Encrypt certs.
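An added triage script (not from this thread, FreePBX or Asterisk) that parses warning lines in the format of the console output above and tags the two recurring ones: the "unknown protocol" handshake failure, which means the TLS listener received bytes that were not a TLS ClientHello (a phone talking plain SIP to the TLS port), and the anonymous-endpoint REGISTER rejections. The sample lines are constructed to match the quoted format, and the category names and explanations are my own.

```python
import re
from collections import Counter

# Constructed sample shaped like the Asterisk CLI output quoted above (not a real capture).
SAMPLE_LOG = """\
[2019-06-04 01:30:57] WARNING[5433]: pjproject:0 <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336027900> <SSL routines-SSL23_GET_CLIENT_HELLO-unknown protocol> len: 0
[2019-06-04 01:31:00] WARNING[5434]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint 'anonymous' has no configured AORs
[2019-06-04 01:31:04] WARNING[5433]: pjproject:0 <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336027900> <SSL routines-SSL23_GET_CLIENT_HELLO-unknown protocol> len: 0
[2019-06-04 01:31:14] WARNING[7080][C-00000007]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from "
    -- Executing [s@from-sip-external:7] Answer("PJSIP/anonymous-00000007", "") in new stack
"""

# Timestamped Asterisk log line: [ts] LEVEL[thread][optional call id]: message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<level>[A-Z]+)\[(?P<tid>\d+)\](?:\[(?P<call>[^\]]+)\])?: (?P<msg>.*)$")

# (pattern on the message, category, what it means for the operator)
RULES = [
    (re.compile(r"SSL_ERROR_SSL \(Handshake\).*unknown protocol"), "tls_client_hello_not_tls",
     "Client sent non-TLS data to the TLS port: check the phone's transport and that its "
     "SIP server address uses the TLS bind port"),
    (re.compile(r"Endpoint ['\u2018]anonymous['\u2019] has no configured AORs"),
     "anonymous_register_rejected", "REGISTER from an unknown endpoint was refused"),
]

def parse_line(line):
    # Returns the fields of a timestamped line, or None for verbose '--' CLI output.
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(message):
    # Maps a message to (category, explanation); unmatched messages become "other".
    for pattern, category, explanation in RULES:
        if pattern.search(message):
            return category, explanation
    return "other", "no rule matched"

def triage(log_text):
    # Parses every timestamped line and attaches a category; verbose lines are skipped.
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        category, explanation = classify(fields["msg"])
        findings.append({**fields, "category": category, "explanation": explanation})
    return findings

def summarize(log_text):
    # Counts findings per category so repeated handshake failures stand out.
    return Counter(f["category"] for f in triage(log_text))
```

Run it over `asterisk -rvvv` output or /var/log/asterisk/full; a steady stream of `tls_client_hello_not_tls` from one phone's address points at its transport or port setting rather than at the certificate.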


It looks like TLS failed.

Hi, you did not mention how your phones are configured, but I would look into the cert chain on the phone. Even though you are using a “real” cert, it might be that the phone does not have the proper cert chain installed for Let’s Encrypt. Try configuring the phone to accept any cert and NOT check the validity… see if that works.

Did you check your router/firewall ports to make sure SSL isn’t blocked? You have to make sure that if you use web GUI, Let’s Encrypt is allowed to talk on Port 80.

It is a known issue with Yealink Phones and the LE cert when using FreePBX 14.

If you do not use the built in LE cert process, but your own cert instead, it always works.

Since making that thread, the G series has had new firmware, but it does not resolve the problem.

The S series work just fine as long as you are on the last 3-4 firmwares from Yealink. I forget exactly which began working.

This PBX has the firewall off and has a public IP which isn’t behind any NAT. We tried registering using the latest firmware on a T42S, however it failed the same way. If anyone could help us get this working we are willing to pay for the time. FYI this is not a production system and if needed we can start from scratch at any time.

Thank you and I appreciate the response.

Define latest firmware.

I know it works on 66.84.0.15

Confirmed: Version# 66.84.0.15 was what the phone is using. Also tried a T52S with Version# 70.84.0.15.

I’ve always had problems getting SRTP to work properly with pjsip and LE, which is why I disabled pjsip altogether.

Thank you Kevin,
We did try disabling PJSIP and configuring using Chan SIP. The phone did register; however, I wasn’t able to get audio to pass through. Do you think it’s the type of phone we are using?

1. Chan SIP audio works when we put the phone on the public IP.
2. Chan SIP phone audio works behind a NAT using UDP.
3. Chan SIP phone audio doesn’t work behind NAT using TLS (when doing “sip show peers” I see that the Host IP is the private IP and not the public one, which is not reachable). We also tried to DMZ the phone on the router but it had no effect.

Appreciate any help with this issue.

Sounds like the TLS bind port. When typing in the SIP Server address in the phone, you have to use the following format with TLS:

yoursipserveraddress.com:XXXX (xxxx= TLS Bind port)

Your SIP Bind port setting on the phone will remain the same, because that’s where the SIP data stream is passed. Transport on that extension has to be TLS only as well.

Thank you Community,

We were finally able to get TLS with Chan SIP working with Yealink phones. The step we were missing was under the Extension setup in the Advanced tab: NAT Mode needed to be changed to Yes (Force,rport comedia).

I definitely appreciated all the help in this matter.
