TLS SIP Trunk Configuration Problem

Hi,
I have two FreePBX servers, both on the same LAN.
Server A is FreePBX 10.13.66 with TLS enabled; I also created extension 201 on this server with TLS enabled.
Server B is FreePBX 10.13.66 with TLS enabled.
I want to set up a SIP Trunk on server B that registers to extension 201 on server A via TLS.

My Trunk “PEER Details” on server B are as follows:

host=192.168.1.50 (IP address of server A)
fromdomain=192.168.1.50
port=3935 (custom TLS port of server A)
transport=tls
username=201 (extension number in server A)
fromuser=201
secret=123456 (extension password in server A)
nat=yes
type=peer
qualify=yes
canreinvite=no
insecure=port,invite
context=from-trunk
disallow=all
allow=ulaw&alaw

My Trunk Registration String is as follows:

tls://201:123456@192.168.1.50:3935/201

My problem is that this trunk on server B cannot register to server A. But if I use a UDP trunk it works.
I tested registering to extension 201 with a TLS-enabled softphone (like Zoiper) and that was OK.

Is there anybody who has TLS SIP Trunking experience?
Thanks for your help,

Isn’t here anybody with TLS Trunking experience?!

If you are using TLS then you must use host names, not IP addresses, since your TLS certificates are issued for specific names or domain wildcards.

1 Like

Thanks for your reply,
But I use FreePBX self signed certificate.

Never mind

Then you would need to set “Don’t Verify Server” to YES in the Asterisk SIP settings on your server B. It can’t verify a self-signed certificate presented by server A.

2 Likes

Also, just a little more commentary - this doesn’t make much sense. Why would you want to register an Asterisk server to an extension configured on another Asterisk server, over TLS, on the same LAN?

But since you asked about registration, you should know that you have to configure the registration string for TLS also, not just the peer details. The registration string must start with tls:// otherwise it will use UDP to register.

2 Likes

I set “Don’t Verify Server” to YES in the Asterisk SIP settings on my server B, but again the trunk on server B cannot register to extension 201 on server A.

That’s all the guessing I can do. You will have to look at the logs on the server, perhaps set the debugging level higher or turn on SIP debugs to get a full understanding of what exactly is wrong. Once you have something specific, post here again for help.

2 Likes

I just wanted to test this scenario on LAN then use it on the remote place via internet.

I configured the registration string as follows:
tls://201:123456@192.168.1.50:3935/201
But again registration failed.

Thanks for your help,
The log on server B is as follows:

[2017-05-23 00:22:36] NOTICE[1953] chan_sip.c: -- Registration for '201@192.168.1.50' timed out, trying again (Attempt #91)
[2017-05-23 00:22:36] WARNING[5799] tcptls.c: Usage of SSLv2 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!
[2017-05-23 00:22:36] VERBOSE[5799] tcptls.c: SSL certificate ok
[2017-05-23 00:22:36] VERBOSE[5799] tcptls.c: == Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)
[2017-05-23 00:22:36] WARNING[5799] tcptls.c: FILE * open failed!

The log on server A is as follows:

[2017-05-23 00:39:21] VERBOSE[30478] tcptls.c: == Problem setting up ssl connection: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[2017-05-23 00:39:21] WARNING[30478] tcptls.c: FILE * open failed!

All your questions in that last post are answered in the wiki with a link above, it is absolutely essential you absorb it all before you try and do “clever sh*t” :wink:

1 Like

Yes, just do as it says, get the TLS protocol versions to match and you should be good to go.

1 Like
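As an added illustration (not posted by anyone in this thread), here are the chan_sip settings the thread converges on, written as raw sip.conf [general] options for server B, the registering side; FreePBX normally generates these from its Asterisk SIP Settings page. The commented-out "weak" values are assumed from the SSLv2 warning in the server B log, and the bind port and CA file path are assumptions.

```ini
; Added example, not from the thread: server B (the side that registers) chan_sip
; [general] options in sip.conf. FreePBX writes these from Asterisk SIP Settings.
; The commented-out lines are the settings assumed to produce the SSLv2 warning on B
; and the SSL23_GET_CLIENT_HELLO:unknown protocol error on A.

[general]
tlsenable=yes
tlsbindaddr=0.0.0.0:5061        ; local TLS listener on B (port is an assumption)

; Weak / mismatched: sends an SSLv2-style client hello that server A's listener
; rejects as "unknown protocol".
;tlsclientmethod=sslv2

; Corrected: use TLSv1 so the client hello matches what server A accepts.
tlsclientmethod=tlsv1

; Server A presents a FreePBX self-signed certificate, so B cannot validate it
; against a CA. This is the "Don't Verify Server = Yes" setting from the thread;
; it gives up authentication of A in exchange for getting the handshake up.
tlsdontverifyserver=yes

; Stronger alternative: trust A's certificate explicitly and keep verification on
; (copy A's cert to B first; the path below is an assumption).
;tlsdontverifyserver=no
;tlscafile=/etc/asterisk/keys/serverA.crt

; Registration must use the tls:// scheme, otherwise chan_sip registers over UDP.
register => tls://201:123456@192.168.1.50:3935/201
```

With `tlsdontverifyserver=yes` the link is encrypted but B does not authenticate A, which matters once this is moved off the LAN as the original poster intends; the tlscafile variant keeps authentication.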

My problem was solved with your help. :slight_smile:
Thanks so much for helping me solve this issue. :rose:
Also thank you very much for pointing out to me that the registration string must start with tls://, otherwise it will use UDP to register. :bouquet: