I have set up TLS and SRTP for my PJSIP extensions by following this article:
http://wiki.freepbx.org/display/PHON/TLS+and+SRTP
Everything works as expected on softphones.
However, it doesn’t work on our Snom 720/725 deskphones unless I disable “Verify Client”.
With “Verify Client” enabled, the SIP trace on the phones shows them trying to register but there is no corresponding entry in the Asterisk log, not even an error. As soon as I disable “Verify Client” they register immediately and the lock symbol shows on the screen during a call to indicate that encryption is enabled.
I am using FreePBX 14.0.1.36 hosted on a VPS. TLS is via a Let’s Encrypt certificate which is selected in both SIP and PJSIP settings. The phones are running the latest firmware dated Dec 2017.
These are the settings I changed in FreePBX:-
Settings > SIP Settings > General SIP Settings
Default TLS Port Assignment = PJSip

Settings > SIP Settings > Chan SIP Settings (I am not using Chan SIP but made the changes anyway)
Enable TLS = Yes
Certificate Manager = LetsEncrypt Cert
SSL Method = tlsv1
Don’t Verify Server = No

Settings > SIP Settings > Chan PJSIP Settings
Certificate Manager = LetsEncrypt Cert
SSL Method = Default
Verify Client = No (Yes doesn’t work with desk phones)
Verify Server = Yes
tls
tls - 0.0.0.0 - All = Yes

Applications > Extensions > 100 (Edit) > Advanced
Media Encryption = SRTP via in-SDP (recommended)
Can anyone advise what might be needed to get the desk phones working with “Verify Client” enabled? What are the implications of leaving it off?
TIA!