TLS, SRTP and Verify Client

I have set up TLS and SRTP for my PJSIP extensions by following this article:
http://wiki.freepbx.org/display/PHON/TLS+and+SRTP

Everything works as expected on softphones.

However, it doesn’t work on our Snom 720/725 deskphones unless I disable “Verify Client”.

With “Verify Client” enabled, the SIP trace on the phones shows them trying to register but there is no corresponding entry in the Asterisk log, not even an error. As soon as I disable “Verify Client” they register immediately and the lock symbol shows on the screen during a call to indicate that encryption is enabled.

I am using FreePBX 14.0.1.36 hosted on a VPS. TLS is via a Let’s Encrypt certificate which is selected in both SIP and PJSIP settings. The phones are running the latest firmware dated Dec 2017.

These are the settings I changed in FreePBX:

Settings > SIP Settings > General SIP Settings

Default TLS Port Assignment = PJSip

Settings > SIP Settings > Chan SIP Settings (I am not using Chan SIP but made the changes anyway)

Enable TLS = Yes
Certificate Manager = LetsEncrypt Cert
SSL Method = tlsv1
Don’t Verify Server = No

Settings > SIP Settings > Chan PJSIP Settings

Certificate Manager = LetsEncrypt Cert
SSL Method = Default
Verify Client = No (Yes doesn’t work with desk phones)
Verify Server = Yes

tls
tls - 0.0.0.0 - All = Yes

Applications > Extensions > 100 (Edit) > Advanced

Media Encryption = SRTP via in-SDP (recommended)

Can anyone advise what might be needed to get the desk phones working with “Verify Client” enabled? What are the implications of leaving it off?

TIA!

Hi

Could you brief your solution if you found one?

KR
Fkm

Hi Fkm,

I didn’t find a solution. My endpoints are still running with Verify Client disabled.

If you find a solution please post it here. I’d be very interested to know what it is.

Sorry I can’t be of more help.

invdrv

Hi,
When you set Verify Client to ‘yes’, you also have to upload the correct certificate (CA file or PEM) to the phone.
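The following Go program is an added illustration of the two points raised in this thread, not code from the thread or from FreePBX. “Verify Client” in the Chan PJSIP settings corresponds to `verify_client` on the PJSIP TLS transport: with it enabled, Asterisk demands a client certificate during the TLS handshake and checks it against its CA list, so a phone without a matching certificate is refused before any SIP message exists, which is why the failed registrations leave nothing in the Asterisk log. The program stands in a TLS server for the PBX and a TLS client for the phone, generating a throwaway CA and certificates in memory (all names are constructed for the example), and runs four scenarios: verification off with a bare phone, verification on with a bare phone, verification on with a phone holding a certificate issued by the PBX’s CA (the situation the last reply describes), and verification on with a certificate from an unrelated CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var serial int64 // simple unique serial numbers for the constructed certificates

// newCert issues a certificate for cn. With parent == nil it is a self-signed CA;
// otherwise it is a leaf signed by parent. Constructed for this example only.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // the server listens on loopback
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// handshake plays one phone (client) connecting to the PBX (server) and returns
// what the server side saw: nil if the TLS session was established, otherwise
// the handshake error. Nothing at the SIP layer ever runs when this fails.
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	result := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			result <- err
			return
		}
		defer raw.Close()
		conn := raw.(*tls.Conn)
		if err := conn.Handshake(); err != nil {
			result <- err // e.g. client didn't provide a certificate / unknown authority
			return
		}
		_, err = conn.Write([]byte("SIP/2.0 200 OK\r\n")) // constructed stand-in for a REGISTER reply
		result <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err == nil {
		conn.Read(make([]byte, 64)) // wait for the server's verdict before returning
		conn.Close()
	}
	return <-result
}

// runScenarios builds the PKI and returns the server-side outcome per scenario.
func runScenarios() map[string]error {
	_, caCert, caKey := newCert("PBX Lab CA", true, nil, nil)
	pbxCert, _, _ := newCert("pbx.example.invalid", false, caCert, caKey)
	phoneCert, _, _ := newCert("phone-100", false, caCert, caKey)
	_, otherCA, otherKey := newCert("Unrelated CA", true, nil, nil)
	strayCert, _, _ := newCert("phone-100", false, otherCA, otherKey)

	pool := x509.NewCertPool() // the CA list the PBX trusts (ca_list_file in Asterisk terms)
	pool.AddCert(caCert)
	server := func(verifyClient bool) *tls.Config {
		auth := tls.NoClientCert
		if verifyClient {
			auth = tls.RequireAndVerifyClientCert // verify_client=yes
		}
		return &tls.Config{Certificates: []tls.Certificate{pbxCert}, ClientAuth: auth, ClientCAs: pool}
	}
	phone := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: pool, Certificates: certs} // phone trusts the PBX's CA (Verify Server)
	}
	return map[string]error{
		"verify off, no phone cert":             handshake(server(false), phone()),
		"verify on, no phone cert":              handshake(server(true), phone()),
		"verify on, CA-signed phone cert":       handshake(server(true), phone(phoneCert)),
		"verify on, phone cert from another CA": handshake(server(true), phone(strayCert)),
	}
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-40s -> %v\n", name, err)
	}
}
```

The first scenario is the thread’s working state: with Verify Client off, any endpoint that can reach the TLS port gets a session and is then checked only by its SIP digest credentials, which is the practical implication of leaving the option disabled. The third scenario is what the last reply points to: the phone must hold a certificate chained to a CA in the PBX’s trust list, and a certificate from any other issuer (fourth scenario) is rejected just like no certificate at all.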
