Trying to register PJSIP extension over TLS and SRTP

I am trying to test a PJSIP extension over a TLS connection on a softphone. I am following the instructions here: https://wiki.freepbx.org/display/PHON/TLS+and+SRTP. I opened UDP/TCP ports (443, 5060, 5061, 5160, 5262, 5161) for softphone_IP, but the phone is not registering. Here is the sngrep of the extension.

Captured message (REGISTER from the softphone, sent over UDP):

REGISTER sip:freepbx_IP:5061 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.73:54189;branch=z9hG4bK-524287-1--eb6ba295b32c816;rport
Max-Forwards: 70
Contact: <sip:204@192.168.1.73:54189;rinstance=ccada31f1521a3>
To: <sip:204@freepbx_IP:5061>
From: <sip:204@freepbx_IP:5061>;tag=4c5c5379
Call-ID: 99140NzUxZjYwYjZhMDczZjIzNDQ1MzE3ZjI4NjQxZjI1ODY
CSeq: 1 REGISTER
Expires: 3600
Allow: OPTIONS, SUBSCRIBE, NOTIFY, INVITE, ACK, CANCEL, BYE, REFER, INFO, MESSAGE
User-Agent: X-Lite release 5.6.1 stamp 99140
Content-Length: 0

Call flow shown by sngrep (all messages go from the softphone to 10.128.0.23:5061; there is no response from the PBX in the capture, and the lines after the first are flagged ">>>" as retransmissions):

20:16:59.639023  REGISTER  softphone_IP:54189 -> 10.128.0.23:5061
20:17:00.143970  REGISTER  retransmit (+0.50 s)
20:17:01.146522  REGISTER  retransmit (+1.00 s)
20:17:03.148859  REGISTER  retransmit (+2.00 s)
20:17:07.151506  REGISTER  retransmit (+4.00 s)
20:17:11.156833  REGISTER  retransmit (+4.01 s)
20:17:15.159878  REGISTER  retransmit (+4.00 s)
20:17:19.161352  REGISTER  retransmit (+4.00 s)
20:17:23.166960  REGISTER  retransmit (+4.01 s)
20:17:27.167239  REGISTER  retransmit (+4.00 s)
20:17:31.167599  REGISTER  retransmit (+4.00 s)
20:17:51.685219  REGISTER  softphone_IP:57461 -> 10.128.0.23:5061
20:18:43.690224  REGISTER  softphone_IP:57469 -> 10.128.0.23:5061
20:19:55.651974  REGISTER  softphone_IP:54189 -> 10.128.0.23:5061 (new attempt)
20:19:56.155468  REGISTER  retransmit (+0.50 s)
20:19:57.158986  REGISTER  retransmit (+1.00 s)
20:19:59.159490  REGISTER  retransmit (+2.00 s)
                 REGISTER  retransmit (+4.00 s), and so on

On the freepbx end I got this:
Endpoint: 204/204 Unavailable 0 of inf
InAuth: 204-auth/204
Aor: 204 1
Transport: 0.0.0.0-tls tls 3 96 0.0.0.0:5061

If I change the port to 5060, the phone will register. If I switch the ports in FreePBX (PJSIP: 5061 and TLS: 5060), then I lose the registration.

  • Any thought/idea on what is happening? Thanks in advance.

Probably doesn’t help that X-Lite is sending the request over regular SIP/UDP and not SIP/TLS. So that’s going to be an issue.

You can’t debug TLS with sngrep unless you’ve gone through the effort of downloading, compiling and launching it with the TLS cert.

Thank you, Tom.
I am trying now with a Polycom VVX 250. On the phone side I created server 2 for TLS and filled in the information for a second line. I am not getting any hit from the phone, and the phone is generating the following error:

1017173611|sip  |4|00|[cert_verify_callback,tcp]:Server certificate verification failed, Untrusted Certificate,error=20
1017173611|sip  |4|00|MakeTlsConnection: SSL_connect error 1
1017173611|sip  |4|00|MakeTlsConnection: SSL_connect failed 'error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed' err -1
1017173611|sip  |4|00|MakeTlsConnection: connection failed error -1
1017173611|pps  |4|00|[PpsHybridC::OnEvSipOnFetchRootCert] m_lineIdx[2], m_stsuri[], m_username[], m_domain[]
1017173611|app1 |4|00|Failure reason is error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
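The Polycom log above stops at certificate verification (OpenSSL verify error 20, "unable to get local issuer certificate"), and, as noted earlier in the thread, sngrep cannot look inside the TLS session. The fastest way to see what the phone sees is to do the handshake yourself with openssl s_client against the PJSIP TLS port and read the verify result and the chain the PBX actually serves. The POSIX shell script below is an added example, not code from this thread, FreePBX or Polycom: the host name, port and the s_client output it parses offline are constructed placeholders.

```shell
#!/bin/sh
# Added example: probe the PJSIP TLS listener the way a phone does and classify
# the result. PBX_HOST/PBX_PORT are placeholders; pass --live to use them.

PBX_HOST="${PBX_HOST:-freepbx_IP}"   # assumption: the name on the certificate
PBX_PORT="${PBX_PORT:-5061}"         # the 0.0.0.0-tls transport port in the thread

# Full handshake; -servername sends SNI, -showcerts prints every cert the server sent.
probe_tls() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>&1
}

# Numeric X509 verify code from s_client output ("Verify return code: 20 (...)").
# 0 = chain validated, 18/19 = self-signed, 20 = issuer not found locally,
# 21 = unable to verify the first (leaf) certificate.
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# How many certificates the server sent; a leaf alone means the intermediate is missing.
chain_length() {
    printf '%s\n' "$1" | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Constructed s_client output for the offline run (not a real capture).
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=0 CN = pbx.example.net
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = pbx.example.net
   i:C = US, O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIBplaceholderleafcertificate
-----END CERTIFICATE-----
---
    Verify return code: 20 (unable to get local issuer certificate)
---'

# One-line diagnosis from the verify code and the chain length.
diagnose() {
    out="$1"
    code=$(verify_code "$out")
    n=$(chain_length "$out")
    case "$code" in
        0)     echo "ok: chain verified, $n certificate(s) sent" ;;
        20|21)
            if [ "$n" -le 1 ]; then
                echo "incomplete chain: server sent only the leaf; add the intermediate to cert_file"
            else
                echo "untrusted issuer: CA not in the phone's trust store ($n certs sent)"
            fi ;;
        18|19) echo "self-signed chain: import the CA on the phone or disable verification" ;;
        "")    echo "no TLS handshake: check the port is the TLS transport and not plain UDP/TCP" ;;
        *)     echo "verify failed with code $code" ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    diagnose "$(probe_tls "$PBX_HOST" "$PBX_PORT")"
else
    diagnose "$SAMPLE_OUTPUT"
fi
```

Run it with --live from any host that can reach port 5061; an empty verify code together with "no TLS handshake" is what you get when the port answers with plain SIP (the X-Lite/UDP case earlier in the thread), while code 20 with a one-certificate chain is the Polycom symptom above.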

You have the option of toggling off the verify in Settings → Asterisk SIP Settings

@lgaetz and @BlazeStudios Although I have the Endpoint Manager, I used Google to manually configure our phones. Hence, I will need to manually import the certificate from FreePBX to the phone.

  • Do you know the location of the certificate?
    I searched with find / -iname *.pem and got many files.

It is here: /etc/asterisk/keys/*.pem

Couple quick questions…

What version of Asterisk and what version of FreePBX are you using?

Could you copy here the output of pjsip show transport 0.0.0.0-tls from the Asterisk CLI?

Thanks, Bill. Here are the answers to your questions:
Asterisk Version: 13.27.1
FreePBX Version: 14.1-1

Transport:  <TransportId........>  <Type>  <cos>  <tos>  <BindAddress....................>
==========================================================================================

Transport:  0.0.0.0-tls               tls      3     96  0.0.0.0:5061

 ParameterName              : ParameterValue
 =================================================================
 allow_reload               : true
 async_operations           : 1
 bind                       : 0.0.0.0:5061
 ca_list_file               : /etc/pki/tls/certs/*.crt
 ca_list_path               : 
 cert_file                  : /etc/asterisk/keys/*.pem
 cipher                     : 
 cos                        : 3
 domain                     : 
 external_media_address     : freepbx_IP
 external_signaling_address : freepbx_IP
 external_signaling_port    : 0
 local_net                  : 10.128.0.0/255.255.240.0
 method                     : tlsv1
 password                   : 
 priv_key_file              : /etc/asterisk/keys/*.key
 protocol                   : tls
 require_client_cert        : No
 symmetric_transport        : false
 tos                        : 96
 verify_client              : No
 verify_server              : No
 websocket_write_timeout    : 100

Since you are hiding the names I am not sure exactly which files are being referred to here, but ensure that the file listed for cert_file contains only certificates and NOT the private key. And of course the priv_key_file should have just the key.

The reason for my inquiry is that in a later version (FreePBX 15), there is a related bug: [FREEPBX-20610] PJSIP TLS transport points to wrong certificate file - Sangoma Issue Tracker I don’t know whether this same bug would be affecting your version, but it is worth checking.

I will do, thank you Bill.

My cert_file : /etc/asterisk/keys/*.pem does contain PRIVATE KEY and CERTIFICATE. I wonder why there are not many people complaining?

I have another question. I can generate my own server key and client certificate. Do I need to upload anything to the phone itself? I have polycom VVX 250 which is not included in the Endpoint Manager and I am having trouble uploading custom certificate to the phone (it does have certificate signed by Polycom)

When you put the cert, intermediate cert, and key in the local folder and click import, FreePBX generates that combined pem file and uses it.

Thank you @sorvani.
What about the Polycom VVX 250? I will set the port, server IP etc., but do I need to upload any certificate to the Polycom VVX 250?

This guide says I need to import a certificate to the phone: https://community.polycom.com/t5/VoIP-SIP-Phones/FAQ-How-can-I-setup-a-TLS-connection-for-SIP-signaling-and-or/td-p/33018

I don’t use polycom anywhere with FreePBX that I want or need tls. So I have never tried.

Thank you.

I don’t know. The way I solved it for myself was to override the config that FreePBX generated for the 0.0.0.0-tls transport, specifying the correct (certs-only) file for the cert_file option (through the pjsip.transports_custom_post.conf file).

I would like to see someone else validate my finding. There has not been any response yet to that ticket. Surely others have tested this. If so, and it worked, what did they do differently that caused FreePBX to specify a valid cert file for the pjsip transport.
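A way to act on the two points Bill raises above (the generated cert_file must hold only certificates, never the private key, and the 0.0.0.0-tls transport can be overridden through pjsip.transports_custom_post.conf), as an added example that is not FreePBX's or Asterisk's own code: the POSIX shell script splits a combined PEM into a certs-only file and a key-only file, can check that the key belongs to the leaf certificate, and renders the override section. The file paths, the "(+)" section-append behaviour and the fwconsole reload step are assumptions; the PEM it runs on by default is constructed with placeholder bodies.

```shell
#!/bin/sh
# Added example (not FreePBX/Asterisk code): split a combined "certificate + key"
# PEM, verify the pair, and render a pjsip.transports_custom_post.conf override.
# Usage: ./split_pem.sh [combined.pem] [outdir]; without arguments it runs on a
# constructed sample file in a temporary directory.

# Only the certificate blocks, in file order (leaf first, then intermediates).
pem_certs_only() {
    awk '/-----BEGIN CERTIFICATE-----/{keep=1} keep{print} /-----END CERTIFICATE-----/{keep=0}' "$1"
}

# Only the private key block: PKCS#8 "PRIVATE KEY", PKCS#1 "RSA PRIVATE KEY" or "EC PRIVATE KEY".
pem_key_only() {
    awk '/-----BEGIN (RSA |EC )?PRIVATE KEY-----/{keep=1} keep{print} /-----END (RSA |EC )?PRIVATE KEY-----/{keep=0}' "$1"
}

# Number of PEM blocks of a type in a file; $2 is e.g. CERTIFICATE or "PRIVATE KEY".
count_blocks() {
    grep -c -- "-----BEGIN .*$2-----" "$1" || true
}

# Write certs-only.pem and key-only.pem (mode 600) into $2 from combined file $1.
split_pem() {
    mkdir -p "$2"
    pem_certs_only "$1" > "$2/certs-only.pem"
    pem_key_only "$1" > "$2/key-only.pem"
    chmod 600 "$2/key-only.pem"
}

# "<certs in certs-only> <keys in certs-only> <keys in key-only>"; a good split is "N 0 1".
split_summary() {
    printf '%s %s %s\n' \
        "$(count_blocks "$1/certs-only.pem" CERTIFICATE)" \
        "$(count_blocks "$1/certs-only.pem" 'PRIVATE KEY')" \
        "$(count_blocks "$1/key-only.pem" 'PRIVATE KEY')"
}

# Does the key ($2) belong to the leaf certificate ($1)? Compares the public keys.
# Needs openssl and real material, so it returns 2 (skipped) when openssl is absent.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Override section for /etc/asterisk/pjsip.transports_custom_post.conf.
# Assumption: FreePBX includes that file after its generated transports and "(+)"
# appends to the existing section, so this later cert_file value is the one in
# effect. Apply with "fwconsole reload" (assumed) and confirm with
# asterisk -rx 'pjsip show transport 0.0.0.0-tls' (the command used in the thread).
render_override() {
    printf '[0.0.0.0-tls](+)\ncert_file=%s\n' "$1"
}

# Constructed combined PEM with placeholder bodies (not real certificates or keys).
write_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBleafcertificateplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBintermediatecertificateplaceholder
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MIIEprivatekeyplaceholder
-----END PRIVATE KEY-----
EOF
}

SRC="${1:-}"; OUT="${2:-$(mktemp -d)}"
if [ -z "$SRC" ]; then SRC="$OUT/combined.pem"; write_sample_pem "$SRC"; fi
echo "$SRC: $(count_blocks "$SRC" 'PRIVATE KEY') private key block(s) mixed with $(count_blocks "$SRC" CERTIFICATE) certificate(s)"
split_pem "$SRC" "$OUT"
echo "after split (certs-only certs, certs-only keys, key-only keys): $(split_summary "$OUT")"
if [ -n "${1:-}" ]; then   # only meaningful on real material, not the placeholder sample
    if key_matches_cert "$OUT/certs-only.pem" "$OUT/key-only.pem"; then
        echo "key matches the leaf certificate"
    else
        echo "key/cert mismatch or openssl unavailable: check before pointing Asterisk at these files"
    fi
fi
render_override "$OUT/certs-only.pem"
```

The awk split keeps the certificates in the order they appear, which is the order Asterisk (via OpenSSL) expects in cert_file: the leaf first, then any intermediates. The key-only file is created with mode 600 because the combined file FreePBX generates is typically readable by the asterisk user only, and the split copy should not be looser than that.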

You would only need to do that if you use a self-signed certificate.

In order for the Polycoms to work you will need a specific firmware that accepts the Let's Encrypt certificate. I believe it's 4.0.12 for the SoundPoint IP and 5.6.0 for the VVX. Other than that it will work flawlessly.

Current Polycom software version: 6.1.0.6189
I have a third party certificate by GoGetSSL.

SIP Settings >> Chan PJSIP settings
Certificate Manager: My certificate selected
SSL Method: Default
Verify Client / Server: I tried both Yes/Yes and No/No
tls - 0.0.0.0 - All Yes

SIP Settings >> General SIP settings
Default TLS Port Assignment: PJSip

Extension>> Advanced
Transport: 0.0.0.0-tls
Media Encryption SRTP
Allow Non-Encrypted Media (Opportunistic SRTP) No

On an already working line on the Polycom VVX 250 I changed the following:
Transport TLS
Port 5061

Unfortunately the line will not register
Endpoint: 201/201 Unavailable 0 of inf
InAuth: 201-auth/201
Aor: 201 1
Transport: 0.0.0.0-tls tls 3 96 0.0.0.0:5061

Did you straighten out the cert issue? The file containing both cert and key that we discussed upthread isn’t going to work.

I tried that one as well. Did not work.
My certificate did not have “.com” in the name, so I am planning to try that. I also read that if your box is NAT'ed, the tlsbindaddress needs to be your internal address, in other words the IP address that shows up when you type “ifconfig”, so I will try this one as well.