Trying to register PJSIP extension over TLS and SRTP

What did you try?

What?

tlsbindaddress is for chan_sip, not pjsip.

Thank you Bill for helping.

I followed the steps that are similar to the ones in the article here SIP TLS - VoIP-Info to generate a certificate.pem file without appending the server key to the end of it. I then went to pjsip.transports_custom_post.conf and added a path cert_file : /etc/asterisk/certificates/certificate.pem. I set the extension/line as above and it still did not register.

The article above says that instead of certificate.pem the certificate name should be domain.com.pem. Not sure if it makes a difference, but I was planning to try that.

Forget about voip-info.org. Everything on there is outdated.

If you are using Certificate Manager to import your certificates then there is already a file in the /etc/asterisk/keys directory that contains just the certificate(s) (note you will probably need the file that contains the certificate followed by intermediates).

The syntax you are using in the pjsip.transports_custom_post.conf is not right. If you want to change what cert_file is pointing to, you’d put something like this in your pjsip.transports_custom_post.conf:

[0.0.0.0-tls](+)
cert_file=/etc/asterisk/keys/YOURCERTIFICATESFILE.crt

and then reload with fwconsole reload at the shell prompt.

Use the pjsip show transport 0.0.0.0-tls CLI command you used above to be sure the transport is now seeing the file you specified.

Watch the console when your phone tries to register and see if any SSL errors appear.
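The two mistakes this thread keeps circling back to are the override syntax (a bare transport name instead of `[0.0.0.0-tls](+)`) and a cert_file that does not point at one PEM file. The following checker is an added example, not FreePBX code and not part of the original post: it parses an Asterisk-style override fragment, reports a section header without the (+) merge suffix, and confirms that cert_file names a readable file containing at least one PEM certificate block (with a note when only one block is present, since the phone may need the chain with intermediates). The key directory, file name and certificate contents in the demo are constructed placeholders, not real certificates.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample: the override syntax recommended above.
GOOD_OVERRIDE = "[0.0.0.0-tls](+)\ncert_file=/etc/asterisk/keys/example.crt\n"
# Constructed sample: bare section name, no (+), and a directory rather than a file.
BAD_OVERRIDE = "0.0.0.0-tls\ncert_file=/etc/asterisk/keys/\n"
# Constructed placeholder chain (leaf followed by one intermediate); not real certificates.
FAKE_CHAIN = (
    "-----BEGIN CERTIFICATE-----\nMIIBconstructedLeafPlaceholder\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBconstructedIntermediatePlaceholder\n-----END CERTIFICATE-----\n"
)

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\](?P<mode>\([+!]\))?$")
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s.*?-----END CERTIFICATE-----", re.S)


def parse_override(text):
    """Parse an ini-style fragment into {section: {key: value}} and collect syntax problems."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = {}
            if m.group("mode") != "(+)":
                problems.append(f"line {lineno}: [{current}] needs the (+) suffix to merge into the generated transport")
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: {line!r} is neither a [section](+) header nor key=value")
            continue
        if current is None:
            problems.append(f"line {lineno}: key=value before any [section](+) header")
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections, problems


def check_cert_file(path):
    """Return (number of PEM certificate blocks, problems) for the file cert_file points to."""
    p = Path(path)
    if p.is_dir():
        return 0, [f"{p} is a directory; cert_file must name exactly one file"]
    if not p.is_file():
        return 0, [f"{p} does not exist or is not readable"]
    count = len(PEM_CERT_RE.findall(p.read_text(errors="replace")))
    problems = []
    if count == 0:
        problems.append(f"{p} contains no PEM certificate block")
    elif count == 1:
        problems.append(f"{p} holds a single certificate; use the file with intermediates appended if the phone needs the chain")
    return count, problems


def lint_transport_override(text, transport="0.0.0.0-tls"):
    """Run both checks and return the list of problems (empty means the override looks sane)."""
    sections, problems = parse_override(text)
    if transport not in sections:
        problems.append(f"no [{transport}](+) section found")
        return problems
    cert = sections[transport].get("cert_file")
    if cert is None:
        problems.append(f"[{transport}](+) does not set cert_file")
    else:
        problems.extend(check_cert_file(cert)[1])
    return problems


def demo():
    """Lint the good and bad overrides against a constructed temporary key directory."""
    with tempfile.TemporaryDirectory() as tmp:
        keys = Path(tmp)
        (keys / "example.crt").write_text(FAKE_CHAIN)
        good = lint_transport_override(GOOD_OVERRIDE.replace("/etc/asterisk/keys/", f"{keys}/"))
        bad = lint_transport_override(BAD_OVERRIDE.replace("/etc/asterisk/keys/", f"{keys}/"))
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("good override problems:", good)
    print("bad override problems:", bad)
```

Run the script as-is to see the bad override flagged three times (missing header syntax, key before any section, no merged transport section) while the good one passes; point `lint_transport_override` at the real contents of pjsip.transports_custom_post.conf to check a live system, then confirm with `pjsip show transport 0.0.0.0-tls` that Asterisk picked the file up.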

Thanks again, Bill.

I will try what you said and come back to post the outcome. It might take me a few days before I can test this.

Hi Bill,
Set the SIP Settings/Chan PJSIP settings, Extension and phone as above.
I put the statement below in pjsip.transports_custom_post.conf

0.0.0.0-tls
cert_file=/etc/asterisk/keys/

after the forward slash I included every .crt and .pem file inside the /etc/asterisk/keys/ folder, then reloaded with fwconsole reload at the shell prompt.

Still no luck.

You need to use the syntax I gave you.

I used this to make sure that the cert_file is the same one in pjsip.transports_custom_post.conf

What error do you see when you attempt to register?

I got this error from the phone

1024071530|sip |4|00|CPlcmSipTcpSocket::ConnectThreadLocal Failed to connect to freepbx_IP:5061 : Error[Operation now in progress]
1024071530|app1 |4|00|Failure reason is Failed to connect to server : Error[Operation now in progress]

…from asterisk please.

I used sngrep and I cannot see the phone trying to register the extension. The phone, however, has two more extensions (non-TLS) that are registered. Port 5061 is open on the firewall (udp:5060,5061,5160,5262,5161,10000-20000)

Except this is TLS which is TCP not UDP. Do you have the proper ports and protocols opened?

1 Like

Unless you’ve taken pains to download and compile sngrep and invoke with the cert, you will not see TLS signalling. You will have to debug from CLI.

Yes, the downside of TLS is that in order to troubleshoot/debug/view traffic you must also do it under TLS with the cert.

You mention you can register fine on 5060 on the softphone…but if you switch the ports so TLS is 5060 you lose registration. If this is true it tells me that the softphone is using UDP and not TLS. What's your transport type set to on the softphone?

For Polycom I see server transports, but what about line settings? I set ports and SRTP in line settings. I hate Polycom. Never tested with TLS on those.

Yes, the softphone is using UDP. I was testing if the ports 5060 and 5061 are open through the firewall.

Here is my line setting. Enable SRTP Yes, Transport TLS

I feel you.

I would like to thank everyone for your input. I will work on this offline and if I find a solution I will report back. Thanks again

The tone I infer from this statement makes me think you’re worn out by the troubleshooting and back-and-forth of this thread. Understandable. Adding encryption to SIP makes diagnostics twice as hard. I am personally interested in seeing what you need to do to succeed because, as I mentioned above, I believe there to be a bug, or at least some kind of misconfiguration going on, when FreePBX sets up the certificates for PJSIP TLS transport. So if you have more questions or findings please post back here and don’t wait until you’ve gotten it completely solved.

2 Likes

I saw a way to debug PJSIP in the CLI: pjsip set history on, pjsip show history https://blogs.asterisk.org/2016/02/24/debugging-sip-message-traffic-with-pjsip-history/

How can I debug TLS traffic in the CLI?