Yealink / Freepbx / SIP / TLS

Continuing the discussion from Asterisk pjsip sip tls:

The old thread got closed while i was working on a solution so i am continuing it here

After a bunch of back and forth with Yealink I had an epiphany about this issue this morning.

Yealink told me that the reason why the softphone was working but their phone was not was because the softphone only required 1 way authentication but Yelinks phone required 2 way authentication

So it hit me – I realized that there are 2 parts to the SSL connection for 2 way authentication – the server part and the client piece.

I had – as per the thread linked – setup the server certificates through Freepbx – both a Comodo and a LE certs

What i was missing was the client cert

So as per the wiki I created a client file

Example: ./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C -O β€œMy Super Company” -d /etc/asterisk/keys -o malcolm (obviously making the requisite changes to fit my scenario)

Then as per the wiki i downloaded both the server and client pieces into the phone as follows:

Security tab has 2 sections –

Trusted Certificates – client piece
Server Certificates – server piece

First i uploaded the client cert to trusted certificates and the server cert to server certificates

The under trusted certificates i changed the CA certificates to All certificates
and under Server Certificates i hanged device certificates to Custom Certificates

Confirm – and reboot and it looks like we are in business!

The endpoint seem to work regardless of whether the setting for only accept trusted certificates is set to enabled or disabled

So there you have it – TLS and SRTP on a Yealink T5x series

thank you to all who helped – this was a really tough one that took me a while to work out – very satisfying in the end to get it working

I can now finalize my PBX in the cloud knowing that remote endpoints can connect securely to the hosted server

1 Like

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.