Continuing the discussion from Asterisk pjsip sip tls:
The old thread got closed while I was working on a solution, so I am continuing it here.
After a bunch of back and forth with Yealink I had an epiphany about this issue this morning.
Yealink told me that the reason why the softphone was working but their phone was not was because the softphone only required 1 way authentication but Yealink's phone required 2 way authentication.
So it hit me - I realized that there are 2 parts to the SSL connection for 2 way authentication - the server part and the client piece.
I had - as per the thread linked - set up the server certificates through FreePBX - both Comodo and LE certs.
What I was missing was the client cert.
So as per the wiki https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial I created a client file
Example: ./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C phone1.mycompany.com -O "My Super Company" -d /etc/asterisk/keys -o malcolm (obviously making the requisite changes to fit my scenario)
Then as per the wiki I downloaded both the server and client pieces into the phone as follows:
Security tab has 2 sections:
Trusted Certificates - client piece
Server Certificates - server piece
First I uploaded the client cert to Trusted Certificates and the server cert to Server Certificates.
Then under Trusted Certificates I changed the CA certificates to All certificates
and under Server Certificates I changed device certificates to Custom Certificates.
Confirm - and reboot and it looks like we are in business!
The endpoint seems to work regardless of whether the setting for only accept trusted certificates is set to enabled or disabled.
So there you have it - TLS and SRTP on a Yealink T5x series.
Thank you to all who helped - this was a really tough one that took me a while to work out - very satisfying in the end to get it working.
I can now finalize my PBX in the cloud knowing that remote endpoints can connect securely to the hosted server
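
Added example, not part of the original post: a pre-flight check for the client piece of a two-way TLS setup like the one described above, run before the files are uploaded to a phone. `check_client_cert` is a hypothetical helper name, and the three arguments are assumed to be the CA certificate given to `ast_tls_cert -c` plus the client `.crt` and `.key` files it wrote.

```shell
#!/bin/sh
# Added example, not from the original post. check_client_cert is a
# hypothetical helper; it only reads the files it is given.

# check_client_cert CA_CERT CLIENT_CERT CLIENT_KEY
# Return codes: 0 all checks pass, 1 cert does not chain to the CA,
#               2 private key does not match the cert,
#               3 cert expires within 30 days.
check_client_cert() {
    ca=$1; crt=$2; key=$3

    # 1. The side that demands a client cert (two-way authentication)
    #    accepts it only if it chains to a CA it trusts.
    if ! openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $crt is not signed by $ca"; return 1
    fi

    # 2. The handshake fails if the key file belongs to another cert,
    #    so compare the public key embedded in each.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt"; return 2
    fi

    # 3. -checkend N exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $crt expires within 30 days"; return 3
    fi
    echo "OK: $crt chains to $ca, matches $key, valid for 30+ days"
}

# Run directly: sh check.sh ca.crt client.crt client.key
if [ "$#" -eq 3 ]; then
    check_client_cert "$@"
fi
```

A return code of 1 or 2 points at the certificate files themselves, so it is worth ruling those out before changing any phone or PBX settings.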