[asterisk-users] Problem with TLS/SRTP with Asterisk 11.8.1

Patrick Laimbock patrick at laimbock.com
Mon Mar 24 15:28:58 CDT 2014


Hi,

I followed the TLS/SRTP tutorial on the wiki [0] using Asterisk 11.8.1 
on CentOS 6.5 x86_64 and CSipSimple on a Nexus with Android 4.4.x on 
local wifi. The phone seems to register but directly after that things 
fall apart (turning SELinux off made no difference):

*CLI>     -- Registered SIP 'encrypted' at 10.0.0.137:58079
        > Saved useragent "CSipSimple_crespo-19/r2330" for peer encrypted
SSL certificate ok
   == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Mar 24 21:20:42] WARNING[28466]: tcptls.c:272 handle_tcptls_connection: FILE * open failed!
[Mar 24 21:20:45] NOTICE[28460]: chan_sip.c:29584 sip_poke_noanswer: Peer 'encrypted' is now UNREACHABLE!  Last qualify: 0
SSL certificate ok
   == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Mar 24 21:20:56] WARNING[28467]: tcptls.c:272 handle_tcptls_connection: FILE * open failed!
     -- Unregistered SIP 'encrypted'

sip.conf looks like this:

[general]
context=guest
allowguest=no
allowoverlap=no
allowtransfer=no

bindaddr=0.0.0.0:5060
udpbindaddr=0.0.0.0:5060
tcpenable=no

tlsenable=yes
tlsbindaddr=0.0.0.0

tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt

tlscipher=ALL
tlsclientmethod=tlsv1

transport=udp

preferred_codec_only=no
disallow=all
allow=ulaw
language=en
trustrpid=no
dtmfmode=rfc2833
videosupport=no
alwaysauthreject=yes
directmedia=no
jbenable = yes
jbforce = no

[encrypted]
type=friend
secret=1234
context=internal
callerid="Encrypted" <1002>
host=dynamic
qualify=yes
canreinvite=no
dtmfmode=rfc2833
disallow=all
allow=alaw
allow=ulaw
transport=tls
encryption=yes


$ ls -l /etc/asterisk/keys
total 28
-rw-r--r--. 1 asterisk asterisk 1204 mrt 24 16:16 asterisk.crt
-r--r-----. 1 asterisk asterisk  887 mrt 24 16:16 asterisk.key
-r--r-----. 1 asterisk asterisk 2091 mrt 24 16:16 asterisk.pem
-rw-r--r--. 1 asterisk asterisk 1736 mrt 24 16:16 ca.crt
-r--------. 1 asterisk asterisk 3311 mrt 24 16:16 ca.key
-rw-r--r--. 1 asterisk asterisk 1208 mrt 24 16:20 nexus.crt

The certs were created with ast_tls_cert as described in the tutorial. I 
created a nexus.p12 for the phone and imported it before configuring 
CSipSimple.

Does anyone know what's wrong? Pointers much appreciated.

Thanks,
Patrick

[0] https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial
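
Added example, not part of the original post and not Asterisk or OpenSSL code: a small Python decoder for the packed OpenSSL error code in the log above, showing which TLS alert it encodes and that the alert was received from the other end of the connection. It assumes the pre-3.0 OpenSSL error layout (8-bit library, 12-bit function, 12-bit reason), which matches the "SSL routines:SSL3_READ_BYTES" form in the log; the function names and SAMPLE_LOG are constructed for this example.

```python
import re

# Constructed sample: log lines from the post above, mail line-wrapping undone.
SAMPLE_LOG = """\
SSL certificate ok
   == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Mar 24 21:20:42] WARNING[28466]: tcptls.c:272 handle_tcptls_connection: FILE * open failed!
"""

ERR_LIB_SSL = 0x14            # OpenSSL library number for "SSL routines"
SSL_AD_REASON_OFFSET = 1000   # SSL reason = 1000 + alert number for a received alert
# Subset of TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {10: "unexpected_message", 20: "bad_record_mac",
              40: "handshake_failure", 42: "bad_certificate",
              46: "certificate_unknown", 48: "unknown_ca",
              70: "protocol_version", 71: "insufficient_security"}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

def decode_packed(code):
    """Assumed pre-3.0 OpenSSL layout: 8-bit lib, 12-bit function, 12-bit reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def explain(line):
    """Return a dict describing the OpenSSL error in a log line, or None."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    lib, func, reason = decode_packed(int(m.group(1), 16))
    info = {"lib": lib, "func": func, "reason": reason,
            "func_name": m.group(3).strip(), "text": m.group(4).strip(),
            "alert": None, "received_from_peer": False}
    # In the SSL library, reasons at or above the offset map to an alert
    # that the remote end sent; lower reasons are raised locally.
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        info["alert"] = TLS_ALERTS.get(number, "alert_%d" % number)
        info["received_from_peer"] = True
    return info

def scan(log_text):
    """Decode every OpenSSL error found in a block of log text."""
    return [e for e in map(explain, log_text.splitlines()) if e is not None]

if __name__ == "__main__":
    for entry in scan(SAMPLE_LOG):
        print(entry)
```

The decoded result says only that the handshake_failure alert came from the other end of the failing connection; it does not identify why that end refused the handshake.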


