[asterisk-users] HELP! tls/srtp: sip_xmit error: returned -2

Da Rock asterisk-users at herveybayaustralia.com.au
Mon Jun 13 21:19:20 CDT 2011


I know I've bumped this already now, but I do need to resolve this and 
I've only been replying to myself.

I've tried another client now (Jitsi), which was the only one with 
tls/srtp support that will run on FreeBSD, and it suffers the same problem.

I am very confused now as to why the only client that is demonstrated in 
the docs is Blink and is the only client to support a client 
certificate. Is this the only way that this works - to have a server 
_and_ a client certificate? Is this the source of the problem? Does this 
mean Asterisk is broken in this regard?


On 06/13/11 10:44, Da Rock wrote:
> I'm still no further advanced on this, but I think I have narrowed it 
> down to tls. I have sip debug logs which show that the server cannot 
> contact the tls enabled phone at the same time this error crops up. 
> The log says "calling <user>" and then the error.
>
> With TLS disabled, though, SRTP still doesn't work either. I 
> have no knowledge of how to move forward on this, so some pointers 
> would be very much appreciated.
>
>
> On 06/07/11 12:11, Da Rock wrote:
>> I'm having trouble setting up tls/srtp secure communications on my 
>> Asterisk server- I'm still rather new at working with Asterisk.
>>
>> I have enabled tls and encryption and I have csipsimple with tls 
>> build on the phone. I'm currently only testing one phone with this 
>> capability so far, and the rest still work in the current state.
>>
>> My logging looks like this with verbose turned up:
>>
>> [Jun  7 11:44:13] NOTICE[88483]: chan_sip.c:19842 handle_response_peerpoke: Peer '<user>' is now Reachable. (171ms / 2000ms)
>> [Jun  7 11:46:17] NOTICE[88483]: chan_sip.c:25072 sip_poke_noanswer: Peer '<user>' is now UNREACHABLE!  Last qualify: 203
>> [Jun  7 11:46:29] NOTICE[88483]: chan_sip.c:19842 handle_response_peerpoke: Peer '<user>' is now Reachable. (1888ms / 2000ms)
>>
>> When I call on this phone I get:
>>
>> [Jun  7 11:40:47] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2: Invalid argument
>> [Jun  7 11:41:01] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2: Invalid argument
>> [Jun  7 11:41:15] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2: Invalid argument
>> [Jun  7 11:41:29] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2: Invalid argument
>>     -- Registered SIP '<user>' at 192.168.0.200:57805
>> [Jun  7 11:41:31] NOTICE[88483]: chan_sip.c:19842 handle_response_peerpoke: Peer '<user>' is now Reachable. (10ms / 2000ms)
>>
>> When I call from another phone I get:
>>
>> [Jun  7 11:55:30] NOTICE[88483]: chan_sip.c:25072 sip_poke_noanswer: Peer '<tls user>' is now UNREACHABLE!  Last qualify: 13
>>     -- SIP/<tls user>-00000024 is circuit-busy
>>   == Everyone is busy/congested at this time (1:0/1/0)
>>     -- Auto fallthrough, channel 'SIP/<user>-00000023' status is 'CONGESTION'
>> [Jun  7 11:56:22] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:45931 returned -2: Interrupted system call
>>
>> and eventually:
>>
>> [Jun  7 11:57:46] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2cefb000 (len 599) to 192.168.0.200:45931 returned -2: Unknown error: 0
>>
>> I'm using my own CA setup for purposes beyond just this need, so I'm 
>> using openssl commands directly and everything works elsewhere- so my 
>> CA setup is fine (includes SAN).
>>
>> My config for tls/srtp looks like this (remember, the rest works very 
>> happily):
>>
>> [global]
>> encryption             =       yes
>> tlsenable               =       yes
>> tlsbindaddr             =       0.0.0.0
>> tlscertfile             =       /path/to/asterisk/certificate/and/key/in/a/single/file
>> tlscafile               =       /path/to/CA/certificate
>> tlscipher               =       ALL
>> tlsclientmethod         =       tlsv1
>>
>> [tls user]
>> transport                =    tls
>>
>> Can someone give me any clues to what is happening? I've checked my 
>> packet flow with tcpdump and wireshark as well, but I'm still left 
>> mystified.
>>
>> Cheers
>>
>> -- 
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>               http://www.asterisk.org/hello
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-users




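Added example, not part of the original post or of Asterisk: a small Python triage script for the chan_sip log lines quoted above. It counts `__sip_xmit` failures per destination and error string and notes whether each destination port matches the most recent `Registered SIP` line seen for that host, which is worth checking because a TLS client's source port changes with every new TCP connection. The function name `triage`, the status labels and the sample (log records from the post with mail line wraps rejoined) are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: log records taken from the post, mail line wraps rejoined.
SAMPLE = """\
[Jun  7 11:40:47] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2: Invalid argument
[Jun  7 11:41:29] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2: Invalid argument
    -- Registered SIP '<user>' at 192.168.0.200:57805
[Jun  7 11:41:31] NOTICE[88483]: chan_sip.c:19842 handle_response_peerpoke: Peer '<user>' is now Reachable. (10ms / 2000ms)
[Jun  7 11:56:22] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:45931 returned -2: Interrupted system call
[Jun  7 11:57:46] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2cefb000 (len 599) to 192.168.0.200:45931 returned -2: Unknown error: 0
"""

# Patterns match the message text exactly as it appears in the post's log.
XMIT = re.compile(r"sip_xmit of \S+ \(len \d+\) to (\S+):(\d+) returned (-?\d+): (.+)$")
REG = re.compile(r"Registered SIP '([^']*)' at (\S+):(\d+)")


def triage(text):
    """Count send failures keyed by (host, port, error string, status).

    status compares the failed destination port with the latest
    registration seen for that host earlier in the same log.
    """
    current = {}        # host -> port of the latest registration seen so far
    report = Counter()
    for line in text.splitlines():
        m = REG.search(line)
        if m:
            current[m.group(2)] = int(m.group(3))
            continue
        m = XMIT.search(line)
        if not m:
            continue
        host, port, reason = m.group(1), int(m.group(2)), m.group(4).strip()
        if host not in current:
            status = "no registration seen yet"
        elif current[host] == port:
            status = "matches registration"
        else:
            status = "differs from registration"
        report[(host, port, reason, status)] += 1
    return report


if __name__ == "__main__":
    for (host, port, reason, status), n in triage(SAMPLE).items():
        print(f"{n}x {host}:{port}  {reason!r}  [{status}]")
```

A "differs from registration" entry only says the excerpt shows no registration from that port; feed it the full log before drawing conclusions.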