[asterisk-users] Problem with TLS/SRTP with Asterisk 11.8.1
Patrick Laimbock
patrick at laimbock.com
Mon Mar 24 15:28:58 CDT 2014

Hi,

I followed the TLS/SRTP tutorial on the wiki [0] using Asterisk 11.8.1
on CentOS 6.5 x86_64 and CSipSimple on a Nexus with Android 4.4.x on local
wifi. The phone seems to register but directly after that things fall
apart (turning SELinux off made no difference):

*CLI> -- Registered SIP 'encrypted' at 10.0.0.137:58079
> Saved useragent "CSipSimple_crespo-19/r2330" for peer encrypted
SSL certificate ok
== Problem setting up ssl connection: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Mar 24 21:20:42] WARNING[28466]: tcptls.c:272 handle_tcptls_connection:
FILE * open failed!
[Mar 24 21:20:45] NOTICE[28460]: chan_sip.c:29584 sip_poke_noanswer:
Peer 'encrypted' is now UNREACHABLE! Last qualify: 0
SSL certificate ok
== Problem setting up ssl connection: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Mar 24 21:20:56] WARNING[28467]: tcptls.c:272 handle_tcptls_connection:
FILE * open failed!
-- Unregistered SIP 'encrypted'

sip.conf looks like this:

[general]
context=guest
allowguest=no
allowoverlap=no
allowtransfer=no
bindaddr=0.0.0.0:5060
udpbindaddr=0.0.0.0:5060
tcpenable=no
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
transport=udp
preferred_codec_only=no
disallow=all
allow=ulaw
language=en
trustrpid=no
dtmfmode=rfc2833
videosupport=no
alwaysauthreject=yes
directmedia=no
jbenable = yes
jbforce = no
[encrypted]
type=friend
secret=1234
context=internal
callerid="Encrypted" <1002>
host=dynamic
qualify=yes
canreinvite=no
dtmfmode=rfc2833
disallow=all
allow=alaw
allow=ulaw
transport=tls
encryption=yes

$ ls -l /etc/asterisk/keys
total 28
-rw-r--r--. 1 asterisk asterisk 1204 mrt 24 16:16 asterisk.crt
-r--r-----. 1 asterisk asterisk 887 mrt 24 16:16 asterisk.key
-r--r-----. 1 asterisk asterisk 2091 mrt 24 16:16 asterisk.pem
-rw-r--r--. 1 asterisk asterisk 1736 mrt 24 16:16 ca.crt
-r--------. 1 asterisk asterisk 3311 mrt 24 16:16 ca.key
-rw-r--r--. 1 asterisk asterisk 1208 mrt 24 16:20 nexus.crt

The certs were created with ast_tls_cert as described in the tutorial. I
created a nexus.p12 for the phone and imported it before configuring
CSipSimple.

Does anyone know what's wrong? Pointers much appreciated.

Thanks,
Patrick

[0] https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial