[asterisk-users] sslv3 alert handshake failure error

Atul Thosar atulthosar at gmail.com
Mon Nov 3 08:07:05 CST 2014


Hi Jeff,
Thanks for the response. I am using PJSIP soft clients and PJSIP uses TLSv1
by default. Even in network traces (using Wireshark), I can observe that the
TLSv1 protocol is being used. I am not getting why it is falling back on SSLv3.

Could you please guide me here? Please correct me in case I miss something
here.

Moreover, I have the following in "extensions.conf":

exten = 100,1,Answer()
same = n,Wait(1)
same = n,Playback(hello-world)
same = n,Hangup()

And a call to 100 (Req URI - INVITE sips:100@pbx.asterisk1.org;transport=tls
SIP/2.0) from either of the PJSIP soft clients works perfectly. So I wonder
how it works here, and why it fails when I dial an extension configured on a
soft phone.

--
Thanks
Atul Thosar


On 2 November 2014 22:50, Jeffrey Walton <noloader at gmail.com> wrote:

> >   == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> > [Nov  2 21:20:05] WARNING[3571]: tcptls.c:673 handle_tcptls_connection: FILE * open failed!
> It sounds like SSLv3 is being used by one of the endpoints.
>
> SSLv3 is broken. It's been known broken for about 10 years. It's been
> "more" broken recently (???). It should not have been used previous to
> POODLE, and it should not be used now.
>
> And don't use that crap UAs came up with (TLS_FALLBACK_SCSV). Always
> advertise the protocols you are willing to accept, and don't fallback
> to insecure protocols.
>
> My protocol selections are TLS 1.0, 1.1 and 1.2. I allow TLS 1.0 for
> interoperability, but I'd like to bury it too. If you control the
> server and the clients, then you should be able to safely kill off TLS
> 1.0 since interop is not a concern.
>
> Jeff
>
> On Sun, Nov 2, 2014 at 11:35 AM, Atul Thosar <atulthosar at gmail.com> wrote:
> > Hi All,
> > I am using version "asterisk-11.12.0" and I am trying to set up a secure call
> > (TLS + SRTP) between two extensions. While making a call, I got the following
> > error:
> >
> > *CLI>   == Using SIP RTP CoS mark 5
> >     -- Executing [6004@from-office:1] Dial("SIP/6003-00000000", "SIP/6004,20") in new stack
> >   == Using SIP RTP CoS mark 5
> >     -- Called SIP/6004
> > SSL certificate ok
> >   == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> > [Nov  2 21:20:05] WARNING[3571]: tcptls.c:673 handle_tcptls_connection: FILE * open failed!
> >
> > I followed the instructions given in
> > "https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial", but no
> > luck.
> > I googled around the issue and found the solution mentioned by Patrick
> > (https://www.mail-archive.com/asterisk-users@lists.digium.com/msg274038.html)
> >
> > Has anyone tried this solution and found it working? I tried to
> > create certificates with keyUsage/extendedKeyUsage, but it is not working.
> >
> > I have one more query: when the SIP user agents are able to register
> > successfully with TLS, why is one more handshake required while making a call?
> > Can't Asterisk use the existing TLS connection with Leg B to forward the INVITE
> > request? Could anyone please educate me on this? I am a little confused
> > here.
> >
> > Thanks in advance.
> > --
> > Atul Thosar
>
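
Added example, not part of the original thread or of Asterisk: a decoder for the packed OpenSSL error code in the log line quoted above. It assumes the error layout used by OpenSSL releases before 3.0 (8-bit library, 12-bit function, 12-bit reason); the function name `decode_openssl_error` and the sample line are constructed for illustration.

```python
import re

# Assumption: packed error layout of OpenSSL releases before 3.0:
# bits 31-24 library, bits 23-12 function, bits 11-0 reason.
ERR_LIB_SSL = 0x14           # 20, printed as "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for a received alert

# Alert descriptions from RFC 5246 section 7.2 (86 is from RFC 7507).
TLS_ALERTS = {
    10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 86: "inappropriate_fallback",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

# Constructed sample: the error line from the thread, unwrapped onto one line.
SAMPLE_LINE = ("  == Problem setting up ssl connection: error:14094410:"
               "SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure")


def decode_openssl_error(line):
    """Split an OpenSSL error string into library, function and reason codes."""
    m = ERR_RE.search(line)
    if m is None:
        return None  # not an OpenSSL error line
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    out = {"lib": lib, "func": func, "reason": reason,
           "function_name": m.group(3), "text": m.group(4).strip(),
           "peer_alert": None, "alert_name": None}
    # Reasons 1000..1255 in the SSL library report an alert sent by the peer;
    # lower reasons are failures detected locally.
    if lib == ERR_LIB_SSL and 0 <= reason - SSL_AD_REASON_OFFSET <= 255:
        out["peer_alert"] = reason - SSL_AD_REASON_OFFSET
        out["alert_name"] = TLS_ALERTS.get(out["peer_alert"], "unknown")
    return out


if __name__ == "__main__":
    print(decode_openssl_error(SAMPLE_LINE))
```

For the line in this thread the decoder reports alert 40 (handshake_failure) received from the peer. OpenSSL labels alerts that were first defined in SSLv3 with the "sslv3 alert" prefix whatever protocol version was negotiated, so the alert number and a packet capture are the reliable indicators of what happened.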