[asterisk-users] PJSIP and Grandstream Wave with TLS and SRTP
hw
hw at gc-24.de
Fri Jan 24 19:18:26 CST 2020
On Friday, January 24, 2020 6:25:48 PM CET Sean Bright wrote:
> On 1/23/2020 6:04 PM, hw wrote:
> >> This is what mine looks like which works just fine:
> >>
> >> [transport-tls]
> >> type = transport
> >> protocol = tls
> >> method = tlsv1_2
> >> cipher = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256
> >> cert_file = /etc/letsencrypt/live/specialdomain.com/fullchain.pem
> >> priv_key_file = /etc/letsencrypt/live/specialdomain.com/privkey.pem
> >
> > Thanks, it still says
> >
> >
> > SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> <SSL routines-ssl3_get_client_hello-no shared cipher> len: 0 peer: 10.10.20.29:54937
>
> I guess I should have been more clear before - with the above settings
> TLS works for other phones, I hadn't tried with Wave.
>
> I downloaded Wave for iOS and played around a bit and stumbled on a
> working configuration. Wave seems to only support TLS 1.0 which is
> problematic itself but it is what it is.
>
> I set up Asterisk 16 on a VM in AWS to test which you can try as well if
> you like:
>
> Domain: sip.seanbright.com
> Username: asterisk
> Password: asterisk
>
> Calls are SRTP if offered, and the number dialed just needs to be 1 or
> more digits. This is the configuration I ended up with:
>
> [transport-tls]
> type = transport
> protocol = tls
> method = tlsv1
> cert_file = /etc/letsencrypt/live/sip.seanbright.com/fullchain.pem
> priv_key_file = /etc/letsencrypt/live/sip.seanbright.com/privkey.pem
> bind = 0.0.0.0:5061
> external_media_address = 52.91.86.158
> external_signaling_address = 52.91.86.158

Thanks a lot! I tried to register and it worked. It still doesn't work here
with tlsv1.

Then I noticed that you have priv_key_file set. I don't have that, and I
don't remember which of the files that were created when I tried to create the
key asterisk is using now is the private key. It seems I'll have to spend
another day or so on all the horrible key creation stuff again.
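
For the question in the last paragraph (which of the generated files is the private key), here is an added example that is not from the thread or from Asterisk: it classifies PEM files by their BEGIN label and reports which of the `cert_file` / `priv_key_file` options shown above each file fits. The function names and sample PEM blocks are constructed for illustration; it reads labels and file modes only and does not check that a key matches a certificate.

```python
import os
import re
import stat

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}

def classify_pem(text):
    """Return (kind, n_certs), judged only from the PEM BEGIN labels."""
    labels = BEGIN.findall(text)
    has_key = any(label in KEY_LABELS for label in labels)
    n_certs = labels.count("CERTIFICATE")
    if has_key and n_certs:
        return "key+cert", n_certs
    if has_key:
        return "priv_key_file", 0
    if n_certs:
        return "cert_file", n_certs
    if any(label.endswith("CERTIFICATE REQUEST") for label in labels):
        return "csr", 0          # signing request: not usable by the transport
    return "unknown", 0

def audit(path):
    """Classify one file and list problems worth fixing before use."""
    with open(path, encoding="ascii", errors="replace") as fh:
        kind, n_certs = classify_pem(fh.read())
    notes = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if kind in ("priv_key_file", "key+cert") and mode & 0o077:
        notes.append("private key readable by group/other (mode %o)" % mode)
    if kind == "cert_file" and n_certs == 1:
        notes.append("single certificate, no intermediate chain")
    return kind, notes

def _pem(label):
    # Constructed placeholder block: the body is not real key material.
    return "-----BEGIN %s-----\nQ09OU1RSVUNURUQ=\n-----END %s-----\n" % (label, label)

SAMPLE_KEY = _pem("EC PRIVATE KEY")
SAMPLE_CHAIN = _pem("CERTIFICATE") * 2   # leaf + intermediate, like fullchain.pem

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:            # e.g. every file in the key directory
        print(path, *audit(path))
```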