<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small">I was able to get on the UI of the Yealink T32G and fiddle with the setting. Here's the setting for TLS transport in /etc/asterisk/extensions.conf:</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default"><p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">[transport-tls]</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">type = transport</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">protocol = tls</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">bind = 0.0.0.0:5061</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">; ca_list_file = /etc/asterisk/keys/ca.crt</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">; cert_file = /etc/asterisk/keys/asterisk.crt</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">; priv_key_file = /etc/asterisk/keys/asterisk.key</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">cert_file = /etc/asterisk/keys/fullchain.pem</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">priv_key_file = /etc/asterisk/keys/privkey.pem</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0);min-height:25px"><font face="monospace"><span style="font-variant-ligatures:no-common-ligatures"></span><br></font></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">method = tlsv1_2</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">allow_reload = true</font></span></p></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">Using FQHN for sip server still results in the same error with the phone failing to register:</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default"><p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">[Feb 12 16:55:33] WARNING[2080] pjproject: <span class="gmail-Apple-tab-span" style="white-space:pre"> </span> SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336027900> <SSL routines-SSL23_GET_CLIENT_HELLO-unknown protocol> len: 0 peer: <a href="http://128.171.77.34:45830">128.171.77.34:45830</a></font></span></p></div><div class="gmail_default" style="font-size:small"> </div><div class="gmail_default" style="font-size:small">I tried to upload my cert.pem (by Letsencrypt) to the phone as one of the trusted certificates and check "accept only trusted certificates". It didn't help. Nor does unchecking "accept only trusted certificates". There seem to be some reports in freepbx forum re trouble setting up Yealink phones with tls transport:</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"><font face="monospace"><a href="https://community.freepbx.org/t/tls-freepbx-and-yealink/59174">https://community.freepbx.org/t/tls-freepbx-and-yealink/59174</a></font><br></div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"> Yealink's writeup re using security certificates was for certain models/firmware levels, and mine isn't among them. 
I guess I'll probably have to accept that the few Yealink T32G will not play nice with TLS transport and buy the "sanctioned" models when rolling out the new Asterisk 16.14 server. I may also try my luck with the Cisco 7940/7960 phones that populate most of our offices.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"> Thanks,</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">--Ruisheng</div><div class="gmail_default" style="font-size:small"><br></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 12, 2021 at 3:13 PM Ruisheng Peng <<a href="mailto:rpeng@ifa.hawaii.edu">rpeng@ifa.hawaii.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-size:small">Thanks Joshua for the tip re using hostname rather than IP address when configuring the phone. It worked nicely on the linphone on my macbookpro at home. Dialplans are followed faithfully w/o the problems I experienced earlier. I'll test using the hostname on the Yealink phone next time I'm in office.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small"> Thanks,</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">--Ruisheng </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 12, 2021 at 4:48 AM Joshua C. 
Colp <<a href="mailto:jcolp@digium.com" target="_blank">jcolp@digium.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">On Thu, Feb 11, 2021 at 9:01 PM Ruisheng Peng <<a href="mailto:rpeng@ifa.hawaii.edu" target="_blank">rpeng@ifa.hawaii.edu</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:small">Sorry, my bad. I failed to change the transport to tls on the provision for the hardphone, nor did I change the transport on the linphone setup. However, after I do that, the hardphone (Yealink T32G) failed to register, citing:</div><div style="font-size:small"><br></div><div><p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><font face="monospace"><span style="font-variant-ligatures:no-common-ligatures">[Feb 11 14:16:03] </span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(180,36,25)">WARNING</span><span style="font-variant-ligatures:no-common-ligatures">[24936]: </span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(192,192,192)">pjproject</span><span style="font-variant-ligatures:no-common-ligatures">: </span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(192,192,192)"><?></span><span style="font-variant-ligatures:no-common-ligatures">: <span style="white-space:pre-wrap"> </span> SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336027900> <SSL routines-SSL23_GET_CLIENT_HELLO-unknown protocol> len: 0 peer: <a href="http://128.171.77.34:30401" target="_blank">128.171.77.34:30401</a></span></font></p></div></div></div></div></blockquote><div><br></div><div>This would be caused by the TLS transport 
configuration on Asterisk or the phone potentially. You'd need to provide the transport definition from pjsip.conf. Without that I can say the "method" option is likely needing changing. I'm not familiar with what is supported by Yealink.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:small">on the linphone side, it also fails to register:</div><div style="font-size:small"><br></div><div><p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">2021-02-11 13:26:32:637 [linphone/belle-sip] MESSAGE Trying to connect to [TLS://::ffff:<a href="http://128.171.77.23:5061" target="_blank">128.171.77.23:5061</a>]</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">2021-02-11 13:26:32:652 [linphone/belle-sip] MESSAGE Channel [0x7fc8b8000000]: Connected at TCP level, now doing TLS handshake with cname=128.171.77.23</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">2021-02-11 13:26:32:654 [linphone/belle-sip] MESSAGE Channel [0x7fc8b8000000]: SSL handshake in progress...</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate depth=[2], flags=[]:</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">cert. version : 3</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">serial number : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">issuer name : O=Digital Signature Trust Co., CN=DST Root CA X3</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">subject name : O=Digital Signature Trust Co., CN=DST Root CA X3</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">issued on : 2000-09-30 21:12:19</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">expires on : 2021-09-30 14:01:15</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">signed using : RSA with SHA1</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">RSA key size : 2048 bits</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">basic constraints : CA=true</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">key usage : Key Cert Sign, CRL Sign</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0);min-height:25px"><font face="monospace"><span style="font-variant-ligatures:no-common-ligatures"></span><br></font></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate depth=[1], flags=[]:</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">cert. version : 3</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">serial number : 40:01:75:04:83:14:A4:C8:21:8C:84:A9:0C:16:CD:DF</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">issuer name : O=Digital Signature Trust Co., CN=DST Root CA X3</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">subject name : C=US, O=Let's Encrypt, CN=R3</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">issued on : 2020-10-07 19:21:40</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">expires on : 2021-09-29 19:21:40</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">signed using : RSA with SHA-256</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">RSA key size : 2048 bits</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">basic constraints : CA=true, max_pathlen=0</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">key usage : Digital Signature, Key Cert Sign, CRL Sign</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">ext key usage : TLS Web Server Authentication, TLS Web Client Authentication</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0);min-height:25px"><font face="monospace"><span style="font-variant-ligatures:no-common-ligatures"></span><br></font></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate depth=[0], flags=[CN-mismatch ]:</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">cert. version : 3</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">serial number : 03:F0:83:3C:5D:41:76:BC:4E:B2:E6:AB:60:8C:F9:5E:27:86</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">issuer name : C=US, O=Let's Encrypt, CN=R3</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">subject name : CN=<a href="http://voip1.ifa.hawaii.edu" target="_blank">voip1.ifa.hawaii.edu</a></font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">issued on : 2020-12-30 02:56:29</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">expires on : 2021-03-30 02:56:29</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">signed using : RSA with SHA-256</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">RSA key size : 2048 bits</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">basic constraints : CA=false</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">subject alt name : <a href="http://voip1.ifa.hawaii.edu" target="_blank">voip1.ifa.hawaii.edu</a></font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">key usage : Digital Signature, Key Encipherment</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">ext key usage : TLS Web Server Authentication, TLS Web Client Authentication</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0);min-height:25px"><font face="monospace"><span style="font-variant-ligatures:no-common-ligatures"></span><br></font></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">2021-02-11 13:26:32:674 [linphone/belle-sip] ERROR Channel [0x7fc8b8000000]: SSL handshake failed : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed</font></span></p>
<p style="margin:0px;font-stretch:normal;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="monospace">2021-02-11 13:26:32:674 [linphone/belle-sip] ERROR Cannot connect to [TLS://<a href="http://128.171.77.23:5061" target="_blank">128.171.77.23:5061</a>]<br></font></span></p></div></div></div></div></blockquote><div><br></div><div>I don't use linphone or have any experience so can only provide general comments. Either the certificate chain is incomplete and the client can't verify, or the client doesn't have the certificate authority root certificate as trusted. As well if you aren't doing so you have to connect to the hostname - you can't specify the IP address.</div></div><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-family:tahoma,sans-serif"><div><font color="#073763">Joshua C. Colp</font></div><div><font color="#073763">Asterisk Technical Lead</font></div><div><font color="#073763">Sangoma Technologies</font></div><div><font color="#073763">Check us out at <a href="http://www.sangoma.com/" target="_blank">www.sangoma.com</a> and <a href="http://www.asterisk.org/" target="_blank">www.asterisk.org</a></font></div></div></div></div></div></div></div></div></div></div></div></div>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" rel="noreferrer" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a></blockquote></div>
</blockquote></div>
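An added example, not code from the thread or from Asterisk: it classifies the first bytes a phone sends to port 5061, taken from a packet capture, to tell cleartext SIP on the TLS port apart from a ClientHello whose highest offered version is below the transport's `method = tlsv1_2`. That either case can lie behind the `unknown protocol` warning above is an assumption here; the function names and sample bytes are constructed for illustration.

```python
"""Classify the first bytes a SIP client sends to the TLS listener on 5061."""
import struct

NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
         0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
SIP_METHODS = (b"REGISTER ", b"OPTIONS ", b"INVITE ", b"SUBSCRIBE ", b"NOTIFY ")


def classify_first_flight(data: bytes) -> dict:
    """Return the kind of first flight and, for a ClientHello, the version offered."""
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 0x03:
        # TLS record: type(1) version(2) length(2); handshake: type(1) length(3)
        # followed by client_version(2), the highest version the client offers.
        if data[5] != 0x01:
            return {"kind": "tls-other-handshake", "offered": None}
        (offered,) = struct.unpack("!H", data[9:11])
        return {"kind": "tls-clienthello", "offered": offered}
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2-framed ClientHello: length(2) msg_type(1) version(2)
        (offered,) = struct.unpack("!H", data[3:5])
        return {"kind": "sslv2-framed-clienthello", "offered": offered}
    if data.startswith(SIP_METHODS):
        return {"kind": "plaintext-sip", "offered": None}
    return {"kind": "unknown", "offered": None}


def diagnose(data: bytes, server_min: int = 0x0303) -> str:
    """Compare the client's first flight with the server's minimum version.

    server_min defaults to TLS 1.2, matching `method = tlsv1_2` in the
    transport shown in the thread.
    """
    result = classify_first_flight(data)
    kind, offered = result["kind"], result["offered"]
    if kind == "plaintext-sip":
        return "cleartext SIP on the TLS port: the phone's transport is not TLS"
    if offered is None:
        return "not a recognisable ClientHello"
    name = NAMES.get(offered, hex(offered))
    if offered < server_min:
        need = NAMES.get(server_min, hex(server_min))
        return f"client offers at most {name}; server requires {need}"
    return f"ok: client offers {name}; check certificates next"


def sample_client_hello(version: int) -> bytes:
    """Constructed minimal ClientHello (zero random, one cipher suite)."""
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + b"\x00\x02\x00\x2f" + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed inputs; replace with bytes taken from a capture of the phone.
    samples = [
        sample_client_hello(0x0301),
        sample_client_hello(0x0303),
        b"REGISTER sip:voip1.ifa.hawaii.edu SIP/2.0\r\n",
    ]
    for sample in samples:
        print(diagnose(sample))
```
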