TLS and SRTP issue

Postby urmi.l » Mon Aug 20, 2012 4:44 am

Hello,

I have asterisk-1.8.3.2 installed on my Fedora 13 system. I have made the configuration of TLS and SRTP on my system.
I have self-signed certificate files. I have followed the links below:

http://www.voip-info.org/wiki/view/SIP+TLS
http://www.voip-info.org/wiki/view/Asterisk+SRTP

I'm trying to register the x-lite-5.0 softphone, but it's not getting registered with "transport=tls".

sip.conf
[general]
tlsenable=no
tlsbindaddr=192.168.1.x
tlscertfile=/etc/asterisk/certificates/asterik.pem
tlsdontverifyserver=no
tlscipher=DES-CBC3-SHA
tlsclientmethod=tlsv1

[1111]
type=friend
username=1111
secret=1111
host=dynamic
nat=yes
canreinvite=no
context=tls-test
allow=all
accountcode=1111
dtmfmode=rfc2833
transport=tls


Can you please tell me what I'm missing here?
urmi.l
Oldsterisk
 
Posts: 124
Joined: Fri May 07, 2010 10:37 pm

Re: TLS and SRTP issue

Postby david55 » Mon Aug 20, 2012 4:46 am

tlsenable=no
david55
Moves Like Spencer
 
Posts: 7693
Joined: Fri Sep 26, 2008 5:03 am

Re: TLS and SRTP issue

Postby urmi.l » Mon Aug 20, 2012 5:41 am

The softphone gets registered but I'm getting the following error:

Problem setting up ssl connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

Re: TLS and SRTP issue

Postby david55 » Mon Aug 20, 2012 5:46 am

Sign the phone's certificate using a certifying authority known to your OpenSSL implementation, or add the signing certificate used by the phone to the Asterisk SSL configuration.

Asterisk is unable to verify the authenticity of the phone because there is no chain of trust between it and anything that Asterisk is configured to trust.

Re: TLS and SRTP issue

Postby urmi.l » Mon Aug 20, 2012 6:41 am

Thank you for your reply.

I'm using the Blink softphone. Will you please guide me on how to sign the phone's certificate to my OpenSSL implementation?
Or how to add the signing certificate used by the phone to the Asterisk SSL configuration?

-Thanks

Re: TLS and SRTP issue

Postby david55 » Mon Aug 20, 2012 7:16 am


Re: TLS and SRTP issue

Postby urmi.l » Mon Aug 20, 2012 8:34 am

Thank you for your reply.

I have the self-signed certificate.
When I try to verify it, I'm getting the following:

openssl verify -CApath /etc/pki/tls/certs /etc/asterisk/certificates/my_ca.pem

/etc/asterisk/certificates/my_ca.pem: C = IN, ST = Guj, L = City, O = company, OU = section, CN = my_ca
error 18 at 0 depth lookup:self signed certificate
OK


Will you please guide me for this ?

Re: TLS and SRTP issue

Postby urmi.l » Tue Aug 21, 2012 3:28 am

I have followed the link below:
https://wiki.asterisk.org/wiki/display/ ... g+Tutorial

I have registered the Blink phone and I can make calls. It's working fine, but I'm still having the following on my CLI:
== Problem setting up ssl connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
[Aug 21 14:49:09] WARNING[21851]: tcptls.c:222 handle_tcptls_connection: FILE * open failed!


Any help pls.

Re: TLS and SRTP issue

Postby urmi.l » Tue Aug 21, 2012 7:17 am

Any help in this issue pls.

Re: TLS and SRTP issue

Postby urmi.l » Tue Aug 21, 2012 10:13 am

Hello,

I have changed the Asterisk version to 1.8.15.0 but still have the same issue.

*CLI> == Problem setting up ssl connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
[Aug 21 21:35:38] WARNING[27740]: tcptls.c:239 handle_tcptls_connection: FILE * open failed!


Any guidance pls.

Re: TLS and SRTP issue

Postby urmi.l » Wed Aug 22, 2012 10:49 pm

My calls are working properly with TLS and SRTP. But I'm still getting the following on the CLI:

== Problem setting up ssl connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
[Aug 23 10:09:17] WARNING[15842]: tcptls.c:239 handle_tcptls_connection: FILE * open failed!


Any suggestions please.

Re: TLS and SRTP issue

Postby david55 » Thu Aug 23, 2012 12:49 am

I presume you have somehow turned off authentication of the peer, but it is still trying to authenticate, and then ignoring the resulting security problem.

Re: TLS and SRTP issue

Postby urmi.l » Thu Aug 23, 2012 2:10 am

Thank you very much for your reply.

I have followed https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial
Below is my whole configuration:

sip.conf
tcpenable=yes
tcpbindaddr=192.168.1.x
tlsenable=yes
tlsbindaddr=192.168.1.x

tlsdontverifyserver=yes ;no
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
;tlscipher=DES-CBC3-SHA
tlscipher=ALL
tlsclientmethod=tlsv1

[1111]
type=friend
username=1111
secret=1111
host=dynamic
nat=yes
canreinvite=no
context=tls-test
allow=all
accountcode=1111
dtmfmode=rfc2833
transport=tls ;udp

[malcolm]
type=friend
username=malcolm
secret=malcolm
host=dynamic
;context=local
context=tls-test
dtmfmode=rfc2833
directmedia=no
disallow=all
allow=g722
transport=tls
encryption=yes


files in /etc/asterisk/keys :
asterisk.crt
asterisk.csr
asterisk.key
asterisk.pem
ca.cfg
ca.crt
ca.key
malcolm.crt
malcolm.csr
malcolm.key
malcolm.pem
tmp.cfg


Will you please guide me on what is missing here?

Re: TLS and SRTP issue

Postby david55 » Thu Aug 23, 2012 4:22 am

I presume that tlsdontverifyserver is causing it to ignore the fact that you haven't installed the root certificate properly, but it is doing so only after trying to fetch it. If you think you are safe from man in the middle attacks, I wouldn't worry further. Otherwise read the URL I gave you before more carefully, particularly the bit about using the hash as the file name.
david55
Moves Like Spencer
 
Posts: 7693
Joined: Fri Sep 26, 2008 5:03 am
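
The "hash as the file name" point from the reply above, as an added example that is not part of the thread: a CA certificate placed in an OpenSSL `-CApath` directory is only found when it is stored as `<subject-hash>.0`, so a correctly signed certificate still fails with an unknown-issuer error until the CA is installed under that name. The CA, the "phone" certificate and every path are constructed in a temporary directory; nothing is taken from the poster's system.

```shell
#!/bin/sh
# Added example: all names and paths are constructed; nothing here is the poster's real PKI.

# Create a throwaway CA and a "phone" certificate signed by it under directory $1.
make_demo_pki() {
    mkdir -p "$1/capath"
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo_ca
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -new -config "$1/ca.cnf" -subj "/CN=demo_phone" -newkey rsa:2048 \
        -nodes -keyout "$1/phone.key" -out "$1/phone.csr" 2>/dev/null
    openssl x509 -req -in "$1/phone.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/phone.crt" 2>/dev/null
}

# Succeeds only if phone.crt chains to a CA that the -CApath lookup can find.
verifies() {
    openssl verify -CApath "$1/capath" "$1/phone.crt" >/dev/null 2>&1
}

# Install the CA under <subject-hash>.0, the only name the directory lookup tries.
install_ca_by_hash() {
    h=$(openssl x509 -noout -hash -in "$1/ca.crt")
    cp "$1/ca.crt" "$1/capath/$h.0"
}

demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    cp "$d/ca.crt" "$d/capath/ca.crt"   # right file, plain name: never looked up
    if verifies "$d"; then before=ok; else before=fail; fi
    install_ca_by_hash "$d"
    if verifies "$d"; then after=ok; else after=fail; fi
    rm -rf "$d"
    echo "before=$before after=$after"
}

demo   # prints: before=fail after=ok
```

On a real system, `openssl rehash <dir>` (OpenSSL 1.1.0 and later) or the `c_rehash` script creates these hash-named links for every certificate in a directory.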

