patrick at laimbock.com
Posted: Mon Mar 24, 2014 3:29 pm Post subject: [asterisk-users] Problem with TLS/SRTP with Asterisk 11.8.1
Hi,
I followed the TLS/SRTP tutorial on the wiki [0] using Asterisk 11.8.1
on CentOS 6.5 x86_64 and CSipSimple on a Nexus with Android 4.4.x on local
wifi. The phone seems to register, but directly after that things fall
apart (turning SELinux off made no difference):
*CLI> -- Registered SIP 'encrypted' at 10.0.0.137:58079
Saved useragent "CSipSimple_crespo-19/r2330" for peer encrypted
SSL certificate ok
== Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Mar 24 21:20:42] WARNING[28466]: tcptls.c:272 handle_tcptls_connection: FILE * open failed!
[Mar 24 21:20:45] NOTICE[28460]: chan_sip.c:29584 sip_poke_noanswer: Peer 'encrypted' is now UNREACHABLE! Last qualify: 0
SSL certificate ok
== Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Mar 24 21:20:56] WARNING[28467]: tcptls.c:272 handle_tcptls_connection: FILE * open failed!
-- Unregistered SIP 'encrypted'
sip.conf looks like this:
[general]
context=guest
allowguest=no
allowoverlap=no
allowtransfer=no
bindaddr=0.0.0.0:5060
udpbindaddr=0.0.0.0:5060
tcpenable=no
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
transport=udp
preferred_codec_only=no
disallow=all
allow=ulaw
language=en
trustrpid=no
dtmfmode=rfc2833
videosupport=no
alwaysauthreject=yes
directmedia=no
jbenable = yes
jbforce = no
[encrypted]
type=friend
secret=1234
context=internal
callerid="Encrypted" <1002>
host=dynamic
qualify=yes
canreinvite=no
dtmfmode=rfc2833
disallow=all
allow=alaw
allow=ulaw
transport=tls
encryption=yes
$ ls -l /etc/asterisk/keys
total 28
-rw-r--r--. 1 asterisk asterisk 1204 mrt 24 16:16 asterisk.crt
-r--r-----. 1 asterisk asterisk 887 mrt 24 16:16 asterisk.key
-r--r-----. 1 asterisk asterisk 2091 mrt 24 16:16 asterisk.pem
-rw-r--r--. 1 asterisk asterisk 1736 mrt 24 16:16 ca.crt
-r--------. 1 asterisk asterisk 3311 mrt 24 16:16 ca.key
-rw-r--r--. 1 asterisk asterisk 1208 mrt 24 16:20 nexus.crt
The certs were created with ast_tls_cert as described in the tutorial. I
created a nexus.p12 for the phone and imported it before configuring
CSipSimple.
Does anyone know what's wrong? Pointers much appreciated.
Thanks,
Patrick
[0] https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
patrick at laimbock.com
Posted: Mon Mar 24, 2014 10:23 pm Post subject: [asterisk-users] Problem with TLS/SRTP with Asterisk 11.8.1
On 24-03-14 21:28, Patrick Laimbock wrote:
[snip]
> == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> [Mar 24 21:20:56] WARNING[28467]: tcptls.c:272 handle_tcptls_connection:
So others may find the fix: make sure the server and client certificates
have the proper keyUsage. The ast_gen_tls script does not set them and
this caused the handshake/verification to fail.
The client certificate needs something like:
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
The server certificate needs something like:
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
HTH,
Patrick
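As an added example that is not part of the thread and not Asterisk's own ast_tls_cert script, the following POSIX shell script issues a CA, a server certificate with serverAuth and a client certificate with clientAuth, carrying the keyUsage/extendedKeyUsage values described in the fix above, and then checks each certificate for its intended purpose with openssl verify -purpose so a missing or wrong extension is caught before any phone tries to register. The subjects, the minimal openssl config and the file names (which mirror the ones in the thread) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread and not Asterisk's ast_tls_cert script):
# issue a CA, a server cert (serverAuth) and a client cert (clientAuth) with
# explicit keyUsage/extendedKeyUsage, then verify each one for its purpose.
# Subjects, file names and the minimal openssl config are assumptions.
set -e

make_tls_certs() {
  d="$1"; mkdir -p "$d"
  # Minimal config so "openssl req" does not depend on a system openssl.cnf;
  # the CA section marks the root as a CA allowed to sign certificates.
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ca_ext\n' > "$d/req.cnf"
  printf '[dn]\nCN = placeholder\n[ca_ext]\nbasicConstraints = critical, CA:TRUE\n' >> "$d/req.cnf"
  printf 'keyUsage = critical, keyCertSign, cRLSign\n' >> "$d/req.cnf"
  # The extensions the thread says were missing: one set per role.
  printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n' > "$d/server.ext"
  printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\n' > "$d/client.ext"
  # Self-signed CA.
  openssl req -config "$d/req.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Asterisk CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # Server key and CSR, signed by the CA with the server extension file.
  openssl req -config "$d/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=asterisk.example.invalid" -keyout "$d/asterisk.key" -out "$d/asterisk.csr" 2>/dev/null
  openssl x509 -req -in "$d/asterisk.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -sha256 -days 365 -extfile "$d/server.ext" -out "$d/asterisk.crt" 2>/dev/null
  # Client (phone) key and CSR, signed with the client extension file.
  openssl req -config "$d/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=nexus" -keyout "$d/nexus.key" -out "$d/nexus.csr" 2>/dev/null
  openssl x509 -req -in "$d/nexus.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -sha256 -days 365 -extfile "$d/client.ext" -out "$d/nexus.crt" 2>/dev/null
  # tlscertfile in sip.conf takes cert and key in one PEM; keep private keys out of reach.
  cat "$d/asterisk.crt" "$d/asterisk.key" > "$d/asterisk.pem"
  chmod 640 "$d/asterisk.pem" "$d/asterisk.key" "$d/nexus.key"; chmod 600 "$d/ca.key"
}

# check_purpose CERT PURPOSE CA: succeeds only if CERT chains to CA and its
# keyUsage/extendedKeyUsage allow PURPOSE (sslserver or sslclient).
check_purpose() {
  openssl verify -CAfile "$3" -purpose "$2" "$1" >/dev/null 2>&1
}

# Show the two extensions a TLS peer will check on a certificate.
show_usage() {
  openssl x509 -in "$1" -noout -text | grep -A1 -E 'Key Usage'
}
demo=$(mktemp -d); make_tls_certs "$demo"
show_usage "$demo/asterisk.crt"; show_usage "$demo/nexus.crt"
check_purpose "$demo/asterisk.crt" sslserver "$demo/ca.crt" && echo "asterisk.crt: ok as server"
check_purpose "$demo/nexus.crt" sslclient "$demo/ca.crt" && echo "nexus.crt: ok as client"
```

Running check_purpose with the wrong purpose (the client cert as sslserver, or the server cert as sslclient) fails, which is the same rejection the peer's TLS stack applies during the handshake.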