VoIP Mailing List Archives
Mailing list archives for the VoIP community

[asterisk-users] sslv3 alert handshake failure error


 
atulthosar at gmail.com
Posted: Sun Nov 02, 2014 11:35 am    Post subject: [asterisk-users] sslv3 alert handshake failure error

Hi All,
I am using "asterisk-11.12.0" version and I am trying to set up a secure call (TLS + SRTP) between two extensions. While making a call, I got the following error:

*CLI>   == Using SIP RTP CoS mark 5
    -- Executing [6004@from-office:1] Dial("SIP/6003-00000000", "SIP/6004,20") in new stack
  == Using SIP RTP CoS mark 5
    -- Called SIP/6004
SSL certificate ok
  == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Nov  2 21:20:05] WARNING[3571]: tcptls.c:673 handle_tcptls_connection: FILE * open failed!

I followed the instructions given in "https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial", but no luck.
I googled the issue and found a solution mentioned by Patrick (https://www.mail-archive.com/asterisk-users@lists.digium.com/msg274038.html)

Has anyone tried this solution and found it working? I tried to create certificates with keyUsage/extendedKeyUsage, but it is not working.

I have one more query: when the SIP user agents are able to register successfully with TLS, why is another handshake required while making a call? Can't Asterisk use the existing TLS connection with Leg B to forward the INVITE request? Could anyone please educate me on this? I am a little confused here.

Thanks in advance.
--

Atul Thosar

noloader at gmail.com
Posted: Sun Nov 02, 2014 12:21 pm    Post subject: [asterisk-users] sslv3 alert handshake failure error

Quote:
== Problem setting up ssl connection: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Nov 2 21:20:05] WARNING[3571]: tcptls.c:673 handle_tcptls_connection: FILE
* open failed!
It sounds like SSLv3 is being used by one of the endpoints.

SSLv3 is broken. It's been known broken for about 10 years. It's been
"more" broken recently (???). It should not have been used previous to
POODLE, and it should not be used now.

And don't use that crap UAs came up with (TLS_FALLBACK_SCSV). Always
advertise the protocols you are willing to accept, and don't fall back
to insecure protocols.

My protocol selections are TLS 1.0, 1.1 and 1.2. I allow TLS 1.0 for
interoperability, but I'd like to bury it too. If you control the
server and the clients, then you should be able to safely kill off TLS
1.0 since interop is not a concern.

Jeff


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users

atulthosar at gmail.com
Posted: Mon Nov 03, 2014 9:07 am    Post subject: [asterisk-users] sslv3 alert handshake failure error

Hi Jeff,
Thanks for the response. I am using PJSIP soft clients and PJSIP uses TLSv1 by default. Even on network traces (using wireshark), I can observe that the TLSv1 protocol is being used. I am not getting why it is falling back on sslv3.

Could you please guide me here? Please correct me in case I miss something here.

Moreover, I have the following in "extensions.conf":

exten = 100,1,Answer()
same = n,Wait(1)
same = n,Playback(hello-world)
same = n,Hangup()

And a call to 100 (Req URI - INVITE sips:100@pbx.asterisk1.org;trasnport=tls SIP/2.0) from either of the PJSIP soft clients works perfectly. So I wonder how it works here while it fails when I dial an extension configured on a soft phone.

--

Thanks
Atul Thosar





On 2 November 2014 22:50, Jeffrey Walton <noloader@gmail.com> wrote:
Quote:
Quote:
  == Problem setting up ssl connection: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Nov  2 21:20:05] WARNING[3571]: tcptls.c:673 handle_tcptls_connection: FILE
* open failed!
It sounds like SSLv3 is being used by one of the endpoints.

SSLv3 is broken. It's been known broken for about 10 years. It's been
"more" broken recently (???). It should not have been used previous to
POODLE, and it should not be used now.

And don't use that crap UAs came up with (TLS_FALLBACK_SCSV). Always
advertise the protocols you are willing to accept, and don't fall back
to insecure protocols.

My protocol selections are TLS 1.0, 1.1 and 1.2. I allow TLS 1.0 for
interoperability, but I'd like to bury it too. If you control the
server and the clients, then you should be able to safely kill off TLS
1.0 since interop is not a concern.

Jeff
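
An added example, not written by the thread's participants or the Asterisk project: decoding the OpenSSL error code in the log line above to see which TLS alert the peer sent. It assumes the pre-3.0 OpenSSL packing of library, function and reason into the eight hex digits; the second sample line is constructed for comparison, and the "sslv3 alert" / "tlsv1 alert" wording is part of OpenSSL's fixed reason string for each alert.

```python
import re

# Constructed sample input: line 1 is the error quoted in the thread; line 2 is
# a constructed comparison line carrying a different alert.
SAMPLE_LOG = (
    "  == Problem setting up ssl connection: error:14094410:SSL routines:"
    "SSL3_READ_BYTES:sslv3 alert handshake failure\n"
    "  == Problem setting up ssl connection: error:14094418:SSL routines:"
    "SSL3_READ_BYTES:tlsv1 alert unknown ca\n"
)

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
SSL_LIB = 0x14       # library number of OpenSSL's SSL routines
ALERT_OFFSET = 1000  # SSL_AD_REASON_OFFSET: reason = 1000 + alert number

# Alert descriptions from the TLS specifications (handshake-related subset).
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
    71: "insufficient_security",
}

def decode(code_hex):
    """Split a pre-3.0 OpenSSL error code into library, function and reason."""
    code = int(code_hex, 16)
    lib = (code >> 24) & 0xFF
    reason = code & 0xFFF
    # Reasons at or above the offset in the SSL library are alerts from the peer.
    alert = reason - ALERT_OFFSET if lib == SSL_LIB and reason >= ALERT_OFFSET else None
    return {
        "lib": lib,
        "func": (code >> 12) & 0xFFF,  # function that reported the error
        "reason": reason,
        "peer_alert": alert,           # None means a local error, not a peer alert
        "alert_name": None if alert is None else TLS_ALERTS.get(alert, "unknown"),
    }

def triage(log_text):
    """Decode every OpenSSL error code found in the given log text."""
    return [decode(m.group(1)) for m in ERR_RE.finditer(log_text)]

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```

Alert 40 (handshake_failure) means the remote side gave up because it could not agree on an acceptable set of security parameters; the peer's own log, or the ClientHello and ServerHello in a packet capture, show which protocol version and cipher suites were actually offered.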
