On Tue, March 3, 2015 13:37, James Cloos wrote:

> >>>>> "JBB" == James B Byrne <byrnejb at harte-lyne.ca> writes:
>
> JBB> tcpenable=yes
> JBB> tlsenable=yes
> JBB> tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.crt
> JBB> tlscafile=/etc/pki/tls/certs/ca-bundle.crt
> JBB> tlsdontverifyserver=yes
> JBB> tlscipher=ALL
> JBB> tlsclientmethod=tlsv1
>
> You are missing the tls key.
>
> The config name is tlsprivatekey; set that to the filename of your tls
> key, akin to how tlscertfile is set.
>
> -JimC

Thank you. The settings in sip_general_additional.conf are now:

    tcpenable=yes
    tlsenable=yes
    tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.pem
    tlscafile=/etc/pki/tls/certs/ca-bundle.crt
    tlsdontverifyserver=yes
    tlscipher=ALL
    tlsclientmethod=tlsv1
    tlsprivatekey=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.key

However, issuing 'amportal a r' still results in this error:

    [2015-03-03 15:40:42] ERROR[13681]: tcptls.c:875 ast_tcptls_client_start: Unable to connect SIP socket to 192.168.6.112:5060: Connection refused

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
Other things to consider:

The transport config, which can be in [general] or in a peer's [] block.
If you want tls-only, use transport=tls. It also accepts tcp, udp or a comma-separated list. If given a list, it tries them in order.

If you need ast to register over tls, use something like this:

    register => tls://username:xxxxxx at sip-tls-proxy.example.org

(copied from the example sip.conf).

Set tlsbindaddr to the address to which to bind(2) the tls socket.
tlsbindaddr=0.0.0.0 is typical in ipv4-only configs.

-JimC
--
James Cloos <cloos at jhcloos.com>         OpenPGP: 0x997A9F17ED7DAEA6
On Tue, March 3, 2015 16:34, James Cloos wrote:

> Other things to consider:
>
> The transport config, which can be in [general] or in a peer's []
> block.
> if you want tls-only, use transport=tls
> it also accepts tcp, udp or a comma-separated list.
> if given a list, it tries them in order

The specific device I am using to test this with has only transport=tls set, which is why it cannot register: the default fall-back to udp is not permitted.

> If you need ast to register over tls, use something like this:
>
> register => tls://username:xxxxxx at sip-tls-proxy.example.org

Does this go in the device context? In other words, is it placed in the same context in which the device's transport value is set? Would the following be valid?

    [device]
    register => tls://user:extension at 192.168.6.112:5061

How would multiple users at a single device be handled?

> (copied from the example sip.conf).
>
> Set tlsbindaddr to the address to which to bind(2) the tls socket.
> tlsbindaddr=0.0.0.0 is typical in ipv4-only configs.
>
> -JimC

Presumably this is equivalent to tlsbindaddr=0.0.0.0/0.0.0.0? Is the syntax tlsbindaddr=0.0.0.0/0.0.0.0:5061 also correct?

--
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
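An added configuration audit, written for this thread and not taken from it or from Asterisk: it parses a sip.conf-style fragment like the [general] block quoted above, reports the missing tlsprivatekey together with the tlsdontverifyserver=yes and tlscipher=ALL settings, and splits a register line into scheme, user, host and port. The sample text is constructed, and the 5061/5060 port defaults for a register line without an explicit port are an assumption.

```python
import re
# Constructed sample modelled on the thread's sip_general_additional.conf fragment; tlsprivatekey left out as in the first message.
SAMPLE_CONF = """\
[general]
tlsenable=yes
tlscertfile=/etc/pki/asterisk/ca.harte-lyne.hamilton.asterisk.pem
tlsdontverifyserver=yes  ; any server certificate is accepted
tlscipher=ALL
transport=tls
register => tls://user:extension@192.168.6.112:5061
"""

KV_RE = re.compile(r"^(\w+)\s*(?:=>|=)\s*(.*)$")  # both 'key=value' and 'key => value'

def parse_sip_conf(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse sip.conf-style text into {section: {key: [values]}}; keys such as register may repeat."""
    sections: dict[str, dict[str, list[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in Asterisk config files
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and (m := KV_RE.match(line)):
            sections[current].setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return sections

def parse_register(value: str) -> tuple[str, str, str, int]:
    """Split 'scheme://user:secret@host[:port]' into (scheme, user, host, port).
    Assumption: a tls:// line without a port defaults to 5061, anything else to 5060."""
    scheme, _, rest = value.partition("://") if "://" in value else ("udp", "", value)
    userinfo, _, hostport = rest.rpartition("@")
    host, _, port = hostport.partition(":")
    return scheme, userinfo.split(":", 1)[0], host, int(port) if port else (5061 if scheme == "tls" else 5060)

def audit_tls(section: dict[str, list[str]]) -> list[str]:
    """Report the TLS settings questioned in the thread for one section (last value wins on repeats)."""
    last = lambda key, default="": section.get(key, [default])[-1]
    findings: list[str] = []
    if last("tlsenable", "no").lower() != "yes":
        return findings
    if "tlsprivatekey" not in section:
        findings.append("tlsprivatekey not set: point it at the key matching tlscertfile, as the first reply asks")
    if last("tlsdontverifyserver", "no").lower() == "yes":
        findings.append("tlsdontverifyserver=yes: server certificates are not verified on outbound TLS")
    if last("tlscipher").upper() == "ALL":
        findings.append("tlscipher=ALL: every cipher suite in the OpenSSL build is allowed, weak ones included")
    return findings
```

Running `audit_tls(parse_sip_conf(SAMPLE_CONF)["general"])` yields three findings for the constructed block; a block with tlsprivatekey set, verification enabled and a restricted cipher list yields none.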