> == Problem setting up ssl connection: error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> [Nov 2 21:20:05] WARNING[3571]: tcptls.c:673 handle_tcptls_connection:
FILE
> * open failed!
It sounds like SSLv3 is being used by one of the endpoints.
SSLv3 is broken. Its been known broken for about 10 years. Its been
"more" broken recently (???). It should not have been used previous to
POODLE, and it should not be used now.
And don't use that crap UA's came up with (TLS_FALLBACK_SCSV). Always
advertise the protocols you are willing to accept, and don't fallback
to insecure protocols.
My protocol selections are TLS 1.0, 1.1 and 1.2. I allow TLS 1.0 for
interoperability, but I'd like to bury it too. If you control the
server and the clients, then you should be able to safely kill-off TLS
1.0 since interop is not a concern.
Jeff
On Sun, Nov 2, 2014 at 11:35 AM, Atul Thosar <atulthosar at gmail.com>
wrote:> Hi All,
> I am using "asterisk-11.12.0" version and I am trying to setup
secure call
> (TLS + SRTP) between two extensions and while making a call, I got
following
> error
>
> *CLI> == Using SIP RTP CoS mark 5
> -- Executing [6004 at from-office:1]
Dial("SIP/6003-00000000",
> "SIP/6004,20") in new stack
> == Using SIP RTP CoS mark 5
> -- Called SIP/6004
> SSL certificate ok
> == Problem setting up ssl connection: error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> [Nov 2 21:20:05] WARNING[3571]: tcptls.c:673 handle_tcptls_connection:
FILE
> * open failed!
>
> I followed instruction given in
>
"https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial",
but no
> luck.
> I googled around the issue and found solution mentioned by Patrick
> (https://www.mail-archive.com/asterisk-users at
lists.digium.com/msg274038.html)
>
> Did anyone has tried this solution and found it is working? I tried to
> create certificates with keyUsage/extendedKeyUsage, but it is not working.
>
> I have one more query - When the SIP user agents are able to register
> successfully with TLS, why more handshake is required while making a call?
> Can't Asterisk use existing TLS connection with Leg B to forward INVITE
> request? Could anyone please educate me on the same? I am little confused
> here.
>
> Thanks in advance.
> --
> Atul Thosar