Ruisheng Peng
2021-Feb-12 00:59 UTC
[asterisk-users] Hangup() not working for handsets using pls transport?
Sorry, my bad. I failed to change the transport to tls on the provision for the hardphone, nor did I change the transport on the linphone setup. However, after I did that, the hardphone (Yealink T32G) failed to register, citing:

[Feb 11 14:16:03] WARNING[24936]: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336027900> <SSL routines-SSL23_GET_CLIENT_HELLO-unknown protocol> len: 0 peer: 128.171.77.34:30401

On the linphone side, it also fails to register:

2021-02-11 13:26:32:637 [linphone/belle-sip] MESSAGE Trying to connect to [TLS://::ffff:128.171.77.23:5061]
2021-02-11 13:26:32:652 [linphone/belle-sip] MESSAGE Channel [0x7fc8b8000000]: Connected at TCP level, now doing TLS handshake with cname=128.171.77.23
2021-02-11 13:26:32:654 [linphone/belle-sip] MESSAGE Channel [0x7fc8b8000000]: SSL handshake in progress...
2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate depth=[2], flags=[]:
cert. version : 3
serial number : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B
issuer name : O=Digital Signature Trust Co., CN=DST Root CA X3
subject name : O=Digital Signature Trust Co., CN=DST Root CA X3
issued on : 2000-09-30 21:12:19
expires on : 2021-09-30 14:01:15
signed using : RSA with SHA1
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign

2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate depth=[1], flags=[]:
cert. version : 3
serial number : 40:01:75:04:83:14:A4:C8:21:8C:84:A9:0C:16:CD:DF
issuer name : O=Digital Signature Trust Co., CN=DST Root CA X3
subject name : C=US, O=Let's Encrypt, CN=R3
issued on : 2020-10-07 19:21:40
expires on : 2021-09-29 19:21:40
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true, max_pathlen=0
key usage : Digital Signature, Key Cert Sign, CRL Sign
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate depth=[0], flags=[CN-mismatch ]:
cert. version : 3
serial number : 03:F0:83:3C:5D:41:76:BC:4E:B2:E6:AB:60:8C:F9:5E:27:86
issuer name : C=US, O=Let's Encrypt, CN=R3
subject name : CN=voip1.ifa.hawaii.edu
issued on : 2020-12-30 02:56:29
expires on : 2021-03-30 02:56:29
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name : voip1.ifa.hawaii.edu
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication

2021-02-11 13:26:32:674 [linphone/belle-sip] ERROR Channel [0x7fc8b8000000]: SSL handshake failed : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
2021-02-11 13:26:32:674 [linphone/belle-sip] ERROR Cannot connect to [TLS://128.171.77.23:5061]

On Mon, Feb 8, 2021 at 12:27 PM Joshua C. Colp <jcolp at digium.com> wrote:

> On Mon, Feb 8, 2021 at 6:14 PM Ruisheng Peng <rpeng at ifa.hawaii.edu> wrote:
>
>> Thanks Joshua for the suggestion. To find out if the issue was only
>> limited to the softphone that was using tls transport (SOFTPHONE_B on ext
>> 103, a linphone running off my MBP), I also turned one of the hard phones
>> (0000f30A0A01 on ext 100, a Yealink T32G) into using tls transport. It
>> behaves similarly to the linphone in that the Hangup() call in dialplan is
>> silently ignored, and the handsets would always appear as busy/unavailable.
>>
>
> Have you configured the devices, on them or using their provisioning, to
> use TLS? It does not appear so as they are using UDP, while you're forcing
> a TLS transport in Asterisk. This would not work.
>
> --
> Joshua C. Colp
> Asterisk Technical Lead
> Sangoma Technologies
> Check us out at www.sangoma.com and www.asterisk.org
Joshua C. Colp
2021-Feb-12 14:46 UTC
[asterisk-users] Hangup() not working for handsets using pls transport?
On Thu, Feb 11, 2021 at 9:01 PM Ruisheng Peng <rpeng at ifa.hawaii.edu> wrote:

> Sorry, my bad. I failed to change the transport to tls on the provision
> for the hardphone, nor did I change the transport on the linphone setup.
> However, after I did that, the hardphone (Yealink T32G) failed to register,
> citing:
>
> [Feb 11 14:16:03] WARNING[24936]: pjproject: <?>: SSL
> SSL_ERROR_SSL (Handshake): Level: 0 err: <336027900> <SSL
> routines-SSL23_GET_CLIENT_HELLO-unknown protocol> len: 0 peer:
> 128.171.77.34:30401
>

This would be caused by the TLS transport configuration on Asterisk or the phone potentially. You'd need to provide the transport definition from pjsip.conf. Without that I can say the "method" option is likely needing changing. I'm not familiar with what is supported by Yealink.

> on the linphone side, it also fails to register:
>
> 2021-02-11 13:26:32:637 [linphone/belle-sip] MESSAGE Trying to connect to
> [TLS://::ffff:128.171.77.23:5061]
>
> 2021-02-11 13:26:32:652 [linphone/belle-sip] MESSAGE Channel
> [0x7fc8b8000000]: Connected at TCP level, now doing TLS handshake with
> cname=128.171.77.23
>
> 2021-02-11 13:26:32:654 [linphone/belle-sip] MESSAGE Channel
> [0x7fc8b8000000]: SSL handshake in progress...
>
> 2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate
> depth=[2], flags=[]:
> cert. version : 3
> serial number : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B
> issuer name : O=Digital Signature Trust Co., CN=DST Root CA X3
> subject name : O=Digital Signature Trust Co., CN=DST Root CA X3
> issued on : 2000-09-30 21:12:19
> expires on : 2021-09-30 14:01:15
> signed using : RSA with SHA1
> RSA key size : 2048 bits
> basic constraints : CA=true
> key usage : Key Cert Sign, CRL Sign
>
> 2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate
> depth=[1], flags=[]:
> cert. version : 3
> serial number : 40:01:75:04:83:14:A4:C8:21:8C:84:A9:0C:16:CD:DF
> issuer name : O=Digital Signature Trust Co., CN=DST Root CA X3
> subject name : C=US, O=Let's Encrypt, CN=R3
> issued on : 2020-10-07 19:21:40
> expires on : 2021-09-29 19:21:40
> signed using : RSA with SHA-256
> RSA key size : 2048 bits
> basic constraints : CA=true, max_pathlen=0
> key usage : Digital Signature, Key Cert Sign, CRL Sign
> ext key usage : TLS Web Server Authentication, TLS Web Client
> Authentication
>
> 2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate
> depth=[0], flags=[CN-mismatch ]:
> cert. version : 3
> serial number : 03:F0:83:3C:5D:41:76:BC:4E:B2:E6:AB:60:8C:F9:5E:27:86
> issuer name : C=US, O=Let's Encrypt, CN=R3
> subject name : CN=voip1.ifa.hawaii.edu
> issued on : 2020-12-30 02:56:29
> expires on : 2021-03-30 02:56:29
> signed using : RSA with SHA-256
> RSA key size : 2048 bits
> basic constraints : CA=false
> subject alt name : voip1.ifa.hawaii.edu
> key usage : Digital Signature, Key Encipherment
> ext key usage : TLS Web Server Authentication, TLS Web Client
> Authentication
>
> 2021-02-11 13:26:32:674 [linphone/belle-sip] ERROR Channel
> [0x7fc8b8000000]: SSL handshake failed : X509 - Certificate verification
> failed, e.g. CRL, CA or signature check failed
>
> 2021-02-11 13:26:32:674 [linphone/belle-sip] ERROR Cannot connect to
> [TLS://128.171.77.23:5061]
>

I don't use linphone or have any experience so can only provide general comments. Either the certificate chain is incomplete and the client can't verify, or the client doesn't have the certificate authority root certificate as trusted. As well, if you aren't doing so, you have to connect to the hostname - you can't specify the IP address.

--
Joshua C. Colp
Asterisk Technical Lead
Sangoma Technologies
Check us out at www.sangoma.com and www.asterisk.org
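
Added example, not part of the thread and not linphone or Asterisk code: a Python script that reads the per-certificate flags from a condensed copy of the belle-sip log quoted above and checks the connect target against the leaf certificate's subject alt name. The function names and the wildcard rule are assumptions of this example; the log fields are the ones shown in the thread.

```python
import ipaddress
import re

# Condensed from the belle-sip log quoted in the thread; unused fields omitted.
LOG = """\
MESSAGE Trying to connect to [TLS://::ffff:128.171.77.23:5061]
MESSAGE Found certificate depth=[2], flags=[]:
MESSAGE Found certificate depth=[1], flags=[]:
MESSAGE Found certificate depth=[0], flags=[CN-mismatch ]:
subject alt name : voip1.ifa.hawaii.edu
"""

def parse_chain(log):
    """Return (connect target, one record per 'Found certificate' entry)."""
    target = re.search(r"Trying to connect to \[TLS://(.+):\d+\]", log).group(1)
    certs = []
    for line in log.splitlines():
        m = re.search(r"Found certificate depth=\[(\d+)\], flags=\[([^\]]*)\]", line)
        if m:
            certs.append({"depth": int(m.group(1)), "flags": m.group(2).split(), "san": []})
        elif certs and line.startswith("subject alt name"):
            certs[-1]["san"] = line.partition(":")[2].split()
    return target, certs

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_match(reference, pattern):
    """Exact match, or '*' standing in for the whole leftmost label only."""
    ref = reference.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    return len(ref) == len(pat) and all(
        p == r or (i == 0 and p == "*") for i, (r, p) in enumerate(zip(ref, pat)))

def diagnose(log, connect_to=None):
    """Report which certificates carry flags and whether the name can match."""
    target, certs = parse_chain(log)
    host = connect_to or target
    leaf = next(c for c in certs if c["depth"] == 0)
    return {
        "leaf_flags": leaf["flags"],
        "issuer_flags": [f for c in certs if c["depth"] > 0 for f in c["flags"]],
        # The SAN entries in this log are DNS names, so an IP literal cannot match.
        "name_ok": not is_ip(host) and any(dns_match(host, n) for n in leaf["san"]),
    }
```

In the log as posted, the only flag is CN-mismatch on the depth-0 certificate, and the connect target is an IP address while the certificate names voip1.ifa.hawaii.edu.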