Kingsley Tart
2021-Dec-01 20:39 UTC
[asterisk-users] PJSIP to Twilio over TLS - wildcard cert problem
Hi,

I can't get Asterisk to send a SIP call to Twilio over TLS because it complains about Twilio's wildcard certificate.

This is with Asterisk 18.8.0 and PJSIP 2.10

pjsip show transport shows me this:

allow_reload : false
async_operations : 1
bind : 0.0.0.0:5061
ca_list_file :
ca_list_path :
cert_file : /admin/local/asterisk-keys/asterisk.crt
cipher : ADH-AES256-SHA, ADH-AES128-SHA, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, AES256-GCM-SHA384, AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, AES256-SHA, AES128-SHA
cos : 0
domain :
external_media_address :
external_signaling_address :
external_signaling_port : 0
local_net :
method : sslv23
password :
priv_key_file : /admin/local/asterisk-keys/asterisk.key
protocol : tls
require_client_cert : No
symmetric_transport : false
tos : 0
verify_client : No
verify_server : No
websocket_write_timeout : 100

(also tried with method set to tlsv1).

Googling told me to set verify_server=no but as you can see this is already set.

Is there a way round this?

--
Cheers,
Kingsley.
Antony Stone
2021-Dec-01 20:49 UTC
[asterisk-users] PJSIP to Twilio over TLS - wildcard cert problem
On Wednesday 01 December 2021 at 21:39:52, Kingsley Tart wrote:

> Hi,
>
> I can't get Asterisk to send a SIP call to Twilio over TLS because it
> complains about Twilio's wildcard certificate.

What is the exact "complaint"?

> Is there a way round this?

Maybe, once we know what the error message is :)

Antony.

--
I wasn't sure about having a beard at first, but then it grew on me.

Please reply to the list; please *don't* CC me.
James Cloos
2021-Dec-02 14:18 UTC
[asterisk-users] PJSIP to Twilio over TLS - wildcard cert problem
>>>>> "KT" == Kingsley Tart <kingsley at dns99.co.uk> writes:

KT> I can't get Asterisk to send a SIP call to Twilio over TLS
KT> because it complains about Twilio's wildcard certificate.

the sip rfc claims that wildcard certs should be invalid for sip.

digium insisted on following that advice as set in stone, and so asterisk refuses such certs.

i doubt that stance is different under sangoma.

the only workaround is to remind twil of the rfc and get them to replace the wildcard with an rfc-compliant cert. at least for the sip ports.

-JimC
--
James Cloos <cloos at jhcloos.com>
OpenPGP: 0x997A9F17ED7DAEA6
Kingsley Tart
2021-Dec-07 13:08 UTC
[asterisk-users] PJSIP to Twilio over TLS - wildcard cert problem
Thank you everyone for your help and comments with this.

I can't explain this but it has now started working. I had no luck with tlsv1 or tlsv1_2 but using sslv23 does work. The strange thing is, I tried that before and it DIDN'T work. I'm not sure why.

Apologies for my delay in responding to this - I've been snowed under with other work and have only just been given a clear day to focus on these issues.

--
Cheers,
Kingsley.
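
An added example, not part of any post in this thread: a small Python check that parses `pjsip show transport` output like that quoted in the first message (including a cipher list wrapped mid-name by a mail client) and flags the settings that weaken TLS authentication on the transport. The sample text is constructed, `parse_transport` and `audit` are hypothetical names, and the set of method names treated as deprecated is an assumption.

```python
import re

# Constructed sample in the shape of the output quoted in the thread,
# including a cipher list wrapped mid-name by the mail client.
SAMPLE = """\
cipher : ADH-AES256-SHA, ADH-AES128-SHA, ECDHE-
RSA-AES256-GCM-SHA384, AES128-SHA
method : tlsv1
protocol : tls
verify_client : No
verify_server : No
"""

KEY_LINE = re.compile(r"\s*([a-z_]+)\s*:\s*(.*)$")
# Assumption: these method names pin the transport to a deprecated protocol version.
OLD_METHODS = {"sslv2", "sslv3", "tlsv1", "tlsv1_1"}

def parse_transport(text):
    """Return {setting: value}; a line without 'key :' continues the previous value."""
    settings, last = {}, None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            last = m.group(1)
            settings[last] = m.group(2).strip()
        elif last and line.strip():
            prev = settings[last]
            # A value cut after a hyphen is rejoined without a space.
            sep = "" if prev.endswith("-") else " "
            settings[last] = prev + sep + line.strip()
    return settings

def audit(settings):
    """Return (setting, finding) pairs for a TLS transport."""
    findings = []
    if settings.get("protocol", "").lower() != "tls":
        return findings
    if settings.get("verify_server", "").lower() == "no":
        findings.append(("verify_server", "server certificate is not verified"))
    ciphers = [c.strip() for c in settings.get("cipher", "").split(",") if c.strip()]
    # ADH/AECDH suites use anonymous Diffie-Hellman: no certificate is checked at all.
    anon = [c for c in ciphers if c.startswith(("ADH-", "AECDH-"))]
    if anon:
        findings.append(("cipher", "anonymous key exchange allowed: " + ", ".join(anon)))
    if settings.get("method", "").lower() in OLD_METHODS:
        findings.append(("method", "pinned to a deprecated protocol version"))
    return findings

if __name__ == "__main__":
    for key, finding in audit(parse_transport(SAMPLE)):
        print(f"{key}: {finding}")
```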