Kingsley Tart
2021-Dec-01 21:43 UTC
[asterisk-users] PJSIP to Twilio over TLS - wildcard cert problem
On Wed, 2021-12-01 at 21:49 +0100, Antony Stone wrote:
> On Wednesday 01 December 2021 at 21:39:52, Kingsley Tart wrote:
>
> > Hi,
> >
> > I can't get Asterisk to send a SIP call to Twilio over TLS because it
> > complains about Twilio's wildcard certificate.
>
> What is the exact "complaint"?
>
> > Is there a way round this?
>
> Maybe, once we know what the error message is :)

Ha, OK, here it is, or rather, several copies of it as I was trying
various things:

[Nov 29 16:44:08] ERROR[25803] pjproject: tlsc0x7f1c74246778 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
[Nov 29 16:47:41] ERROR[26205] pjproject: tlsc0x7fb2cc271cd8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
[Nov 29 16:54:06] ERROR[26706] pjproject: tlsc0x7f506c257798 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
[Dec 1 17:11:21] ERROR[27092] pjproject: tlsc0x7fa20c1e9fd8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
[Dec 1 17:29:24] ERROR[27934] pjproject: tlsc0x7f7678347ef8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
[Dec 1 17:36:11] ERROR[28475] pjproject: tlsc0x7fee2c1d02f8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
[Dec 1 17:57:02] ERROR[29731] pjproject: tlsc0x7fd9e80b1be8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!

--
Cheers,
Kingsley.

Antony Stone
2021-Dec-01 21:54 UTC
[asterisk-users] PJSIP to Twilio over TLS - wildcard cert problem
On Wednesday 01 December 2021 at 22:43:47, Kingsley Tart wrote:
> On Wed, 2021-12-01 at 21:49 +0100, Antony Stone wrote:
> >
> > What is the exact "complaint"?
>
> [Nov 29 16:44:08] ERROR[25803] pjproject: tlsc0x7f1c74246778 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!

So, https://datatracker.ietf.org/doc/html/rfc5922#section-7.2 does seem
pretty clear about this.

"Implementations MUST NOT match any form of wildcard"

Have you contacted the provider who is using a wildcard certificate in this
way and referred them to the RFC?

Antony.

--
"Can you keep a secret?"
"Well, I shouldn't really tell you this, but... no."

Please reply to the list; please *don't* CC me.

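The comparison rule quoted from RFC 5922 section 7.2 above, next to the left-most-label wildcard matching commonly used for HTTPS, as an added example that is not part of the original thread and is not pjproject's code. All hostnames are constructed placeholders, the function names are hypothetical, and IDN handling is left out.

```python
# Added example: RFC 5922 section 7.2 identity comparison next to a
# web-style wildcard match. Hostnames are constructed; IDNs are not handled.

def sip_domain_matches(cert_identity: str, target_domain: str) -> bool:
    """RFC 5922 7.2: compare whole DNS names, case-insensitively.

    No suffix matching and no wildcard expansion: "*.example.com" is only
    equal to the literal name "*.example.com".
    """
    return cert_identity.lower() == target_domain.lower()


def web_style_matches(cert_identity: str, target_domain: str) -> bool:
    """Left-most-label wildcard matching, shown only for contrast.

    "*" stands for exactly one whole label, never for several.
    """
    pattern = cert_identity.lower().split(".")
    name = target_domain.lower().split(".")
    if len(pattern) != len(name):
        return False
    if pattern[0] == "*":
        return len(pattern) > 2 and bool(name[0]) and pattern[1:] == name[1:]
    return pattern == name


def check_peer(cert_identities, target_domain):
    """Return (accepted_under_rfc5922, wildcard_entries_seen)."""
    wildcards = [i for i in cert_identities if i.startswith(("*", "."))]
    accepted = any(sip_domain_matches(i, target_domain) for i in cert_identities)
    return accepted, wildcards


if __name__ == "__main__":
    # Constructed SAN lists, not taken from any real provider certificate.
    wildcard_cert = ["*.sip.example.net"]
    exact_cert = ["trunk1.sip.example.net"]
    target = "Trunk1.SIP.example.net"
    for sans in (wildcard_cert, exact_cert):
        accepted, wild = check_peer(sans, target)
        web = any(web_style_matches(i, target) for i in sans)
        print(f"{sans}: rfc5922={accepted} web_style={web} wildcards={wild}")
```

A wildcard entry that a web-style matcher accepts yields no identity match under the RFC 5922 rule, which is the condition the pjproject log line reports.
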
Adam Caldwell
2021-Dec-01 21:58 UTC
[asterisk-users] PJSIP to Twilio over TLS - wildcard cert problem
That particular error does not prevent it from connecting (at least it
doesn't in the 18.x I'm using with my own wildcard certs). The problem may
be somewhere else -- for example Twilio might require TLS 1.2 or later -- so
try adding in method=tlsv1_2 to your transport configuration.

If that doesn't work, you'll want to turn on pjsip debugging
(https://www.asterisk.org/debugging-sip-message-traffic-with-pjsip-history/)
to see if you can glean something from that.

-Adam

On Wed, Dec 01, 2021 at 09:43:47PM +0000, Kingsley Tart wrote:
> On Wed, 2021-12-01 at 21:49 +0100, Antony Stone wrote:
> > On Wednesday 01 December 2021 at 21:39:52, Kingsley Tart wrote:
> >
> > > Hi,
> > >
> > > I can't get Asterisk to send a SIP call to Twilio over TLS because it
> > > complains about Twilio's wildcard certificate.
> >
> > What is the exact "complaint"?
> >
> > > Is there a way round this?
> >
> > Maybe, once we know what the error message is :)
>
> Ha, OK, here it is, or rather, several copies of it as I was trying
> various things:
>
> [Nov 29 16:44:08] ERROR[25803] pjproject: tlsc0x7f1c74246778 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
> [Nov 29 16:47:41] ERROR[26205] pjproject: tlsc0x7fb2cc271cd8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
> [Nov 29 16:54:06] ERROR[26706] pjproject: tlsc0x7f506c257798 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
> [Dec 1 17:11:21] ERROR[27092] pjproject: tlsc0x7fa20c1e9fd8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
> [Dec 1 17:29:24] ERROR[27934] pjproject: tlsc0x7f7678347ef8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
> [Dec 1 17:36:11] ERROR[28475] pjproject: tlsc0x7fee2c1d02f8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
> [Dec 1 17:57:02] ERROR[29731] pjproject: tlsc0x7fd9e80b1be8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
>
> --
> Cheers,
> Kingsley.