Patrick Laimbock
2014-Mar-24 20:28 UTC
[asterisk-users] Problem with TLS/SRTP with Asterisk 11.8.1
Hi,

I followed the TLS/SRTP tutorial on the wiki [0] using Asterisk 11.8.1 on CentOS 6.5 x86_64 and CSipSimple on a Nexus with Android 4.4.x on the local wifi. The phone seems to register but directly after that things fall apart (turning SELinux off made no difference):

*CLI>
  -- Registered SIP 'encrypted' at 10.0.0.137:58079
   > Saved useragent "CSipSimple_crespo-19/r2330" for peer encrypted
SSL certificate ok
  == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Mar 24 21:20:42] WARNING[28466]: tcptls.c:272 handle_tcptls_connection: FILE * open failed!
[Mar 24 21:20:45] NOTICE[28460]: chan_sip.c:29584 sip_poke_noanswer: Peer 'encrypted' is now UNREACHABLE!  Last qualify: 0
SSL certificate ok
  == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Mar 24 21:20:56] WARNING[28467]: tcptls.c:272 handle_tcptls_connection: FILE * open failed!
  -- Unregistered SIP 'encrypted'

sip.conf looks like this:

[general]
context=guest
allowguest=no
allowoverlap=no
allowtransfer=no
bindaddr=0.0.0.0:5060
udpbindaddr=0.0.0.0:5060
tcpenable=no
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
transport=udp
preferred_codec_only=no
disallow=all
allow=ulaw
language=en
trustrpid=no
dtmfmode=rfc2833
videosupport=no
alwaysauthreject=yes
directmedia=no
jbenable = yes
jbforce = no

[encrypted]
type=friend
secret=1234
context=internal
callerid="Encrypted" <1002>
host=dynamic
qualify=yes
canreinvite=no
dtmfmode=rfc2833
disallow=all
allow=alaw
allow=ulaw
transport=tls
encryption=yes

$ ls -l /etc/asterisk/keys
total 28
-rw-r--r--. 1 asterisk asterisk 1204 mrt 24 16:16 asterisk.crt
-r--r-----. 1 asterisk asterisk  887 mrt 24 16:16 asterisk.key
-r--r-----. 1 asterisk asterisk 2091 mrt 24 16:16 asterisk.pem
-rw-r--r--. 1 asterisk asterisk 1736 mrt 24 16:16 ca.crt
-r--------. 1 asterisk asterisk 3311 mrt 24 16:16 ca.key
-rw-r--r--. 1 asterisk asterisk 1208 mrt 24 16:20 nexus.crt

The certs were created with ast_tls_cert as described in the tutorial. I created a nexus.p12 for the phone and imported it before configuring CSipSimple.

Does anyone know what's wrong? Pointers much appreciated.

Thanks,
Patrick

[0] https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial
Patrick Laimbock
2014-Mar-25 03:22 UTC
[asterisk-users] Problem with TLS/SRTP with Asterisk 11.8.1
On 24-03-14 21:28, Patrick Laimbock wrote:
[snip]
> == Problem setting up ssl connection: error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> [Mar 24 21:20:56] WARNING[28467]: tcptls.c:272 handle_tcptls_connection:

So others may find the fix: make sure the server and client certificates have the proper keyUsage. The ast_gen_tls script does not set them and this caused the handshake/verification to fail.

The client certificate needs something like:

keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

The server certificate needs something like:

keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

HTH,
Patrick
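As a worked example of the fix described in this reply (added here; it is not part of the thread and not Asterisk's own ast_tls_cert script), the script below uses the openssl command line to build a demo CA, a server certificate with serverAuth and a client certificate with clientAuth, each carrying the keyUsage and extendedKeyUsage extensions quoted above, and then checks with `openssl verify -purpose` that each certificate is accepted only for its intended role. The directory, the file names (ca, asterisk, nexus) and the subject names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: issue server and client
# certificates with explicit keyUsage / extendedKeyUsage and verify
# their purpose. All paths and names here are demo assumptions.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Write an OpenSSL x509 extension file for a role (server or client).
write_ext_file() {
    role="$1"; out="$2"
    case "$role" in
        server) eku="serverAuth" ;;
        client) eku="clientAuth" ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = $eku
EOF
}

# Create a self-signed demo CA (2048-bit RSA, no key passphrase).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Demo Asterisk CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Issue a certificate named $1 for role $2 (server|client), signed by the CA.
make_cert() {
    name="$1"; role="$2"
    write_ext_file "$role" "$WORKDIR/$name.ext"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$name" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -extfile "$WORKDIR/$name.ext" \
        -in "$WORKDIR/$name.csr" -out "$WORKDIR/$name.crt" 2>/dev/null
    # Asterisk's tlscertfile wants key and certificate in one PEM file.
    cat "$WORKDIR/$name.key" "$WORKDIR/$name.crt" > "$WORKDIR/$name.pem"
}

# Return 0 if certificate $1 chains to the CA and is usable for purpose $2
# (sslserver or sslclient), non-zero otherwise.
check_purpose() {
    openssl verify -CAfile "$WORKDIR/ca.crt" -purpose "$2" \
        "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# Print the usage extensions of certificate $1 for a quick visual check.
show_usage() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -text | grep -A1 'Key Usage'
}

demo() {
    make_ca
    make_cert asterisk server   # goes in tlscertfile on the server
    make_cert nexus client      # exported to a .p12 for the phone
    show_usage asterisk
    show_usage nexus
}

demo
```

After running it, `check_purpose asterisk sslserver` and `check_purpose nexus sslclient` succeed, while `check_purpose asterisk sslclient` fails because the server certificate's extendedKeyUsage does not include clientAuth; that mismatch between a certificate's declared purpose and the role it is presented in is what a strict TLS peer rejects during the handshake.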