Well, what immediately stands out is:
"FILE * open failed!"

Have you triple checked that the full filepath is correct and that the
user that Asterisk is running as has full permissions to access your
valid certificate file?

I have it working with microsip and a free TLS cert from LetsEncrypt.
When I get to the PC with that on, I can write up what settings I've
got if that helps?

On 26 August 2016 at 10:47, hw <hw at gc-24.de> wrote:
> hw wrote:
>>
>> Hi,
>>
>> I'm trying to get TLS to work with asterisk and client phones,
>> and all I'm getting from asterisk is
>>
>> [Aug 23 11:46:42] WARNING[1170]: tcptls.c:673 handle_tcptls_connection:
>> FILE * open failed!
>> == Problem setting up ssl connection:
>> error:00000000:lib(0):func(0):reason(0)
>> [Aug 23 11:46:44] WARNING[1171]: tcptls.c:673 handle_tcptls_connection:
>> FILE * open failed!
>>
>> when clients try to connect. No client is able to register using TLS.
>>
>> How can I use encrypted connections?
>
> Nobody having an idea? Nobody using encryption?
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Join the Asterisk Community at the 13th AstriCon, September 27-29, 2016
> http://www.asterisk.org/community/astricon-user-conference
>
> New to Asterisk? Start here:
> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users

Jonathan H wrote:
> Well, what immediately stands out is:
> "FILE * open failed!"

Yes, and it doesn't say which file cannot be opened. I even looked at
the source and found that at that point, you can't simply add some
debugging output to find out.

> Have you triple checked that the full filepath is correct and that the
> user that Asterisk is running as has full permissions to access your
> valid certificate file?

It says 'SSL certificate ok' when I 'reload sip'. When it can't read one
of the files involved with the certificate, it says which one.

> I have it working with microsip and a free TLS cert from LetsEncrypt.
> When I get to the PC with that on, I can write up what settings I've
> got if that helps?

I'm using a self signed certificate, but that shouldn't behave any
differently than an externally signed one as long as it checks out,
which it apparently does.

So yes, it would be nice if you could send me the settings you're using,
thanks :)

Sorry, things got a bit behind.

I was about to settle down and type something up, when I notice you
mention SIP.

Sorry, I've not used that - I'm only familiar with the current pjsip
implementation on 13.10.

Which looks like this:

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/letsencrypt/live/mysite.co.uk/fullchain.pem
priv_key_file=/etc/letsencrypt/live/mysite.co.uk/privkey.pem
method=tlsv1

But this won't be any good to you on sip.

What version of Asterisk are you using?

On Fri, Aug 26, 2016 at 12:36:05PM +0200, hw wrote:
> Jonathan H wrote:
> >Well, what immediately stands out is:
> >"FILE * open failed!"
>
> Yes, and it doesn't say which file cannot be opened. I even looked at
> the source and found that at that point, you can't simply add some
> debugging output to find out.

It is not a file on your computer's disk. It is a connection attempt from
one of your phones. If a phone is configured to use tcp without tls
and connect to the port used for tls (default 5061) you will see a
message like this. (just an example - different situation here)

"WARNING[1170]: tcptls.c:673 handle_tcptls_connection ..."
Handle ... connection ...

"Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)"
ERR_get_error returns 0 if there is no error in the queue. According to
the description [1] this may happen and it would be possible to find out
more about the error.

Try to connect using "openssl s_client".

1) https://www.openssl.org/docs/manmaster/ssl/SSL_get_error.html

-- 
Stefan Tichy   ( asterisk3 at pi4tel dot de )
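
Added example, not part of the original thread: a small Python check for the case described above, where a phone set to plain TCP connects to the TLS port. It looks at the first bytes a client sends and reports whether they are a TLS ClientHello or plaintext SIP; the function names, host name and sample bytes are constructed for illustration.

```python
import re
import socket

# Request line of a SIP message starts "METHOD sip:..." (also sips: / tel:).
SIP_REQUEST = re.compile(rb"^[A-Z]{3,10} (?:sips?|tel):")

# Constructed sample openings (not captured traffic): a phone set to plain
# TCP, and the first bytes of a TLS ClientHello record.
SAMPLES = {
    "phone-tcp": b"REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
                 b"Via: SIP/2.0/TCP 192.0.2.10:5060\r\n",
    "phone-tls": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
}


def classify_first_bytes(data: bytes) -> str:
    """Name what a client opened the connection with, from its first bytes."""
    if not data:
        return "empty"
    # TLS record header: content type 0x16 (handshake), version 3.x, 2-byte
    # length; the next byte is the handshake type, 0x01 for ClientHello.
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        length = int.from_bytes(data[3:5], "big")
        if 0 < length <= 2**14 and data[5] == 0x01:
            return "tls-client-hello"
        return "tls-record-not-client-hello"
    if SIP_REQUEST.match(data):
        return "plaintext-sip"
    return "unknown"


def peek_client(conn: socket.socket, timeout: float = 2.0) -> str:
    """Classify an accepted connection; MSG_PEEK leaves the data unread."""
    conn.settimeout(timeout)
    try:
        return classify_first_bytes(conn.recv(64, socket.MSG_PEEK))
    except socket.timeout:
        return "silent"


def demo() -> dict:
    """Feed each constructed sample through a local socket pair."""
    results = {}
    for name, payload in SAMPLES.items():
        client, server = socket.socketpair()
        with client, server:
            client.sendall(payload)
            results[name] = peek_client(server)
    return results


if __name__ == "__main__":
    print(demo())
```

A "plaintext-sip" result on the TLS port points at the phone's transport setting rather than at the certificate files.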