Hi,

after switching from chan_sip to chan_pjsip, a device running Grandstream Wave leads to the following error message on the asterisk console:

SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> <SSL routines-ssl3_get_client_hello-no shared cipher> len: 0 peer: 10.10.20.29:43357

Something with the encryption must have changed with asterisk. How can I get the device to register again?

[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5061
tos = cs5
cert_file = /etc/asterisk/cert/asterisk.pem
ca_list_file = /etc/pki/tls/certs/ca-bundle.crt
method = sslv23

'method = tlsv1' doesn't work, either.

On Wednesday, January 22, 2020 3:18:23 AM CET hw wrote:
> Hi,
>
> after switching from chan_sip to chan_pjsip, a device running Grandstream
> Wave leads to the following error message on the asterisk console:
>
>
> SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> <SSL routines-
> ssl3_get_client_hello-no shared cipher> len: 0 peer: 10.10.20.29:43357
>
>
> Something with the encryption must have changed with asterisk. How can I
> get the device to register again?

Linphone doesn't register either, giving the same error message. So this must have to do with something with asterisk. Any ideas?
Sean Bright
2020-Jan-23  22:31 UTC
[asterisk-users] PJSIP and Grandstream Wave with TSL and SRTP
On 1/21/2020 9:18 PM, hw wrote:
> [transport-tls]
> type = transport
> protocol = tls
> bind = 0.0.0.0:5061
> tos = cs5
> cert_file = /etc/asterisk/cert/asterisk.pem
> ca_list_file = /etc/pki/tls/certs/ca-bundle.crt
> method = sslv23

This is what mine looks like which works just fine:

[transport-tls]
type = transport
protocol = tls
method = tlsv1_2
cipher = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256
cert_file = /etc/letsencrypt/live/specialdomain.com/fullchain.pem
priv_key_file = /etc/letsencrypt/live/specialdomain.com/privkey.pem

Kind regards,
Sean
On Thursday, January 23, 2020 11:31:46 PM CET Sean Bright wrote:
> On 1/21/2020 9:18 PM, hw wrote:
> > [transport-tls]
> > type = transport
> > protocol = tls
> > bind = 0.0.0.0:5061
> > tos = cs5
> > cert_file = /etc/asterisk/cert/asterisk.pem
> > ca_list_file = /etc/pki/tls/certs/ca-bundle.crt
> > method = sslv23
>
> This is what mine looks like which works just fine:
>
> [transport-tls]
> type = transport
> protocol = tls
> method = tlsv1_2
> cipher = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256
> cert_file = /etc/letsencrypt/live/specialdomain.com/fullchain.pem
> priv_key_file = /etc/letsencrypt/live/specialdomain.com/privkey.pem

Thanks, it still says

SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> <SSL routines-ssl3_get_client_hello-no shared cipher> len: 0 peer: 10.10.20.29:54937

Why does it even say ssl3 even though tlsv1_2 is set? Is there a way to see which cipher(s) a client is trying to use?
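As an added example (not part of the thread and not Asterisk code): one way to see which ciphers a client offers is to capture the first TLS record it sends and read the cipher suite list out of the ClientHello, then compare it with the server's `cipher =` value. The function names and the `build_client_hello` sample generator with its suite choices are constructed for illustration; the name table covers only the suites in the `cipher =` line quoted above.

```python
import struct

# IANA code points for the suites in the `cipher =` line quoted above,
# mapped to their OpenSSL names.
OPENSSL_NAMES = {
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC024: "ECDHE-ECDSA-AES256-SHA384",
    0xC028: "ECDHE-RSA-AES256-SHA384",
    0xC023: "ECDHE-ECDSA-AES128-SHA256",
    0xC027: "ECDHE-RSA-AES128-SHA256",
}

def offered_suites(record: bytes) -> list[int]:
    """Return the cipher suite code points from a TLS ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32            # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]          # session_id length byte + session_id
    (n,) = struct.unpack_from("!H", record, pos)
    return list(struct.unpack_from(f"!{n // 2}H", record, pos + 2))

def shared_with_server(record: bytes, cipher_option: str) -> list[str]:
    """Names from the server's cipher= value that the client also offered."""
    offered = {OPENSSL_NAMES.get(s) for s in offered_suites(record)}
    return [name for name in cipher_option.split(",") if name in offered]

def build_client_hello(suites: list[int]) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello, no extensions."""
    body = b"\x03\x03" + bytes(32) + b"\x00"             # version, random, no session
    body += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites)
    body += b"\x01\x00"                                  # null compression only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    server = "ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256"
    legacy = build_client_hello([0x0035, 0x002F, 0x000A])  # RSA key exchange only
    modern = build_client_hello([0xC02F, 0xC030, 0x002F])
    for label, rec in (("legacy", legacy), ("modern", modern)):
        print(label, [hex(s) for s in offered_suites(rec)],
              shared_with_server(rec, server) or "no shared cipher")
```

An empty result corresponds to the "no shared cipher" case; a non-empty one is necessary but not sufficient, since the server must also hold a certificate and key of the type the suite requires (RSA or ECDSA).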
hw
2020-Jan-29  18:41 UTC
[asterisk-users] solved: PJSIP and Grandstream Wave with TSL and SRTP
Hi,

I've got it to work with the following transport:

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
ca_list_file=/etc/pki/tls/certs/ca-bundle.crt
cert_file=/etc/asterisk/cert/newc/himinbjorg.adminart.net.pem
priv_key_file=/etc/asterisk/cert/newc/himinbjorg.adminart.net.key.pem

This is using a self-signed certificate. Note that I omitted 'method='.

On Wednesday, January 22, 2020 3:18:23 AM CET hw wrote:
> Hi,
>
> after switching from chan_sip to chan_pjsip, a device running Grandstream
> Wave leads to the following error message on the asterisk console:
>
>
> SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> <SSL routines-
> ssl3_get_client_hello-no shared cipher> len: 0 peer: 10.10.20.29:43357
>
>
> Something with the encryption must have changed with asterisk. How can I
> get the device to register again?
>
>
> [transport-tls]
> type = transport
> protocol = tls
> bind = 0.0.0.0:5061
> tos = cs5
> cert_file = /etc/asterisk/cert/asterisk.pem
> ca_list_file = /etc/pki/tls/certs/ca-bundle.crt
> method = sslv23
>
>
> 'method = tlsv1' doesn't work, either.