On Thursday, January 23, 2020 11:31:46 PM CET Sean Bright wrote:
> On 1/21/2020 9:18 PM, hw wrote:
> > [transport-tls]
> > type = transport
> > protocol = tls
> > bind = 0.0.0.0:5061
> > tos = cs5
> > cert_file = /etc/asterisk/cert/asterisk.pem
> > ca_list_file = /etc/pki/tls/certs/ca-bundle.crt
> > method = sslv23
>
> This is what mine looks like which works just fine:
>
> [transport-tls]
> type = transport
> protocol = tls
> method = tlsv1_2
> cipher = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256
> cert_file = /etc/letsencrypt/live/specialdomain.com/fullchain.pem
> priv_key_file = /etc/letsencrypt/live/specialdomain.com/privkey.pem

Thanks, it still says

SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> <SSL routines-
ssl3_get_client_hello-no shared cipher> len: 0 peer: 10.10.20.29:54937

Why does it even say ssl3 despite tlsv1_2 being set?

Is there a way to see which cipher(s) a client is trying to use?
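The two questions above can be answered mechanically. The following Python script is an added example written for this page; it is not code from the thread, from Asterisk or from PJSIP. It does two things: it unpacks the numeric code in `err: <336109761>` using the OpenSSL 1.0.x layout `(library << 24) | (function << 12) | reason` (the function and reason tables below are a hand-picked subset of OpenSSL's `ssl.h` constants, just enough for this error; `ssl3_get_client_hello` is the name of OpenSSL 1.0.x's ClientHello handler for every SSLv3/TLS 1.x handshake, so its appearance does not mean the client offered SSLv3), and it parses a raw TLS ClientHello record to list the cipher suites and versions a client offers, then intersects them with the `cipher` list from the transport quoted above. The ClientHello bytes are constructed inline for the demonstration; on a real system you would feed it the first record the phone sends (captured with tcpdump or similar) to see exactly which suites the client proposes. The suite-id table is likewise a subset, covering the transport's eight suites plus three legacy RSA/CBC suites.

```python
"""Diagnostics for the 'no shared cipher' handshake failure discussed in the
thread.  Added example, not code from asterisk-users, Asterisk or PJSIP.
The ClientHello bytes are constructed, not captured."""
import re
import struct

# OpenSSL 1.0.x packs an error as (library << 24) | (function << 12) | reason.
# Assumed subset of ssl.h constants: only the names needed for this error.
ERR_LIBS = {20: "SSL routines"}                 # ERR_LIB_SSL
SSL_FUNCS = {138: "ssl3_get_client_hello"}      # SSL_F_SSL3_GET_CLIENT_HELLO
SSL_REASONS = {193: "no shared cipher"}         # SSL_R_NO_SHARED_CIPHER

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1",
                0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

# IANA suite ids -> OpenSSL names (subset): the transport's eight suites plus
# three legacy RSA/CBC suites used by the constructed client below.
SUITE_NAMES = {
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384", 0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256", 0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC024: "ECDHE-ECDSA-AES256-SHA384", 0xC028: "ECDHE-RSA-AES256-SHA384",
    0xC023: "ECDHE-ECDSA-AES128-SHA256", 0xC027: "ECDHE-RSA-AES128-SHA256",
    0x002F: "AES128-SHA", 0x0035: "AES256-SHA", 0x000A: "DES-CBC3-SHA",
}

# The cipher list from the transport quoted in the thread.
SERVER_CIPHERS = ("ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,"
                  "ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,"
                  "ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,"
                  "ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256")

# The log line from the thread, used as sample input.
LOG_LINE = ("SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> <SSL routines-"
            "ssl3_get_client_hello-no shared cipher> len: 0 peer: 10.10.20.29:54937")


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error code into (library, function, reason)."""
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    return (ERR_LIBS.get(lib, f"lib {lib}"), SSL_FUNCS.get(func, f"func {func}"),
            SSL_REASONS.get(reason, f"reason {reason}"))


def decode_log_line(line):
    """Extract the err: <...> number from a PJSIP TLS log line and decode it."""
    m = re.search(r"err: <(\d+)>", line)
    return decode_openssl_error(int(m.group(1))) if m else None


def parse_client_hello(record):
    """Parse one TLS record carrying a ClientHello.
    Returns (client_version, [suite ids], [supported_versions extension values])."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or body[0] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    client_ver = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                  # skip the 32-byte random
    pos += 1 + hello[pos]                         # skip session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                         # skip compression methods
    versions = []
    if pos + 2 <= len(hello):                     # extensions block is optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            edata = hello[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 43:                       # supported_versions (RFC 8446)
                versions = [struct.unpack("!H", edata[i:i + 2])[0]
                            for i in range(1, 1 + edata[0], 2)]
    return client_ver, suites, versions


def shared_ciphers(offered_ids, cipher_list):
    """Names of the offered suites that also appear in the transport's cipher list."""
    allowed = {c.strip() for c in re.split(r"[,:]", cipher_list) if c.strip()}
    return [SUITE_NAMES[i] for i in offered_ids if SUITE_NAMES.get(i) in allowed]


def build_client_hello(client_version, suite_ids, supported_versions=()):
    """Construct a minimal ClientHello record as parser input (not a captured packet)."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"   # version, random, empty sid
    body += struct.pack("!H", 2 * len(suite_ids)) + b"".join(struct.pack("!H", s) for s in suite_ids)
    body += b"\x01\x00"                                              # compression: null only
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HHB", 43, len(vs) + 1, len(vs)) + vs
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs


def diagnose(record, cipher_list=SERVER_CIPHERS):
    """Summarise what a ClientHello offers against the transport's cipher list."""
    ver, suites, versions = parse_client_hello(record)
    return {"client_version": TLS_VERSIONS.get(ver, hex(ver)),
            "supported_versions": [TLS_VERSIONS.get(v, hex(v)) for v in versions],
            "offered": [SUITE_NAMES.get(s, hex(s)) for s in suites],
            "shared": shared_ciphers(suites, cipher_list)}


# Constructed TLS 1.0 client offering only RSA key exchange with CBC suites:
# nothing overlaps the ECDHE-only list above, which is exactly "no shared cipher".
LEGACY_HELLO = build_client_hello(0x0301, [0x002F, 0x0035, 0x000A])

if __name__ == "__main__":
    print(decode_log_line(LOG_LINE))
    print(diagnose(LEGACY_HELLO))
```

Run stand-alone, the script decodes the thread's error code to `SSL routines / ssl3_get_client_hello / no shared cipher` and reports an empty `shared` list for the constructed legacy client: the transport offers only ECDHE suites, so a client that proposes only RSA/CBC suites cannot agree on one regardless of the `method` setting. A client that does offer an ECDHE suite from the list shows up with a non-empty `shared` entry.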
Sean Bright
2020-Jan-24 17:25 UTC
[asterisk-users] PJSIP and Grandstream Wave with TSL and SRTP
On 1/23/2020 6:04 PM, hw wrote:
>> This is what mine looks like which works just fine:
>>
>> [transport-tls]
>> type = transport
>> protocol = tls
>> method = tlsv1_2
>> cipher = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256
>> cert_file = /etc/letsencrypt/live/specialdomain.com/fullchain.pem
>> priv_key_file = /etc/letsencrypt/live/specialdomain.com/privkey.pem
> Thanks, it still says
>
> SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> <SSL routines-
> ssl3_get_client_hello-no shared cipher> len: 0 peer: 10.10.20.29:54937

I guess I should have been more clear before - with the above settings TLS works for other phones, I hadn't tried with Wave.

I downloaded Wave for iOS and played around a bit and stumbled on a working configuration. Wave seems to only support TLS 1.0 which is problematic itself but it is what it is.

I set up Asterisk 16 on a VM in AWS to test which you can try as well if you like:

Domain: sip.seanbright.com
Username: asterisk
Password: asterisk

Calls are SRTP if offered, and the number dialed just needs to be 1 or more digits. This is the configuration I ended up with:

[transport-tls]
type = transport
protocol = tls
method = tlsv1
cert_file = /etc/letsencrypt/live/sip.seanbright.com/fullchain.pem
priv_key_file = /etc/letsencrypt/live/sip.seanbright.com/privkey.pem
bind = 0.0.0.0:5061
external_media_address = 52.91.86.158
external_signaling_address = 52.91.86.158

Hope that helps,

Sean
On Friday, January 24, 2020 6:25:48 PM CET Sean Bright wrote:
> On 1/23/2020 6:04 PM, hw wrote:
> >> This is what mine looks like which works just fine:
> >>
> >> [transport-tls]
> >> type = transport
> >> protocol = tls
> >> method = tlsv1_2
> >> cipher = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256
> >> cert_file = /etc/letsencrypt/live/specialdomain.com/fullchain.pem
> >> priv_key_file = /etc/letsencrypt/live/specialdomain.com/privkey.pem
> >
> > Thanks, it still says
> >
> > SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> <SSL routines-
> > ssl3_get_client_hello-no shared cipher> len: 0 peer: 10.10.20.29:54937
>
> I guess I should have been more clear before - with the above settings
> TLS works for other phones, I hadn't tried with Wave.
>
> I downloaded Wave for iOS and played around a bit and stumbled on a
> working configuration. Wave seems to only support TLS 1.0 which is
> problematic itself but it is what it is.
>
> I set up Asterisk 16 on a VM in AWS to test which you can try as well if
> you like:
>
> Domain: sip.seanbright.com
> Username: asterisk
> Password: asterisk
>
> Calls are SRTP if offered, and the number dialed just needs to be 1 or
> more digits. This is the configuration I ended up with:
>
> [transport-tls]
> type = transport
> protocol = tls
> method = tlsv1
> cert_file = /etc/letsencrypt/live/sip.seanbright.com/fullchain.pem
> priv_key_file = /etc/letsencrypt/live/sip.seanbright.com/privkey.pem
> bind = 0.0.0.0:5061
> external_media_address = 52.91.86.158
> external_signaling_address = 52.91.86.158

Thanks a lot! I tried to register and it worked.

It still doesn't work here with tlsv1. Then I noticed that you have priv_key_file set. I don't have that, and I don't remember which of the files that were created when I tried to create the key asterisk is using now is the private key. It seems I'll have to spend another day or so on all the horrible key creation stuff again.
On Friday, January 24, 2020 6:25:48 PM CET Sean Bright wrote:
> On 1/23/2020 6:04 PM, hw wrote:
> >> This is what mine looks like which works just fine:
> >>
> >> [transport-tls]
> >> type = transport
> >> protocol = tls
> >> method = tlsv1_2
> >> cipher = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256
> >> cert_file = /etc/letsencrypt/live/specialdomain.com/fullchain.pem
> >> priv_key_file = /etc/letsencrypt/live/specialdomain.com/privkey.pem
> >
> > Thanks, it still says
> >
> > SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> <SSL routines-
> > ssl3_get_client_hello-no shared cipher> len: 0 peer: 10.10.20.29:54937
>
> I guess I should have been more clear before - with the above settings
> TLS works for other phones, I hadn't tried with Wave.
>
> I downloaded Wave for iOS and played around a bit and stumbled on a
> working configuration. Wave seems to only support TLS 1.0 which is
> problematic itself but it is what it is.
>
> I set up Asterisk 16 on a VM in AWS to test which you can try as well if
> you like:
>
> Domain: sip.seanbright.com
> Username: asterisk
> Password: asterisk
>
> Calls are SRTP if offered, and the number dialed just needs to be 1 or
> more digits. This is the configuration I ended up with:
>
> [transport-tls]
> type = transport
> protocol = tls
> method = tlsv1
> cert_file = /etc/letsencrypt/live/sip.seanbright.com/fullchain.pem
> priv_key_file = /etc/letsencrypt/live/sip.seanbright.com/privkey.pem
> bind = 0.0.0.0:5061
> external_media_address = 52.91.86.158
> external_signaling_address = 52.91.86.158

Ok, I created a new certificate and it still doesn't work with your transport.

Is CentOS 7 too old to run asterisk on? Is the Android device I'm using too old? Why did it work before changing from SIP to PJSIP?

Do I need to do anything special when creating the certificate?