Karsten Wemheuer
2020-Apr-30 15:50 UTC
[asterisk-users] SIP TLS not working, Asterisk 16.9.0
Hi,

I have problems with SIP via TLS. Asterisk works as a client. The TCP connection is established, followed by a client hello from Asterisk to the server. The server sends Server Hello, Certificate, Server Key Exchange and Server Hello Done. Then Asterisk sends back an Alert (Level: Fatal, Description Handshake Failure).

The following line appears in the log:

ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error

Asterisk version is 16.9.0, openssl is 1.1.1d-0+deb10u2 of debian Buster. The configuration works with Asterisk 11.25 and openssl 1.0.1.

Any hints on how to find the error?

Best regards,
Karsten

Hi Karsten,

On Thu, Apr 30, 2020 at 05:50:39PM +0200, Karsten Wemheuer wrote:
> .... The server sends Server Hello, Certificate, Server Key
> Exchange and Server Hello Done.

Something in that packet seems to be unacceptable for openssl 1.1.1d as it is compiled and configured for Buster.

Certificate length, Digest algorithm, ...

You may change the system default settings at the bottom of "/etc/ssl/openssl.cnf", restart asterisk and try again. Keep in mind that this will affect the whole server.

--
Stefan Tichy ( asterisk3 at pi4tel dot de )

Karsten Wemheuer
2020-May-01 18:09 UTC
[asterisk-users] SIP TLS not working, Asterisk 16.9.0
Hi Stefan,

thanks a lot. It is working now.

Best regards,
Karsten

On Friday, 01.05.2020, at 18:40 +0200, Stefan Tichy wrote:
> Hi Karsten,
>
> On Thu, Apr 30, 2020 at 05:50:39PM +0200, Karsten Wemheuer wrote:
> > .... The server sends Server Hello, Certificate, Server Key
> > Exchange and Server Hello Done.
>
> Something in that packet seems to be unacceptable for openssl 1.1.1d
> as it is compiled and configured for Buster.
>
> Certificate length, Digest algorithm, ...
>
> You may change the system default settings at the bottom of
> "/etc/ssl/openssl.cnf", restart asterisk and try again. Keep in
> mind that this will affect the whole server.
>
> --
> Stefan Tichy ( asterisk3 at pi4tel dot de )