Joshua C. Colp
2021-Feb-12 14:46 UTC
[asterisk-users] Hangup() not working for handsets using pls transport?
On Thu, Feb 11, 2021 at 9:01 PM Ruisheng Peng <rpeng at ifa.hawaii.edu> wrote:> Sorry, my bad. I failed to change the transport to tls on the provision > for the hardphone, nor did change the transport on the linphone setup. > However, after I do that, the hardphone (Yealink T32G) failed to register, > citing: > > [Feb 11 14:16:03] WARNING[24936]: pjproject: <?>: SSL > SSL_ERROR_SSL (Handshake): Level: 0 err: <336027900> <SSL > routines-SSL23_GET_CLIENT_HELLO-unknown protocol> len: 0 peer: > 128.171.77.34:30401 >This would be caused by the TLS transport configuration on Asterisk or the phone potentially. You'd need to provide the transport definition from pjsip.conf. Without that I can say the "method" option is likely needing changing. I'm not familiar with what is supported by Yealink.> on the linphone side, it also fails to register: > > 2021-02-11 13:26:32:637 [linphone/belle-sip] MESSAGE Trying to connect to > [TLS://::ffff:128.171.77.23:5061] > > 2021-02-11 13:26:32:652 [linphone/belle-sip] MESSAGE Channel > [0x7fc8b8000000]: Connected at TCP level, now doing TLS handshake with > cname=128.171.77.23 > > 2021-02-11 13:26:32:654 [linphone/belle-sip] MESSAGE Channel > [0x7fc8b8000000]: SSL handshake in progress... > > 2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate > depth=[2], flags=[]: > > cert. version : 3 > > serial number : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B > > issuer name : O=Digital Signature Trust Co., CN=DST Root CA X3 > > subject name : O=Digital Signature Trust Co., CN=DST Root CA X3 > > issued on : 2000-09-30 21:12:19 > > expires on : 2021-09-30 14:01:15 > > signed using : RSA with SHA1 > > RSA key size : 2048 bits > > basic constraints : CA=true > > key usage : Key Cert Sign, CRL Sign > > > 2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate > depth=[1], flags=[]: > > cert. version : 3 > > serial number : 40:01:75:04:83:14:A4:C8:21:8C:84:A9:0C:16:CD:DF > > issuer name : O=Digital Signature Trust Co., CN=DST Root CA X3 > > subject name : C=US, O=Let's Encrypt, CN=R3 > > issued on : 2020-10-07 19:21:40 > > expires on : 2021-09-29 19:21:40 > > signed using : RSA with SHA-256 > > RSA key size : 2048 bits > > basic constraints : CA=true, max_pathlen=0 > > key usage : Digital Signature, Key Cert Sign, CRL Sign > > ext key usage : TLS Web Server Authentication, TLS Web Client > Authentication > > > 2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate > depth=[0], flags=[CN-mismatch ]: > > cert. version : 3 > > serial number : 03:F0:83:3C:5D:41:76:BC:4E:B2:E6:AB:60:8C:F9:5E:27:86 > > issuer name : C=US, O=Let's Encrypt, CN=R3 > > subject name : CN=voip1.ifa.hawaii.edu > > issued on : 2020-12-30 02:56:29 > > expires on : 2021-03-30 02:56:29 > > signed using : RSA with SHA-256 > > RSA key size : 2048 bits > > basic constraints : CA=false > > subject alt name : voip1.ifa.hawaii.edu > > key usage : Digital Signature, Key Encipherment > > ext key usage : TLS Web Server Authentication, TLS Web Client > Authentication > > > 2021-02-11 13:26:32:674 [linphone/belle-sip] ERROR Channel > [0x7fc8b8000000]: SSL handshake failed : X509 - Certificate verification > failed, e.g. CRL, CA or signature check failed > > 2021-02-11 13:26:32:674 [linphone/belle-sip] ERROR Cannot connect to > [TLS://128.171.77.23:5061] >I don't use linphone or have any experience so can only provide general comments. Either the certificate chain is incomplete and the client can't verify, or the client doesn't have the certificate authority root certificate as trusted. As well if you aren't doing so you have to connect to the hostname - you can't specify the IP address. -- Joshua C. Colp Asterisk Technical Lead Sangoma Technologies Check us out at www.sangoma.com and www.asterisk.org -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20210212/7b27a56a/attachment.html>
Ruisheng Peng
2021-Feb-13 01:13 UTC
[asterisk-users] Hangup() not working for handsets using pls transport?
Thanks Joshua for the tip re using hostname rather than IP address when configuring the phone. It worked nicely on the linphone on my macbookpro at home. Dialplans are followed faithfully w/o the problems I experienced earlier. I'll test using the hostname on the Yealink phone next time I'm in office. Thanks, --Ruisheng On Fri, Feb 12, 2021 at 4:48 AM Joshua C. Colp <jcolp at digium.com> wrote:> On Thu, Feb 11, 2021 at 9:01 PM Ruisheng Peng <rpeng at ifa.hawaii.edu> > wrote: > >> Sorry, my bad. I failed to change the transport to tls on the provision >> for the hardphone, nor did change the transport on the linphone setup. >> However, after I do that, the hardphone (Yealink T32G) failed to register, >> citing: >> >> [Feb 11 14:16:03] WARNING[24936]: pjproject: <?>: SSL >> SSL_ERROR_SSL (Handshake): Level: 0 err: <336027900> <SSL >> routines-SSL23_GET_CLIENT_HELLO-unknown protocol> len: 0 peer: >> 128.171.77.34:30401 >> > > This would be caused by the TLS transport configuration on Asterisk or the > phone potentially. You'd need to provide the transport definition from > pjsip.conf. Without that I can say the "method" option is likely needing > changing. I'm not familiar with what is supported by Yealink. > > >> on the linphone side, it also fails to register: >> >> 2021-02-11 13:26:32:637 [linphone/belle-sip] MESSAGE Trying to connect to >> [TLS://::ffff:128.171.77.23:5061] >> >> 2021-02-11 13:26:32:652 [linphone/belle-sip] MESSAGE Channel >> [0x7fc8b8000000]: Connected at TCP level, now doing TLS handshake with >> cname=128.171.77.23 >> >> 2021-02-11 13:26:32:654 [linphone/belle-sip] MESSAGE Channel >> [0x7fc8b8000000]: SSL handshake in progress... >> >> 2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate >> depth=[2], flags=[]: >> >> cert. version : 3 >> >> serial number : 44:AF:B0:80:D6:A3:27:BA:89:30:39:86:2E:F8:40:6B >> >> issuer name : O=Digital Signature Trust Co., CN=DST Root CA X3 >> >> subject name : O=Digital Signature Trust Co., CN=DST Root CA X3 >> >> issued on : 2000-09-30 21:12:19 >> >> expires on : 2021-09-30 14:01:15 >> >> signed using : RSA with SHA1 >> >> RSA key size : 2048 bits >> >> basic constraints : CA=true >> >> key usage : Key Cert Sign, CRL Sign >> >> >> 2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate >> depth=[1], flags=[]: >> >> cert. version : 3 >> >> serial number : 40:01:75:04:83:14:A4:C8:21:8C:84:A9:0C:16:CD:DF >> >> issuer name : O=Digital Signature Trust Co., CN=DST Root CA X3 >> >> subject name : C=US, O=Let's Encrypt, CN=R3 >> >> issued on : 2020-10-07 19:21:40 >> >> expires on : 2021-09-29 19:21:40 >> >> signed using : RSA with SHA-256 >> >> RSA key size : 2048 bits >> >> basic constraints : CA=true, max_pathlen=0 >> >> key usage : Digital Signature, Key Cert Sign, CRL Sign >> >> ext key usage : TLS Web Server Authentication, TLS Web Client >> Authentication >> >> >> 2021-02-11 13:26:32:674 [linphone/belle-sip] MESSAGE Found certificate >> depth=[0], flags=[CN-mismatch ]: >> >> cert. version : 3 >> >> serial number : 03:F0:83:3C:5D:41:76:BC:4E:B2:E6:AB:60:8C:F9:5E:27:86 >> >> issuer name : C=US, O=Let's Encrypt, CN=R3 >> >> subject name : CN=voip1.ifa.hawaii.edu >> >> issued on : 2020-12-30 02:56:29 >> >> expires on : 2021-03-30 02:56:29 >> >> signed using : RSA with SHA-256 >> >> RSA key size : 2048 bits >> >> basic constraints : CA=false >> >> subject alt name : voip1.ifa.hawaii.edu >> >> key usage : Digital Signature, Key Encipherment >> >> ext key usage : TLS Web Server Authentication, TLS Web Client >> Authentication >> >> >> 2021-02-11 13:26:32:674 [linphone/belle-sip] ERROR Channel >> [0x7fc8b8000000]: SSL handshake failed : X509 - Certificate verification >> failed, e.g. CRL, CA or signature check failed >> >> 2021-02-11 13:26:32:674 [linphone/belle-sip] ERROR Cannot connect to >> [TLS://128.171.77.23:5061] >> > > I don't use linphone or have any experience so can only provide general > comments. Either the certificate chain is incomplete and the client can't > verify, or the client doesn't have the certificate authority root > certificate as trusted. As well if you aren't doing so you have to connect > to the hostname - you can't specify the IP address. > > -- > Joshua C. Colp > Asterisk Technical Lead > Sangoma Technologies > Check us out at www.sangoma.com and www.asterisk.org > -- > _____________________________________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > > Check out the new Asterisk community forum at: > https://community.asterisk.org/ > > New to Asterisk? Start here: > https://wiki.asterisk.org/wiki/display/AST/Getting+Started > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20210212/502678d4/attachment.html>