Hi Jeff,

Thanks for the response.

I am using PJSIP soft clients and PJSIP uses TLSv1 by default. Even on network traces (using Wireshark), I can observe that the TLSv1 protocol is being used. I am not getting why it is falling back on sslv3.

Could you please guide me here? Please correct me in case I miss something here.

Moreover, I have something as following in "extensions.conf"

exten = 100,1,Answer()
same = n,Wait(1)
same = n,Playback(hello-world)
same = n,Hangup()

And a call to 100 (Req URI - INVITE sips:1...@pbx.asterisk1.org;trasnport=tls SIP/2.0) from either of the PJSIP soft clients works perfectly. So I wonder how it works here and why it fails when I dial an extension configured on a soft phone.

--
Thanks
Atul Thosar

On 2 November 2014 22:50, Jeffrey Walton <noloa...@gmail.com> wrote:

> > == Problem setting up ssl connection: error:14094410:SSL
> > routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> > [Nov 2 21:20:05] WARNING[3571]: tcptls.c:673 handle_tcptls_connection: FILE * open failed!
>
> It sounds like SSLv3 is being used by one of the endpoints.
>
> SSLv3 is broken. It's been known broken for about 10 years. It's been "more" broken recently (???). It should not have been used previous to POODLE, and it should not be used now.
>
> And don't use that crap UAs came up with (TLS_FALLBACK_SCSV). Always advertise the protocols you are willing to accept, and don't fall back to insecure protocols.
>
> My protocol selections are TLS 1.0, 1.1 and 1.2. I allow TLS 1.0 for interoperability, but I'd like to bury it too. If you control the server and the clients, then you should be able to safely kill off TLS 1.0 since interop is not a concern.
>
> Jeff
>
> On Sun, Nov 2, 2014 at 11:35 AM, Atul Thosar <atultho...@gmail.com> wrote:
> > Hi All,
> >
> > I am using the "asterisk-11.12.0" version and I am trying to set up a secure call (TLS + SRTP) between two extensions, and while making a call I got the following error
> >
> > *CLI> == Using SIP RTP CoS mark 5
> > -- Executing [6004@from-office:1] Dial("SIP/6003-00000000", "SIP/6004,20") in new stack
> > == Using SIP RTP CoS mark 5
> > -- Called SIP/6004
> > SSL certificate ok
> > == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> > [Nov 2 21:20:05] WARNING[3571]: tcptls.c:673 handle_tcptls_connection: FILE * open failed!
> >
> > I followed the instructions given in "https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial", but no luck.
> > I googled around the issue and found the solution mentioned by Patrick (https://www.mail-archive.com/asterisk-users@lists.digium.com/msg274038.html)
> >
> > Has anyone tried this solution and found it working? I tried to create certificates with keyUsage/extendedKeyUsage, but it is not working.
> >
> > I have one more query - when the SIP user agents are able to register successfully with TLS, why is one more handshake required while making a call? Can't Asterisk use the existing TLS connection with Leg B to forward the INVITE request? Could anyone please educate me on the same? I am a little confused here.
> >
> > Thanks in advance.
> > --
> > Atul Thosar
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
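Added example, not part of the original thread: Python that decodes the error code in the log line quoted above and reads the protocol version from a TLS alert record as it would appear in a capture. The text `sslv3 alert handshake failure` is OpenSSL's name for alert 40 (handshake_failure) received from the peer, while the version in use is carried in the record header; the OpenSSL 1.0.x error-code layout is assumed and the alert bytes are constructed.

```python
import re

# Assumption: OpenSSL 1.0.x error layout, lib (8 bits) | func (12) | reason (12).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL-library reasons >= 1000 are alerts sent by the peer
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
          70: "protocol_version", 86: "inappropriate_fallback"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def decode_openssl_error(line):
    """Split the 8-hex-digit code in an OpenSSL error string into its fields."""
    m = re.search(r"error:([0-9A-Fa-f]{8}):", line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason,
            "alert": alert, "alert_name": ALERTS.get(alert)}

def parse_alert_record(data):
    """Parse one unencrypted TLS alert record: type, version, length, level, description."""
    if len(data) < 7 or data[0] != 21:
        raise ValueError("not a TLS alert record")
    if int.from_bytes(data[3:5], "big") != 2:
        raise ValueError("alert body is not 2 bytes (encrypted or malformed)")
    version = VERSIONS.get((data[1], data[2]), "unknown")
    level = {1: "warning", 2: "fatal"}.get(data[5], "unknown")
    return version, level, ALERTS.get(data[6], "alert %d" % data[6])

# Log line quoted in the thread.
LOG = ("== Problem setting up ssl connection: error:14094410:SSL "
       "routines:SSL3_READ_BYTES:sslv3 alert handshake failure")
# Constructed sample: a fatal handshake_failure alert inside a TLS 1.0 record.
SAMPLE_ALERT = bytes.fromhex("15030100020228")

if __name__ == "__main__":
    print(decode_openssl_error(LOG))
    print(parse_alert_record(SAMPLE_ALERT))
```

Running the record parser over the alert bytes exported from a capture shows which side sent the alert and under which record version, which the log line alone does not.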