On Friday, January 24, 2020 6:25:48 PM CET Sean Bright wrote: > On 1/23/2020 6:04 PM, hw wrote: > >> This is what mine looks like which works just fine: > >> > >> [transport-tls] > >> type = transport > >> protocol = tls > >> method = tlsv1_2 > >> cipher = > >> ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES > >> 128 > >> -GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE- > >> RSA- AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256 > >> cert_file = /etc/letsencrypt/live/specialdomain.com/fullchain.pem > >> priv_key_file = /etc/letsencrypt/live/specialdomain.com/privkey.pem > > > > Thanks, it still says > > > > > > SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> <SSL routines- > > ssl3_get_client_hello-no shared cipher> len: 0 peer: 10.10.20.29:54937 > > I guess I should have been more clear before - with the above settings > TLS works for other phones, I hadn't tried with Wave. > > I downloaded Wave for iOS and played around a bit and stumbled on a > working configuration. Wave seems to only support TLS 1.0 which is > problematic itself but it is what it is. > > I set up Asterisk 16 on a VM in AWS to test which you can try as well if > you like: > > Domain: sip.seanbright.com > Username: asterisk > Password: asterisk > > Calls are SRTP if offered, and the number dialed just needs to be 1 or > more digits. This is the configuration I ended up with: > > [transport-tls] > type = transport > protocol = tls > method = tlsv1 > cert_file = /etc/letsencrypt/live/sip.seanbright.com/fullchain.pem > priv_key_file = /etc/letsencrypt/live/sip.seanbright.com/privkey.pem > bind = 0.0.0.0:5061 > external_media_address = 52.91.86.158 > external_signaling_address = 52.91.86.158
Thanks a lot! I tried to register and it worked. It still doesn't work here with tlsv1. Then I noticed that you have priv_key_file set. I don't have that, and I don't remember which of the files that were created when I tried to create the key asterisk is using now is the private key. It seems I'll have to spend another day or so on all the horrible key creation stuff again. -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
