Re: [asterisk-users] PJSIP and Grandstream Wave with TSL and SRTP
On Friday, January 24, 2020 6:25:48 PM CET Sean Bright wrote:
> On 1/23/2020 6:04 PM, hw wrote:
> >> This is what mine looks like which works just fine:
> >>
> >> [transport-tls]
> >> type = transport
> >> protocol = tls
> >> method= tlsv1_2
> >> cipher= ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256
> >> cert_file = /etc/letsencrypt/live/specialdomain.com/fullchain.pem
> >> priv_key_file = /etc/letsencrypt/live/specialdomain.com/privkey.pem
> >
> > Thanks, it still says
> >
> >
> > SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761>
> ssl3_get_client_hello-no shared cipher> len: 0 peer: 10.10.20.29:54937
>
> I guess I should have been more clear before - with the above settings
> TLS works for other phones, I hadn't tried with Wave.
>
> I downloaded Wave for iOS and played around a bit and stumbled on a
> working configuration. Wave seems to only support TLS 1.0 which is
> problematic itself but it is what it is.
>
> I set up Asterisk 16 on a VM in AWS to test which you can try as well if
> you like:
>
> Domain: sip.seanbright.com
> Username: asterisk
> Password: asterisk
>
> Calls are SRTP if offered, and the number dialed just needs to be 1 or
> more digits. This is the configuration I ended up with:
>
> [transport-tls]
> type = transport
> protocol = tls
> method= tlsv1
> cert_file = /etc/letsencrypt/live/sip.seanbright.com/fullchain.pem
> priv_key_file = /etc/letsencrypt/live/sip.seanbright.com/privkey.pem
> bind = 0.0.0.0:5061
> external_media_address = 52.91.86.158
> external_signaling_address = 52.91.86.158

Ok, I created a new certificate and it still doesn't work with your
transport.

Is CentOS 7 too old to run asterisk on? Is the android device I'm using
too old? Why did it work before changing from SIP to PJSIP? Do I need to
do anything special when creating the certificate?

--
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users

Re: [asterisk-users] PJSIP and Grandstream Wave with TSL and SRTP
On Friday, January 24, 2020 6:25:48 PM CET Sean Bright wrote:
> On 1/23/2020 6:04 PM, hw wrote:
> >> This is what mine looks like which works just fine:
> >>
> >> [transport-tls]
> >> type = transport
> >> protocol = tls
> >> method= tlsv1_2
> >> cipher= ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256
> >> cert_file = /etc/letsencrypt/live/specialdomain.com/fullchain.pem
> >> priv_key_file = /etc/letsencrypt/live/specialdomain.com/privkey.pem
> >
> > Thanks, it still says
> >
> >
> > SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761>
> ssl3_get_client_hello-no shared cipher> len: 0 peer: 10.10.20.29:54937
>
> I guess I should have been more clear before - with the above settings
> TLS works for other phones, I hadn't tried with Wave.
>
> I downloaded Wave for iOS and played around a bit and stumbled on a
> working configuration. Wave seems to only support TLS 1.0 which is
> problematic itself but it is what it is.
>
> I set up Asterisk 16 on a VM in AWS to test which you can try as well if
> you like:
>
> Domain: sip.seanbright.com
> Username: asterisk
> Password: asterisk
>
> Calls are SRTP if offered, and the number dialed just needs to be 1 or
> more digits. This is the configuration I ended up with:
>
> [transport-tls]
> type = transport
> protocol = tls
> method= tlsv1
> cert_file = /etc/letsencrypt/live/sip.seanbright.com/fullchain.pem
> priv_key_file = /etc/letsencrypt/live/sip.seanbright.com/privkey.pem
> bind = 0.0.0.0:5061
> external_media_address = 52.91.86.158
> external_signaling_address = 52.91.86.158

Thanks a lot! I tried to register and it worked.

It still doesn't work here with tlsv1. Then I noticed that you have
priv_key_file set. I don't have that, and I don't remember which of the
files that were created when I tried to create the key asterisk is using
now is the private key.

It seems I'll have to spend another day or so on all the horrible key
creation stuff again.

Re: [asterisk-users] PJSIP and Grandstream Wave with TSL and SRTP
On 1/23/2020 6:04 PM, hw wrote:
> > This is what mine looks like which works just fine:
> >
> > [transport-tls]
> > type = transport
> > protocol = tls
> > method= tlsv1_2
> > cipher= ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256
> > cert_file = /etc/letsencrypt/live/specialdomain.com/fullchain.pem
> > priv_key_file = /etc/letsencrypt/live/specialdomain.com/privkey.pem
>
> Thanks, it still says
>
> SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> len: 0 peer: 10.10.20.29:54937

I guess I should have been more clear before - with the above settings
TLS works for other phones, I hadn't tried with Wave.

I downloaded Wave for iOS and played around a bit and stumbled on a
working configuration. Wave seems to only support TLS 1.0 which is
problematic itself but it is what it is.

I set up Asterisk 16 on a VM in AWS to test which you can try as well if
you like:

Domain: sip.seanbright.com
Username: asterisk
Password: asterisk

Calls are SRTP if offered, and the number dialed just needs to be 1 or
more digits. This is the configuration I ended up with:

[transport-tls]
type = transport
protocol = tls
method = tlsv1
cert_file = /etc/letsencrypt/live/sip.seanbright.com/fullchain.pem
priv_key_file = /etc/letsencrypt/live/sip.seanbright.com/privkey.pem
bind = 0.0.0.0:5061
external_media_address = 52.91.86.158
external_signaling_address = 52.91.86.158

Hope that helps,
Sean

Re: [asterisk-users] PJSIP and Grandstream Wave with TSL and SRTP
On Thursday, January 23, 2020 11:31:46 PM CET Sean Bright wrote:
> On 1/21/2020 9:18 PM, hw wrote:
> > [transport-tls]
> > type = transport
> > protocol = tls
> > bind = 0.0.0.0:5061
> > tos = cs5
> > cert_file = /etc/asterisk/cert/asterisk.pem
> > ca_list_file = /etc/pki/tls/certs/ca-bundle.crt
> > method = sslv23
>
> This is what mine looks like which works just fine:
>
> [transport-tls]
> type = transport
> protocol = tls
> method= tlsv1_2
> cipher= ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256
> cert_file = /etc/letsencrypt/live/specialdomain.com/fullchain.pem
> priv_key_file = /etc/letsencrypt/live/specialdomain.com/privkey.pem

Thanks, it still says

SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> len: 0 peer: 10.10.20.29:54937

Why does it even say ssl3 despite tlsv1_2 being set? Is there a way to
see which cipher(s) a client is trying to use?

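As an added example (not part of any poster's message, and not Asterisk or pjproject code): one way to see which ciphers a client offers is to take the first TLS record it sends, for instance from a packet capture on port 5061, and read the cipher list out of its ClientHello. The Python below does that and compares the offer with the eight suites of the tlsv1_2 transport quoted above; the sample ClientHello and `LEGACY_OFFER` are constructed for illustration, not captured from Wave.

```python
import struct

# IANA code points for the eight suites in the "method= tlsv1_2" transport above.
SERVER_SUITES = {
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384", 0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256", 0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC024: "ECDHE-ECDSA-AES256-SHA384", 0xC028: "ECDHE-RSA-AES256-SHA384",
    0xC023: "ECDHE-ECDSA-AES128-SHA256", 0xC027: "ECDHE-RSA-AES128-SHA256",
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_client_hello(record: bytes):
    """Return (client_version, [cipher suite ids]) from one TLS handshake record."""
    try:
        ctype, _rec_version, rec_len = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rec_len]
        if ctype != 0x16 or len(body) != rec_len or body[0] != 0x01:
            raise ValueError("not a complete ClientHello record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        version = struct.unpack_from("!H", hello, 0)[0]  # highest version offered
        pos = 2 + 32                      # skip client_version and random
        pos += 1 + hello[pos]             # skip session_id
        n = struct.unpack_from("!H", hello, pos)[0]
        if n % 2:
            raise ValueError("odd cipher_suites length")
        return version, list(struct.unpack_from("!%dH" % (n // 2), hello, pos + 2))
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc

def shared_suites(offered, server=SERVER_SUITES):
    """Names of server suites the client also offered, in the client's order."""
    return [server[s] for s in offered if s in server]

def build_sample_hello(version, suites):
    """Constructed input: a minimal ClientHello without extensions."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"
    hello += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites)
    hello += b"\x01\x00"                  # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

# Constructed offer from a TLS 1.0-only client (CBC/SHA-1 suites), not a Wave capture.
LEGACY_OFFER = [0xC014, 0xC013, 0x0035, 0x002F, 0x000A]

if __name__ == "__main__":
    version, offered = parse_client_hello(build_sample_hello(0x0301, LEGACY_OFFER))
    print(VERSIONS.get(version, hex(version)), [hex(s) for s in offered])
    print("shared with server list:", shared_suites(offered) or "none")
```

All eight configured suites use GCM or SHA-256/SHA-384 MACs, which exist only from TLS 1.2 on, so a client limited to TLS 1.0 has nothing in common with that list.
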
Re: [asterisk-users] PJSIP and Grandstream Wave with TSL and SRTP
On 1/21/2020 9:18 PM, hw wrote:
> [transport-tls]
> type = transport
> protocol = tls
> bind = 0.0.0.0:5061
> tos = cs5
> cert_file = /etc/asterisk/cert/asterisk.pem
> ca_list_file = /etc/pki/tls/certs/ca-bundle.crt
> method = sslv23

This is what mine looks like which works just fine:

[transport-tls]
type = transport
protocol = tls
method = tlsv1_2
cipher = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256
cert_file = /etc/letsencrypt/live/specialdomain.com/fullchain.pem
priv_key_file = /etc/letsencrypt/live/specialdomain.com/privkey.pem

Kind regards,
Sean

Re: [asterisk-users] PJSIP and Grandstream Wave with TSL and SRTP
On Wednesday, January 22, 2020 3:18:23 AM CET hw wrote:
> Hi,
>
> after switching from chan_sip to chan_pjsip, a device running Grandstream
> Wave leads to the following error message on the asterisk console:
>
>
> SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> ssl3_get_client_hello-no shared cipher> len: 0 peer: 10.10.20.29:43357
>
>
> Something with the encryption must have changed with asterisk. How can I
> get the device to register again?

Linphone doesn't register either, giving the same error message. So this
must have to do with something with asterisk.

Any ideas?

[asterisk-users] PJSIP and Grandstream Wave with TSL and SRTP
Hi,

after switching from chan_sip to chan_pjsip, a device running Grandstream
Wave leads to the following error message on the asterisk console:

SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> len: 0 peer: 10.10.20.29:43357

Something with the encryption must have changed with asterisk. How can I
get the device to register again?

[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5061
tos = cs5
cert_file = /etc/asterisk/cert/asterisk.pem
ca_list_file = /etc/pki/tls/certs/ca-bundle.crt
method = sslv23

'method = tlsv1' doesn't work, either.