Problem With TLS/SRTP With Asterisk 11.8.1
Hi,
I followed the TLS/SRTP tutorial on the wiki [0] using Asterisk 11.8.1
on CentOS 6.5 x86_64 and CSipSimple on a Nexus running Android 4.4.x over local wifi. The phone seems to register, but directly after that things fall apart (turning SELinux off made no difference):
*CLI>  -- Registered SIP 'encrypted' at 10.0.0.137:58079
    > Saved useragent "CSipSimple_crespo-19/r2330" for peer encrypted
SSL certificate ok
  == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Mar 24 21:20:42] WARNING[28466]: tcptls.c:272 handle_tcptls_connection: FILE * open failed!
[Mar 24 21:20:45] NOTICE[28460]: chan_sip.c:29584 sip_poke_noanswer: Peer 'encrypted' is now UNREACHABLE! Last qualify: 0
SSL certificate ok
  == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Mar 24 21:20:56] WARNING[28467]: tcptls.c:272 handle_tcptls_connection: FILE * open failed!
  -- Unregistered SIP 'encrypted'
sip.conf looks like this:
[general]
context=guest
allowguest=no
allowoverlap=no
allowtransfer=no
bindaddr=0.0.0.0:5060
udpbindaddr=0.0.0.0:5060
tcpenable=no
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
transport=udp
preferred_codec_only=no
disallow=all
allow=ulaw
language=en
trustrpid=no
dtmfmode=rfc2833
videosupport=no
alwaysauthreject=yes
directmedia=no
jbenable = yes
jbforce = no

[encrypted]
type=friend
secret34
context=internal
callerid="Encrypted" <1002>
host=dynamic
qualify=yes
canreinvite=no
dtmfmode=rfc2833
disallow=all
allow=alaw
allow=ulaw
transport=tls
encryption=yes
$ ls -l /etc/asterisk/keys
total 28
-rw-r--r--. 1 asterisk asterisk 1204 mrt 24 16:16 asterisk.crt
-r--r-----. 1 asterisk asterisk  887 mrt 24 16:16 asterisk.key
-r--r-----. 1 asterisk asterisk 2091 mrt 24 16:16 asterisk.pem
-rw-r--r--. 1 asterisk asterisk 1736 mrt 24 16:16 ca.crt
-r--------. 1 asterisk asterisk 3311 mrt 24 16:16 ca.key
-rw-r--r--. 1 asterisk asterisk 1208 mrt 24 16:20 nexus.crt
The certs were created with ast_tls_cert as described in the tutorial. I
created a nexus.p12 for the phone and imported it before configuring CSipSimple.
Does anyone know what's wrong? Pointers much appreciated.
Thanks, Patrick
[0] https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial
One thought on - Problem With TLS/SRTP With Asterisk 11.8.1
[snip]
So others may find the fix: make sure the server and client certificates have the proper keyUsage. The ast_gen_tls script does not set them and this caused the handshake/verification to fail.
The client certificate needs something like:
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
The server certificate needs something like:
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
HTH, Patrick
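As an added example (not Patrick's script and not part of Asterisk), the sh script below issues a CA, a server certificate and a client certificate with the openssl CLI, writing the keyUsage/extendedKeyUsage values from the reply into an extension file, and then checks each certificate against its role with openssl verify -purpose. The subjects, file names and the "bare" certificate minted without an extension file (standing in for one that lacks keyUsage/extendedKeyUsage) are assumptions for the example.

```sh
#!/bin/sh
# Added example, not from the thread: mint a CA plus a server and a client cert
# carrying the keyUsage / extendedKeyUsage from the reply, then check each cert
# against its role. Subjects and file names are invented; all output goes to $WORK.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Extension file for one role: server -> serverAuth, client -> clientAuth.
write_ext() {  # $1 = server|client, $2 = output file
  case "$1" in
    server) eku=serverAuth ;;
    client) eku=clientAuth ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = %s\n' "$eku" > "$2"
}
# Self-signed CA, created once (ca.key / ca.crt, mirroring the tutorial layout).
make_ca() {
  [ -f "$WORK/ca.crt" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Asterisk CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
# Issue $1.crt for role $2. Role "none" skips the extension file, producing a
# certificate without keyUsage/extendedKeyUsage (the situation the reply fixes).
issue_cert() {  # $1 = name, $2 = server|client|none
  make_ca
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ "$2" = none ]; then extopt=""; else write_ext "$2" "$WORK/$1.ext"; extopt="-extfile $WORK/$1.ext"; fi
  # $extopt is deliberately unquoted so an empty value adds no argument.
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 $extopt -out "$WORK/$1.crt" 2>/dev/null
}
# Succeed only if the cert chains to the CA and its extensions permit the role;
# this is the purpose check a TLS peer applies to the certificate it receives.
check_purpose() {  # $1 = name, $2 = server|client
  case "$2" in server) p=sslserver ;; client) p=sslclient ;; *) return 1 ;; esac
  openssl verify -purpose "$p" -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}
# Succeed only if the cert carries an explicit extendedKeyUsage extension.
has_eku() {  # $1 = name
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q 'Extended Key Usage'
}

# Demo: server cert for Asterisk, client cert for the phone, plus a bare one.
issue_cert asterisk server && issue_cert nexus client && issue_cert bare none
check_purpose asterisk server && check_purpose nexus client && echo "role checks passed in $WORK"
has_eku bare || echo "bare cert has no extendedKeyUsage"
```

Swapping the roles (verifying the server cert with -purpose sslclient) fails, which is the kind of mismatch a peer that insists on the right extendedKeyUsage rejects during the handshake.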