Sslv3 Alert Handshake Failure Error


Hi All, I am using the “asterisk-11.12.0” version and I am trying to set up a secure call
(TLS + SRTP) between two extensions, and while making a call I got the following error:

*CLI> == Using SIP RTP CoS mark 5
    -- Executing [6004@from-office:1] Dial("SIP/6003-00000000", "SIP/6004,20") in new stack
  == Using SIP RTP CoS mark 5
    -- Called SIP/6004
SSL certificate ok
  == Problem setting up ssl connection: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Nov 2 21:20:05] WARNING[3571]: tcptls.c:673 handle_tcptls_connection: FILE * open failed!

I followed the instructions given in
https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Tutorial, but no luck. I googled around the issue and found a solution mentioned by Patrick (
https://www.mail-archive.com/asterisk-users@lists.digium.com/msg274038.html)

Has anyone tried this solution and found that it works? I tried to create certificates with keyUsage/extendedKeyUsage, but it is not working.

I have one more query: when the SIP user agents are able to register successfully with TLS, why is another handshake required when making a call?
Can’t Asterisk use the existing TLS connection with leg B to forward the INVITE
request? Could anyone please educate me on this? I am a little confused here.

Thanks in advance.


  • It sounds like SSLv3 is being used by one of the endpoints.

    SSLv3 is broken. It’s been known broken for about 10 years. It’s been
    “more” broken recently (???). It should not have been used previous to POODLE, and it should not be used now.

    And don’t use that crap UAs came up with (TLS_FALLBACK_SCSV). Always advertise the protocols you are willing to accept, and don’t fall back to insecure protocols.

    My protocol selections are TLS 1.0, 1.1 and 1.2. I allow TLS 1.0 for interoperability, but I’d like to bury it too. If you control the server and the clients, then you should be able to safely kill-off TLS
    1.0 since interop is not a concern.

    Jeff
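Added example (editor's note, not part of the thread and not Asterisk or PJSIP code): the Go program below reproduces the two failure modes this thread circles around, the original post's "sslv3 alert handshake failure" and Jeff's point about peers advertising non-overlapping protocol versions, by running a TLS server and a TLS client in-process over net.Pipe with a constructed self-signed certificate for the hypothetical PBX name pbx.example.test. It uses only the Go standard library. Two things it makes visible that the log line alone does not: the "handshake failure" alert (TLS alert 40) is what a server sends when it finds no cipher suite both sides support, and OpenSSL reports that alert under its SSL3_READ_BYTES routine name whatever protocol version was negotiated, so the message by itself does not prove SSLv3 was on the wire; a version mismatch, by contrast, produces a different alert, protocol_version. The version-mismatch case is written as TLS 1.3-only server versus TLS 1.2-only client rather than TLS 1.0 versus SSLv3 so that it runs on a current Go toolchain; the mechanism is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome is the client's view of one handshake: the negotiated version (0 on
// failure) and the error text, which carries a server alert as "remote error: tls: ...".
type Outcome struct {
	Version uint16
	Err     string
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCert builds a throwaway ECDSA certificate for the hypothetical PBX
// name pbx.example.test so the example runs offline (constructed fixture only).
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "pbx.example.test"},
		DNSNames:     []string{"pbx.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client will trust exactly this self-signed cert
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// Handshake joins an in-process TLS server and client over net.Pipe (no sockets)
// and returns what the client saw; a server-side error arrives as a fatal alert.
func Handshake(serverCfg, clientCfg *tls.Config) Outcome {
	sRaw, cRaw := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // never hang on a stuck peer
	_ = sRaw.SetDeadline(deadline)
	_ = cRaw.SetDeadline(deadline)
	done := make(chan struct{})
	go func() {
		defer close(done)
		_ = tls.Server(sRaw, serverCfg).Handshake()
	}()
	cli := tls.Client(cRaw, clientCfg)
	err := cli.Handshake()
	out := Outcome{Version: cli.ConnectionState().Version}
	if err != nil {
		out = Outcome{Err: err.Error()}
	}
	_ = cRaw.Close() // close the raw pipe, not cli: a close_notify write could block
	<-done
	_ = sRaw.Close()
	return out
}

// Scenarios runs three server/client policy combinations, keyed by name.
func Scenarios() map[string]Outcome {
	cert, pool := selfSignedCert()
	ecdsaSuite := []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
	rsaSuite := []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
	server := func(min, max uint16, suites []uint16) *tls.Config {
		return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: min, MaxVersion: max, CipherSuites: suites}
	}
	client := func(min, max uint16, suites []uint16) *tls.Config {
		return &tls.Config{RootCAs: pool, ServerName: "pbx.example.test", MinVersion: min, MaxVersion: max, CipherSuites: suites}
	}
	v12, v13 := uint16(tls.VersionTLS12), uint16(tls.VersionTLS13)
	return map[string]Outcome{
		"version-mismatch": Handshake(server(v13, v13, nil), client(v12, v12, nil)),             // server wants 1.3 only
		"cipher-mismatch":  Handshake(server(v12, v12, ecdsaSuite), client(v12, v12, rsaSuite)),   // no common suite
		"compatible":       Handshake(server(v12, v12, ecdsaSuite), client(v12, v12, ecdsaSuite)), // overlap on both
	}
}

func main() {
	for name, r := range Scenarios() {
		fmt.Printf("%-17s version=0x%04x err=%q\n", name, r.Version, r.Err)
	}
}
```

Run it with go run; the cipher-mismatch case ends in "remote error: tls: handshake failure", the version-mismatch case in "remote error: tls: protocol version not supported", and the compatible case negotiates 0x0303 (TLS 1.2). Against a real Asterisk TLS listener the equivalent check is openssl s_client -connect pbx:5061 with -tls1, -tls1_1 or -tls1_2 to see which versions the server accepts, and -cipher to narrow the offered suites until the handshake breaks the same way the CLI log shows.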

  • Hi Jeff, Thanks for the response. I am using PJSIP soft clients and PJSIP uses TLSv1
    by default. Even in network traces (using Wireshark), I can observe that the TLSv1
    protocol is being used. I am not getting why it is falling back to sslv3.

    Could you please guide me here? Please correct me in case I missed something here.

    Moreover, I have the following in “extensions.conf”:

    exten = 100,1,Answer()
    same = n,Wait(1)
    same = n,Playback(hello-world)
    same = n,Hangup()

    And a call to 100 (Req URI – INVITE sips:100@pbx.asterisk1.org;trasnport=tls SIP/2.0) from either of the PJSIP soft clients works perfectly. So I wonder how it works here and why it fails when I dial an extension configured on a soft phone.