TLS Problem
Hi,
I'm trying to get TLS to work with Asterisk and client phones, and all I'm getting from Asterisk is
[Aug 23 11:46:42] WARNING[1170]: tcptls.c:673 handle_tcptls_connection: FILE * open failed!
== Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)
[Aug 23 11:46:44] WARNING[1171]: tcptls.c:673 handle_tcptls_connection: FILE * open failed!
when clients try to connect. No client is able to register using TLS.
How can I use encrypted connections?
—
5 thoughts on - TLS Problem
hw wrote:
Nobody having an idea? Nobody using encryption?
—
Well, what immediately stands out is:
“FILE * open failed!”
Have you triple checked that the full filepath is correct and that the user that Asterisk is running as has full permissions to access your valid certificate file?
I have it working with microsip and a free TLS cert from LetsEncrypt. When I get to the PC with that on, I can write up what settings I’ve got if that helps?
—
Jonathan H wrote:
Yes, and it doesn't say which file cannot be opened. I even looked at the source and found that at that point, you can't simply add some debugging output to find out.
It says ‘SSL certificate ok’ when I ‘reload sip’. When it can´t read one of the files involved with the certificate, it says which one.
I'm using a self-signed certificate, but that shouldn't behave any differently than an externally signed one as long as it checks out, which it apparently does.
So yes, it would be nice if you could send me the settings you're using, thanks 🙂
—
Sorry, things got a bit behind. I was about to settle down and type something up when I noticed you mention SIP.
Sorry, I’ve not used that – I’m only familiar with the current pjsip implementation on 13.10.
Which looks like this:
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/letsencrypt/live/mysite.co.uk/fullchain.pem
priv_key_file=/etc/letsencrypt/live/mysite.co.uk/privkey.pem
; note: method=tlsv1 pins the transport to TLS 1.0 only; newer pjsip accepts tlsv1_2
method=tlsv1
But this won’t be any good to you on sip. What version of Asterisk are you using?
—
It is not a file on your computer's disk. It is a connection attempt from one of your phones. If a phone is configured to use TCP without TLS and connects to the port used for TLS (default 5061), you will see a message like this. (Just an example; different situation here.)
“WARNING[1170]: tcptls.c:673 handle_tcptls_connection …”
Handle … connection …
“Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)”
ERR_get_error returns 0 if there is no error in the queue. According to the description [1], this can happen, and it should be possible to find out more about the error.
Try to connect using “openssl s_client”.
[1] https://www.openssl.org/docs/manmaster/ssl/SSL_get_error.html
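The two diagnostics suggested in this thread (Jonathan's "can the Asterisk user actually read the certificate files?" and the last reply's "is the thing hitting 5061 even speaking TLS?") as an added, runnable example. This is not Asterisk code and not from anyone in the thread; it assumes the service account is named `asterisk` and defaults to the pjsip.conf paths posted above, both of which you should change to match your box. The sample bytes in the classifier are constructed, not captured from a real phone.

```python
"""Check an Asterisk TLS transport from the outside: file readability for
the service user, a TLS-vs-cleartext classifier for what arrives on the
TLS port, and an s_client-style probe. Added example, not Asterisk code."""
import grp
import os
import pwd
import socket
import ssl
import stat
import sys


def readable_by(path, uid, gid, supplementary=()):
    """True if a process running as uid/gid could open `path` for reading,
    judged from mode bits alone (root bypasses these checks). Every
    directory on the way must be searchable (x) as well as the file readable."""
    path = os.path.abspath(path)

    def bit_ok(st, owner_bit, group_bit, other_bit):
        if st.st_uid == uid:
            return bool(st.st_mode & owner_bit)
        if st.st_gid == gid or st.st_gid in supplementary:
            return bool(st.st_mode & group_bit)
        return bool(st.st_mode & other_bit)

    parts = path.split(os.sep)          # parts[0] == '' for an absolute path
    for i in range(1, len(parts)):      # check '/', '/etc', '/etc/...' in turn
        d = os.sep.join(parts[:i]) or os.sep
        try:
            st = os.stat(d)
        except OSError:
            return False
        if not bit_ok(st, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bit_ok(st, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def check_service_user(cert, key, user="asterisk"):
    """Map each PEM path to whether `user` (assumed account name) can read it."""
    pw = pwd.getpwnam(user)
    groups = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return {p: readable_by(p, pw.pw_uid, pw.pw_gid, groups) for p in (cert, key)}


def classify_first_bytes(data):
    """Tell a TLS handshake from cleartext SIP by a connection's first bytes.
    A TLS record begins 0x16 (handshake) 0x03 (major version); a phone set to
    plain TCP that hits the TLS port starts with a request line instead."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"
    for method in (b"REGISTER ", b"INVITE ", b"OPTIONS ", b"SIP/2.0 "):
        if data.startswith(method):
            return "cleartext-sip"
    return "unknown"


def probe_tls(host, port=5061, timeout=5.0):
    """What `openssl s_client -connect host:port` does: complete a handshake
    without verifying the chain (self-signed certs are fine) and report the
    negotiated version and cipher. Raises ssl.SSLError if the port is not TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "cert_bytes": len(der)}


if __name__ == "__main__":
    # usage: python check_tls.py [cert.pem key.pem]   (defaults: paths posted above)
    cert, key = (sys.argv[1:3] if len(sys.argv) >= 3 else
                 ("/etc/letsencrypt/live/mysite.co.uk/fullchain.pem",
                  "/etc/letsencrypt/live/mysite.co.uk/privkey.pem"))
    try:
        for p, ok in check_service_user(cert, key).items():
            print("OK  " if ok else "FAIL", p)
    except KeyError as e:
        print("no such user:", e)
```

`readable_by` deliberately does not use `os.access`, which answers for the user running the script (usually root, for whom everything is readable) rather than for the `asterisk` account. To see what a phone actually sent, capture the first packet on 5061 and feed its payload to `classify_first_bytes`; a `REGISTER` line there means the phone is configured for TCP, not TLS, which is exactly the mismatch the last reply describes.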