PJSIP And Grandstream Wave With TLS And SRTP

Hi,

after switching from chan_sip to chan_pjsip, a device running Grandstream Wave leads to the following error message on the asterisk console:

SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> len: 0 peer: 10.10.20.29:43357

Something with the encryption must have changed with asterisk. How can I get the device to register again?

[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0:5061
tos = cs5
cert_file = /etc/asterisk/cert/asterisk.pem
ca_list_file = /etc/pki/tls/certs/ca-bundle.crt
method = sslv23

‘method = tlsv1’ doesn’t work, either.

6 thoughts on - PJSIP And Grandstream Wave With TLS And SRTP

  • Linphone doesn’t register either, giving the same error message. So this must have to do with something with asterisk.

    Any ideas?

  • This is what mine looks like which works just fine:

    [transport-tls]
    type          = transport
    protocol      = tls
    method        = tlsv1_2
    cipher        = ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES256-SHA384,ECDHE-RSA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-RSA-AES128-SHA256
    cert_file     = /etc/letsencrypt/live/specialdomain.com/fullchain.pem
    priv_key_file = /etc/letsencrypt/live/specialdomain.com/privkey.pem

    Kind regards, Sean

  • Thanks, it still says

    SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> len: 0 peer: 10.10.20.29:54937

    Why does it even say ssl3 even though tlsv1_2 is set?

    Is there a way to see which cipher(s) a client is trying to use?

  • I guess I should have been more clear before – with the above settings TLS works for other phones, I hadn’t tried with Wave.

    I downloaded Wave for iOS and played around a bit and stumbled on a working configuration. Wave seems to only support TLS 1.0 which is problematic itself but it is what it is.

    I set up Asterisk 16 on a VM in AWS to test which you can try as well if you like:

    Domain: sip.seanbright.com
    Username: asterisk
    Password: asterisk

    Calls are SRTP if offered, and the number dialed just needs to be 1 or more digits. This is the configuration I ended up with:

    [transport-tls]
    type          = transport
    protocol      = tls
    method        = tlsv1
    cert_file     = /etc/letsencrypt/live/sip.seanbright.com/fullchain.pem
    priv_key_file = /etc/letsencrypt/live/sip.seanbright.com/privkey.pem
    bind          = 0.0.0.0:5061
    external_media_address     = 52.91.86.158
    external_signaling_address = 52.91.86.158

    Hope that helps, Sean

  • Thanks a lot! I tried to register and it worked. It still doesn’t work here with tlsv1.

    Then I noticed that you have priv_key_file set. I don’t have that, and I don’t remember which of the files that were created when I tried to create the key asterisk is using now is the private key. It seems I’ll have to spend another day or so on all the horrible key creation stuff again.

  • Ok, I created a new certificate and it still doesn’t work with your transport.

    Is CentOS 7 too old to run asterisk on? Is the android device I’m using too old?

    Why did it work before changing from SIP to PJSIP? Do I need to do anything special when creating the certificate?
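
The err value in the console line quoted in this thread is a packed OpenSSL error code, and unpacking it shows what the handshake actually failed on. The following is an added example, not code from any poster or from Asterisk; it assumes the OpenSSL 1.0.x/1.1.x error layout (8-bit library, 12-bit function, 12-bit reason), and the helper names and the short reason table are chosen here for illustration.

```python
import re

# Assumption: OpenSSL 1.0.x/1.1.x packing; OpenSSL 3.x lays the bits out differently.
ERR_LIB_SSL = 20
# Function 138 in OpenSSL 1.0.x; its name is why the error string mentions
# "ssl3" whatever TLS method the transport sets.
SSL_FUNCS = {138: "ssl3_get_client_hello"}
# Subset of the SSL_R_* reason codes from ssl.h that show up on failed handshakes.
SSL_REASONS = {
    134: "certificate verify failed",
    193: "no shared cipher",
    252: "unknown protocol",
    258: "unsupported protocol",
    267: "wrong version number",
    1040: "sslv3 alert handshake failure",
}
# Matches the console line format quoted in the thread.
LOG_RE = re.compile(r"err: <(?P<err>\d+)> len: \d+ peer: (?P<peer>[\d.]+):\d+")
# The line from the original post.
SAMPLE = ("SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> "
          "len: 0 peer: 10.10.20.29:43357")


def unpack_error(code):
    """Split a packed error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def explain_line(line):
    """Decode one console line; return None if it carries no err value."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    code = int(m.group("err"))
    lib, func, reason = unpack_error(code)
    if lib == ERR_LIB_SSL:
        text = SSL_REASONS.get(reason, "reason %d (see ssl.h)" % reason)
    else:
        text = "library %d, reason %d" % (lib, reason)
    return {"peer": m.group("peer"), "hex": "%08X" % code, "lib": lib,
            "func": SSL_FUNCS.get(func, func), "reason": reason, "text": text}


if __name__ == "__main__":
    print(explain_line(SAMPLE))
```

Running `openssl errstr 1408A0C1` on the server decodes the same value with the installed library. On the server side, "no shared cipher" means none of the suites the client offered was usable with the transport's cipher list and the certificate and private key it actually loaded.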