PJSIP To Twilio Over TLS – Wildcard Cert Problem


Hi,

I can’t get Asterisk to send a SIP call to Twilio over TLS because it complains about Twilio’s wildcard certificate.

This is with Asterisk 18.8.0 and PJSIP 2.10

pjsip show transport shows me this:

allow_reload : false
async_operations : 1
bind : 0.0.0.0:5061
ca_list_file :
ca_list_path :
cert_file : /admin/local/asterisk-keys/asterisk.crt
cipher : ADH-AES256-SHA, ADH-AES128-SHA, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, AES256-GCM-SHA384, AES128-GCM-SHA256, AES256-SHA256, AES128-SHA256, AES256-SHA, AES128-SHA
cos : 0
domain :
external_media_address :
external_signaling_address :
external_signaling_port : 0
local_net :
method : sslv23
password :
priv_key_file : /admin/local/asterisk-keys/asterisk.key
protocol : tls
require_client_cert : No
symmetric_transport : false
tos : 0
verify_client : No
verify_server : No
websocket_write_timeout : 100

(also tried with method set to tlsv1).

Googling told me to set verify_server=no but as you can see this is already set.

Is there a way round this?


Cheers, Kingsley.


  • What is the exact “complaint”?

    Maybe, once we know what the error message is 🙂

    Antony.


    I wasn’t sure about having a beard at first, but then it grew on me.

    Please reply to the list;
    please *don’t* CC me.

  • Ha, OK, here it is, or rather, several copies of it as I was trying various things:

    [Nov 29 16:44:08] ERROR[25803] pjproject: tlsc0x7f1c74246778 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
    [Nov 29 16:47:41] ERROR[26205] pjproject: tlsc0x7fb2cc271cd8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
    [Nov 29 16:54:06] ERROR[26706] pjproject: tlsc0x7f506c257798 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
    [Dec 1 17:11:21] ERROR[27092] pjproject: tlsc0x7fa20c1e9fd8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
    [Dec 1 17:29:24] ERROR[27934] pjproject: tlsc0x7f7678347ef8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
    [Dec 1 17:36:11] ERROR[28475] pjproject: tlsc0x7fee2c1d02f8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!
    [Dec 1 17:57:02] ERROR[29731] pjproject: tlsc0x7fd9e80b1be8 RFC 5922 (section 7.2) does not allow TLS wildcard certificates. Advise your SIP provider, please!


    Cheers, Kingsley.

  • So, https://datatracker.ietf.org/doc/html/rfc5922#section-7.2 does seem pretty clear about this. “Implementations MUST NOT match any form of wildcard”

    Have you contacted the provider who is using a wildcard certificate in this way and referred them to the RFC?

    Antony.


    “Can you keep a secret?”
    “Well, I shouldn’t really tell you this, but… no.”

    Please reply to the list;
    please *don’t* CC me.

  • That particular error does not prevent it from connecting (at least it doesn’t in the 18.x I’m using with my own wildcard certs). The problem may be somewhere else — for example Twilio might require TLS 1.2 or later — so try adding in method=tlsv1_2 to your transport configuration. If that doesn’t work, you’ll want to turn on pjsip debugging (https://www.asterisk.org/debugging-sip-message-traffic-with-pjsip-history/) to see if you can glean something from that.

    -Adam

  • No I haven’t, but if I did I suspect they would take no notice. Twilio is a big provider who do what they do because they can.

    And I can see why they do this, because customers can set up their own SIP trunks on their system with their unique hostname, so it makes sense for them to have a wildcard cert, whether in violation of the RFC or not.


    Cheers, Kingsley.

  • Hey there,

    I wanted to chime in on this because I encountered this exact problem in my own app. Deutsche Telekom in Germany also uses wildcard certificates. I proposed a patch for PJ, but it got rejected, see the PR here:

    https://github.com/pjsip/pjproject/pull/2328

    And my patch here:
    https://github.com/andreas-wehrmann/pjproject/commit/ef089cb53aa7570f7afda80a6a57f8b5778c86b4

    “Advise your SIP provider” – haha, I had a good laugh…

    All the best, Andreas

  • It shouldn’t stop the call from happening. It will be something else… up your debugging level and see what else you get

    Lots of providers go against this part of the spec but I’ve run Asterisk 18 with twilio over sip over tls and everything worked, it just spat out the error line

  • KT> I can’t get Asterisk to send a SIP call to Twilio over TLS
    KT> because it complains about Twilio’s wildcard certificate.

    the sip rfc claims that wildcard certs should be invalid for sip.

    digium insisted on following that advice as set in stone, and so asterisk refuses such certs. i doubt that stance is different under sangoma.

    the only workaround is to remind twil of the rfc and get them to replace the wildcard with an rfc-compliant cert. at least for the sip ports.

    -JimC

    James Cloos OpenPGP: 0x997A9F17ED7DAEA6

  • To be specific, this is in PJSIP land. There was no insisting or anything and it wasn’t a decision we originally made. It’s the way that Teluu implemented the TLS transport in PJSIP and since we use PJSIP then it applies to us. If someone contributed a change to Asterisk to make it configurable in some way, then we’d certainly review it. At this point though no one has done such a thing.

  • As far as I’m aware Josh, it doesn’t stop a call from happening – I’ve had the same “errors” pop up when using Twilio and Simwood but calls continue just fine.

  • JC> To be specific, this is in PJSIP land. There was no insisting or anything
    JC> and it wasn’t a decision we originally made. It’s the way that Teluu
    JC> implemented the TLS transport in PJSIP and since we use PJSIP then it
    JC> applies to us.

    my recall is more likely a bit older than that, before pjsip.

    there was a thread either in bugs or on one of the lists.

    but as later notes pointed out (and i really ought to have thought of ☹)
    it is only relevant, as you noted, if verify is on.

    at the time i was a fan of wildcards.

    then le came along, and then added dns01 support.

    now i prefer a separate cert each plus a 3/1/1 tlsa for each port.

    but at the time it was annoying.

    -JimC

    James Cloos OpenPGP: 0x997A9F17ED7DAEA6
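The RFC 5922 section 7.2 rule behind the logged error, together with the point made above that it only matters when server verification is on, as an added example that is not from this thread, PJSIP or Asterisk. It assumes the caller has already extracted the dNSName entries from the peer certificate's subjectAltName; the certificate names and SIP URIs used are constructed placeholders, not any real provider's values.

```python
"""Added example (not PJSIP/Asterisk code): a SIP server-identity check written
to the RFC 5922 section 7.2 rule quoted in the thread, which says implementations
MUST NOT match any form of wildcard (a leading "." or "*.") against the SIP domain."""
from dataclasses import dataclass


@dataclass
class IdentityResult:
    matched: bool
    reason: str


def sip_domain(sip_uri: str) -> str:
    """Host of a sip:/sips: URI (assumes a DNS name, not a bracketed IPv6 literal)."""
    host = sip_uri.split(":", 1)[1]      # drop scheme
    host = host.rsplit("@", 1)[-1]       # drop userinfo
    host = host.split(";", 1)[0]         # drop URI parameters
    host = host.split("?", 1)[0]         # drop headers
    return host.rsplit(":", 1)[0].lower().rstrip(".")  # drop port, normalise


def is_wildcard(name: str) -> bool:
    # RFC 5922 s7.2 names a leading "." and "*." as wildcard forms; any "*" counts here.
    return name.startswith(".") or "*" in name


def match_sip_identity(sip_uri: str, cert_dns_names: list[str]) -> IdentityResult:
    """RFC 5922-style match: exact and case-insensitive, wildcards never matched."""
    domain = sip_domain(sip_uri)
    for name in cert_dns_names:
        if not is_wildcard(name) and name.lower().rstrip(".") == domain:
            return IdentityResult(True, f"exact match on {name}")
    wild = [n for n in cert_dns_names if is_wildcard(n)]
    if wild:
        # The same condition the thread's log line reports.
        return IdentityResult(False, "RFC 5922 (section 7.2) does not allow TLS "
                              f"wildcard certificates: {', '.join(wild)}")
    return IdentityResult(False, f"no certificate identity matches {domain}")


def https_style_match(domain: str, pattern: str) -> bool:
    """Contrast: RFC 6125 s6.4.3 lets '*' stand for one whole left-most label."""
    domain, pattern = domain.lower(), pattern.lower()
    if not pattern.startswith("*."):
        return domain == pattern
    return domain.count(".") == pattern.count(".") and domain.endswith(pattern[1:])


def should_abort(result: IdentityResult, verify_server: bool) -> bool:
    """Models what the replies report: the mismatch is logged either way, but the
    TLS session is only torn down when the transport has verify_server=yes."""
    return verify_server and not result.matched
```

Running `match_sip_identity` against a constructed `*.` name shows the wildcard rejected where `https_style_match` would accept it, and `should_abort` shows why a transport with verify_server=no still completes the call.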

  • Thank you everyone for your help and comments with this.

    I can’t explain this but it has now started working. I had no luck with tlsv1 or tlsv1_2 but using sslv23 does work.

    The strange thing is, I tried that before and it DIDN’T work. I’m not sure why.

    Apologies for my delay in responding to this – I’ve been snowed under with other work and have only just been given a clear day to focus on these issues.


    Cheers, Kingsley.