I know I've bumped this already now, but I do need to resolve this and
I've only been replying to myself.
I've tried another client now (Jitsi), which was the only one with
TLS/SRTP support that will run on FreeBSD, and it suffers the same problem.
I am very confused now as to why the only client that is demonstrated in
the docs is Blink and is the only client to support a client
certificate. Is this the only way that this works - to have a server
_and_ a client certificate? Is this the source of the problem? Does this
mean Asterisk is broken in this regard?
On 06/13/11 10:44, Da Rock wrote:
I'm still no further advanced on this, but I think I have narrowed it
down to TLS. I have SIP debug logs which show that the server cannot
contact the TLS-enabled phone at the same time this error crops up.
The log says "calling <user>" and then the error.
With TLS disabled, though, SRTP still doesn't work either. I
have no knowledge of how to move forward on this, so some pointers
would be very much appreciated.
On 06/07/11 12:11, Da Rock wrote:
I'm having trouble setting up TLS/SRTP secure communications on my
Asterisk server - I'm still rather new at working with Asterisk.
I have enabled TLS and encryption and I have CSipSimple with TLS
build on the phone. I'm currently only testing one phone with this
capability so far, and the rest still work in the current state.
My logging looks like this with verbose turned up:
[Jun 7 11:44:13] NOTICE[88483]: chan_sip.c:19842
handle_response_peerpoke: Peer '<user>' is now Reachable. (171ms /
2000ms)
[Jun 7 11:46:17] NOTICE[88483]: chan_sip.c:25072 sip_poke_noanswer:
Peer '<user>' is now UNREACHABLE! Last qualify: 203
[Jun 7 11:46:29] NOTICE[88483]: chan_sip.c:19842
handle_response_peerpoke: Peer '<user>' is now Reachable. (1888ms /
2000ms)
When I call on this phone I get:
[Jun 7 11:40:47] WARNING[88483]: chan_sip.c:3280 __sip_xmit:
sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2:
Invalid argument
[Jun 7 11:41:01] WARNING[88483]: chan_sip.c:3280 __sip_xmit:
sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2:
Invalid argument
[Jun 7 11:41:15] WARNING[88483]: chan_sip.c:3280 __sip_xmit:
sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2:
Invalid argument
[Jun 7 11:41:29] WARNING[88483]: chan_sip.c:3280 __sip_xmit:
sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2:
Invalid argument
-- Registered SIP '<user>' at 192.168.0.200:57805
[Jun 7 11:41:31] NOTICE[88483]: chan_sip.c:19842
handle_response_peerpoke: Peer '<user>' is now Reachable. (10ms /
2000ms)
When I call from another phone I get:
[Jun 7 11:55:30] NOTICE[88483]: chan_sip.c:25072 sip_poke_noanswer:
Peer '<tls user>' is now UNREACHABLE! Last qualify: 13
-- SIP/<tls user>-00000024 is circuit-busy
== Everyone is busy/congested at this time (1:0/1/0)
-- Auto fallthrough, channel 'SIP/<user>-00000023' status is
'CONGESTION'
[Jun 7 11:56:22] WARNING[88483]: chan_sip.c:3280 __sip_xmit:
sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:45931 returned -2:
Interrupted system call
and eventually:
[Jun 7 11:57:46] WARNING[88483]: chan_sip.c:3280 __sip_xmit:
sip_xmit of 0x2cefb000 (len 599) to 192.168.0.200:45931 returned -2:
Unknown error: 0
I'm using my own CA setup for purposes beyond just this need, so I'm
using openssl commands directly and everything works elsewhere, so my
CA setup is fine (includes SAN).
My config for TLS/SRTP looks like this (remember, the rest works very
happily):
[global]
encryption = yes
tlsenable = yes
tlsbindaddr = 0.0.0.0
tlscertfile = /path/to/asterisk/certificate/and/key/in/a/single/file
tlscafile = /path/to/CA/certificate
tlscipher = ALL
tlsclientmethod = tlsv1
[tls user]
transport = tls
Can someone give me any clues to what is happening? I've checked my
packet flow with tcpdump and wireshark as well, but I'm still left
mystified.
Cheers
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
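
A log-triage helper for the chan_sip messages quoted in this thread, as an added example that is not part of the original posts: it counts sip_xmit failures per destination and lists failed destinations that match no address seen in a "Registered SIP" line. The sample lines are rejoined from the wrapped log output above; the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Sample input: log lines rejoined from the wrapped output quoted in the thread.
SAMPLE_LOG = """\
[Jun 7 11:40:47] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2: Invalid argument
[Jun 7 11:41:29] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2: Invalid argument
    -- Registered SIP '<user>' at 192.168.0.200:57805
[Jun 7 11:41:31] NOTICE[88483]: chan_sip.c:19842 handle_response_peerpoke: Peer '<user>' is now Reachable. (10ms / 2000ms)
[Jun 7 11:56:22] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:45931 returned -2: Interrupted system call
"""

# Patterns follow the message layout shown in the thread (IPv4 host:port).
XMIT_RE = re.compile(r"sip_xmit of \S+ \(len \d+\) to (\S+?):(\d+) returned (-?\d+): (.+)$")
REG_RE = re.compile(r"Registered SIP '([^']+)' at (\S+?):(\d+)")


def triage(log_text):
    """Return (failure counts keyed by (host, port, error),
    latest registered contact per peer,
    failed destinations that match no registered contact)."""
    failures = Counter()
    contacts = {}
    for line in log_text.splitlines():
        m = XMIT_RE.search(line)
        if m:
            host, port, _rc, err = m.groups()
            failures[(host, int(port), err.strip())] += 1
            continue
        m = REG_RE.search(line)
        if m:
            peer, host, port = m.groups()
            contacts[peer] = (host, int(port))  # a later line overwrites an earlier one
    known = set(contacts.values())
    unmatched = sorted({(h, p) for (h, p, _e) in failures if (h, p) not in known})
    return failures, contacts, unmatched


if __name__ == "__main__":
    failures, contacts, unmatched = triage(SAMPLE_LOG)
    for (host, port, err), n in failures.items():
        print(f"{n}x sip_xmit to {host}:{port} failed: {err}")
    for peer, (host, port) in contacts.items():
        print(f"registered contact for {peer}: {host}:{port}")
    for host, port in unmatched:
        print(f"failed destination matching no registered contact: {host}:{port}")
```

A TLS client connects over TCP from an ephemeral source port, so the registered contact port can change on every reconnect; the third return value shows which failed sends were aimed at a port other than the registered one.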