I know I've bumped this already now, but I do need to resolve this and I've only been replying to myself.

I've tried another client now (Jitsi), which was the only one with tls/srtp support that will run on freebsd, and it suffers the same problem.

I am very confused now as to why the only client that is demonstrated in the docs is Blink, and it is the only client to support a client certificate. Is this the only way that this works, to have a server _and_ a client certificate? Is this the source of the problem? Does this mean asterisk is broken in this regard?


On 06/13/11 10:44, Da Rock wrote:
I'm still no further advanced on this, but I think I have narrowed it down to tls. I have sip debug logs which show that the server cannot contact the tls enabled phone at the same time this error crops up. The log says "calling <user>" and then the error.

With TLS disabled, though, SRTP still doesn't work either. I have no knowledge of how to move forward on this, so some pointers would be very much appreciated.


On 06/07/11 12:11, Da Rock wrote:
I'm having trouble setting up tls/srtp secure communications on my Asterisk server; I'm still rather new at working with Asterisk.

I have enabled tls and encryption and I have csipsimple with the tls build on the phone. I'm currently only testing one phone with this capability so far, and the rest still work in the current state.

My logging looks like this with verbose turned up:

[Jun 7 11:44:13] NOTICE[88483]: chan_sip.c:19842 handle_response_peerpoke: Peer '<user>' is now Reachable. (171ms / 2000ms)
[Jun 7 11:46:17] NOTICE[88483]: chan_sip.c:25072 sip_poke_noanswer: Peer '<user>' is now UNREACHABLE! Last qualify: 203
[Jun 7 11:46:29] NOTICE[88483]: chan_sip.c:19842 handle_response_peerpoke: Peer '<user>' is now Reachable. (1888ms / 2000ms)

When I call on this phone I get:

[Jun 7 11:40:47] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2: Invalid argument
[Jun 7 11:41:01] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2: Invalid argument
[Jun 7 11:41:15] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2: Invalid argument
[Jun 7 11:41:29] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:36129 returned -2: Invalid argument
    -- Registered SIP '<user>' at 192.168.0.200:57805
[Jun 7 11:41:31] NOTICE[88483]: chan_sip.c:19842 handle_response_peerpoke: Peer '<user>' is now Reachable. (10ms / 2000ms)

When I call from another phone I get:

[Jun 7 11:55:30] NOTICE[88483]: chan_sip.c:25072 sip_poke_noanswer: Peer '<tls user>' is now UNREACHABLE! Last qualify: 13
    -- SIP/<tls user>-00000024 is circuit-busy
  == Everyone is busy/congested at this time (1:0/1/0)
    -- Auto fallthrough, channel 'SIP/<user>-00000023' status is 'CONGESTION'
[Jun 7 11:56:22] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2c992000 (len 599) to 192.168.0.200:45931 returned -2: Interrupted system call

and eventually:

[Jun 7 11:57:46] WARNING[88483]: chan_sip.c:3280 __sip_xmit: sip_xmit of 0x2cefb000 (len 599) to 192.168.0.200:45931 returned -2: Unknown error: 0

I'm using my own CA setup for purposes beyond just this need, so I'm using openssl commands directly and everything works elsewhere, so my CA setup is fine (includes SAN).

My config for tls/srtp looks like this (remember, the rest works very happily):

[global]
encryption      = yes
tlsenable       = yes
tlsbindaddr     = 0.0.0.0
tlscertfile     = /path/to/asterisk/certificate/and/key/in/a/single/file
tlscafile       = /path/to/CA/certificate
tlscipher       = ALL
tlsclientmethod = tlsv1

[tls user]
transport       = tls

Can someone give me any clues to what is happening? I've checked my packet flow with tcpdump and wireshark as well, but I'm still left mystified.

Cheers

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
              http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users
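The sip.conf fragment above expects tlscertfile to hold the server certificate and its private key in one file, and tlscafile to hold the CA the phones trust. The script below is an added diagnostic, not from the thread or from the Asterisk project: it checks those two files for the three things that commonly break a SIP-over-TLS handshake (missing key, key that does not match the certificate, certificate that does not chain to the CA). The CA, certificate, and paths it creates are constructed throwaway test material.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): check that the files named by
# sip.conf's tlscertfile and tlscafile are what chan_sip needs before
# blaming the client.  Paths and names below are constructed examples.
set -eu

# check_tls_material CERTKEY_FILE CA_FILE -> returns 0 if usable, 1 if not
check_tls_material() {
    certkey=$1; ca=$2
    # tlscertfile must carry the server certificate AND its private key
    grep -q 'BEGIN CERTIFICATE' "$certkey" \
        || { echo "no certificate in $certkey"; return 1; }
    grep -Eq 'BEGIN (RSA |EC )?PRIVATE KEY' "$certkey" \
        || { echo "no private key in $certkey"; return 1; }
    # the key must belong to that certificate (compare derived public keys)
    certpub=$(openssl x509 -in "$certkey" -noout -pubkey)
    keypub=$(openssl pkey -in "$certkey" -pubout)
    [ "$certpub" = "$keypub" ] \
        || { echo "private key does not match certificate"; return 1; }
    # the certificate must chain to the CA that the phones are given
    openssl verify -CAfile "$ca" "$certkey" >/dev/null 2>&1 \
        || { echo "certificate does not verify against $ca"; return 1; }
    echo "TLS material in $certkey looks consistent"
}

# make_test_material DIR: constructed throwaway CA and server certificate
# so the check can be exercised offline; never use these in production.
make_test_material() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.pem" -subj "/CN=Constructed Test CA" -days 2 \
        >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/srv.key" \
        -out "$d/srv.csr" -subj "/CN=pbx.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/srv.crt" -days 1 >/dev/null 2>&1
    # the combined file is what tlscertfile points at
    cat "$d/srv.crt" "$d/srv.key" > "$d/asterisk.pem"
    # a broken variant: certificate paired with the wrong private key
    cat "$d/srv.crt" "$d/ca.key" > "$d/mismatched.pem"
}

tmp=$(mktemp -d)
make_test_material "$tmp"
check_tls_material "$tmp/asterisk.pem" "$tmp/ca.pem"
check_tls_material "$tmp/mismatched.pem" "$tmp/ca.pem" || true
rm -rf "$tmp"
```

Point check_tls_material at the real tlscertfile and tlscafile paths on the PBX; a failure there is a server-side problem to fix before looking at the phone's settings.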