On 7/6/19 10:40 AM, Michael Maier wrote:
> On 05.07.19 at 22:02 hw wrote:
>>
>> openssl verify -CAfile ca.pem asterisk.pem
>> asterisk.pem: OK
>>
>>
>> When I set tlsdontverifyserver=yes, it works (i.e. asterisk registers
>> to the SIP provider and there is no error message). Otherwise I'm
>> getting the error message and asterisk does not register.
>>
>> Reading the comments in sip.conf.sample, I would assume that asterisk
>> cannot verify the certificate of the SIP provider. Yet
>>
>>
>> openssl s_client -connect secure.sip.easybell.de:5061
>
> You know that you don't need your own certificate to connect via tls to the ISP?

No, I didn't know that. However, there are local clients connecting to
asterisk using encryption, so I suppose my own certificate is required.

> To be able to verify the certificate of the ISP, asterisk has to know the
> local CA database. For CentOS 7, this is /etc/pki/tls/certs/ca-bundle.crt.

How did you know I'm doing this on CentOS? :)

Setting 'tlscapath' to /etc/pki or to /etc/pki/ca-trust/source/ didn't
seem to make a difference, so I figured that this might be figured out
automatically since 'openssl s_client ...' apparently does figure it out
automatically. There is much figuring involved for the wanting of clear
documentation ...

Now I've set 'tlscafile=/etc/pki/tls/certs/ca-bundle.crt' on the asterisk
at work, but that one didn't have issues with certificates after I made a
new one. I'll try the same at home when I get back to see if it makes a
difference.

Is 'tlscafile' the correct option for this?

-- 
asterisk-users mailing list
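
An added example, not part of the original message: a Python check of how a path would behave as an OpenSSL CAfile or CApath, assuming Asterisk hands 'tlscafile' and 'tlscapath' to OpenSSL unchanged. `classify_ca_source` and its result labels are hypothetical names; the point shown is that a CApath directory is searched only for files named by subject hash (`<hash>.<n>`), never recursively.

```python
import os
import re

PEM_MARK = "-----BEGIN CERTIFICATE-----"
# OpenSSL CApath lookups open <8-hex-digit subject hash>.<n> directly in the directory.
HASHED = re.compile(r"^[0-9a-f]{8}\.\d+$")


def count_pem_certs(path):
    """Number of PEM certificate blocks in a file (0 if unreadable)."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read().count(PEM_MARK)
    except OSError:
        return 0


def classify_ca_source(path):
    """Return (kind, count) for a candidate CA path.

    'bundle'       file with PEM certificates (usable as CAfile / tlscafile)
    'hashed-dir'   directory with hash-named certs (usable as CApath / tlscapath)
    'unhashed-dir' directory whose certs sit under other names or in
                   subdirectories, so a CApath lookup finds none of them
    'unusable'     anything else
    """
    if os.path.isfile(path):
        n = count_pem_certs(path)
        return ("bundle", n) if n else ("unusable", 0)
    if not os.path.isdir(path):
        return ("unusable", 0)
    hashed = [f for f in os.listdir(path)
              if HASHED.match(f) and count_pem_certs(os.path.join(path, f))]
    if hashed:
        return ("hashed-dir", len(hashed))
    # Walk subdirectories only to report what a CApath lookup would miss.
    stray = sum(1 for root, _dirs, files in os.walk(path) for f in files
                if count_pem_certs(os.path.join(root, f)))
    return ("unhashed-dir", stray) if stray else ("unusable", 0)


if __name__ == "__main__":
    # Paths quoted in the thread; results depend on the local system.
    for p in ("/etc/pki/tls/certs/ca-bundle.crt", "/etc/pki"):
        print(p, classify_ca_source(p))
```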