On 06.07.19 at 12:16 hwilmer wrote:
> On 7/6/19 10:40 AM, Michael Maier wrote:
>> On 05.07.19 at 22:02 hw wrote:
>>>
>>> openssl verify -CAfile ca.pem asterisk.pem
>>> asterisk.pem: OK
>>>
>>>
>>> When I set tlsdontverifyserver=yes, it works (i. e. asterisk registers
>>> to the SIP provider and there is no error message). Otherwise I'm
>>> getting the error message and asterisk does not register.
>>>
>>> Reading the comments in sip.conf.sample, I would assume that asterisk
>>> can not verify the certificate of the SIP provider. Yet
>>>
>>>
>>> openssl s_client -connect secure.sip.easybell.de:5061
>> I'm using easybell via tls, too - but with pjsip - I had never any problem.
>>
>> You know that you don't need an own certificate to connect via tls to the
>> ISP?
>
> No, I didn't know that. However, there are local clients connecting to
> asterisk using encryption, so I suppose my own certificate is required.

That's true - but why do you need encryption on your own LAN? Just for fun or
are there any particular requirements?

>> To be able to verify the certificate of the ISP, asterisk has to know the
>> local CA database. For CentOS 7, this is /etc/pki/tls/certs/ca-bundle.crt.
>
> How did you know I'm doing this on Centos? :)

This was just meant as an example - chance :-)

> Setting 'tlscapath' to /etc/pki or to /etc/pki/ca-trust/source/ didn't seem to

I'm sorry - I don't know how to handle ca bundles with chan_sip. With pjsip it's
ca_list_file=/etc/pki/tls/certs/ca-bundle.crt in pjsip.transports.conf.

Michael
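
Added example, not part of the thread: the message above names a CA bundle file, while the quoted reply points 'tlscapath' at a directory, and OpenSSL treats those as two different trust sources. The script builds a throwaway CA and leaf certificate (all names constructed) and shows that the bundle verifies via -CAfile, while a directory works as -CApath only once it holds `<subject-hash>.0` links. That chan_sip hands tlscapath to OpenSSL as such a directory is an assumption here.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and leaf; subjects and file names are made up.
set -eu

make_pki() {  # $1 = empty work dir
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/leaf.pem" 2>/dev/null
}

# Print "ok" or "fail" for: openssl verify <trust option> <trust source> <cert>
verify_with() {  # $1 = -CAfile | -CApath, $2 = file or dir, $3 = cert
    if openssl verify "$1" "$2" "$3" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Add the <subject-hash>.0 link that a CApath lookup searches for
hash_link() {  # $1 = CA cert inside the directory, $2 = directory
    h=$(openssl x509 -noout -subject_hash -in "$1")
    ln -sf "$(basename "$1")" "$2/$h.0"
}

demo() {
    work=$(mktemp -d)
    mkdir "$work/capath"
    make_pki "$work"
    cp "$work/ca.pem" "$work/capath/ca.pem"
    # 1. bundle file as -CAfile, 2. plain directory, 3. same directory hashed
    bundle=$(verify_with -CAfile "$work/ca.pem" "$work/leaf.pem")
    plain=$(verify_with -CApath "$work/capath" "$work/leaf.pem")
    hash_link "$work/capath/ca.pem" "$work/capath"
    hashed=$(verify_with -CApath "$work/capath" "$work/leaf.pem")
    rm -rf "$work"
    echo "bundle=$bundle plain_dir=$plain hashed_dir=$hashed"
}

demo
```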