Re: [Linphone-users] TLS handshake failiure
From: Trent Creekmore
Subject: Re: [Linphone-users] TLS handshake failiure
Date: Tue, 7 Sep 2021 16:22:18 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
Well, SSL is used for HTTPS.
In FreePBX there is a Certificate manager which allows the use of
certificates not only for SSL in the PBX web interface, but also
for TLS in SIP.
As I have mentioned, when I first set up this TLS connection some months
ago, it was connecting. The certificate is still valid.
I did not mention I am using the Android client.
Here is more of the log (redacted a bit):
2021-09-07 14:06:08:999 [org.linphone/belle-sip] MESSAGE Trying to connect to [TLS://::ffff:2myIP Address:5061]
2021-09-07 14:06:09:078 [org.linphone/belle-sip] MESSAGE Channel [0x784aec40]: Connected at TCP level, now doing TLS handshake with cname=pbx,domain
2021-09-07 14:06:09:079 [org.linphone/belle-sip] MESSAGE Channel [0x784aec40]: SSL handshake in progress...
2021-09-07 14:06:09:180 [org.linphone/belle-sip] MESSAGE Found certificate depth=[0], flags=[not-trusted ]:
cert. version : 3
serial number : 82:C5:42:9A:10:CA:4F:D1:A6:D8:D1:63:A4:64:78:AA
issuer name : C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
subject name : CN=pbx.domain
issued on : 2021-05-11 00:00:00
expires on : 2022-06-11 23:59:59
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
subject alt name :
dNSName : pbx.domain
dNSName : www.pbx.domain
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
certificate policies : ???, ???
2021-09-07 14:06:09:181 [org.linphone/belle-sip] ERROR Channel [0x784aec40]: SSL handshake failed : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
2021-09-07 14:06:09:181 [org.linphone/belle-sip] ERROR Cannot connect to [TLS://pbx.domain:5061]
2021-09-07 14:06:09:181 [org.linphone/belle-sip] MESSAGE channel[0x784aec40]: entering state ERROR
-----Original Message-----
From: Linphone-users <linphone-users-bounces+trent=lindows.org@nongnu.org> On Behalf Of Dennis Filder
Sent: Tuesday, September 7, 2021 4:06 PM
To: linphone-users@nongnu.org
Subject: [Linphone-users] TLS handshake failiure
On Tue, Sep 07, 2021 at 02:24:41PM -0500, Trent Creekmore wrote:
> Got a valid certificate from Sectigo, and the same certificate is
> being used for SSL access to the PBX. I was able to connect via TLS
> shortly after installing the certificate, but unable to connect now.
You could be a bit more precise here: Do you mean you also use it for HTTPS?
> Using it in FreePBX, and also turned off the "Verify Client" and
> "Verify Server."
> "2021-09-07 14:06:10:860 [org.linphone/belle-sip] ERROR Channel [0x784ae480]: SSL handshake failed : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed"
> Version is 4.5.1
Do you have the Sectigo CA certificate in your CA store(s)? Linphone
uses whatever is configured in linphonerc under section "[sip]" with the
key "root_ca" (on my system the value is "/etc/ssl/certs").
If adding that doesn't make it work you've got many hours of looking at
output of openssl's s_client ahead of you. Common issues:
* someone doesn't send the intermediate certificates
* interoperability issues (rare, but possible)
* using a self-signed certificate (probably irrelevant here)
Good luck.
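
Added example (not part of the original messages and not Linphone code): a small triage script that reads a belle-sip certificate dump like the one in this thread and maps it to the checks listed above. It assumes unwrapped log lines; the host name `pbx.example.test` is a placeholder, and the `leaf-only-untrusted` rule is a heuristic assumption, not documented Linphone behaviour.

```python
import re
from datetime import datetime

# Constructed sample modelled on the log in this thread (lines unwrapped, host is a placeholder).
SAMPLE_LOG = """\
2021-09-07 14:06:09:078 [org.linphone/belle-sip] MESSAGE Channel [0x784aec40]: Connected at TCP level, now doing TLS handshake with cname=pbx.example.test
2021-09-07 14:06:09:180 [org.linphone/belle-sip] MESSAGE Found certificate depth=[0], flags=[not-trusted ]:
issuer name : C=GB, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
subject name : CN=pbx.example.test
expires on : 2022-06-11 23:59:59
dNSName : pbx.example.test
2021-09-07 14:06:09:181 [org.linphone/belle-sip] ERROR Channel [0x784aec40]: SSL handshake failed : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
"""
STAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d):\d+ ")
FOUND = re.compile(r"Found certificate depth=\[(\d+)\], flags=\[([^\]]*)\]")
FIELD = re.compile(r"^\s*([A-Za-z. ]+?)\s*:\s*(.*)$")
FMT = "%Y-%m-%d %H:%M:%S"

def parse(log):
    """Return (TLS target name, list of certificate dicts) from log text."""
    target, certs, cur, now = None, [], None, None
    for line in log.splitlines():
        if m := STAMP.match(line):          # a timestamped line ends any cert dump
            now, cur = datetime.strptime(m.group(1), FMT), None
            if "cname=" in line:
                target = line.rsplit("cname=", 1)[1].strip()
            if f := FOUND.search(line):
                cur = {"depth": int(f.group(1)), "flags": f.group(2).split(), "seen": now}
                certs.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            cur.setdefault(m.group(1), []).append(m.group(2))  # fields kept as lists
    return target, certs

def triage(log):
    """List what to check first for each certificate the log shows."""
    target, certs = parse(log)
    findings = []
    for c in certs:
        exp = c.get("expires on")
        if exp and datetime.strptime(exp[0], FMT) < c["seen"]:
            findings.append("expired")
        # Exact match only; wildcard SAN entries are not handled here.
        if c["depth"] == 0 and target and target not in c.get("dNSName", []):
            findings.append("name-mismatch")
        if "not-trusted" in c["flags"]:
            if (iss := c.get("issuer name")) and iss == c.get("subject name"):
                findings.append("self-signed")
            elif len(certs) == 1:   # heuristic (assumption): only the leaf was logged
                findings.append("leaf-only-untrusted: check root_ca and server intermediates")
    return findings
```

On the sample, `triage(SAMPLE_LOG)` returns only the `leaf-only-untrusted` finding: the certificate is in date and matches the name, so the trust store and the chain the server sends are the things left to check.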