For more information: https://wiki.asterisk.org/wiki/display/AST/SIP+TLS+Transport

The recommended cipher list for tlscipher:

```
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256
```

There are issues: voip.ms, for example, does not support PFS, so if you're connecting to voip.ms you need to add the following (non-PFS) suites to the cipher list:

`AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA`

Getting verification of the remote server is a little tricky. For example, FreeBSD 11's ca_root_nss package puts a single file in /usr/local/share/certs/ca-root-nss.crt. This is not the format Asterisk needs it to be in. To make things work, first split the file into individual PEM files, using:

```
awk 'BEGIN {c=0} /^Certificate:/{c++; p=1} p==1 { fname="cert." c ".pem"; print > fname} /END CERT/ {p = 0 }' < ca-root-nss.crt
```

Then you can hash them, using OpenSSL's `c_rehash .`. After doing the above, you can point tlscapath to this directory, and the remote server should verify fine.

Error messages:

`Certificate did not verify: unable to get local issuer certificate`

This means that you didn't set up the tlscapath properly. Follow the above instructions.

`Problem setting up ssl connection: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher`

This likely means that the list of ciphers in tlscipher does not match the server. To figure out which cipher might be missing, you can use [testssl.sh](https://testssl.sh) with the -e option, e.g. `testssl.sh -e hostname:5061`, to list the ciphers the server supports.