1.9 KiB
For more information: https://wiki.asterisk.org/wiki/display/AST/SIP+TLS+Transport
The recommended cipher list for tlscipher:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256
There are issues, like voip.ms does not support PFS, so if you’re connecting to voip.ms, you need to add: AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA to the cipher list.
Getting verification of the remote server is a little tricky. For example, FreeBSD 11’s ca_root_nss package puts a single file in /usr/local/share/certs/ca-root-nss.crt. This is not the format the asterisk needs it to be in. To make things work, first split the file out into individual PEM files, using:
awk 'BEGIN {c=0} /^Certificate:/{c++; p=1} p==1 { fname="cert." c ".pem"; print > fname} /END CERT/ {p = 0 }' < ca-root-nss.crt
Then you can hash them, using OpenSSL’s c_rehash ..
After doing the above, you can point tlscapath to this directory, and remote server should verify fine.
Error messages: Certificate did not verify: unable to get local issuer certificate This means that you didn’t setup thetlscapath properly. Follow the above instructions.
Problem setting up ssl connection: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
This likely means that the list of ciphers in tlscipher does not match the server. To figure out what cipher might be missing, you can use testssl.sh with the -e option, e.g. testssl.sh -e hostname:5061, to figure out what ciphers are supported.