
Asterisk 16/FreePBX 15 SSL_ERROR_SSL (Handshake)

Asterisk problems without web GUIs and their solutions

Moderators: april22, Zavr2008

imax57
Posts: 6
Joined: 15 Oct 2020, 22:43

Asterisk 16/FreePBX 15 SSL_ERROR_SSL (Handshake)

Post by imax57 »

Hello.

I installed Asterisk 16.9.0 from source on CentOS 8, plus FreePBX 15. Overall I have no complaints and everything works, but I cannot get a softphone to connect over TLS.

- The certificate is from Let's Encrypt, installed through FreePBX Certificate Management.
- openssl s_client -connect 127.0.0.1:5061 shows everything correctly
- A certificate with the softphone's extension number has been generated in /etc/asterisk/keys

When the softphone tries to register, the following appears in the Asterisk log:
[2020-10-15 22:33:22] WARNING[1963473]: pjproject: <?>:SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337678594> <SSL routines-tls_early_post_process_client_hello-unsupported protocol> len: 0 peer: 10.120.15.11:49918

How do I diagnose the problem?
Vlad1983
Posts: 4251
Joined: 09 Aug 2011, 11:51

Re: Asterisk 16/FreePBX 15 SSL_ERROR_SSL (Handshake)

Post by Vlad1983 »

Capture the traffic with tcpdump and look in Wireshark at what the server can do and what the client wants.
PM: @rostel
imax57
Posts: 6
Joined: 15 Oct 2020, 22:43

Re: Asterisk 16/FreePBX 15 SSL_ERROR_SSL (Handshake)

Post by imax57 »

Vlad1983 wrote: Capture the traffic with tcpdump and look in Wireshark at what the server can do and what the client wants.
I captured from the moment I pressed register. I tried two clients: a SIP client (Телефон) on macOS and Bria on iOS.

After the softphone IP comes the router's NAT, and the PBX is on an external address with only SIP-TLS 5061 open:

Code:

[root@ooeweb20 /]# tcpdump -vvv -nn -i enp5s0.2801 src host [softphone-ip]
tcpdump: listening on enp5s0.2801, link-type EN10MB (Ethernet), capture size 262144 bytes
23:24:58.053496 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    [softphone-ip].50578 > [pbx-ip].5061: Flags [S], cksum 0xf8f8 (correct), seq 3248289585, win 65535, options [mss 1400,nop,wscale 5,nop,nop,TS val 115313495 ecr 0,sackOK,eol], length 0
23:24:58.073906 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    [softphone-ip].50578 > [pbx-ip].5061: Flags [.], cksum 0xc688 (correct), seq 3248289586, ack 3924046983, win 4120, options [nop,nop,TS val 115313514 ecr 1715985684], length 0
23:24:58.082551 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 257)
    [softphone-ip].50578 > [pbx-ip].5061: Flags [P.], cksum 0x2061 (correct), seq 0:205, ack 1, win 4120, options [nop,nop,TS val 115313522 ecr 1715985684], length 205
23:24:58.102933 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    [softphone-ip].50578 > [pbx-ip].5061: Flags [.], cksum 0xc57c (correct), seq 205, ack 8, win 4120, options [nop,nop,TS val 115313541 ecr 1715985713], length 0
23:24:58.102992 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    [softphone-ip].50578 > [pbx-ip].5061: Flags [.], cksum 0xc57a (correct), seq 205, ack 9, win 4120, options [nop,nop,TS val 115313541 ecr 1715985714], length 0
23:24:58.103071 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    [softphone-ip].50578 > [pbx-ip].5061: Flags [F.], cksum 0xc579 (correct), seq 205, ack 9, win 4120, options [nop,nop,TS val 115313541 ecr 1715985714], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@ooeweb20 /]# 
On the local network:

Code:

[root@ooeweb20 /]# tcpdump -vvv -nn -i enp6s0 src host 10.120.15.42
tcpdump: listening on enp6s0, link-type EN10MB (Ethernet), capture size 262144 bytes
23:23:57.724378 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 64)
    10.120.15.42.54224 > 10.0.0.5.5061: Flags [S], cksum 0x545b (correct), seq 649363345, win 65535, options [mss 1418,nop,wscale 6,nop,nop,TS val 598347167 ecr 0,sackOK,eol], length 0
23:23:57.732699 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    10.120.15.42.54224 > 10.0.0.5.5061: Flags [.], cksum 0x289d (correct), seq 649363346, ack 3427909858, win 2065, options [nop,nop,TS val 598347195 ecr 1720414055], length 0
23:23:57.737735 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 268)
    10.120.15.42.54224 > 10.0.0.5.5061: Flags [P.], cksum 0x5062 (correct), seq 0:216, ack 1, win 2065, options [nop,nop,TS val 598347196 ecr 1720414055], length 216
23:23:57.741752 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    10.120.15.42.54224 > 10.0.0.5.5061: Flags [.], cksum 0x27a9 (correct), seq 216, ack 8, win 2064, options [nop,nop,TS val 598347202 ecr 1720414070], length 0
23:23:57.741784 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    10.120.15.42.54224 > 10.0.0.5.5061: Flags [.], cksum 0x27a8 (correct), seq 216, ack 9, win 2064, options [nop,nop,TS val 598347202 ecr 1720414070], length 0
23:23:57.742938 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto TCP (6), length 52)
    10.120.15.42.54224 > 10.0.0.5.5061: Flags [F.], cksum 0x27a6 (correct), seq 216, ack 9, win 2064, options [nop,nop,TS val 598347203 ecr 1720414070], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@ooeweb20 /]# 
Vlad1983
Posts: 4251
Joined: 09 Aug 2011, 11:51

Re: Asterisk 16/FreePBX 15 SSL_ERROR_SSL (Handshake)

Post by Vlad1983 »

Console output won't help at all.
Write to a file with the -w option.
The src filter is not needed, since all packets matter, both from the host and to it.
PM: @rostel
ded
Posts: 15620
Joined: 26 Aug 2010, 19:00

Re: Asterisk 16/FreePBX 15 SSL_ERROR_SSL (Handshake)

Post by ded »

max57, there is no need to quote the previous message.
The [DF] flag means defragment, i.e. the packet is being fragmented; that is not very good, and for a local network it is strange.
http://asterisk.ru/knowledgebase/debug
imax57
Posts: 6
Joined: 15 Oct 2020, 22:43

Re: Asterisk 16/FreePBX 15 SSL_ERROR_SSL (Handshake)

Post by imax57 »

I'll try looking at what tcpdump writes to a file, but for now here is what Wireshark showed at the moment the softphone registered over TLS. Two packets:
38 7.280651 10.120.15.11 [PBX IP] TLSv1.2 271 Client Hello
39 7.301996 [PBX IP] 10.120.15.11 TLSv1.2 73 Alert (Level: Fatal, Description: Protocol Version)

The TLS section of these packets in detail.
Packet 38:

Code:

Frame 38: 271 bytes on wire (2168 bits), 271 bytes captured (2168 bits) on interface en0, id 0
Ethernet II, Src: Apple_1c:e7:73 (c8:2a:14:1c:e7:73), Dst: Routerbo_bd:a3:6d (6c:3b:6b:bd:a3:6d)
Internet Protocol Version 4, Src: 10.120.15.11, Dst: [PBX IP]
Transmission Control Protocol, Src Port: 50850, Dst Port: 5061, Seq: 1, Ack: 1, Len: 205
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 200
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 196
            Version: TLS 1.2 (0x0303)
            Random: 6bf4fe0c3ba36827de024f000a398f4410e527bba3523051…
                GMT Unix Time: May 25, 2027 07:05:32.000000000 MSK
                Random Bytes: 3ba36827de024f000a398f4410e527bba352305180e9c647…
            Session ID Length: 0
            Cipher Suites Length: 76
            Cipher Suites (38 suites)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
                Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
                Cipher Suite: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xccaa)
                Cipher Suite: Unknown (0xff85)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c4)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                Cipher Suite: TLS_GOSTR341001_WITH_28147_CNT_IMIT (0x0081)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c0)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00be)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00ba)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 79
            Extension: server_name (len=25)
                Type: server_name (0)
                Length: 25
                Server Name Indication extension
                    Server Name list length: 23
                    Server Name Type: host_name (0)
                    Server Name length: 20
                    Server Name: pbx.oreloblenergo.ru
            Extension: ec_point_formats (len=2)
                Type: ec_point_formats (11)
                Length: 2
                EC point formats Length: 1
                Elliptic curves point formats (1)
                    EC point format: uncompressed (0)
            Extension: supported_groups (len=8)
                Type: supported_groups (10)
                Length: 8
                Supported Groups List Length: 6
                Supported Groups (3 groups)
                    Supported Group: x25519 (0x001d)
                    Supported Group: secp256r1 (0x0017)
                    Supported Group: secp384r1 (0x0018)
            Extension: session_ticket (len=0)
                Type: session_ticket (35)
                Length: 0
                Data (0 bytes)
            Extension: signature_algorithms (len=24)
                Type: signature_algorithms (13)
                Length: 24
                Signature Hash Algorithms Length: 22
                Signature Hash Algorithms (11 algorithms)
                    Signature Algorithm: rsa_pss_rsae_sha512 (0x0806)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (6)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                        Signature Hash Algorithm Hash: SHA512 (6)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pss_rsae_sha384 (0x0805)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (5)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
                        Signature Hash Algorithm Hash: Unknown (8)
                        Signature Hash Algorithm Signature: Unknown (4)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: ECDSA (3)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: ecdsa_sha1 (0x0203)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: ECDSA (3)
Packet 39:

Code:

Frame 39: 73 bytes on wire (584 bits), 73 bytes captured (584 bits) on interface en0, id 0
Ethernet II, Src: Routerbo_bd:a3:6d (6c:3b:6b:bd:a3:6d), Dst: Apple_1c:e7:73 (c8:2a:14:1c:e7:73)
Internet Protocol Version 4, Src: [PBX IP], Dst: 10.120.15.11
Transmission Control Protocol, Src Port: 5061, Dst Port: 50850, Seq: 1, Ack: 206, Len: 7
Transport Layer Security
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Protocol Version)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Protocol Version (70)
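The two frames above, decoded offline. This is an added example in Python, not code from the thread, from Asterisk or from pjproject. It parses one TLS record at a time, pulls out the fields that decide the outcome (record-layer version, the ClientHello's legacy version, the supported_versions extension when present, SNI) and labels the alert. The ClientHello bytes are constructed with a small builder using the placeholder name pbx.example.invalid; the alert bytes are the seven bytes frame 39 shows (content type 21, version 0x0303, length 2, level 2, description 70). The general rule the parser applies: a client that sends no supported_versions extension, like the softphone here, can speak at most the legacy version in the ClientHello (TLS 1.2), while a TLS 1.3 client keeps 0x0303 there and lists 0x0304 in the extension, so a server that accepts only TLS 1.3 answers the first kind with a fatal protocol_version alert.

```python
import struct

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version",
                      80: "internal_error", 112: "unrecognized_name"}
SNI, SUPPORTED_VERSIONS = 0, 43   # extension type numbers (RFC 6066, RFC 8446)


def version_name(code):
    return TLS_VERSIONS.get(code, "unknown(0x%04x)" % code)


def parse_client_hello(body):
    """Walk a ClientHello and return the fields that matter for a version diagnosis."""
    if body[0] != 1:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len + 4 > len(body):
        raise ValueError("truncated handshake message")
    p = 4
    legacy_version = struct.unpack("!H", body[p:p + 2])[0]
    p += 2 + 32                        # skip the 32-byte Random
    p += 1 + body[p]                   # session id (length-prefixed)
    cs_len = struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + body[p]                   # compression methods (length-prefixed)
    sni, offered = None, []
    if p < hs_len + 4:                 # the extensions block is optional
        ext_len = struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            edata = body[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype == SNI:           # list len(2) + name type(1) + name len(2) + name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
            elif etype == SUPPORTED_VERSIONS:   # len(1) + list of 2-byte versions
                offered = [struct.unpack("!H", edata[i:i + 2])[0]
                           for i in range(1, 1 + edata[0], 2)]
    # No supported_versions: the legacy field is the highest version the client speaks.
    max_version = max(offered) if offered else legacy_version
    return {"type": "client_hello", "legacy_version": version_name(legacy_version),
            "max_version": version_name(max_version), "cipher_suites": len(suites), "sni": sni}


def parse_alert(body):
    level, desc = body[0], body[1]
    return {"type": "alert", "level": {1: "warning", 2: "fatal"}.get(level, "unknown"),
            "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc)}


def parse_record(data):
    """Split one TLS record (5-byte header + payload) and dispatch on content type."""
    ctype, record_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    if ctype == 22:
        rec = parse_client_hello(payload)
    elif ctype == 21:
        rec = parse_alert(payload)
    else:
        raise ValueError("unsupported content type %d" % ctype)
    rec["record_version"] = version_name(record_version)
    return rec


def diagnose(hello, alert):
    """Explain a ClientHello/Alert pair the way a reader of the capture would."""
    if alert.get("description") != "protocol_version":
        return "not a protocol_version failure"
    return ("server sent fatal protocol_version: the client offers at most %s, which is "
            "outside the version range the server is configured to accept" % hello["max_version"])


def build_client_hello(legacy_version, suites, server_name, supported_versions=()):
    """Construct a minimal ClientHello record for offline testing (constructed data)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # version, Random, empty session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"             # suites + one null compression method
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", SNI, len(sni)) + sni
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", SUPPORTED_VERSIONS, len(vs) + 1) + bytes([len(vs)]) + vs
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs    # record version 0x0301, as in frame 38


# Constructed inputs. The alert is byte-for-byte what frame 39 carries.
FATAL_PROTOCOL_VERSION = bytes.fromhex("15 03 03 00 02 02 46")
# A TLS 1.2-only client like the softphone: legacy version 0x0303, no supported_versions.
TLS12_CLIENT_HELLO = build_client_hello(0x0303, [0xc030, 0xc02f, 0x00ff], "pbx.example.invalid")
# A TLS 1.3-capable client keeps legacy 0x0303 and lists the real versions in the extension.
TLS13_CLIENT_HELLO = build_client_hello(0x0303, [0x1302, 0xc030], "pbx.example.invalid",
                                        supported_versions=(0x0304, 0x0303))

if __name__ == "__main__":
    hello, alert = parse_record(TLS12_CLIENT_HELLO), parse_record(FATAL_PROTOCOL_VERSION)
    print(hello, alert, diagnose(hello, alert), sep="\n")
```

To check the server side of the same question, run openssl s_client against the PBX once with -tls1_2 and once with -tls1_3: whichever handshake completes tells you which versions the listener actually accepts, independently of what the FreePBX settings page claims.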
imax57
Posts: 6
Joined: 15 Oct 2020, 22:43

Re: Asterisk 16/FreePBX 15 SSL_ERROR_SSL (Handshake)

Post by imax57 »

Hello.

So far I have found that Asterisk is apparently running on TLSv1.3, while the clients seem to be coming in with TLSv1.0/TLSv1.2. I haven't yet figured out how to configure FreePBX 15 for TLSv1.0/TLSv1.2, since the whole issue is probably the Let's Encrypt certificate, which is pulled in automatically through Certificate Management. If I select TLSv1.0/TLSv1.2 in the FreePBX settings, nothing actually changes. Can anyone say whether the problem is in the certificate? If so, how do I get a certificate for TLSv1.0/TLSv1.2?

Code:

[root@asterisk keys]# openssl s_client -connect pbx.domain.ru:5061
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = pbx.domain.ru
verify return:1
---
Certificate chain
 0 s:CN = pbx.domain.ru
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
 2 s:O = Digital Signature Trust Co., CN = DST Root CA X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = pbx.domain.ru

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4549 bytes and written 438 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: F8BE5F095688796D6127EF193CD7E7E5170A39C4AE48C6807E6A6FA60F6F152E
    Session-ID-ctx: 
    Resumption PSK: C08F0A8121CC299C68EF867851DE8BBDE6E3B69C83FBF9B356AE8C0BF26BBAD0F3687EA4E74C5AB230D5702734952710
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ea b4 10 62 01 58 bf 06-6b 1a d8 c4 1d f3 24 20   ...b.X..k.....$ 
    0010 - a3 30 7d fc 5a 5c 1c a4-a3 48 9e cf e9 36 2e 23   .0}.Z\...H...6.#
    0020 - 2a 32 8d ec c1 11 6a 3f-37 31 ea 31 dd d8 6f 59   *2....j?71.1..oY
    0030 - 87 92 79 fa e3 75 48 76-51 32 5d 8a 7c 8c f0 40   ..y..uHvQ2].|..@
    0040 - c7 8a 0e 52 fe f1 c6 34-fe 2b b3 22 fc 8a f5 c7   ...R...4.+."....
    0050 - 50 fd 66 e8 d6 dd 38 11-55 72 18 90 bd f5 5a ce   P.f...8.Ur....Z.
    0060 - 88 b6 76 fd e2 5b d8 b3-a2 7d 67 84 ea 34 c2 d7   ..v..[...}g..4..
    0070 - 58 f4 66 41 d6 ae c1 f4-68 ac 88 c0 f8 25 25 71   X.fA....h....%%q
    0080 - b8 c1 6b 9c d1 2d 49 0e-a4 82 fa 47 ce 87 20 08   ..k..-I....G.. .
    0090 - a6 21 2f 1a 97 ac a4 14-11 0c c7 ce 4b c7 ed c5   .!/.........K...
    00a0 - 78 ca 5a bd 69 34 98 fd-ca 7e 44 47 34 45 97 b4   x.Z.i4...~DG4E..
    00b0 - 39 6b f0 80 28 c7 05 85-b8 ab 97 3b 1a 32 76 7b   9k..(......;.2v{

    Start Time: 1604437175
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 12AD5BE98764693622EDC4E4CD97F8A85C69B6ABDC8B0B91E8B5F8699CA30AE6
    Session-ID-ctx: 
    Resumption PSK: 901AB9C75E68E8190FD22367BEDC8AC4500A54A74175E771B51DB84DC19BEE70F1EE2DAAF93FCDB26A16FC4BA1447D9F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - ea b4 10 62 01 58 bf 06-6b 1a d8 c4 1d f3 24 20   ...b.X..k.....$ 
    0010 - 6b 3c cc 9f 77 0e fa 9b-3e 75 36 a3 65 1c f5 79   k<..w...>u6.e..y
    0020 - 9e 43 a9 ee 95 da da 54-1d 1a 95 cd 17 2f 9a 91   .C.....T...../..
    0030 - e4 29 97 86 c4 06 e0 c7-05 1c 9b f2 9a 9c d5 aa   .)..............
    0040 - ed 84 f4 e2 0c 8d 6c 0e-84 fe a7 06 cf 46 4a d7   ......l......FJ.
    0050 - 76 00 a1 70 83 61 02 e3-2d 99 0b 9d 89 20 a9 35   v..p.a..-.... .5
    0060 - 39 39 fc a9 67 8c ad 97-25 35 41 ed e8 60 01 63   99..g...%5A..`.c
    0070 - 64 02 d9 46 ed 7b 03 27-91 6a b8 4f 73 d2 11 da   d..F.{.'.j.Os...
    0080 - 15 9a f4 03 3c 36 c0 bf-45 de 0e 66 c1 92 43 f5   ....<6..E..f..C.
    0090 - 16 e9 ac dd 40 a1 30 79-1c 40 1c be 9d 64 ce 07   ....@.0y.@...d..
    00a0 - f2 1e 68 78 b8 20 d4 2e-53 aa 31 60 3b 81 b9 a6   ..hx. ..S.1`;...
    00b0 - b8 35 1f 09 09 f1 d7 3a-dd 8b 37 52 fa f5 6f b5   .5.....:..7R..o.

    Start Time: 1604437175
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK


read:errno=0
[root@asterisk keys]# 
ded
Posts: 15620
Joined: 26 Aug 2010, 19:00

Re: Asterisk 16/FreePBX 15 SSL_ERROR_SSL (Handshake)

Post by ded »

People write that in the chan_sip channel driver the SSL/TLS versions can be controlled with the tlsclientmethod= parameter.
If you use the pjsip channel driver, you have to change the source code of ssl_sock_ossl.c and recompile Asterisk.
This is possible in chan_sip via tlsclientmethod=sslv23 (in chan_sip, the default value) and tlsdisablev1=yes (in chan_sip, SSL 2.0 and SSL 3.0 are disabled on default).

This does not work with chan_pjsip, yet. With chan_pjsip, I see three alternatives:
A) configure/build the whole OpenSSL not to use older versions, or
B) build PJSIP while you define PJ_SSL_SOCK_OSSL_CIPHERS
The latter requires at least OpenSSL 1.1.x and SECLEVEL=3, for example (source). Then, set method=sslv23 and remove any ciphers= in your pjsip.conf, otherwise you remove the level. In the file third-party/pjproject/patches/config_site.h you add:

#define PJ_SSL_SOCK_OSSL_CIPHERS "HIGH:-COMPLEMENTOFDEFAULT@SECLEVEL=3"
Then, make and install your Asterisk again.

C) If level 3 is too high in your scenario and changing OpenSSL is no option either, you have to change the source code of Asterisk (currently 13.27.0): Undo Gerrit 2783 and add:

#define PJSIP_SSL_DEFAULT_PROTO 0xFFF8
to your config_site.h. The last three bits are zero to disable SSL 2.0, SSL 3.0, and TLS 1.0. If you use OpenSSL 1.1 or newer, you have to change the source code of the PJSIP (currently 2.8) as well: remove the line ssl_method = (SSL_METHOD*)TLS_method(); in the file ssl_sock_ossl.c.
imax57
Posts: 6
Joined: 15 Oct 2020, 22:43

Re: Asterisk 16/FreePBX 15 SSL_ERROR_SSL (Handshake)

Post by imax57 »

I switched from pjsip to chan_sip and the problem was solved.
© 2008 — 2024 Asterisk.ru