[Blink] TLS Server Verify not functioning
Dr. Karl Heinz Grube
grube at technikum-wien.at
Fri Mar 20 14:22:59 CET 2020

Hello!

I have an Asterisk server running, and with Linphone and Jami I am able
to verify the TLS certificates, but with Blink it does not work:

pjsip_trace.txt:
[blink 5147] (5) 2020-03-20 12:07:33.353 endpoint Request msg REGISTER/cseq=1 (tdta0x7f648010daf0) created.
[blink 5147] (5) 2020-03-20 12:07:33.353 tsx0x7f648010c .Transaction created for Request msg REGISTER/cseq=1 (tdta0x7f648010daf0)
[blink 5147] (5) 2020-03-20 12:07:33.353 tsx0x7f648010c Sending Request msg REGISTER/cseq=1 (tdta0x7f648010daf0) in state Null
[blink 5147] (5) 2020-03-20 12:07:33.353 sip_resolve.c .Target '10.47.0.14:0' type=TLS resolved to '10.47.0.14:5061' type=TLS (TLS transport)
[blink 5147] (4) 2020-03-20 12:07:33.353 tlsc0x7f648018 .TLS client transport created
[blink 5147] (4) 2020-03-20 12:07:33.353 tlsc0x7f648018 .TLS transport 10.133.0.3:43721 is connecting to 10.47.0.14:5061...
[blink 5147] (5) 2020-03-20 12:07:33.353 tsx0x7f648010c .State changed from Null to Calling, event=TX_MSG
[blink 5147] (3) 2020-03-20 12:07:33.412 tlsc0x7f648018 TLS connect() error: SSL certificate verification error (PJSIP_TLS_ECERTVERIF) [code=171173]
[blink 5147] (3) 2020-03-20 12:07:33.412 tsx0x7f648010c Failed to send Request msg REGISTER/cseq=1 (tdta0x7f648010daf0)! err=171173 (SSL certificate verification error (PJSIP_TLS_ECERTVERIF))
[blink 5147] (5) 2020-03-20 12:07:33.412 tsx0x7f648010c State changed from Calling to Terminated, event=TRANSPORT_ERROR
[blink 5147] (5) 2020-03-20 12:07:33.412 tlsc0x7f648018 TLS send() error, sent=-171173
[blink 5147] (5) 2020-03-20 12:07:33.416 tsx0x7f648010c Timeout timer event
[blink 5147] (5) 2020-03-20 12:07:33.416 tsx0x7f648010c .State changed from Terminated to Destroyed, event=TIMER
[blink 5147] (5) 2020-03-20 12:07:33.416 tsx0x7f648010c Transaction destroyed!
/etc/asterisk/sip.conf:
[general]
context=public
bindaddr=::
tlsbindaddr=::
allowoverlap=yes
externip=(replaced for this email)
localnet=10.0.0.0/255.0.0.0
qualify=yes
qualifyfreq=60
transport=tls,udp
tlsclientmethod=tlsv1.2
tlsenable=yes
udpenable=yes
tcpenable=no
encryption=yes
tlscipher=EDH+aRSA+AES256:EECDH+aRSA+AES256
tlscertfile=(replaced for this email)
tlsprivatekey=(replaced for this email)
rtcachefriends=yes
nat=auto_force_rport,auto_comedia
directmedia=no
subscribecontext=phone-hints
callcounter=yes
videosupport=yes
disallow=all
allow=g722
allow=speex
allow=speex16
allow=speex32
allow=ulaw
allow=alaw
allow=ilbc
allow=gsm
allow=vp8

I use /etc/ssl/certs/ca-certificates as the CA.

Oh, and I used openssl strace and the certificate is valid (with this CA
as well).

-- Karl
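
Added example, not part of the original message: a certificate can chain to a trusted CA and still fail a client's identity check, because openssl only compares the certificate against a name or address when -verify_hostname or -verify_ip is given. The trace above shows the client dialing the IP literal 10.47.0.14, so this offline script runs both checks on a locally generated throwaway certificate; the name pbx.example.test, the file names and the helper functions are assumptions made for the example.

```shell
#!/bin/sh
# Constructed demo: the key, certificate and host name are throwaway values
# generated locally; nothing here comes from the poster's server.
WORK=$(mktemp -d)
CERT="$WORK/cert.pem"

# Self-signed certificate whose only identity is a DNS SAN (no IP SAN).
# pbx.example.test is a hypothetical name chosen for this example.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$CERT" \
        -subj "/CN=pbx.example.test" \
        -addext "subjectAltName=DNS:pbx.example.test" 2>/dev/null
}

# Chain only: "is this certificate issued by a CA I trust?"
check_chain() {
    openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}

# Chain plus identity, for a client that dialed a DNS name.
check_dns() {
    openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

# Chain plus identity, for a client that dialed an IP literal.
check_ip() {
    openssl verify -CAfile "$CERT" -verify_ip "$1" "$CERT" >/dev/null 2>&1
}

report() {
    if "$@"; then echo "PASS  $*"; else echo "FAIL  $*"; fi
}

make_cert
report check_chain
report check_dns pbx.example.test
report check_ip 10.47.0.14   # address from the trace; this cert has no IP SAN
```

Against a live server, the same identity check is available in openssl s_client through -verify_hostname NAME or -verify_ip ADDRESS, together with -CAfile pointing at the CA in use.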