[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Linphone-users] TLS handshake failiure

From: Trent Creekmore
Subject: Re: [Linphone-users] TLS handshake failiure
Date: Tue, 7 Sep 2021 16:22:18 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0

Well, SSL is used for https.

In FreePBX it has a Certificate manager which allows the use of certificates, not only for SSL in the PBX web interface, but also be used for TLS in SIP..

As I have mentioned when first set up this TLS connection some months ago, it was connecting. Certificate still valid.

I did not mention I am using Android client.

Here is more of the log (redacted a bit)

2021-09-07 14:06:08:999 [org.linphone/belle-sip] MESSAGE Trying to connect to [TLS://::ffff:2myIP Address:5061] 2021-09-07 14:06:09:078 [org.linphone/belle-sip] MESSAGE Channel [0x784aec40]: Connected at TCP level, now doing TLS handshake with cname=pbx,domain 2021-09-07 14:06:09:079 [org.linphone/belle-sip] MESSAGE Channel [0x784aec40]: SSL handshake in progress... 2021-09-07 14:06:09:180 [org.linphone/belle-sip] MESSAGE Found certificate depth=[0], flags=[not-trusted ]:
cert. version     : 3
serial number     : 82:C5:42:9A:10:CA:4F:D1:A6:D8:D1:63:A4:64:78:AA
issuer name : C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
subject name      : CN=pbx.domain
issued  on        : 2021-05-11 00:00:00
expires on        : 2022-06-11 23:59:59
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
basic constraints : CA=false
subject alt name  :
    dNSName : pbx.domain
    dNSName : www.pbx.domain
key usage         : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication, TLS Web Client Authentication
certificate policies : ???, ???

2021-09-07 14:06:09:181 [org.linphone/belle-sip] ERROR Channel [0x784aec40]: SSL handshake failed : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed 2021-09-07 14:06:09:181 [org.linphone/belle-sip] ERROR Cannot connect to [TLS://pbx.domain:5061] 2021-09-07 14:06:09:181 [org.linphone/belle-sip] MESSAGE channel[0x784aec40]: entering state ERROR

-----Original Message-----
From: Linphone-users <> On Behalf Of Dennis Filder
Sent: Tuesday, September 7, 2021 4:06 PM
Subject: [Linphone-users] TLS handshake failiure

On Tue, Sep 07, 2021 at 02:24:41PM -0500, Trent Creekmore wrote:
Got a valid certificate from Sectigo, and the same certificate is
being used for SSL access to the PBX. I was able to connect via TLS
shortly after installing the certificate, but unable to connect now.

You could be a bit more precise here: Do you mean you also use it for HTTPS?

Using it in FreePBX, and also turned off the "Verify Client" and
"Verify Server."

"2021-09-07 14:06:10:860 [org.linphone/belle-sip] ERROR Channel
[0x784ae480]: SSL handshake failed : X509 - Certificate verification
failed, e.g. CRL, CA or signature check failed"

Version is 4.5.1

Do you have the Sectigo CA certificate in your CA store(s)? Linphone uses whatever is configured in linphonerc under section "[sip]" with the key "root_ca" (on my system the value is "/etc/ssl/certs").

If adding that doesn't make it work you've got many hours of looking at output of openssl's s_client ahead of you. Common issues:

* someone doesn't send the intermediate certificates
* interoperability issues (rare, but possible)
* using a self-signed certificate (probably irrelevant here)

Good luck.

Linphone-users mailing list

reply via email to

[Prev in Thread] Current Thread [Next in Thread]