TLS:peer not authenticated / TLS-failed
lperezu
Brekeke Addict


Joined: 19 Aug 2013
Posts: 26
Location: Lima

Posted: Wed Mar 04, 2015 12:00 pm    Post subject: TLS:peer not authenticated / TLS-failed

1. Brekeke Product Name and Version:
Brekeke SIP Server 3.3.9.3/379-8

2. Java version:
1.7.0_25

3. OS type and the version:
Linux RedHat 6

4. UA (phone), gateway or other hardware/software involved:
Webrtc2sip

5. Your problem:

What is the cause of this message?
TLS:peer not authenticated;
SIP return code = 603
TLS-failed

In Log File:

tls-listener: reject: incoming: XXX.XXX.XXX.XXX:57531 -> 0.0.0.0:5061: Couldn't create SSL session: SSLSession=[Session-1, SSL_NULL_WITH_NULL_NULL] at 03/05/15 12:24:44.120

I'm making calls from a WebRTC implementation (Webrtc2sip) to an Avaya PBX through Brekeke SIP Server.

Please help me.
james
Brekeke Master Guru


Joined: 10 Dec 2007
Posts: 498

Posted: Fri Mar 13, 2015 3:18 pm

lperezu,

Who sent the SIP packet to the Brekeke SIP Server over TLS?
Is it Webrtc2sip?

If so, you need to install the Brekeke SIP Server's TLS certificate in Webrtc2sip.

Are you using a self-signed certificate?
tcares
Brekeke Junior Member


Joined: 10 Jul 2015
Posts: 8
Location: San Diego

Posted: Wed Jul 15, 2015 2:16 pm

Hi,

I'm running into the same problem. I'm using a Linphone client on my iPhone to try and register with my SIP server. It works fine with UDP, but when I try TLS, I get that "Couldn't create SSL session:" error in the server logs.

In the Linphone client logs, it looks like it recognizes the cert (it is self-signed) but fails on the SSL handshake:

2015-07-15 14:08:48:865 MESSAGE Channel [0x10509c000]: Connected at TCP level, now doing TLS handshake
2015-07-15 14:08:48:869 MESSAGE Channel [0x10509c000]: SSL handshake in progress...
2015-07-15 14:08:48:962 ERROR Channel [0x10509c000]: SSL handshake failed : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed

Maybe this is just a problem with the Linphone client, not sure.

_________________
Tim
snuyzm
Brekeke Talented


Joined: 11 Feb 2015
Posts: 97

Posted: Wed Jul 15, 2015 4:50 pm

Is the certificate shown in the SIP Server's [Server Status] page?
tcares
Brekeke Junior Member


Joined: 10 Jul 2015
Posts: 8
Location: San Diego

Posted: Thu Jul 16, 2015 9:23 am

Yes, it is. Here's what it looks like:


Certificate Information
Certificate 1 Chain.1: Cert.1/1
Type X.509
Version 3
Serial# 00:e2:6a:b9:22:90:2c:8d:50
Validity valid, 07/15/15 23:41:53.000 - 07/12/25 23:41:53.000
Subject 1.2.840.113549.1.9.1=#16137463617265734062726574656c6f6e2e636f6d,CN=ec2-52-26-85-20.us-west-2.compute.amazonaws.com,OU=Software Development,O=Bretelon,L=San Diego,ST=CA,C=US
Issuer 1.2.840.113549.1.9.1=#16137463617265734062726574656c6f6e2e636f6d,CN=ec2-52-26-85-20.us-west-2.compute.amazonaws.com,OU=Software Development,O=Bretelon,L=San Diego,ST=CA,C=US
Signature Algorithm SHA1withRSA
Signature 256 bytes: 13:9d:df:cb:3c:97:fa:c8...
MD5 e2:ec:8d:8a:2f:a4:d8:1b:b2:f0:79:10:a9:ea:71:49
Key Algorithm RSA
Key Format X.509
Key Size 2048

_________________
Tim
snuyzm
Brekeke Talented


Joined: 11 Feb 2015
Posts: 97

Posted: Thu Jul 16, 2015 9:51 am

Tim,
Did you install the same self-signed certificate in the Linphone?

FYI: It seems you need to rebuild the Linphone app.
https://lists.gnu.org/archive/html/linphone-developers/2015-04/msg00027.html

For testing TLS, using a Windows based SIP client will be easier.
tcares
Brekeke Junior Member


Joined: 10 Jul 2015
Posts: 8
Location: San Diego

Posted: Thu Jul 16, 2015 9:54 am

Ah, okay, thank you. I can try rebuilding the app using source.

I actually have a Mac though I can get to a Windows machine if necessary. Do you have a recommendation on a Windows-based SIP client?

Thanks,
Tim

_________________
Tim
snuyzm
Brekeke Talented


Joined: 11 Feb 2015
Posts: 97

Posted: Thu Jul 16, 2015 10:53 am

I'm using Linphone on Mac for my Brekeke SIP Server over TLS!

The root CA file is:
/Applications/Linphone.app/Contents/Resources/share/linphone/rootca.pem

If you use your own self-signed certificate, append it to the above pem file.
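
The fix above, as an added example that is not part of the original posts or of Brekeke's or Linphone's code: it appends a server certificate to a CA bundle such as Linphone's rootca.pem only when its MD5 fingerprint matches the one shown on the [Server Status] page, and skips certificates that are already present. The function names and the .bak backup are assumptions of this example.

```python
import hashlib
import re
import shutil
import ssl
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """Map DER bytes to the original PEM block for each certificate in text."""
    return {ssl.PEM_cert_to_DER_cert(b): b for b in PEM_RE.findall(text)}


def fingerprint(der, algo="md5"):
    """Colon-separated hex digest, the layout the [Server Status] page uses."""
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def trust_certificate(cert_pem, bundle_path, expected_md5):
    """Append cert_pem to the CA bundle only if it is the expected certificate.

    Returns "mismatch", "already-trusted" or "appended".
    """
    blocks = pem_blocks(cert_pem)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate")
    (der, pem), = blocks.items()
    # Do not trust a certificate that differs from the one the server shows.
    if fingerprint(der) != expected_md5.strip().lower():
        return "mismatch"
    bundle = Path(bundle_path)
    # latin-1 never fails on stray comment bytes in a CA bundle.
    existing = bundle.read_text(encoding="latin-1") if bundle.exists() else ""
    if der in pem_blocks(existing):
        return "already-trusted"  # re-running must not duplicate the entry
    if bundle.exists():
        shutil.copy2(bundle, bundle.with_name(bundle.name + ".bak"))
    lead = "\n" if existing and not existing.endswith("\n") else ""
    with bundle.open("a", encoding="ascii") as fh:
        fh.write(lead + pem + "\n")
    return "appended"


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate: only the PEM framing
    # and fingerprint logic are exercised here.
    der = b"constructed-demo-certificate-bytes"
    pem = ssl.DER_cert_to_PEM_cert(der)
    print(trust_certificate(pem, "demo-rootca.pem", fingerprint(der)))
```

`ssl.get_server_certificate((host, 5061))` returns the PEM text a server presents without verifying it, which is why the fingerprint comparison comes before the append.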
tcares
Brekeke Junior Member


Joined: 10 Jul 2015
Posts: 8
Location: San Diego

Posted: Thu Jul 16, 2015 12:13 pm

Thank you, I got the Mac client to work using your steps.

Tim

_________________
Tim
All times are GMT - 7 Hours