BUG IncrediblePBX 13.13 VMware in full TLS mode?

qtlnx

Member
Joined
Mar 9, 2016
Messages
214
Reaction score
13
I would like to get help finding instructions for enabling TLS and SRTP for extensions and PBX-to-PBX trunks. A long time ago I somehow managed to manually configure stand-alone Asterisk. Should the same steps be followed, or is there UI support here?
 

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,534
Reaction score
727
> FWIW, I've found that IAX2 seems overall to be more robust than SIP under various PBX-to-PBX trunking environments.

Can you explain that a bit more? Setting up SIP between two PBXes under your own control is basically a four-line peer definition and just works. What does IAX2 add to make it more robust?
 

restamp

Member
Joined
Apr 24, 2016
Messages
97
Reaction score
53
> Can you explain that a bit more? Setting up SIP between two PBXes under your own control is basically a four-line peer definition and just works. What does IAX2 add to make it more robust?
Maybe it boils down to being a question of what/which you are familiar with, and I'm certainly no expert on SIP (or IAX2 for that matter). And granted, it's easy enough to configure a simple SIP trunk between two servers on the Internet (or on a local LAN). But add a firewall or two to the equation (perhaps with a SIP ALG), an unforgiving NAT, or the need for encrypted voice traffic, and the SIP route starts to look anything but simple. Now add in SIP's need for separate paths for call set-up and voice traffic -- useful in some contexts, but additional complexity if you don't need it -- and things start to get really dicey. I follow the usual forums and there is a steady stream of complaints and questions about one-way audio, spontaneous disconnects, etc.

For a while now, I've been trying to figure out a TLS problem which apparently starts with an SSL error: "SSL SSL_ERROR_SSL (Read): Level: 0 err: <336151548> <SSL routines-SSL3_READ_BYTES-sslv3 alert bad record mac> len: 32000" that seems to occur randomly several times a day on some SIP trunks but not others. The session gets torn down, then re-established, and all is good once again, unless of course there is a call ongoing at the time.

OTOH, I've had few problems with my IAX2 trunks, although admittedly I do not use them as broadly as SIP. For me, *they* just work. But take that as a data point as opposed to the Bible.

Here's a dated article which compares the two standards: (It may be biased, but it's worth the read.)

https://www.voip-info.org/wiki/view/IAX+versus+SIP

Anyone else have any experience here? Any opinions? Chime in!
 

qtlnx

Member
Joined
Mar 9, 2016
Messages
214
Reaction score
13
> https://wiki.freepbx.org/display/PHON/TLS+and+SRTP for the extensions
>
> For trunks, there's no GUI option. You just need to put "transport=tls" and "port=5061" into your peer definition.

Thanks, that was all I needed. Followed all instructions, e.g. requested a certificate from Let's Encrypt, had to do it manually via DNS because port 80 is permanently disabled, entered the certificate into the UI, switched the chan_sip default 701 extension to TLS only - all seems to work. Then enabled SRTP in the extension and the SIP client, iOS Bria. An attempt to dial a number caused Asterisk to crash with:
Program received signal SIGSEGV, Segmentation fault.

[Switching to Thread 0x7fc9839b5700 (LWP 3839)]
0x0000003f77656ac0 in _IO_vfscanf_internal (s=<value optimized out>, format=0x5eef3a "", argptr=0x7fc9839b0070, errp=0x0)
at vfscanf.c:1772
1772 *ARG (unsigned int *) = (unsigned int) num.ul;
(gdb) where
#0 0x0000003f77656ac0 in _IO_vfscanf_internal (s=<value optimized out>, format=0x5eef3a "", argptr=0x7fc9839b0070, errp=0x0)
at vfscanf.c:1772
#1 0x0000003f77669535 in _IO_vsscanf (string=0x7fc9839b0160 "1", format=0x5eef36 "%30d", args=0x7fc9839b0070) at iovsscanf.c:45
#2 0x0000003f77663598 in __sscanf (s=<value optimized out>, format=<value optimized out>) at sscanf.c:34
#3 0x0000000000596639 in ast_sdp_crypto_process (rtp=0x7fc9d801b190, srtp=0x7fc9d801a730, attr=
0x7fc9d801516a "1 AES_CM_128_HMAC_SHA1_80 inline:xxxxxxxxxx+n/xxxxxxxxxxxxxxx+rc") at sdp_srtp.c:263
#4 0x00007fc98b056fea in process_crypto (p=0x7fc9d8006db0, rtp=0x7fc9d801b190, srtp=0x7fc9d80081b8, a=
0x7fc9d801516a "1 AES_CM_128_HMAC_SHA1_80 inline:xxxxxxxxxx+n/xxxxxxxxxxxxxxx+rc", secure_transport=1)
at chan_sip.c:33918
#5 0x00007fc98b06af84 in process_sdp (p=0x7fc9d8006db0, req=0x7fc9839b3c90, t38action=1) at chan_sip.c:10753
#6 0x00007fc98b0bd362 in handle_request_invite (p=0x7fc9d8006db0, req=<value optimized out>, addr=0x7fc9cc1bf480, seqno=2,
recount=0x7fc9839b213c, e=0x7fc9d8014cef "sip:[email protected]", nounlock=0x7fc9839b2138) at chan_sip.c:26346
#7 0x00007fc98b0bff5a in handle_incoming (p=0x7fc9d8006db0, req=0x7fc9839b3c90, addr=0x7fc9cc1bf480, recount=0x7fc9839b213c,
nounlock=0x7fc9839b2138) at chan_sip.c:28882
#8 0x00007fc98b0c1822 in handle_request_do (req=0x7fc9839b3c90, addr=0x7fc9cc1bf480) at chan_sip.c:29091
#9 0x00007fc98b0c215c in _sip_tcp_helper_thread (tcptls_session=0x7fc9cc1bf460) at chan_sip.c:3090
#10 0x00000000005bd645 in handle_tcptls_connection (data=0x7fc9cc1bf460) at tcptls.c:792
#11 0x00000000005cd41b in dummy_start (data=<value optimized out>) at utils.c:1238
#12 0x0000003f77a07aa1 in start_thread (arg=0x7fc9839b5700) at pthread_create.c:301
#13 0x0000003f776e8bcd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115
 
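The backtrace above ends inside sscanf while ast_sdp_crypto_process is parsing the SDP a=crypto attribute ("1 AES_CM_128_HMAC_SHA1_80 inline:..."). As an added illustration, not Asterisk's code and not a claim about what the underlying bug was, here is a strict Python parser for that attribute that checks the tag, crypto-suite, base64 key|salt length, lifetime and MKI fields per RFC 4568 and rejects anything malformed with an exception instead of crashing; the sample attribute is constructed.

```python
import base64
import binascii
import re

# Master key + salt length in bytes for the RFC 4568 suites accepted here.
SUITE_KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}
# "[a=crypto:]<tag> <crypto-suite> <key-params> [<session-params>]"; tag is 1-9 digits.
_ATTR_RE = re.compile(r"^(?:a=)?(?:crypto:)?(\d{1,9}) (\S+) (\S+)(?: (.+))?$")

class SdpCryptoError(ValueError):
    """Raised for any a=crypto attribute the parser refuses to accept."""

def parse_crypto_attr(attr: str) -> dict:
    """Strictly parse one a=crypto attribute; raise SdpCryptoError instead of guessing."""
    m = _ATTR_RE.match(attr.strip())
    if not m:
        raise SdpCryptoError("expected '<tag> <crypto-suite> <key-params>'")
    tag, suite, key_params, session_params = m.groups()
    if suite not in SUITE_KEY_SALT_LEN:
        raise SdpCryptoError(f"unsupported crypto suite {suite!r}")
    if not key_params.startswith("inline:"):
        raise SdpCryptoError("only the inline: key method is supported")
    fields = key_params[len("inline:"):].split("|")
    try:
        key_salt = base64.b64decode(fields[0], validate=True)
    except binascii.Error as exc:
        raise SdpCryptoError("key|salt is not valid base64") from exc
    if len(key_salt) != SUITE_KEY_SALT_LEN[suite]:
        raise SdpCryptoError(f"{suite} needs {SUITE_KEY_SALT_LEN[suite]} key|salt bytes")
    lifetime, mki = None, None
    for extra in fields[1:]:  # optional "|lifetime" then "|MKI:length", in that order
        if lifetime is None and mki is None and re.fullmatch(r"(2\^)?\d+", extra):
            lifetime = extra
        elif mki is None and re.fullmatch(r"\d+:\d+", extra):
            mki = tuple(int(x) for x in extra.split(":"))
        else:
            raise SdpCryptoError(f"unexpected key-params field {extra!r}")
    return {"tag": int(tag), "suite": suite, "key_salt": key_salt, "lifetime": lifetime,
            "mki": mki, "session_params": session_params.split() if session_params else []}

def is_rejected(attr: str) -> bool:
    """True when parse_crypto_attr refuses the attribute (no crash, no partial state)."""
    try:
        parse_crypto_attr(attr)
    except SdpCryptoError:
        return True
    return False

# Constructed sample offer line: 30-byte key|salt, 2^20-packet lifetime, MKI 1 of length 4.
SAMPLE_ATTR = ("1 AES_CM_128_HMAC_SHA1_80 inline:"
               + base64.b64encode(bytes(range(30))).decode() + "|2^20|1:4")
```

A phone that sends an a=crypto line this parser rejects should get a 488 (or the offer's non-SRTP fallback) rather than a segfault; logging the rejected line is the useful detection signal.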

billsimon

Well-Known Member
Joined
Jan 2, 2011
Messages
1,534
Reaction score
727
I'd keep an eye out for Asterisk updates because it looks like the version you've got has a bug in SRTP. Otherwise, glad to see that you were able to get the config right!
 

qtlnx

Member
Joined
Mar 9, 2016
Messages
214
Reaction score
13
Opened the same thread in the BUGS forum, since a fresh install from source still has the same problem.
 

qtlnx

Member
Joined
Mar 9, 2016
Messages
214
Reaction score
13
Was the VMware image updated? A solution is available and in the install script already. Just asking so this topic can be closed.