InnovateAsterisk / Browser-Phone

A fully featured browser based WebRTC SIP phone for Asterisk
https://www.innovateasterisk.com
GNU Affero General Public License v3.0
470 stars 239 forks

SSL Error #526

Open joao-tomas-albergaria123 opened 3 months ago

joao-tomas-albergaria123 commented 3 months ago

Hi, recently I started developing an app with Asterisk v18.04 and decided to add the browser phone to it. And I stumbled across an error with the SSL certificates. I saw a few issues and stumbled upon one with the same error but didn't have a solution. Well, I have everything set in a docker, and I can send messages but when I try to contact MOH or any other extension that I have the call is not accepted, and the Asterisk logs display the same 3 errors:

[2024-03-27 23:42:29] ERROR[384]: iostream.c:647 ast_iostream_start_tls: Problem setting up ssl connection: error:00000001:lib(0):func(0):reason(1), Internal SSL error
[2024-03-27 23:42:29] ERROR[384]: tcptls.c:179 handle_tcptls_connection: Unable to set up ssl connection with peer 'domain.com:port'
[2024-03-27 23:42:29] ERROR[384]: iostream.c:552 ast_iostream_close: SSL_shutdown() failed: error:00000001:lib(0):func(0):reason(1), Internal SSL error

How can I solve this?

InnovateAsterisk commented 3 months ago

This seems like an Asterisk issue, or a problem with OpenSSL (something compiled into Asterisk). Make sure you are on the latest version of OpenSSL, and then rebuild Asterisk.

joao-tomas-albergaria123 commented 2 months ago

Hi, thank you for the response! As said, I rebuilt the Asterisk project and used the latest version of OpenSSL, but the error still remains. Is it possible to use the browser-phone without the use of SSL?

InnovateAsterisk commented 2 months ago

There are two ways that SSL is used in Asterisk for WebRTC.

  1. Connecting to the HTTP server over TLS - When you connect your web browser (websocket) to the Asterisk HTTPS port, it will need to use a server certificate that you provide. Modern browsers don't allow this connection without a valid TLS connection, so this is required, but it is not required from the Asterisk side - this is useful because you can end your TLS connection at a load balancer or proxy, and pass the WSS:// connection on to WS://. This essentially terminates your secure connection outside of Asterisk, and takes that load off Asterisk.
  2. The DTLS stream - When you establish a WebRTC call, it's mandatory for SDP to establish a secure stream; this means an exchange of certificates must happen. This is the problem you are currently having, and unfortunately, no, you have to have a certificate exchange handshake as part of the DTLS connection. Especially since the actual DTLS stream must connect point-to-point (or browser-to-Asterisk) and cannot pass through a proxy. (Even if you use a TURN server, the TURN server does no packet inspection.) But, there are two options. You can allow Asterisk to create the certificates, by using dtls_auto_generate_cert=yes, or you can set up the certificates yourself. You can test to see if the handshake is failing by using Wireshark to capture packets between the browser and Asterisk - it should be clear there.

Other things to check: are you on the latest distribution of your OS? It's often the case that the SSL library only supports the OS to a certain point.

I would first trace the DTLS connection with Wireshark and note the point of failure with the certificate handshake. Then try different distributions, OS, and versions until you find it working. I have used Ubuntu and Debian in various versions over the years.
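The two places the reply above refers to, written out as an added configuration example (this is not the project's own config and not something from the thread): http.conf carries the WSS listener and its server certificate (item 1), while the pjsip.conf endpoint carries the DTLS settings for the media stream (item 2), with dtls_auto_generate_cert=yes as option A and your own certificate files as option B. The file paths, the transport name, and the endpoint name webrtc_client are assumptions chosen for the example; the option names are the standard Asterisk ones.

```ini
; ---- http.conf: the WebSocket listener (item 1: TLS to the HTTP server) ----
[general]
enabled=yes
bindaddr=0.0.0.0
bindport=8088                 ; plain ws://, only reached via a TLS-terminating proxy
tlsenable=yes
tlsbindaddr=0.0.0.0:8089      ; wss:// straight to Asterisk
tlscertfile=/etc/asterisk/keys/asterisk.pem    ; assumed path: server certificate
tlsprivatekey=/etc/asterisk/keys/asterisk.key  ; assumed path: matching private key

; ---- pjsip.conf: WSS transport and a WebRTC endpoint (item 2: the DTLS stream) ----
[transport-wss]               ; assumed transport name
type=transport
protocol=wss
bind=0.0.0.0

[webrtc_client]               ; assumed endpoint name
type=endpoint
context=default
disallow=all
allow=opus,ulaw
auth=webrtc_client
aors=webrtc_client
; webrtc=yes applies the WebRTC defaults: use_avpf, media_encryption=dtls,
; dtls_verify=fingerprint, dtls_setup=actpass, ice_support, rtcp_mux and
; media_use_received_transport. The DTLS handshake itself cannot be disabled.
webrtc=yes
; Option A: let Asterisk generate an ephemeral self-signed DTLS certificate.
dtls_auto_generate_cert=yes
; Option B: supply your own certificate instead (remove the line above).
;dtls_cert_file=/etc/asterisk/keys/asterisk.pem
;dtls_private_key=/etc/asterisk/keys/asterisk.key
```

When a load balancer or proxy terminates TLS in front of Asterisk, only the http.conf listener changes (the proxy speaks wss:// to the browser and ws:// to port 8088); the endpoint's DTLS settings stay exactly as above, because the media stream is negotiated browser-to-Asterisk and never passes through the proxy. With option B, the certificate's SHA-256 fingerprint is what Asterisk places in the SDP a=fingerprint line, so a Wireshark trace that shows the browser rejecting the DTLS handshake usually points at a mismatch between that line and the certificate the peer actually presents.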