Originally created by: bensjob...@gmail.com
What steps will reproduce the problem?
1. Set up an account with TLS transport
2. Enable "Check server" in the secure transport settings.
3. Connection fails with "service unavailable" message. Log message: "TLS connect() error: SSL certificate verification error (PJSIP_TLS_ECERTVERIF) [code=171173]"
What is the expected output? What do you see instead?
With a valid certificate, the connection should be established.
What version of the product are you using? On what operating system?
[r2174], Android 4.2.2, LG Nexus 4.
Please provide any additional information below.
My certificate is valid - I'm able to connect to sip.mydomain.com:5061 via curl, openssl s_client, or through a web browser without issue. (Including via the phone's browser, so the root cert is definitely installed.) Unfortunately the log message is a bit vague, so I'm not sure what exactly pjsip isn't liking about the certificate. Is there any way to get a more detailed error message?
Originally posted by: r3gis...@gmail.com
Can you send me full logs from the app?
(see HowToCollectLogs wiki page - it's sent only to my address)
There is some context I'd like to have to understand how things are configured and what is the path used by the app to register.
(For example usage of sips scheme and usage of sips proxy might have a big impact here).
Besides, there is something that I don't get in your details. You say you have no problem while browsing with a web browser... Well... you are connecting over the "sips" protocol here... so it's normally a different certificate, with a remote name or subj_alt_name or cn that is the SIP URI. That's what the verify option does: it checks that the issued name matches the remote you are actually connected to.
Status: Need-Details
Originally posted by: pabstr...@compuserve.com
> Is there any way to get a more detailed error message?
Code 171173 is nothing other than PJSIP_TLS_ECERTVERIF; consequently, that error number does not provide more details. PJSIP_TLS_ECERTVERIF means the certificate could not be verified, no reason given. Which is a pity because the underlying OpenSSL library [https://www.openssl.org/docs/apps/verify.html provides] 32 different reasons as status.
Because CSipSimple is based on the PJSIP, I compiled PJSIP myself and was able to debug my issue on Ubuntu 14.04 LTS:
$ sudo apt-get build-dep pjproject
$ apt-get source pjproject
$ dpkg-buildpackage -us -uc -nc
$ sudo make install
$ pjsip-apps/bin/pjsua* --config-file ~/dustel.conf
# put the following into a new file called
# dustel.conf, within your home folder
# https://www.dus.net/en/sip-default-settings
--app-log-level 4
--id sip:00038799999@proxy.dus.net
--registrar sip:proxy.dus.net;transport=tls
--proxy sip:proxy.dus.net;transport=tls
--realm *
--username 00038799999
--password yourPassword
--use-tls
--tls-ca-file /etc/ssl/certs/ca-certificates.crt
--tls-verify-server
1. Enhancement Request
Please, use pj_ssl_cert_get_verify_status_strings for the log. This does not provide the 32 reasons from OpenSSL but at least 12 from [http://www.pjsip.org/pjlib/docs/html/group__PJ__SSL__SOCK.htm#gace0713defa5446c9455f3cce37453f30 PJSIP]. Perhaps even show any error in the graphical user-interface.
2. Enhancement Request
Please, move check-server from
Options » Settings » Network » Secure transport
to the accounts. Rationale: I have one SIP account which does verify just fine, another one (the one mentioned above) won’t ever because they use a wildcard SSL certificate. Wildcards are not supported by PJSIP.
3. Enhancement Request
Please, link the Android CertStore. Until then, please, add a default certificate-authorities [https://pki.google.com/roots.pem PEM] file.
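
The name check discussed in the replies above, as an added example that is not part of the thread and not PJSIP's code: it compares the names in a certificate with the host from the SIP URI and reports whether the match is exact or depends on a wildcard, the case the last post reports as failing. The function names and the example.com names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Outcome of comparing certificate names with the expected SIP host. */
enum match { NO_MATCH = 0, EXACT_MATCH = 1, WILDCARD_MATCH = 2 };

/* Compare one dNSName from the certificate with the host from the SIP URI.
 * A wildcard is honoured only as the whole left-most label ("*.example.com")
 * and covers exactly one label, following RFC 6125 section 6.4.3. */
static enum match match_name(const char *cert_name, const char *host)
{
    if (strcasecmp(cert_name, host) == 0)
        return EXACT_MATCH;
    if (strncmp(cert_name, "*.", 2) != 0)
        return NO_MATCH;
    const char *suffix = cert_name + 1;      /* ".example.com" */
    const char *dot = strchr(host, '.');     /* end of the host's first label */
    if (dot == NULL || dot == host)          /* first label must be non-empty */
        return NO_MATCH;
    if (strchr(suffix + 1, '.') == NULL)     /* refuse "*.com"-style names */
        return NO_MATCH;
    return strcasecmp(dot, suffix) == 0 ? WILDCARD_MATCH : NO_MATCH;
}

/* Best result over all names in the certificate (SAN entries, or CN as fallback). */
enum match check_identity(const char *const names[], size_t n, const char *host)
{
    enum match best = NO_MATCH;
    for (size_t i = 0; i < n; i++) {
        enum match m = match_name(names[i], host);
        if (m == EXACT_MATCH)
            return EXACT_MATCH;
        if (m == WILDCARD_MATCH)
            best = WILDCARD_MATCH;
    }
    return best;
}

int main(void)
{
    /* Constructed sample names, not taken from any real certificate. */
    const char *const names[] = { "*.example.com", "example.com" };
    const char *hosts[] = { "sip.example.com", "example.com", "a.sip.example.com" };
    const char *label[] = { "no match", "exact", "wildcard only" };
    for (size_t i = 0; i < 3; i++)
        printf("%-20s %s\n", hosts[i], label[check_identity(names, 2, hosts[i])]);
    return 0;
}
```

A "wildcard only" result for your registrar's host means a client that honours wildcards accepts the certificate, while a verifier that requires an exact name reports an identity mismatch.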