TLS not working anymore for mobile clients since SP6

Status
Not open for further replies.

Marco Bankers

Customer
Joined
Jul 25, 2017
Since we upgraded to SP6 we cannot register secure mobile clients anymore. With a fixed phone it keeps working, but with the mobile clients it does not work anymore. I cannot find the issue in any log. The firewall indicates the traffic is allowed and delivered to 3CX, but the log in 3CX does not mention the register request to 5061.
When we try the same thing with a fixed phone we do see the logs in 3CX to 5061. Before the update, I remember TLS worked like a charm with mobile clients. This issue suddenly affects all mobile clients, iOS and also Android.
 
ERR_EMPTY_RESPONSE

Fixed phone is OK over another WAN link. So the firewall seems OK. And it worked before.
 
Can you be a little more specific? What secure mobile client? 3CX app or are you using something else?
 
Sorry. Yes, the 3CX mobile app. Also a second 3CX server has the same issue. I'm going to prep a new VM with the old version (SP5) to see if I can get it working again on the old version.
 
Did you remove "Disallow use of extension outside the LAN" tag also?
 
Yes for both SP6 PBX.
 
A new Android beta build will be out soon that will have improvements on this part. I'd suggest you sign up for the beta and try it once it's out.
 
But the issue is also on iOS. It started at the same time. 90% use iOS in our organisation.
 
An iOS improvement on this will also become available very soon with fixes and changes specifically for this. Are you signed up for the beta/s?
 
@Marco, also check the Let's Encrypt certificate on your PBX.
A test of the 3CX Windows client would also be useful.
 
The certificate has not changed from SP5 to SP6. However, because nginx did not pass the intermediate and root certificates, I added this to the config. https://voipemea-nl.msi.com

A Yealink T54S works fine with TLS (when accepting all certificates) over the WAN link. Will test the 3CX Windows client in a few hours.

It was and still is a wildcard certificate.
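
Added example, not part of the thread and not 3CX code: the post above mentions that nginx was not passing the intermediate certificate, and that a phone set to accept all certificates still connected. The script below builds a constructed root, intermediate and server certificate (all names hypothetical) and shows how a client that validates the chain treats a server that sends only its leaf versus leaf plus intermediate. It illustrates the check only; the thread does not establish this as the cause.

```bash
#!/usr/bin/env bash
# Constructed demo: throwaway keys and certificates in a temp dir.
# Demo Root, Demo Intermediate and pbx.example.test are hypothetical names.

make_chain() {  # $1 = work dir; writes root.pem, inter.pem, leaf.pem
  d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    '[dn]' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$d/demo.cnf"
  # Self-signed root CA (the only certificate the client trusts).
  openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA signed by the root.
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate" -keyout "$d/inter.key" \
    -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/demo.cnf" -extensions v3_ca \
    -out "$d/inter.pem" 2>/dev/null
  # Server certificate signed by the intermediate.
  openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=pbx.example.test" -keyout "$d/leaf.key" \
    -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# $1 = trusted root PEM, $2 = PEM bundle as sent by the server (leaf first).
# Succeeds only if the leaf chains to the root using what the server sent.
client_accepts() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
make_chain "$work"
cp "$work/leaf.pem" "$work/sent_leaf_only.pem"                   # no intermediate
cat "$work/leaf.pem" "$work/inter.pem" > "$work/sent_full.pem"   # leaf + intermediate
for f in sent_leaf_only sent_full; do
  if client_accepts "$work/root.pem" "$work/$f.pem"; then
    echo "$f: chain verifies"
  else
    echo "$f: rejected"
  fi
done
rm -rf "$work"
# Against a live server, the certificates actually sent can be listed with:
#   openssl s_client -connect <pbx-fqdn>:5061 -showcerts </dev/null
```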
 
15.5 SP5 has the same issue. Suddenly the free PBX in UA works with TLS. Now I'm testing replacing our own certificate with the Let's Encrypt certificate to see if this makes any difference.
(Cannot change the title to remove SP6 from this subject :()
 
TLS:

With own certificate: not working on a completely newly generated PBX. Fixed phones are OK. The 3CX Windows client is OK (TLS port 5061: Secure only). Mobile client on Android and iOS not working. Wildcard or single-domain certificate does not matter. Also tested with the new iOS TestFlight version. Same result.
Traffic from mobile clients is not shown in the activity log. From fixed phones and the 3CX Windows client, traffic is seen in the activity log. When running Wireshark directly on the PBX, traffic is clearly received on the PBX. Cannot read it because it's encrypted, of course.

With a free license and a certificate from Let's Encrypt it's working on the mobile clients too.
 

The upcoming beta versions have been tested thoroughly with TLS. As long as your configuration is correct, TLS will work. I'll give you a nudge in this thread once these betas are available.
 
I installed the beta version for iOS already. (15.5.18.451)
 
Installed a new server with a fresh installation of 3CX. Enabled SSL/TLS. (voipemea-nltest.msi.com)
Even bought an extra official license for it to test properly.

Sometimes a call seems to come through, but when I try to pick up nothing happens.
 

Service not available indicates an issue with your extension, DNS or PBX configuration.

  • In the extension's provisioning settings, can you select the PBX FQDN instead of the IP as the Network interface for registration and provisioning?

  • Also in the options page of your extension, disable "Disallow use of extension outside the LAN".
 
Those are correct, and to be sure I tried both. Turned 3CX upside down already.

However, in the last 10 minutes I did exactly the same as with our own certificate, except with the free license with domain and certificate from 3CX. And voilà: all OK.

Even the same server. Just removed 3CX, removed programdata\3cx and reinstalled with the free license with a 3CX domain. (https://voipemea-nltest.3cx.nl)
 

Same WAN IP. Same firewall rules. Did not touch that part.
 