TLS connection

Discussion in 'Windows' started by botan, Jan 18, 2013.

Thread Status:
Not open for further replies.
  1. botan

    Joined:
    Jan 18, 2013
    Messages:
    4
    Likes Received:
    0
    Hi!

    I have problems connecting from the 3CX phone client to the 3CX phone server with TLS.
    I created my own CA and a cert for the server. Everything works well with the Eyebeam client, but 3CX does not want to bind with the PBX.
    root_cert_....pem was imported in advanced settings.
    The 3CX server shows nothing in the logs - that's why I think the problem is in the SSL handshake.
    My CA is missing a CRL URL in its certificate. Can that be the reason?

    Debug log of the 3CX phone client:

    Attempting to connect 3cx.server.host:5061
    Phone got as local port 53097
    Jabra not connected
    RTP engine OK
    SIP engine OK
    Sound mic device OK [{F6B56C44-BB9E-49DC-98E7-11D6660B17ED}]
    Sound ring device OK []
    Sound speaker device OK [{CD6B7C2E-410C-4FA5-A87B-B1F1DD31E947}]
    Not connected: Server unreachable
    Phone has been disconnected - error: 503
    Phone is no longer connected
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,375
    Likes Received:
    231
    Did you change the port in 3CX (PBX) to 5061? The default is 5060.
     
  3. botan

    Yes, I use port 5061:

    Attempting to connect 3cx.server.host:5061
     
  4. leejor

    Does it work if you don't use TLS?
     
  5. botan

    Without TLS it works on port 5060
     
  6. botan

    A couple of minutes ago I tried using STunnel between the 3CX phone and the 3CX PBX - and it worked well. Phone is on hook.
    I changed TLS to TCP in the advanced settings of the 3CX phone, then pointed the server address to localhost:5061.

    2013.01.19 11:36:03 LOG5[6744]: Service [xxx] accepted connection from 127.0.0.1:57415
    2013.01.19 11:36:03 LOG5[6744]: connect_blocking: connected s.s.s.s:5061
    2013.01.19 11:36:03 LOG5[6744]: Service [xxx] connected remote server from c.c.c.c:57416
    2013.01.19 11:37:55 LOG5[6744]: Connection closed: 7382 byte(s) sent to SSL, 5221 byte(s) sent to socket


    I'm almost sure the problem is in SSL cert handling. Maybe some additional fields are required in the certificate and 3CX checks them.
    My CA was created using Microsoft makecert.exe
    Code:
    makecert.exe -r -n "CN=PRIVATE" -pe -sv PRIVATE.pvk -a sha1 -len 2048 -e 01/01/2022 -sp "Microsoft strong cryptographic provider" -sky exchange -cy authority PRIVATE.cer
    pvk2pfx -pvk PRIVATE.pvk -pfx PRIVATE.pfx -f -spc PRIVATE.cer
    makecert.exe -n "CN=3cx.server.host" -pe -sky exchange -sv 3cx.server.host.pvk -ic PRIVATE.cer -iv PRIVATE.pvk   -a sha1 -len 2048 -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -ip "Microsoft strong cryptographic provider" -sp "Microsoft strong cryptographic provider" 3cx.server.host.cer
    pvk2pfx -pvk 3cx.server.host.pvk -pfx 3cx.server.host.pfx -f -spc 3cx.server.host.cer
    openssl x509 -inform der -in private.cer  -outform pem -out private.cer.pem
    openssl x509 -inform der -in 3cx.server.host.cer  -outform pem -out 3cx.server.host.cer.pem
    pvk -in PRIVATE.pvk -out private.pvk.pem -nocrypt
    pvk -in 3cx.server.host.pvk -out 3cx.server.host.pvk.pem -nocrypt
    
    As far as I understand, the 3CX phone does not use the Windows CryptoAPI and does SSL and cert checking internally. Correct?
    Could you please generate an example of your own CA and server certificate that work, so I can compare them with my version and learn the difference?
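
One way to make the comparison asked for in post 6, as an added example that is not part of the thread and does not reproduce 3CX's internal validation (which the thread does not describe): build a throwaway CA and server certificate with OpenSSL, then print the fields worth comparing and run chain, purpose and hostname checks. The CN `PRIVATE`, the hostname and the two EKU purposes come from the thread; the function names, the `subjectAltName` entry, SHA-256 and the 30-day lifetime are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): throwaway CA + server certificate built
# with OpenSSL, then the checks a strict TLS client applies. Names are constructed.
set -euo pipefail

# make_chain DIR HOST: write ca.pem / server.pem (and their keys) into DIR.
make_chain() {
  local d="$1" host="$2"
  cat > "$d/ext.cnf" <<EOF
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$host
EOF
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=PRIVATE" \
    -keyout "$d/ca.key" -out "$d/ca.csr" 2>/dev/null   # hide keygen progress
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -sha256 -days 30 \
    -extfile "$d/ext.cnf" -extensions ca -out "$d/ca.pem"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 30 \
    -extfile "$d/ext.cnf" -extensions leaf -out "$d/server.pem"
}

# audit_cert CA CERT HOST: print one line per check; return non-zero on any failure.
audit_cert() {
  local ca="$1" cert="$2" host="$3" rc=0
  # Fields to compare between a working and a failing certificate.
  openssl x509 -in "$cert" -noout -subject -issuer -enddate
  openssl x509 -in "$cert" -noout -text |
    grep -E -A1 'Signature Algorithm|Subject Alternative Name|Extended Key Usage|Basic Constraints' || true
  if openssl verify -CAfile "$ca" -purpose sslserver "$cert" 2>&1 | grep -q ': OK$'
  then echo "chain+purpose: ok"; else echo "chain+purpose: FAIL"; rc=1; fi
  if openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" 2>&1 | grep -q ': OK$'
  then echo "hostname $host: ok"; else echo "hostname $host: FAIL"; rc=1; fi
  return "$rc"
}

WORK="$(mktemp -d)"
make_chain "$WORK" "3cx.server.host"      # hostname taken from the thread's log
audit_cert "$WORK/ca.pem" "$WORK/server.pem" "3cx.server.host"
```

Running `audit_cert` against the `private.cer.pem` and `3cx.server.host.cer.pem` files produced by the commands in post 6 gives the same report for the makecert-generated pair, so the two outputs can be compared field by field.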
     
  7. leejor

    I don't use it myself, but someone else may be able to oblige.
     