SIP secure and SRTP setup issues

Hey folks, I have been trying to get SIPS and SRTP set up with the provider Telnyx.
I have gotten most of the way there, I believe, but Asterisk constantly complains it can't set up the call because it does not trust the certificate from Telnyx.
Error below:

[2025-08-12 10:29:38] ERROR[829338][C-00000005]: res_rtp_asterisk.c:3348 __rtp_recvfrom: DTLS failure occurred on RTP instance '0x7f514xxxxxxxxx' due to reason 'certificate verify failed', terminating

When I run an openssl check to verify the certificate is trusted by the system, I get an OK(0) response:

openssl s_client -connect sip.telnyx.com:5061 -servername sip.telnyx.com   -CApath /etc/ssl/certs </dev/null | tail -n 2
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = sip.telnyx.com
verify return:1
DONE
Verify return code: 0 (ok)

These are my transport settings:

sudo asterisk -rx 'pjsip show transport transport-tls-608c7bb6130ab9815fbe'

Transport:  <TransportId........>  <Type>  <cos>  <tos>  <BindAddress....................>
==========================================================================================

Transport:  transport-tls-608c7bb6130ab9815fbe     tls      0      0  0.0.0.0:5061

 ParameterName               : ParameterValue
 ==================================================================================================
 allow_reload                : true
 allow_wildcard_certs        : No
 async_operations            : 1
 bind                        : 0.0.0.0:5061
 ca_list_file                :
 ca_list_path                : /etc/ssl/certs
 cert_file                   : /usr/share/vitalpbx/certificates/vitalpbx-lab.xxxxxx.com/bundle.pem
 cipher                      :
 cos                         : 0
 domain                      :
 external_media_address      : 5xxxxxx
 external_signaling_address  : 5xxxxxx
 external_signaling_port     : 5061
 local_net                   : 10.0.0.0/255.0.0.0
 local_net                   : 172.16.0.0/255.240.0.0
 method                      : tlsv1_2
 ms_signaling_address        :
 password                    :
 priv_key_file               : /usr/share/vitalpbx/certificates/vitalpbx-lab.xxxx.com/private.pem
 protocol                    : tls
 require_client_cert         : No
 symmetric_transport         : false
 tcp_keepalive_enable        : false
 tcp_keepalive_idle_time     : 30
 tcp_keepalive_interval_time : 1
 tcp_keepalive_probe_count   : 5
 tos                         : 0
 verify_client               : No
 verify_server               : Yes
 websocket_write_timeout     : 100

I also had to add the parameter “ca_list_path” to the transport for it to use the CA trusted cert. There did not seem to be an option in the GUI to add this. Maybe something necessary for future releases?

Just wondering if anyone is able to assist with this. Thank you!
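
An added example, not part of the original post: a small parser for the `pjsip show transport` parameter table shown above that flags a TLS transport with `verify_server` enabled but no CA source configured, the state the post describes before `ca_list_path` was added. The function names are hypothetical and the sample input is constructed from the post's output.

```python
import re

# Constructed sample: the TLS-related rows of the `pjsip show transport` table
# from the post, with ca_list_path blanked to reproduce the pre-fix state.
SAMPLE = """\
 ParameterName               : ParameterValue
 ===============================================
 bind                        : 0.0.0.0:5061
 ca_list_file                :
 ca_list_path                :
 local_net                   : 10.0.0.0/255.0.0.0
 local_net                   : 172.16.0.0/255.240.0.0
 method                      : tlsv1_2
 protocol                    : tls
 verify_server               : Yes
"""

# A row is "<lowercase_key> : <value>"; header and ruler lines do not match.
ROW = re.compile(r"^\s*([a-z0-9_]+)\s*:\s*(.*?)\s*$")
LEGACY_METHODS = {"sslv2", "sslv3", "tlsv1", "tlsv1_1"}

def parse_transport(text):
    """Return {parameter: [values]}, keeping repeated keys such as local_net."""
    params = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            params.setdefault(m.group(1), []).append(m.group(2))
    return params

def audit_tls(params):
    """Return findings about server-certificate verification on the transport."""
    def get(key):
        return params.get(key, [""])[0].strip()
    if get("protocol").lower() != "tls":
        return ["protocol is not tls: nothing to audit"]
    findings = []
    if get("verify_server").lower() not in ("yes", "true"):
        findings.append("verify_server is off: the server certificate is not checked")
    elif not get("ca_list_file") and not get("ca_list_path"):
        findings.append("verify_server is on but ca_list_file and ca_list_path are empty")
    if get("method").lower() in LEGACY_METHODS:
        findings.append("method %s is a legacy protocol version" % get("method"))
    return findings

if __name__ == "__main__":
    for finding in audit_tls(parse_transport(SAMPLE)) or ["no findings"]:
        print(finding)
```

It covers only the pjsip transport parameters listed in the post; piping the real `asterisk -rx 'pjsip show transport <id>'` output into `parse_transport` works the same way.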
