Roozbeh, posted April 20, 2021:

Has anyone had any success configuring a Twilio trunk with TLS? I am trying to configure a Twilio trunk with TLS over port 5061. I have the Proxy address configured as below and I have Secure Trunking enabled (TLS must be used to encrypt SIP messages on port 5061, and SRTP must be used to encrypt the media packets. Any non-encrypted calls will be rejected). Once configured, when dialing out I only hear white noise. My configuration works with UDP transport on port 5060 with secure trunking disabled. Any help would be appreciated.

Attachment: outbound.pcap
Vodia PBX, posted April 20, 2021:

My guess is there is a problem with the certificate:

% curl -vv https://techguysio.pstn.umatilla.twilio.com:5061
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Twilio, Inc.; CN=*.us2.twilio.com
*  start date: Feb 18 00:00:00 2021 GMT
*  expire date: Feb 22 23:59:59 2022 GMT
*  subjectAltName does not match techguysio.pstn.umatilla.twilio.com
* SSL: no alternative certificate subject name matches target host name 'techguysio.pstn.umatilla.twilio.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'techguysio.pstn.umatilla.twilio.com'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
Roozbeh (author), posted April 20, 2021:

You are 100% correct: the localized URIs do not have wildcard certs (*.pstn.umatilla.twilio.com), thus failing the handshake. I used the Termination SIP URI and it worked like a charm! Thank you!!! I will have to work with Twilio to create wildcard certs for their *.pstn.umatilla.twilio.com.

https://techguysio.pstn.twilio.com:5061

$ curl -vv https://techguysio.pstn.twilio.com:5061
*   Trying 54.172.60.3:5061...
* TCP_NODELAY set
* Connected to techguysio.pstn.twilio.com (54.172.60.3) port 5061 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Twilio, Inc.; CN=*.pstn.twilio.com
*  start date: Jul 27 00:00:00 2020 GMT
*  expire date: Sep 29 12:00:00 2021 GMT
*  subjectAltName: host "techguysio.pstn.twilio.com" matched cert's "*.pstn.twilio.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Thawte RSA CA 2018
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: techguysio.pstn.twilio.com:5061
> User-Agent: curl/7.68.0
Roozbeh (author), posted April 20, 2021:

I have opened a ticket with Twilio to fix their legacy termination URIs' wildcard certificate with their new URIs.
Roozbeh (author), posted May 5, 2021:

Is there an option to not require certificate verification?
Vodia PBX, posted May 6, 2021:

Sorry, we always validate the certificate on SIP TLS connections that are initiated by the PBX.
cwernstedt, posted December 2, 2021:

@Roozbeh I'm running into this issue too, and Twilio support is clueless. Did you receive any responses from them regarding fixing the issue?
cwernstedt, posted December 10, 2021:

Update: Twilio will never install wildcard certs on their localized endpoints. Their stated reason and workaround:

"Twilio does not present wildcard certificates for SIP as most standards-compliant devices don't accept them. So you may not see a certificate that matches their personalized domain name exactly. If you can configure an 'outbound proxy' or route on their SIP device, you can set this to 'pstn.frankfurt.twilio.com' which will match the certificate our edge presents."

This solution seems to work.
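The whole thread turns on one check: whether the dNSName in the server certificate covers the proxy host configured on the trunk. The following is an added example (not Vodia's or Twilio's code) that applies the RFC 6125 name-matching rules every mainstream verifier enforces (OpenSSL, curl, Python) to the certificate names quoted in the posts above, so the reason for the rejected localized URI in post 2 and the accepted termination URI in post 3 can be reproduced offline before a trunk is configured. The certificate names and hostnames come from the posts; the `*.frankfurt.twilio.com` name used for the post 8 workaround is an assumption, since the thread does not quote that certificate. The live helper at the end performs the same check against a real endpoint with verification left on, which is the behaviour the PBX vendor says cannot be switched off.

```python
"""Offline reproduction of the TLS hostname check that failed in this thread.

Added example, not Vodia's or Twilio's code. Applies the dNSName matching
rules from RFC 6125 (the strict subset that OpenSSL, curl and Python all
enforce) to the certificate names quoted in the posts.
"""
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName `pattern` covers `hostname`.

    Rules applied:
      * labels compare case-insensitively; one trailing dot is ignored;
      * a wildcard must be the entire left-most label ("*.example.com");
        partial wildcards such as "te*.example.com" are rejected;
      * "*" matches exactly one label, never zero or several;
      * a wildcard needs at least two fixed labels after it ("*.com" is out).
    """
    p_labels = pattern.rstrip(".").lower().split(".")
    h_labels = hostname.rstrip(".").lower().split(".")
    if "*" in pattern:
        if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
            return False
        if len(p_labels) < 3:
            return False
    # A wildcard covers one label, so the label counts must be equal.
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def matching_san(dns_names, hostname: str):
    """Return the first subjectAltName dNSName that covers `hostname`, else None."""
    for name in dns_names:
        if hostname_matches(name, hostname):
            return name
    return None


# (configured proxy host, dNSName the server presented), as quoted in the thread.
THREAD_CASES = [
    ("techguysio.pstn.umatilla.twilio.com", "*.us2.twilio.com"),   # post 2: rejected
    ("techguysio.pstn.twilio.com", "*.pstn.twilio.com"),           # post 3: accepted
]


def explain_thread_cases():
    """Map each configured host to the verdict a verifying client reaches."""
    return {host: hostname_matches(san, host) for host, san in THREAD_CASES}


def fetch_san_dns_names(host: str, port: int = 5061, timeout: float = 5.0):
    """Live variant: TLS-connect with verification ON and return the dNSNames.

    Raises ssl.SSLCertVerificationError on a name mismatch, the same outcome
    the PBX reports for the trunk. Needs network access; not used by the
    offline checks above.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    for host, san in THREAD_CASES:
        verdict = "match" if hostname_matches(san, host) else "NO MATCH"
        print(f"{host:40s} vs {san:20s} -> {verdict}")
    # Post 8 workaround: point the outbound proxy at the edge name itself.
    # The dNSName below is an assumption; the thread does not quote that cert.
    print(hostname_matches("*.frankfurt.twilio.com", "pstn.frankfurt.twilio.com"))
```

The label-count rule is the part that matters for the thread: `*.pstn.twilio.com` has four labels and `techguysio.pstn.umatilla.twilio.com` has five, so even a wildcard under `pstn.twilio.com` could never cover a localized URI, and the only certificate that would is one issued for the localized zone itself or for the exact edge name, which is what the post 8 workaround relies on.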