Jump to content

Recommended Posts

Posted

Has anyone had any success configuring twilio trunk with TLS ? 

I am trying to configure twilio trunk with TLS over port 5061. I have Proxy address configured as below and I have enabled Secure Trunking enabled (TLS must be used to encrypt SIP messages on port 5061, and SRTP must be used to encrypt the media packets. Any non-encrypted calls will be rejected)

once configure, when dialing out I only hear white noise. 

My configuration works with udp transport on port 5060 with secure trunking disabled.  

image.thumb.png.1c109145683caa905184b7088dcb5319.png

 

any help would be appreciated. 

outbound.pcap

Posted

My guess there is a problem with the certificate:

% curl -vv https://techguysio.pstn.umatilla.twilio.com:5061
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Twilio, Inc.; CN=*.us2.twilio.com
*  start date: Feb 18 00:00:00 2021 GMT
*  expire date: Feb 22 23:59:59 2022 GMT
*  subjectAltName does not match techguysio.pstn.umatilla.twilio.com
* SSL: no alternative certificate subject name matches target host name 'techguysio.pstn.umatilla.twilio.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'techguysio.pstn.umatilla.twilio.com'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

 

Posted

You are 100% correct, the localized URIs do not have wild card certs *.pstn.umatilla.twilio.com thus failing the handshake. I used the Termination SIP URI and it worked like a charm!

Thank you!!!

I will have to work with twilio to create wild card certs for their *.pstn.umatilla.twilio.com

https://techguysio.pstn.twilio.com:5061

$ curl -vv https://techguysio.pstn.twilio.com:5061
*   Trying 54.172.60.3:5061...
* TCP_NODELAY set
* Connected to techguysio.pstn.twilio.com (54.172.60.3) port 5061 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Twilio, Inc.; CN=*.pstn.twilio.com
*  start date: Jul 27 00:00:00 2020 GMT
*  expire date: Sep 29 12:00:00 2021 GMT
*  subjectAltName: host "techguysio.pstn.twilio.com" matched cert's "*.pstn.twilio.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=Thawte RSA CA 2018
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: techguysio.pstn.twilio.com:5061
> User-Agent: curl/7.68.0

 

  • 3 weeks later...
  • 6 months later...
Posted

Update: 

Twilio will never install wildcard certs on their localized endpoints. Their stated reason and workaround:

"Twilio does not present wildcard certificates for SIP as most standards-compliant devices don’t accept them. So you may not see a certificate that matches their personalized domain name exactly. If you can configure an “outbound proxy” or route on their SIP device, you can set this to “pstn.frankfurt.twilio.com” which will match the certificate our edge presents."

This solution seems to work.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...