Linphone Android: TLS Handshake Error with Self Si

Published 2019-02-14 13:18

Question:

I'm trying to use a self-signed certificate to configure TLS in Linphone Android to be able to communicate with a FreeSWITCH SIP server. But the SSL handshake fails with the following errors:

Channel [0x9ec3c000]: SSL handshake failed : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed Cannot connect to [TLS://52.3.207.224:5061]

Can anyone please suggest what's the way forward to debug this issue? Or how can we configure a self-signed certificate in Linphone Android?

NOTE: I don't want to disable TLS server certificate verification as suggested below

[sip] verify_server_certs=0

Answer 1:

It is because a self-signed cert cannot be recognized by those third-party CAs that the official linphone app has pre-configured.

linphone uses its own root CA store list, which linphone uses to verify the server cert when it receives the cert from your sip server.

If you don't want to disable server cert verification (it's good to avoid man-in-the-middle attacks), and since there is no CA that linphone has pre-configured that can verify your cert, you must create your own CA and add it into linphone's CA list.

You can find the CA list in the linphone android source: res/raw/rootca.pem. Just add your CA into it and recompile.

I'm not familiar with linphone, but I think it is the way to go.

Some useful links:

Creating Your Own SSL Certificate Authority (and Dumping Self Signed Certs)

Using Self-Signed Certs With Android Linphone



Answer 2:

There are different solutions to this problem:

  • If you have shell access to your Linphone server, you can install a proper certificate, either buy one or (which I recommend) use a free one from Let's Encrypt

  • If that is not possible, install the self-signed certificate into your Android keystore: Download the certificate (if Linphone offers a web GUI, you can download it with Chrome in the PEM format by clicking on the lock symbol in the address bar) and put it on your SD card. Then go to Android Settings / Security / Certificate Management / Install from storage and select your file. You will probably have a permanent notification, however, that your network might be monitored.

  • If you don't want that notification and have root access, follow the previous step and move the newly added file from /data/misc/keychain/cacerts-added/ to /system/etc/security/cacerts/. Then reboot your device and the message should be gone.
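The following is an added example and is not code from either answer, nor from Linphone or FreeSWITCH. It shows the procedure from answer 1 end to end (create a private CA, issue a server certificate for the SIP host with it, append the CA to a rootca.pem-style bundle and verify the server certificate against that bundle the way a TLS client does, before and after the append) and, for the last bullet of answer 2, prints the file name Android's /system/etc/security/cacerts/ directory expects (the old-style subject hash plus ".0"). The host name sip.example.com, the scratch directory and the "Some Public CA" stand-in for the CAs already shipped in rootca.pem are assumptions; openssl must be on PATH. Before the CA is appended, `openssl verify` fails with "unable to get local issuer certificate", which is the same class of failure as the mbedTLS message quoted in the question.

```shell
#!/bin/sh
# Added example (not from the answers, not Linphone code): private CA, server
# cert, rootca.pem-style bundle check, and the Android cacerts file name.
# Assumptions: host name sip.example.com, a scratch WORKDIR, openssl on PATH.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SIP_HOST="${SIP_HOST:-sip.example.com}"   # assumed name of the FreeSWITCH host

# make_ca <stem> <CA name>: self-signed root with CA:TRUE and keyCertSign,
# written to $WORKDIR/<stem>.pem / <stem>.key. An explicit config is used so
# the result does not depend on the system openssl.cnf.
make_ca() {
  cat > "$WORKDIR/$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORKDIR/$1.cnf" -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem"
}

# issue_server_cert <ca stem>: CSR for $SIP_HOST, signed by that CA, with a
# DNS SAN (clients match the host name against the SAN, not only the CN).
issue_server_cert() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' \
    "$SIP_HOST" > "$WORKDIR/server.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORKDIR/server.cnf" \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$SIP_HOST" > "$WORKDIR/server.ext"
  openssl x509 -req -in "$WORKDIR/server.csr" \
    -CA "$WORKDIR/$1.pem" -CAkey "$WORKDIR/$1.key" -CAcreateserial \
    -days 825 -sha256 -extfile "$WORKDIR/server.ext" -out "$WORKDIR/server.pem"
}

# verify_with_bundle <cert> <bundle>: what the client does on connect: build a
# chain from <cert> to a CA in <bundle> only (-no-CApath, no system store) and
# check the host name. Returns 0 on success, non-zero otherwise.
verify_with_bundle() {
  openssl verify -no-CApath -CAfile "$2" -verify_hostname "$SIP_HOST" "$1" \
    >/dev/null 2>&1
}

# android_cacerts_name <ca cert>: Android's system store looks up CAs by
# old-style subject hash, so the file must be named <hash>.0 (e.g. 1234abcd.0).
android_cacerts_name() {
  printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash_old)"
}

demo() {
  make_ca public "Some Public CA"        # stand-in for CAs already in rootca.pem
  make_ca mine "My Private SIP CA"
  issue_server_cert mine
  cp "$WORKDIR/public.pem" "$WORKDIR/rootca.pem"   # bundle as shipped: no private CA
  if verify_with_bundle "$WORKDIR/server.pem" "$WORKDIR/rootca.pem"; then
    echo "unexpected: verified without the private CA"; return 1
  fi
  echo "before: verification failed, as in the question"
  cat "$WORKDIR/mine.pem" >> "$WORKDIR/rootca.pem"  # the fix from answer 1
  verify_with_bundle "$WORKDIR/server.pem" "$WORKDIR/rootca.pem"
  echo "after: server cert verified against rootca.pem with the private CA appended"
  echo "Android system store file name: $(android_cacerts_name "$WORKDIR/mine.pem")"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh example.sh demo`. Note that appending the CA certificate (mine.pem) rather than the server certificate is what makes the bundle work: the client needs the issuer, and the server certificate can then be rotated without rebuilding the app. Keep the CA key (mine.key) off the SIP server; only server.key and server.pem go there.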