Linphone Android: TLS communication error with self-signed certificate

I am trying to use a self-signed certificate to configure TLS in Linphone Android in order to be able to communicate with the SIP FreeSWITCH server. But the SSL handshake fails with the following errors:

Channel [0x9ec3c000]: SSL handshake failed: X509 - Certificate verification error, for example. CRL, CA, or signature verification failed. Cannot connect to [TLS://52.3.207.224:5061]

Can anyone suggest a way forward to debug this problem? Or how can we set up a self-signed certificate in Linphone Android?

NOTE: I do not want to disable TLS server certificate verification, as suggested below:

[SIP] verify_server_certs = 0

+4
2 answers

This is because a self-signed certificate cannot be recognized by the third-party CAs that are pre-configured in the official Linphone application.

Linphone uses its own root CA list, which Linphone checks the server certificate against when it receives a certificate from your SIP server.

If you do not want to disable server certificate verification (well, to avoid a man-in-the-middle attack), and since there is no CA pre-configured in Linphone that can verify your certificate, you must create your own CA and add it to the Linphone CA list.

You can find the CA list in the Linphone Android source: res/raw/rootca.pem. Just add your CA to it and recompile.

I am not familiar with Linphone, but I think this is the way to go.

Some useful links:

Create your own SSL Certificate Authority (and bootable, self-configuring certificates)

Using self-signed certificates with Android Linphone

+3
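The procedure in the answer above (create your own CA, sign the SIP server's certificate with it, append the CA to a copy of res/raw/rootca.pem, verify) as an added shell example; it is not code from the thread or from the Linphone project. The host name sip.example.com, the CA names and the file layout are assumptions, and the "stock" rootca.pem is a constructed stand-in holding one unrelated CA so that the before/after difference is visible. Note that the question connects to the server by IP address; in that case the server certificate's subjectAltName needs an IP: entry matching that address rather than the DNS: entry used here.

```shell
#!/bin/sh
# Added example (not from the original thread): build a private CA with
# openssl, issue a server certificate for the SIP host, append the CA to a
# copy of Linphone's rootca.pem and check that verification now succeeds.
# Host name, CA names and file names are assumptions for illustration.

SIP_HOST="${SIP_HOST:-sip.example.com}"   # assumed FreeSWITCH host name

# Create a self-signed root CA: $1 = output dir, $2 = CA common name
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# Issue a server certificate for host $2, signed by the CA stored in dir $1
issue_server_cert() {
    dir="$1"; host="$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    # TLS clients match the host against subjectAltName, not the CN
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# Append CA certificate $2 to trust list $1 (what the answer suggests for
# res/raw/rootca.pem before recompiling the app)
add_ca_to_rootca() {
    cat "$2" >> "$1"
}

# Print "yes" if certificate $2 chains to a CA in trust list $1, else "no"
cert_verifies() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Count the certificates in a PEM bundle
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the stock rootca.pem: one unrelated CA (constructed here)
mkdir -p "$WORK/stock"
make_ca "$WORK/stock" "Unrelated Public Root CA"
cp "$WORK/stock/ca.crt" "$WORK/rootca.pem"

# Our own CA and the SIP server certificate it signs
mkdir -p "$WORK/own"
make_ca "$WORK/own" "My SIP CA"
issue_server_cert "$WORK/own" "$SIP_HOST"

# Same situation as the error in the question: issuer not in the trust list
echo "before adding our CA: $(cert_verifies "$WORK/rootca.pem" "$WORK/own/server.crt")"
add_ca_to_rootca "$WORK/rootca.pem" "$WORK/own/ca.crt"
echo "after adding our CA:  $(cert_verifies "$WORK/rootca.pem" "$WORK/own/server.crt")"
```

Only the CA certificate (ca.crt) goes into rootca.pem; the CA key stays offline. After the append, rebuild the Linphone Android app so the new res/raw/rootca.pem ships with it, and install server.crt and server.key on the FreeSWITCH side.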

There are various solutions to this problem:

  • If you have access to the shell on your Linphone server, you can install a proper certificate: either buy one or (which I recommend) use the free Let's Encrypt.

  • If this is not possible, install the self-signed certificate in the Android keystore: download the certificate (if Linphone offers a web interface, you can download it using Chrome in PEM format by clicking on the lock symbol in the address bar) and place it on the SD card. Then go to Android Settings / Security / Certificate Management / Install from storage and select the file. However, you will likely have a persistent notification that your network may be monitored.

  • If you do not want this notification and have root access, follow the previous step and move the newly added file from /data/misc/keychain/cacerts-added/ to /system/etc/security/cacerts/. Then reboot the device and the message should disappear.

0
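The last step of the answer above moves a file out of /data/misc/keychain/cacerts-added/, which works because Android already stored it under the name the system store requires: Android looks up CAs in /system/etc/security/cacerts/ by the file name "<subject_hash_old>.0". The added shell example below (not code from the answer or from Android) computes that name for a CA certificate and stages the file under it, so the same thing can be done for a certificate that was never imported through the Settings UI. The CA subject and the local stand-in directory are assumptions; on a real device the staged file would be copied to the system partition as the answer describes.

```shell
#!/bin/sh
# Added example (not from the original answer): compute the file name the
# Android system trust store expects for a CA certificate and stage a copy
# under that name. The CA subject and directory paths are assumptions.

# Generate a throwaway CA certificate to work with (constructed input)
make_demo_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=My SIP CA" -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
}

# Print the name Android uses for certificate $1: old-style subject hash + ".0"
android_store_name() {
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash_old)"
}

# Copy certificate $1 into store directory $2 under its hash name and print
# the path written; $2 stands in for /system/etc/security/cacerts/
stage_for_system_store() {
    name="$(android_store_name "$1")"
    cp "$1" "$2/$name"
    printf '%s\n' "$2/$name"
}

WORK="${WORK:-$(mktemp -d)}"
mkdir -p "$WORK/cacerts"            # local stand-in for the system store
make_demo_ca "$WORK"
STAGED="$(stage_for_system_store "$WORK/ca.crt" "$WORK/cacerts")"
echo "staged as: $STAGED"
```

The hash depends only on the certificate's subject name, so the same CA always gets the same file name; if a file with that name already exists in the store, Android is already trusting a CA with that subject. After copying the staged file onto the device and rebooting, the "network may be monitored" notification goes away because the CA is now a system rather than a user certificate.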
