4

I'm trying to use a self-signed certificate to configure TLS in Linphone Android to be able to communicate with a FreeSWITCH SIP server. But the SSL handshake fails with the following errors:

Channel [0x9ec3c000]: SSL handshake failed : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed Cannot connect to [TLS://52.3.207.224:5061]

Can anyone please suggest the way forward to debug this issue? Or how can we configure a self-signed certificate in Linphone Android?

NOTE: I don't want to disable TLS server certificate verification as suggested below

[sip] verify_server_certs=0

user3160460
  • 43
  • 2
  • 7

2 Answers

5

It is because a self-signed cert cannot be recognized by the third-party CAs that the official linphone app has pre-configured.

linphone uses its own root CA store list, against which the server cert is verified when linphone receives the cert from your SIP server.

If you don't want to disable server cert verification (it's good to avoid man-in-the-middle attacks), and since there is no CA that linphone pre-configured that can verify your cert, you must create your own CA and add it into linphone's CA list.

You can find the CA list in the linphone android source: res/raw/rootca.pem. Just add your CA into it and recompile.

I'm not familiar with linphone, but I think it is the way to go.

Some useful links:

Creating Your Own SSL Certificate Authority (and Dumping Self Signed Certs)

Using Self-Signed Certs With Android Linphone

zxcpoiu
  • 316
  • 3
  • 6
  • This looks good but adding the CA in rootca.pem is not working. An x509 handshake error is generated on the device. Any help from the linphone team (since they have such a poor community) or someone else would be highly appreciated. – Farhan Nov 09 '16 at 08:23
  • Finally it worked. The problem was in generating the certificates, and it registered after adding the CA cert in rootca.pem. But now, to achieve full authentication, how to configure linphone for client certificate verification also? – Farhan Jan 04 '17 at 11:08
  • ^ The above also worked; there is a setting in the linphonerc file where we can tell where the certs are, and it worked like a charm.. :) – Farhan Jan 23 '17 at 11:35
  • Hello, do you know how to disable TLS certificate verification from the Android app? – user987760 Aug 06 '19 at 15:12
  • @Farhan, can you please give details about how you resolved the x509 handshake error that is generated on the device? – Shiv Buyya Feb 25 '22 at 11:54
  • @ShivBuyya I do not recall completely, but as per my comments from 2017: "Problem was in generating the certificates". My suggestion would be to delete the certs and regenerate from step 1. – Farhan Mar 16 '22 at 16:23
1

There are different solutions to this problem:

  • If you have shell access to your Linphone server, you can install a proper certificate: either buy one or (which I recommend) use a free one from Let's Encrypt.

  • If that is not possible, install the self-signed certificate into your Android keystore: download the certificate (if Linphone offers a web GUI, you can download it with Chrome in PEM format by clicking on the lock symbol in the address bar) and put it on your SD card. Then go to Android Settings / Security / Certificate Management / Install from storage and select your file. You will probably have a permanent notification, however, that your network might be monitored.

  • If you don't want that notification and have root access, follow the previous step and move the newly added file from /data/misc/keychain/cacerts-added/ to /system/etc/security/cacerts/. Then reboot your device and the message should be gone.

Force
  • 6,312
  • 7
  • 54
  • 85