Yealink T46s PJSIP Cipher Issues

Posted by Michael Palmer on Wednesday, December 13, 2023

I’ve been having a lot of issues with older Yealink phones not working with PJSIP and TLS. I keep getting busy and end up taking the lazy (and less secure) road, setting old broken endpoints to use UDP instead. You can also downgrade the extension to SIP and sometimes TLS will work, but moving it to PJSIP just breaks it. For security’s sake, please put your phones behind a VPN if you’re going to register without TLS. I happen to be spending more time at the office lately and wanted to take my spare T46s up there to use, since I was on a Polycom VVX 310 or something (I can’t stand Polycom, I don’t know why). When I moved my T46s over from home to the office, I had some free time and decided to fix it.

T46s Ciphers

After I moved my T46s phone to the office, I decided to use TLS again, and IPv6 (at home, I have a VPN to the colo, and my phones ride that, so using UDP was not a super big issue). I manually edited my phone and changed it to TLS. As soon as I changed the config, I noticed it was showing “register failed”. Checking on the server, I get an error message spamming the log pretty much every few seconds:

WARNING[17529] pjproject: SSL SSL_ERROR_SSL (Read): Level: 0 err: <218910881> len: 65535 peer:
WARNING[19805] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> len: 0 peer:

Well that’s not good. What the heck!

Yealink forums, FreePBX forums, and even Reddit had plenty of people asking about this error, but it seems like nobody was able to solve it. Lots of people were blaming Let’s Encrypt/Certbot, other people blaming their cert provider, or the fact that a while ago Yealink had an issue with expiring root certs that were bundled with Let’s Encrypt certs. But nobody seemed to have a fix for it. I did find someone having issues with ciphers in a 3CX post, which gave me the idea: it must be something I can fix, I just have to figure out how to force Asterisk to only allow certain ciphers.

I decided, well, it must be the fact that the algorithms in this Yealink were not the same as on the system, so I dug in to find out.
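The two err: numbers in the log above are packed OpenSSL error codes, and unpacking them shows what each TLS operation actually failed on. The script below is an added example, not part of the original post; it assumes the lib/func/reason packing used by OpenSSL releases before 3.0, and the function names and the two-entry reason table are this example's own.

```shell
#!/bin/sh
# Added example: decode the "err: <N>" numbers pjproject logs for TLS failures.
# Assumption: pre-3.0 OpenSSL packing, lib (8 bits) | func (12 bits) | reason (12 bits).

# The two log lines from the post (the peer value was not shown there).
SAMPLE_LOG='WARNING[17529] pjproject: SSL SSL_ERROR_SSL (Read): Level: 0 err: <218910881> len: 65535 peer:
WARNING[19805] pjproject: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <336109761> len: 0 peer:'

# Decimal error number -> 8-digit hex, the form "openssl errstr" takes.
err_hex() { printf '%08X' "$1"; }

# Unpack one error number into "lib func reason" (decimal fields).
err_fields() {
  echo "$(( ($1 >> 24) & 255 )) $(( ($1 >> 12) & 4095 )) $(( $1 & 4095 ))"
}

# Text for the lib:reason pairs seen in this log; anything else is left to openssl.
# Arguments: lib, reason, original decimal number.
err_reason() {
  case "$1:$2" in
    20:193) echo "SSL: no shared cipher" ;;
    13:161) echo "ASN1: unknown message digest algorithm" ;;
    *)      echo "not in table (try: openssl errstr $(err_hex "$3"))" ;;
  esac
}

# Read log text on stdin; print "phase hex reason" once per distinct error,
# since the same warning repeats every few seconds.
decode_log() {
  sed -n 's/.*SSL_ERROR_SSL (\([A-Za-z]*\)).* err: <\([0-9][0-9]*\)>.*/\1 \2/p' |
  sort -u |
  while read -r phase num; do
    set -- $(err_fields "$num")          # $1=lib $2=func $3=reason
    echo "$phase $(err_hex "$num") $(err_reason "$1" "$3" "$num")"
  done
}

printf '%s\n' "$SAMPLE_LOG" | decode_log
```

Piping the Asterisk log into decode_log gives one line per distinct error; for a code the table does not cover, openssl errstr with the hex value prints the library's own text on a pre-3.0 OpenSSL.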

Getting it working

You can start by making sure your PBX has the cipher you want to use:

openssl ciphers -v 'ALL' | grep 'TLSv1'

I’m not sure if this is the right one, but for ease of use, I picked the easy one, AES128-SHA256.

I decided not to break any of my current phones, so I created a new transport on a different port, just for these broken phones.

Edit your /etc/asterisk/pjsip.transports_custom.conf file.
Link your Let’s Encrypt certs; you can find them in /etc/asterisk/keys.

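; Separate TLS transport on its own port, used only by the phones that fail on the main one
[cipherfix-tls]
type=transport
protocol=tls
bind=0.0.0.0:5069
ca_list_file=/etc/asterisk/keys/wee-pbx-are-cool.com-ca-bundle.crt
cert_file=/etc/asterisk/keys/wee-pbx-are-cool.com.pem
priv_key_file=/etc/asterisk/keys/wee-pbx-are-cool.com.key
; Pin the protocol version and the single cipher picked above
; (AES128-SHA256 is RSA key exchange with AES-128-CBC, so no forward secrecy)
method=tlsv1_2
cipher=AES128-SHA256
; No certificate verification in either direction on this transport
verify_client=no
verify_server=no
allow_reload=no
; QoS markings for SIP signalling
tos=cs3
cos=3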

Save this. Do a full fwconsole restart.

All done. It worked!

After the reload, I changed my T46s to use the SIP bind port above, and BAM, registration. No errors in the logs, phone works after reboot. Phone works after system restart too. Looks like we’ve fixed it. Hopefully this helps anyone out there searching for the same issue I had. It was a pain. I might have some older T23g and T27g out in the field that could be having the same issue. When I get around to it, I’ll work on that customer and see if I can resolve it for those models using the above method. I’ll update this post if I do!

Merry Christmas Everyone!

