M900 not registering at PJSIP via TLS

We just noticed that the REGISTER calls from the Snom M900 do not contain "Authorization" lines as the messages from our other working phones and the 401 response from the PBX is prepended by 16 unprintable characters <0x0f>.

Where can these come from? Is there a bug in the TLS implementation? Are these bogus characters eventually preventing the M900 from parsing the PBX response and sending the auth data?

Hi,

have you setup registrar and outbound proxy on port 5061?

I tried adding :5061 to the server names. It does not make a difference, unfortunately.

Hi, I have run some tests and the registration via TLS works smoothly, but I used another PBX, I will create a new virtual machine with FreePBX instance in next days. Try setting the logs at the Debug level and see if there is any error.

Our server is a VM running on a root server. The root server has a fixed IPv4 address and the VM is accessible via DNAT. We are running Asterisk 18.8.0 with pjsip and the following pjsip.conf (relevant parts only):

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0
external_media_address=tel.ourdomain.de
external_signaling_address=tel.ourdomain.de
external_signaling_port=5061
cert_file=/etc/ssl/private/ourdomain.de.asterisk.2021.crt
priv_key_file=/etc/ssl/private/ourdomain.de.asterisk.2021.key
ca_list_file=/etc/ssl/private/ourdomain.de.asterisk.2021.ca
ca_list_path=/etc/ssl/certs

[endpoint-common](!)
type=endpoint
dtmf_mode = auto
disallow = all
allow = g722,alaw,gsm
rtp_symmetric = yes
force_rport = yes
rewrite_contact = yes
direct_media = no
media_encryption = sdes
inband_progress = yes
language = de
rtp_ipv6=true
sdp_session=OurName
call_group = 1
pickup_group = 1
context = xy
subscribe_context = xy

[aor-single-reg](!)
type=aor
max_contacts=1
voicemail_extension=vm

[auth-common](!)
type=auth
auth_type=userpass
realm=tel.ourdomain.de

[usernamedect](aor-single-reg)

[usernamedect](auth-common)
username=usernamedect
password=xyz12345

[usernamedect](endpoint-common)
callerid=username <username>
mailboxes=username
auth=usernamedect
outbound_auth=usernamedect
aors=usernamedect

Here the configuration of the M900. We tried changing a lot of the settings without success. It worked before using the old Asterisk SIP stack:

<?xml version="1.0" encoding="UTF-8"?>
<settings>
<global>
<!-- <ac_code>**********</ac_code> -->
<country_region_id>0</country_region_id>
<tone_scheme>GER</tone_scheme>
<dialplan_enabled>off</dialplan_enabled>
<dialplan_maxlength>0</dialplan_maxlength>
<dialplan_prefix></dialplan_prefix>
<dst_by_country_region>on</dst_by_country_region>
<dst_enable>auto</dst_enable>
<dst_fixed_day_enable>on</dst_fixed_day_enable>
<dst_start_date>0</dst_start_date>
<dst_start_day_of_week>1</dst_start_day_of_week>
<dst_start_month>3</dst_start_month>
<dst_start_time>2</dst_start_time>
<dst_start_wday_last_in_month>5</dst_start_wday_last_in_month>
<dst_stop_date>0</dst_stop_date>
<dst_stop_day_of_week>1</dst_stop_day_of_week>
<dst_stop_month>10</dst_stop_month>
<dst_stop_time>3</dst_stop_time>
<dst_stop_wday_last_in_month>5</dst_stop_wday_last_in_month>
<timezone></timezone>
<language></language>
<web_language>Deutsch</web_language>
<max_jittbuf_depth>7</max_jittbuf_depth>
<min_jittbuf_depth>2</min_jittbuf_depth>
<number_of_base_stations>50</number_of_base_stations>
<timezone_by_country_region>on</timezone_by_country_region>
<auto_dect_register>on</auto_dect_register>
<auto_resync_days>0</auto_resync_days>
<auto_resync_max_delay>15</auto_resync_max_delay>
<auto_resync_period>0</auto_resync_period>
<auto_resync_polling>disabled</auto_resync_polling>
<auto_resync_time>0</auto_resync_time>
<central_dir_lookup_disable>off</central_dir_lookup_disable>
<tls_server_authentication>off</tls_server_authentication>
<custom_location_identifier></custom_location_identifier>
<eth_driver_initialize>off</eth_driver_initialize>
<fwu_tftp_server_image_path></fwu_tftp_server_image_path>
<text_msg_terminal_auto_stop_allow>off</text_msg_terminal_auto_stop_allow>
<text_msg_terminal_auto_stop_delay>30</text_msg_terminal_auto_stop_delay>
<text_msg_terminal_keep_alive>0</text_msg_terminal_keep_alive>
<ldap_username></ldap_username>
<ldap_search_filter></ldap_search_filter>
<ldap_home_number>homePhone</ldap_home_number>
<ldap_mobile_number>mobile</ldap_mobile_number>
<ldap_work_number>telephoneNumber</ldap_work_number>
<ldap_name_attributes>cn</ldap_name_attributes>
<ldap_number_attributes>telephoneNumber mobile homePhone</ldap_number_attributes>
<!-- <ldap_password>**********</ldap_password> -->
<ldap_port></ldap_port>
<ldap_base></ldap_base>
<ldap_server></ldap_server>
<ldap_sort_attribute>255</ldap_sort_attribute>
<ldap_tls>off</ldap_tls>
<ldap_use_ext_nbr_to_ldap_bind>disabled</ldap_use_ext_nbr_to_ldap_bind>
<ldap_virtual_lists>on</ldap_virtual_lists>
<lldp_enable>off</lldp_enable>
<http_user>admin</http_user>
<!-- <http_pass>**********</http_pass> -->
<secure_web>off</secure_web>
<phone_name>Our M900</phone_name>
<log_last_config>disabled</log_last_config>
<!-- <http_client_password>**********</http_client_password> -->
<management_transfer_protocol>http</management_transfer_protocol>
<management_upload_script>/CfgUpload</management_upload_script>
<http_client_user></http_client_user>
<mdns_support>off</mdns_support>
<setting_server></setting_server>
<network_sntp_broadcast_enable>on</network_sntp_broadcast_enable>
<ntp_server>de.pool.ntp.org</ntp_server>
<ntp_refresh_timer>3600</ntp_refresh_timer>
<stun_server>stun.dus.net</stun_server>
<vlan_id>0</vlan_id>
<network_vlan_synchronization>on</network_vlan_synchronization>
<vlan_qos>0</vlan_qos>
<dhcp_option_pnp>on</dhcp_option_pnp>
<dhcp>on</dhcp>
<dns_server1>0.0.0.0</dns_server1>
<dns_server2>0.0.0.0</dns_server2>
<gateway>0.0.0.0</gateway>
<ip_adr>0.0.0.0</ip_adr>
<netmask>255.255.255.0</netmask>
<phonebook_filename></phonebook_filename>
<phonebook_location></phonebook_location>
<phonebook_reload_time>0</phonebook_reload_time>
<phonebook_server_location>0</phonebook_server_location>
<repeater_legacy_support>on</repeater_legacy_support>
<rsx_trace_internal>disabled</rsx_trace_internal>
<rtp_collision_control>off</rtp_collision_control>
<sip_check_sync_always_reboot>off</sip_check_sync_always_reboot>
<sip_conf_key_dtmf_string></sip_conf_key_dtmf_string>
<network_failover_sip_timer_reconnect>60</network_failover_sip_timer_reconnect>
<pnp_config>on</pnp_config>
<enable_rport_rfc3581>off</enable_rport_rfc3581>
<rtp_port_start>50004</rtp_port_start>
<rtp_port_end>50257</rtp_port_end>
<codec_tos>160</codec_tos>
<sip_r_key_dtmf_string></sip_r_key_dtmf_string>
<network_id_port>5061</network_id_port>
<signaling_tos>160</signaling_tos>
<sip_stun_bindtime_determine>on</sip_stun_bindtime_determine>
<sip_stun_bindtime_guard>80</sip_stun_bindtime_guard>
<stun_binding_interval>90</stun_binding_interval>
<network_failover_sip_timer_b>5</network_failover_sip_timer_b>
<network_failover_sip_timer_f>5</network_failover_sip_timer_f>
<sip_use_different_ports>off</sip_use_different_ports>
<srv_xsi_caller_id_blocking>disabled</srv_xsi_caller_id_blocking>
<log_level>6</log_level>
<syslog_server></syslog_server>
<syslog_server_port>514</syslog_server_port>
<syslog_tls>off</syslog_tls>
<text_msg_keep_alive>30</text_msg_keep_alive>
<text_msg_mode>disabled</text_msg_mode>
<text_msg_port>1300</text_msg_port>
<text_msg_responce_time>30</text_msg_responce_time>
<text_msg_server></text_msg_server>
<text_msg_ttl>0</text_msg_ttl>
<voip_sip_auto_upload>off</voip_sip_auto_upload>
<web_inputs_allowed>on</web_inputs_allowed>
<xml_minibrowser_add_info_to_url>0</xml_minibrowser_add_info_to_url>
<xsi_contacts_enterprise>Enterprise</xsi_contacts_enterprise>
<xsi_contacts_enterprise_common>Enterprisecommon</xsi_contacts_enterprise_common>
<xsi_contacts_enterprise_common_enable>on</xsi_contacts_enterprise_common_enable>
<xsi_contacts_enterprise_enable>on</xsi_contacts_enterprise_enable>
<xsi_contacts_group>Group</xsi_contacts_group>
<xsi_contacts_group_common>Groupcommon</xsi_contacts_group_common>
<xsi_contacts_group_common_enable>on</xsi_contacts_group_common_enable>
<xsi_contacts_group_enable>on</xsi_contacts_group_enable>
<xsi_contacts_personal>Personal</xsi_contacts_personal>
<xsi_contacts_personal_enable>off</xsi_contacts_personal_enable>
<xsi_server></xsi_server>
</global>
<server>
<srv_att_transfer_2nd_call_on_hold idx="1">on</srv_att_transfer_2nd_call_on_hold>
<srv_broadsoft_calllog_enable idx="1">off</srv_broadsoft_calllog_enable>
<srv_broadsoft_calllog_server_addr idx="1"></srv_broadsoft_calllog_server_addr>
<srv_bw_directed_call_pickup_code idx="1"></srv_bw_directed_call_pickup_code>
<srv_bw_directed_call_pickup_enable idx="1">off</srv_bw_directed_call_pickup_enable>
<srv_bw_group_call_pickup_code idx="1"></srv_bw_group_call_pickup_code>
<srv_bw_group_call_pickup_enable idx="1">off</srv_bw_group_call_pickup_enable>
<srv_client_initiated_connections_enable idx="1">off</srv_client_initiated_connections_enable>
<dial_plan_subscription idx="1">2</dial_plan_subscription>
<srv_dtmf_payload_type idx="1">101</srv_dtmf_payload_type>
<user_dtmf_info idx="1">off</user_dtmf_info>
<srv_failover_sip_deregister_after_failback idx="1">disabled</srv_failover_sip_deregister_after_failback>
<MediasSec_Over_TLS_Only idx="1">disabled</MediasSec_Over_TLS_Only>
<MediaSec_Request idx="1">enabled</MediaSec_Request>
<alert_info_playback idx="1">on</alert_info_playback>
<user_srtp idx="1">enabled</user_srtp>
<semi_attend_transfer idx="1">enabled</semi_attend_transfer>
<srv_sip_cli_mode idx="1">0</srv_sip_cli_mode>
<srv_sip_enable_blind_transfer idx="1">on</srv_sip_enable_blind_transfer>
<timer_support idx="1">on</timer_support>
<user_hold_inactive idx="1">off</user_hold_inactive>
<keepalive_interval idx="1">on</keepalive_interval>
<user_moh idx="1"></user_moh>
<srv_sip_rtp_base_equal idx="1">disabled</srv_sip_rtp_base_equal>
<codec_size idx="1">20</codec_size>
<srv_sip_server_alias idx="1">OurServer</srv_sip_server_alias>
<session_timer idx="1">600</session_timer>
<srv_sip_show_ext_name_in_hs idx="1">off</srv_sip_show_ext_name_in_hs>
<srv_sip_signal_tcp_port idx="1">on</srv_sip_signal_tcp_port>
<srv_sip_transport idx="1">tls</srv_sip_transport>
<codec_priority_list idx="1">pcmu, pcma, g726, g722</codec_priority_list>
<conferencing idx="1"></conferencing>
<user_host idx="1">tel.ourdomain.de:5061</user_host>
<user_outbound idx="1">tel.ourdomain.de:5061</user_outbound>
<user_expiry idx="1">600</user_expiry>
<srv_sip_ua_data_server_nat_adaption idx="1">disabled</srv_sip_ua_data_server_nat_adaption>
<srv_sip_use_one_tcp_conn_per_ext idx="1">off</srv_sip_use_one_tcp_conn_per_ext>
<user_full_sdp_answer idx="1">off</user_full_sdp_answer>
<srv_srtp_auth idx="1">on</srv_srtp_auth>
<user_auth_tag idx="1">both</user_auth_tag>
<srv_use_sip_for_xsi_login idx="1">off</srv_use_sip_for_xsi_login>
</server>
<extension>
<!-- <subscr_dect_ac_code idx="2">**********</subscr_dect_ac_code> -->
<subscr_dect_ipui idx="2">0x0328D72B50</subscr_dect_ipui>
<push_to_talk idx="2">off</push_to_talk>
<subscr_sip_hs_idx idx="2">2</subscr_sip_hs_idx>
<subscr_sip_line_name idx="2">OurName</subscr_sip_line_name>
<!-- <subscr_sip_pincode_dialout idx="2">**********</subscr_sip_pincode_dialout> -->
<user_pname idx="2">usernamedect</user_pname>
<!-- <user_pass idx="2">**********</user_pass> -->
<dfks idx="2">off</dfks>
<user_shared_line idx="2">off</user_shared_line>
<call_waiting idx="2">on</call_waiting>
<user_active idx="2">on</user_active>
<fwd_busy_enabled idx="2">off</fwd_busy_enabled>
<fwd_time_enabled idx="2">off</fwd_time_enabled>
<fwd_all_enabled idx="2">off</fwd_all_enabled>
<fwd_busy_target idx="2"></fwd_busy_target>
<fwd_time_target idx="2"></fwd_time_target>
<fwd_all_target idx="2"></fwd_all_target>
<fwd_time_secs idx="2">5</fwd_time_secs>
<subscr_sip_ua_data_server_id idx="2">1</subscr_sip_ua_data_server_id>
<user_name idx="2">usernamedect</user_name>
<user_mailbox idx="2">vm</user_mailbox>
<user_mailnumber idx="2"></user_mailnumber>
<subscr_sip_ua_pref_outg_sip_id idx="2"></subscr_sip_ua_pref_outg_sip_id>
<subscr_sip_ua_use_base idx="2">255</subscr_sip_ua_use_base>
<subscr_ua_data_bw_blf_reslist_uri idx="2"></subscr_ua_data_bw_blf_reslist_uri>
<user_shared_line_mapping idx="2">65535, 65535, 65535, 65535, 65535, 65535, 65535, 65535</user_shared_line_mapping>
<user_realname idx="2">User Name</user_realname>
<subscr_ua_data_emergency_line idx="2">65535</subscr_ua_data_emergency_line>
<subscr_ua_data_emergency_number idx="2"></subscr_ua_data_emergency_number>
<subscr_ua_data_emergency_profiles idx="2">00000000</subscr_ua_data_emergency_profiles>
<xsi_auth_user idx="2"></xsi_auth_user>
<xsi_auth_pass idx="2">**********</xsi_auth_pass>
</extension>
<repeater>
</repeater>
<multicell>
<e911_solution_configured>0</e911_solution_configured>
<Ieee1588_Enabled>disabled</Ieee1588_Enabled>
<Ieee1588_External_Multicast_Alt_Domain>0</Ieee1588_External_Multicast_Alt_Domain>
<Ieee1588_External_Multicast_Domain>0</Ieee1588_External_Multicast_Domain>
<Ieee1588_External_Multicast_Ip>224.0.1.129</Ieee1588_External_Multicast_Ip>
<Ieee1588_External_Multicast_Port>319</Ieee1588_External_Multicast_Port>
<Ieee1588_External_Sync_Enabled>0</Ieee1588_External_Sync_Enabled>
<Ieee1588_Zone_Multicast_Alt_Domain>0</Ieee1588_Zone_Multicast_Alt_Domain>
<Ieee1588_Zone_Multicast_Domain>0</Ieee1588_Zone_Multicast_Domain>
<Ieee1588_Zone_Multicast_Ip>224.0.1.129</Ieee1588_Zone_Multicast_Ip>
<Ieee1588_Zone_Multicast_Port>319</Ieee1588_Zone_Multicast_Port>
<Ieee1588_Zone_Role>3</Ieee1588_Zone_Role>
<network_allow_multi_primary>off</network_allow_multi_primary>
<network_auto_multi_primary>off</network_auto_multi_primary>
<network_dect_auto_sync_tree_config>on</network_dect_auto_sync_tree_config>
<network_roaming_deregister>off</network_roaming_deregister>
<network_sync_chain_id>512</network_sync_chain_id>
<network_sync_data_transport>multicast</network_sync_data_transport>
<network_sync_debug_enable>0</network_sync_debug_enable>
<network_sync_enable>off</network_sync_enable>
<network_sync_max_sip_reg_per_base>8</network_sync_max_sip_reg_per_base>
<network_sync_primary_static_ip>0.0.0.0</network_sync_primary_static_ip>
<network_sync_time>60</network_sync_time>
</multicell>
<device-type>
<pp_menu_hide_cfb type="M70">off</pp_menu_hide_cfb>
<pp_menu_hide_cfna type="M70">off</pp_menu_hide_cfna>
<pp_menu_hide_cfu type="M70">off</pp_menu_hide_cfu>
<pp_menu_hide_dnd type="M70">off</pp_menu_hide_dnd>
<pp_menu_hide_hide_number type="M70">off</pp_menu_hide_hide_number>
<pp_menu_hide_silent type="M70">off</pp_menu_hide_silent>
</device-type>
<firmware-settings>
<fp_fwu_branch_version>7</fp_fwu_branch_version>
<fp_fwu_sw_version>530</fp_fwu_sw_version>
<firmware></firmware>
<pp_fwu_branch_version type="M70">7</pp_fwu_branch_version>
<pp_fwu_sw_version type="M70">530</pp_fwu_sw_version>
</firmware-settings>
</settings>

Do you have an idea what could be the reason for this behaviour?

Adding

method=tlsv1_2

to the PJSIP transport finally solved the issue. It seems that by default the method was set to "no ecryption at all" by Asterisk/PJSIP/Openssl which was rejected by the Snom base without proper error message.