tls: connect: error #2119

Closed
AlfredoCubitos opened this issue Sep 10, 2022 · 29 comments

@AlfredoCubitos

Hi,
I'm trying to run baresip on Armbian 22.05.3 Bullseye and I always receive this error when connecting to my VoIP provider:

tls: connect: error (r=-1, ssl_err=1)
tls: connect: error (r=-1, ssl_err=1)
tls: connect: error (r=-1, ssl_err=1)
reg: sip:xxxx@<myProvider.com> (prio 0): Register: Protocol error [71]

I tried version 1.0 and I compiled the current version 2.7.0.
Always the same error.

When I try it on my Linux box with the same account and config, everything works fine.
Any ideas what's wrong?

@alfredh
Collaborator

alfredh commented Sep 15, 2022

  1. please test with a tool like openssl or curl from the same box to the same Provider

  2. can you please include full log and config, and also a Wireshark trace ?

More details here:

https://github.com/baresip/baresip/wiki/Guidelines-for-reporting-Issues

@alfredh
Collaborator

alfredh commented Sep 15, 2022

note:

https://github.com/baresip/re/blob/main/src/tls/openssl/tls_tcp.c#L146

We could add a call to tls_flush_error() here, then we could see the OpenSSL error stack.

@AlfredoCubitos
Author

I would appreciate it if you could add this call. :-)
This could help me to find out what is going wrong.
The -v option does not throw any hint.

@alfredh
Collaborator

alfredh commented Sep 24, 2022

could you also try with Wireshark and look for any TLS errors ?

The code in tls_tcp should be easy to change, just look at tls_accept for an example.

@alfredh
Collaborator

alfredh commented Sep 29, 2022

hi, any updates here ?

@AlfredoCubitos
Author

currently not. I keep trying.

@AlfredoCubitos
Author

Now I got 2 data sets, captured with tcpdump

  1. the tls handshake: sudo tcpdump -i eth0 -nn -X "(tcp[((tcp[12] & 0xf0) >>2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >>2)+9] = 0x03) && (tcp[((tcp[12] & 0xf0) >>2)+10] = 0x03)" -w siphandshake.pcap
  2. the tls error with: sudo tcpdump -i eth0 -nn -X " (tcp[((tcp[12] & 0xf0) >>2)] = 0x15) || (tcp[((tcp[12] & 0xf0) >>2)] = 0x21) || (tcp[((tcp[12] & 0xf0) >>2)] = 0x71)" -w siperror.pcap
  3. got no data with: sudo tcpdump -i eth0 -nn -X " (tcp[((tcp[12] & 0xf0) >>2)] = 0x17) && (tcp[((tcp[12] & 0xf0) >>2)+1] = 0x03) && (tcp[((tcp[12] & 0xf0) >>2)+2] = 0x03)" -w sipappdata.pcap

I attached the two captured files, hope that helps.
siperror.zip

@alfredh
Collaborator

alfredh commented Sep 30, 2022

The Wireshark trace did not reveal any details...

Can you please test if TLS works from your client:

$ openssl s_client -connect sip.domain.com:5061

Also please share with us the full config file and the full log.

NOTE: If TLS does not work, you can try TCP by adding this to accounts:

;transport=tcp

@AlfredoCubitos
Author

with the first command I get this:

CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
verify return:1
depth=1 C = DE, O = T-Systems International GmbH, OU = T-Systems Trust Center, ST = Nordrhein Westfalen, postalCode = 57250, L = Netphen, street = Untere Industriestr. 20, CN = TeleSec ServerPass Class 2 CA
verify return:1
depth=0 C = DE, O = Deutsche Telekom AG, ST = Hessen, L = Darmstadt, CN = tel.t-online.de
verify return:1
3069165584:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2157:
---
Certificate chain
 0 s:C = DE, O = Deutsche Telekom AG, ST = Hessen, L = Darmstadt, CN = tel.t-online.de
   i:C = DE, O = T-Systems International GmbH, OU = T-Systems Trust Center, ST = Nordrhein Westfalen, postalCode = 57250, L = Netphen, street = Untere Industriestr. 20, CN = TeleSec ServerPass Class 2 CA
 1 s:C = DE, O = T-Systems International GmbH, OU = T-Systems Trust Center, ST = Nordrhein Westfalen, postalCode = 57250, L = Netphen, street = Untere Industriestr. 20, CN = TeleSec ServerPass Class 2 CA
   i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
---
Server certificate
subject=C = DE, O = Deutsche Telekom AG, ST = Hessen, L = Darmstadt, CN = tel.t-online.de

issuer=C = DE, O = T-Systems International GmbH, OU = T-Systems Trust Center, ST = Nordrhein Westfalen, postalCode = 57250, L = Netphen, street = Untere Industriestr. 20, CN = TeleSec ServerPass Class 2 CA

---
No client certificate CA names sent
---
SSL handshake has read 4846 bytes and written 290 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: DC92AD8B5AB610E10F760595E7D1D3E8CC33C062AED844EE682EE81CE62997A3
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1664530223
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

The second hint doesn't work either :-(

@AlfredoCubitos
Author

Well, I tried it with a different account on a different provider, which seems to work.
xxxx@sipgate.de: (prio 0) {0/UDP/v4} 200 OK () [1 binding]
But I didn't get an "All 1 useragent registered successfully! (306 ms)" message, is that correct?

@AlfredoCubitos
Author

I found out that baresip is using fewer libraries on my Linux box than on Armbian:

Armbian

ldd /usr/local/bin/baresip
        linux-vdso.so.1 (0xbee1b000)
        libre.so.9 => /usr/local/lib/libre.so.9 (0xb6e9f000)
        libpthread.so.0 => /lib/arm-linux-gnueabihf/libpthread.so.0 (0xb6e79000)
        librem.so.3 => /usr/local/lib/librem.so.3 (0xb6e5d000)
        libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0xb6d5e000)
        libdl.so.2 => /lib/arm-linux-gnueabihf/libdl.so.2 (0xb6d4b000)
        libssl.so.1.1 => /lib/arm-linux-gnueabihf/libssl.so.1.1 (0xb6ce5000)
        libcrypto.so.1.1 => /lib/arm-linux-gnueabihf/libcrypto.so.1.1 (0xb6b29000)
        libz.so.1 => /lib/arm-linux-gnueabihf/libz.so.1 (0xb6b06000)
        /lib/ld-linux-armhf.so.3 (0xb6f64000)
        libm.so.6 => /lib/arm-linux-gnueabihf/libm.so.6 (0xb6a9e000)

OpenSuse

ldd /usr/bin/baresip 
        linux-vdso.so.1 (0x00007ffca011e000)
        libre.so.7 => /lib64/libre.so.7 (0x00007f3f345a1000)
        librem.so.3 => /lib64/librem.so.3 (0x00007f3f3458e000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f3f34394000)
        libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f3f342f1000)
        libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f3f33fba000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f3f33f9c000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f3f33eb8000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f3f346a9000)

@AlfredoCubitos
Author

I made a new full tcpdump and I found the following error:

12	0.261713	217.0.21.67	192.168.0.47	TLSv1.2	553	Server Key Exchange, Server Hello Done
13	0.261944	192.168.0.47	217.0.21.67	TCP	54	33188 → 5061 [ACK] Seq=308 Ack=4856 Win=64128 Len=0
14	0.261714	217.0.21.67	192.168.0.47	TCP	553	[TCP Spurious Retransmission] 5061 → 33188 [PSH, ACK] Seq=4357 Ack=308 Win=16384 Len=499
15	0.262081	192.168.0.47	217.0.21.67	TCP	54	[TCP Dup ACK 13#1] 33188 → 5061 [ACK] Seq=308 Ack=4856 Win=64128 Len=0
16	0.262408	192.168.0.47	217.0.21.67	TLSv1.2	61	Alert (Level: Fatal, Description: Handshake Failure)

hope that helps finally

@alfredh
Collaborator

alfredh commented Oct 1, 2022

The error is coming from the client, and does not reveal any details.

I would suggest adding the debug code to tls_connect and try to see what is going on.

@alfredh
Collaborator

alfredh commented Oct 8, 2022

can you please try this patch for re:

diff --git a/src/tls/openssl/tls_tcp.c b/src/tls/openssl/tls_tcp.c
index c3071ce..410d68a 100644
--- a/src/tls/openssl/tls_tcp.c
+++ b/src/tls/openssl/tls_tcp.c
@@ -140,15 +140,17 @@ static int tls_connect(struct tls_conn *tc)
 
        ERR_clear_error();
 
-       if (tls_get_session_reuse(tc))
+       if (tls_get_session_reuse(tc)) {
+               DEBUG_NOTICE("tls_reuse_session\n");
                (void) tls_reuse_session(tc);
+       }
+
+       ERR_clear_error();
 
        r = SSL_connect(tc->ssl);
        if (r <= 0) {
                const int ssl_err = SSL_get_error(tc->ssl, r);
 
-               ERR_clear_error();
-
                switch (ssl_err) {
 
                case SSL_ERROR_WANT_READ:
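
Review bot: ERR_clear_error() now runs twice before SSL_connect() in tls_connect(), once on the unchanged context line above the session-reuse check and again on the added line after it. If the second call is there to discard errors queued by tls_reuse_session(), whose return value is cast to void, keep only that one and say so in a comment; otherwise the added call is redundant. The DEBUG_NOTICE("tls_reuse_session\n") line looks like investigation-only output and should be dropped before this is merged.
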
@@ -157,9 +159,12 @@ static int tls_connect(struct tls_conn *tc)
                default:
                        DEBUG_WARNING("connect: error (r=%d, ssl_err=%d)\n",
                                      r, ssl_err);
+                       tls_flush_error();
                        err = EPROTO;
                        break;
                }
+
+               ERR_clear_error();
        }
 
        return err;
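
Review bot: tls_flush_error() in the default: branch only has something to print because ERR_clear_error() was moved from directly after SSL_get_error() to below the switch, and nothing in the code records that dependency. Add a one-line comment at the relocated ERR_clear_error() stating that the error queue must survive until the flush, so a later cleanup does not move the clear back up and silence the output again.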

Please try again with latest version of re,rem,baresip

Please also share the full config file.

@AlfredoCubitos
Author

I'm sorry, I need a little help to implement that patch.
I never did this before.
I cannot find src/tls/openssl/tls_tcp.c b/src/tls/openssl/tls_tcp.c

@juha-h
Collaborator

juha-h commented Oct 8, 2022 via email

@alfredh
Collaborator

alfredh commented Oct 9, 2022

Take the above patch and save it as e.g. foo.diff

Go to the libre source code, apply the patch and rebuild:

$ cd re
$ patch -p1 < foo.diff
$ make
$ sudo make install

Then go back to baresip and try again. Please pay attention to any warnings.

@AlfredoCubitos
Author

well, it seems that the diff above is not valid anymore.
I got this error:

patching file src/tls/openssl/tls_tcp.c
Hunk #1 FAILED at 140.
Hunk #2 FAILED at 157.
2 out of 2 hunks FAILED -- saving rejects to file src/tls/openssl/tls_tcp.c.rej

@alfredh
Collaborator

alfredh commented Oct 11, 2022

could be some whitespace difference. Please try this:

$ patch -l -p1 < ~/tmp/foo.diff 

@alfredh
Collaborator

alfredh commented Oct 11, 2022

you can also try this branch from re:

baresip/re#573

@AlfredoCubitos
Author

ok, I changed the code manually.
I compiled it -> no errors.
I installed it with make install:

install -m 0644 include/re_rtmp.h include/re_httpauth.h include/re_srtp.h include/re_msg.h include/re_udp.h include/re_rtp.h include/re_uri.h include/re_mbuf.h include/re_telev.h include/re_trace.h include/re_odict.h include/re_types.h include/re_conf.h include/re_jbuf.h include/re_sa.h include/re_md5.h include/re_av1.h include/re_base64.h include/re_h264.h include/re_dbg.h include/re_sdp.h include/re_stun.h include/re_websock.h include/re_ice.h include/re_atomic.h include/re_hmac.h include/re_tmr.h include/re_bfcp.h include/re_tls.h include/re_mqueue.h include/re_turn.h include/re_trice.h include/re_net.h include/re_tcp.h include/re_shim.h include/re_fmt.h include/re_sip.h include/re_sha.h include/re_crc32.h include/re_thread.h include/re_sipreg.h include/re_list.h include/re_convert.h include/re_sipsess.h include/re.h include/re_aes.h include/re_http.h include/re_h265.h include/re_mem.h include/re_async.h include/re_sipevent.h include/re_dns.h include/re_mod.h include/re_btrace.h include/re_json.h include/re_main.h include/re_hash.h include/re_pcp.h include/re_sys.h \
        /usr/local/include/re
install -m 0755 libre.so /usr/local/lib/libre.so.10.9.0
cd /usr/local/lib && ln -sf libre.so.10.9.0 libre.so && \
        ln -sf libre.so.10.9.0 libre.so.10
install -m 0755 libre.a /usr/local/lib
install -m 0644 libre.pc /usr/local/lib/pkgconfig
install -m 0644 mk/re.mk /usr/local/share/re

running baresip -> same issue and no extra error text:

baresip v2.7.0 Copyright (C) 2010 - 2022 Alfred E. Heggestad et al.
Local network addresses:
       eth0:  192.168.0.47
    docker0:  172.17.0.1
       eth0:  fe80::ba7c:46e4:45c5:5c6
ua: adding SIP CA file: /etc/ssl/certs/ca-certificates.crt
ua: adding SIP CA path: 
aucodec: PCMU/8000/1
aucodec: PCMA/8000/1
aufilt: auconv
aufilt: auresamp
medianat: stun
medianat: turn
medianat: ice
mediaenc: srtp
mediaenc: srtp-mand
mediaenc: srtp-mandf
using stunserver: 'stun:stun.t-online.de:3478'
012233@sipprovider.de: Using sipnat: 'outbound'
Populated 1 account
Populated 3 contacts
Populated 2 audio codecs
Populated 2 audio filters
Populated 0 video codecs
Populated 0 video filters
baresip is ready.
tls: connect: error (r=-1, ssl_err=1)
tls: connect: error (r=-1, ssl_err=1)
tls: connect: error (r=-1, ssl_err=1)
reg: sip:012233@sipprovider.de (prio 0): Register: Protocol error [71]

:-(

I assume we need a better debug output during the registration process. So somewhere in ua.c, amirite?

@alfredh
Collaborator

alfredh commented Oct 12, 2022

I see that you are using version 2.7.0 -- You need to use latest version from GIT.

Can you please also share your config file and create a new setup from scratch ?

$ git clone https://github.com/baresip/re
$ cd re
$ git checkout tls_connect_debug
$ cmake . && make && sudo make install
$ sudo ldconfig
$ cd ..

$ git clone https://github.com/baresip/rem
$ cd rem
$ cmake . && make && sudo make install
$ sudo ldconfig
$ cd ..

$ git clone https://github.com/baresip/baresip
$ cd baresip
$ cmake . && make && sudo make install
$ baresip

@alfredh
Collaborator

alfredh commented Oct 12, 2022

perhaps there is something wrong with the Server's TLS certificate:

3069165584:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2157:

There are also some config items to play around with:

# SIP
#sip_listen             0.0.0.0:5060
#sip_certificate        cert.pem
sip_cafile              /etc/ssl/cert.pem
#sip_transports         udp,tcp,tls,ws,wss
#sip_trans_def          udp
#sip_verify_server      yes
sip_tos                 160

@alfredh
Copy link
Collaborator

alfredh commented Oct 12, 2022

Can you also paste the output from this command:

$ ./baresip -e/sysinfo -eq

@AlfredoCubitos
Author

ok, I managed to run the git version.
Now, I got an interesting output:

baresip v2.9.0 Copyright (C) 2010 - 2022 Alfred E. Heggestad et al.
Local network addresses:
       eth0:  192.168.0.47
    docker0:  172.17.0.1
       eth0:  fe80::ba7c:46e4:45c5:5c6
ua: adding SIP CA file: /etc/ssl/certs/ca-certificates.crt
ua: adding SIP CA path: 
aucodec: PCMU/8000/1
aucodec: PCMA/8000/1
aufilt: auconv
aufilt: auresamp
medianat: stun
medianat: turn
medianat: ice
mediaenc: srtp
mediaenc: srtp-mand
mediaenc: srtp-mandf
using stunserver: 'stun:stun.t-online.de:3478'
012233@tel.t-online.de: Using sipnat: 'outbound'
Populated 1 account
Populated 3 contacts
Populated 2 audio codecs
Populated 2 audio filters
Populated 0 video codecs
Populated 0 video filters
baresip is ready.
/sysinfo

--- System info: ---
 Machine:  arm/linux
 Version:  2.9.0 (libre v2.9.0-dev)
 Build:    32-bit little endian
 Kernel:   Linux bananapipro 5.15.48-sunxi #22.05.3 SMP Wed Jun 22 07:35:10 UTC 2022 armv7l
 Uptime:   
 Started:  Wed Oct 12 14:39:25 2022
 Compiler: 10.2.1 20210110
 OpenSSL:  OpenSSL 1.1.1n  15 Mar 2022
Quit
ua: stop all (forced=0)
tls: connect: error (r=-1, ssl_err=1)
tls: 3069540656:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2157:
tls: connect: error (r=-1, ssl_err=1)
tls: 3069540656:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2157:
tls: connect: error (r=-1, ssl_err=1)
tls: 3069540656:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2157:
reg: sip:0112233@tel.t-online.de (prio 0): Register: Protocol error [71]

@alfredh
Collaborator

alfredh commented Oct 12, 2022

@alfredh
Collaborator

alfredh commented Oct 12, 2022

The problem is the combination of the local OpenSSL version/config,
and the TLS Certificate from the SIP Server.

The problem is not in baresip.

Please read online resources about how to fix or work around the problem.
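
A triage helper for the error line that the patched tls_connect finally printed, added here as an example (it is not code from baresip or re). It decodes the packed OpenSSL 1.1.1 error code from the log and relates a DH prime size to the minimum sizes documented in SSL_CTX_set_security_level(3); the sample log is constructed from the lines quoted in this thread, the 1024-bit figure is an assumed value because the thread never states the server's DH size, and OpenSSL 3.x packs error codes differently.

```python
import re

# Constructed sample, shaped like the baresip log quoted in this thread.
SAMPLE_LOG = """\
baresip is ready.
tls: connect: error (r=-1, ssl_err=1)
tls: 3069540656:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2157:
reg: sip:user@example.invalid (prio 0): Register: Protocol error [71]
"""

# OpenSSL 1.1.1 queue line: <thread>:error:<hex code>:<lib>:<func>:<reason>:<file>:<line>:
ERR_LINE = re.compile(
    r"(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

# Minimum DH prime size per security level, from SSL_CTX_set_security_level(3).
MIN_DH_BITS = {1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}


def unpack_code(code_hex):
    """Split a packed 1.1.1 code: 8-bit library, 12-bit function, 12-bit reason."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_openssl_errors(log_text):
    """Return one dict per OpenSSL error-queue line found in a log."""
    found = []
    for m in ERR_LINE.finditer(log_text):
        lib_no, func_no, reason_no = unpack_code(m["code"])
        found.append({
            "lib": m["lib"], "func": m["func"], "reason": m["reason"],
            "lib_no": lib_no, "func_no": func_no, "reason_no": reason_no,
            "source": f'{m["file"]}:{m["line"]}',
        })
    return found


def triage(log_text):
    """Collapse repeats: every failed connect attempt logs the same line again."""
    seen = {}
    for e in parse_openssl_errors(log_text):
        key = (e["lib_no"], e["func_no"], e["reason_no"])
        seen.setdefault(key, {**e, "count": 0})["count"] += 1
    return list(seen.values())


def highest_level_accepting(dh_bits):
    """Highest level 1-5 that accepts a DH prime of dh_bits, or 0 if level 1 rejects it."""
    return max((lvl for lvl, bits in MIN_DH_BITS.items() if dh_bits >= bits), default=0)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f'{e["count"]}x {e["func"]}: {e["reason"]} '
              f'(lib={e["lib_no"]} func={e["func_no"]} reason={e["reason_no"]})')
    # Assumed size for illustration only.
    print("1024-bit DH is accepted up to level", highest_level_accepting(1024))
```

The failing function name, tls_process_ske_dhe, places the rejection in the client's handling of the server's ephemeral DH parameters, which is why the certificate chain in the s_client output still verified with return code 0.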

@AlfredoCubitos
Author

aaaah, THANK YOU !!!!
finally I could solve the problem

@ONiKiDSK

> aaaah, THANK YOU !!!! finally I could solve the problem

May I ask, how did you deal with it?
