This is the common name part of the certificate sent by Telnyx:
But that is not the domain name part of the URI that Asterisk has been told to connect back to. It has been told to connect back to the one in the Record-Route header, which is:
Record-Route: <sip:192.76.120.10:5061;transport=tls;lr;r2=on;ftag=XyBXH90cyy91g>
The hostname part of which is 192.76.120.10. “192.76.120.10” !=
so server verification fails, and the TLS session has to be abandoned, unused.
The full certificate, from Telnyx, as decoded by Wireshark, is:
Certificate: 3082065930820541a003020102021100a666b33f0c81f28ea1a204898ac944b4300d0609… (id-at-commonName=sip.telnyx.com)
signedCertificate
version: v3 (2)
serialNumber: 0x00a666b33f0c81f28ea1a204898ac944b4
signature (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
issuer: rdnSequence (0)
rdnSequence: 5 items (id-at-commonName=Sectigo RSA Domain Validation Secure Server CA,id-at-organizationName=Sectigo Limited,id-at-localityName=Salford,id-at-stateOrProvinceName=Greater Manchester,id-at-countryName=GB)
RDNSequence item: 1 item (id-at-countryName=GB)
RelativeDistinguishedName item (id-at-countryName=GB)
Object Id: 2.5.4.6 (id-at-countryName)
CountryName: GB
RDNSequence item: 1 item (id-at-stateOrProvinceName=Greater Manchester)
RelativeDistinguishedName item (id-at-stateOrProvinceName=Greater Manchester)
Object Id: 2.5.4.8 (id-at-stateOrProvinceName)
DirectoryString: printableString (1)
printableString: Greater Manchester
RDNSequence item: 1 item (id-at-localityName=Salford)
RelativeDistinguishedName item (id-at-localityName=Salford)
Object Id: 2.5.4.7 (id-at-localityName)
DirectoryString: printableString (1)
printableString: Salford
RDNSequence item: 1 item (id-at-organizationName=Sectigo Limited)
RelativeDistinguishedName item (id-at-organizationName=Sectigo Limited)
Object Id: 2.5.4.10 (id-at-organizationName)
DirectoryString: printableString (1)
printableString: Sectigo Limited
RDNSequence item: 1 item (id-at-commonName=Sectigo RSA Domain Validation Secure Server CA)
RelativeDistinguishedName item (id-at-commonName=Sectigo RSA Domain Validation Secure Server CA)
Object Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: Sectigo RSA Domain Validation Secure Server CA
validity
notBefore: utcTime (0)
utcTime: 2023-04-13 00:00:00 (UTC)
notAfter: utcTime (0)
utcTime: 2024-05-12 23:59:59 (UTC)
subject: rdnSequence (0)
rdnSequence: 1 item (id-at-commonName=sip.telnyx.com)
RDNSequence item: 1 item (id-at-commonName=sip.telnyx.com)
RelativeDistinguishedName item (id-at-commonName=sip.telnyx.com)
Object Id: 2.5.4.3 (id-at-commonName)
DirectoryString: printableString (1)
printableString: sip.telnyx.com
subjectPublicKeyInfo
algorithm (rsaEncryption)
Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
subjectPublicKey: 3082010a0282010100bcdd08ccceef76c6bb38f4f9624af3c1a07af60fcc86a1dd91e5e0…
modulus: 0x00bcdd08ccceef76c6bb38f4f9624af3c1a07af60fcc86a1dd91e5e012d157412d0176fc…
publicExponent: 65537
extensions: 9 items
Extension (id-ce-authorityKeyIdentifier)
Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
AuthorityKeyIdentifier
keyIdentifier: 8d8c5ec454ad8ae177e99bf99b05e1b8018d61e1
Extension (id-ce-subjectKeyIdentifier)
Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
SubjectKeyIdentifier: cfb2d329a762daec86c62b9806ae866bd468f830
Extension (id-ce-keyUsage)
Extension Id: 2.5.29.15 (id-ce-keyUsage)
critical: True
Padding: 5
KeyUsage: a0
1... .... = digitalSignature: True
.0.. .... = contentCommitment: False
..1. .... = keyEncipherment: True
...0 .... = dataEncipherment: False
.... 0... = keyAgreement: False
.... .0.. = keyCertSign: False
.... ..0. = cRLSign: False
.... ...0 = encipherOnly: False
0... .... = decipherOnly: False
Extension (id-ce-basicConstraints)
Extension Id: 2.5.29.19 (id-ce-basicConstraints)
critical: True
BasicConstraintsSyntax [0 length]
Extension (id-ce-extKeyUsage)
Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
KeyPurposeIDs: 2 items
KeyPurposeId: 1.3.6.1.5.5.7.3.1 (id-kp-serverAuth)
KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
Extension (id-ce-certificatePolicies)
Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
CertificatePoliciesSyntax: 2 items
PolicyInformation
policyIdentifier: 1.3.6.1.4.1.6449.1.2.2.7 (iso.3.6.1.4.1.6449.1.2.2.7)
policyQualifiers: 1 item
PolicyQualifierInfo
Id: 1.3.6.1.5.5.7.2.1 (id-qt-cps)
DirectoryString: https://sectigo.com/CPS
PolicyInformation
policyIdentifier: 2.23.140.1.2.1 (joint-iso-itu-t.23.140.1.2.1)
Extension (id-pe-authorityInfoAccess)
Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccess)
AuthorityInfoAccessSyntax: 2 items
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
accessLocation: 6
uniformResourceIdentifier: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt
AccessDescription
accessMethod: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
accessLocation: 6
uniformResourceIdentifier: http://ocsp.sectigo.com
Extension (SignedCertificateTimestampList)
Extension Id: 1.3.6.1.4.1.11129.2.4.2 (SignedCertificateTimestampList)
Serialized SCT List Length: 361
Signed Certificate Timestamp (Google 'Xenon2024' log)
Serialized SCT Length: 119
SCT Version: 0
Log ID: 76ff883f0ab6fb9551c261ccf587ba34b4a4cdbb29dc68420a9fe6674c5a3a74
Timestamp: Apr 13, 2023 10:58:42.516000000 UTC
Extensions length: 0
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 72
Signature: 3046022100db0401b5005a633c5f35a992836607def14132fbb75abb47831a363718845d…
Signed Certificate Timestamp (Cloudflare 'Nimbus2024' Log)
Serialized SCT Length: 118
SCT Version: 0
Log ID: dab6bf6b3fb5b6229f9bc2bb5c6be87091716cbb51848534bda43d3048d7fbab
Timestamp: Apr 13, 2023 10:58:42.616000000 UTC
Extensions length: 0
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 71
Signature: 304502201504d582ebd0f2bb9516c9c29690e64f841c2606f7c08dc083377005cddca0e0…
Signed Certificate Timestamp (Google 'Argon2024' log)
Serialized SCT Length: 118
SCT Version: 0
Log ID: eecdd064d5db1acec55cb79db4cd13a23287467cbcecdec351485946711fb59b
Timestamp: Apr 13, 2023 10:58:42.553000000 UTC
Extensions length: 0
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Length: 71
Signature: 304502200668e9604a85a91b53fe76d7b89616457436d811f89d5eae34acddeee22c3438…
Extension (id-ce-subjectAltName)
Extension Id: 2.5.29.17 (id-ce-subjectAltName)
GeneralNames: 3 items
GeneralName: dNSName (2)
dNSName: sip.telnyx.com
GeneralName: dNSName (2)
dNSName: sip-anycast1.telnyx.com
GeneralName: dNSName (2)
dNSName: sip-anycast2.telnyx.com
algorithmIdentifier (sha256WithRSAEncryption)
Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
Padding: 0
encrypted: 5c61879a1fd972c67dd57c47d8848f43665c99d8a40e9f35140760e0985c3bd16762e9bf…
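The name check described in the post, as an added example that is not part of the original post and is not Asterisk's or PJSIP's own code. It uses the Record-Route header and the subjectAltName entries shown above; the function names and the generic RFC 6125-style matching rule are assumptions made for illustration.

```python
import ipaddress
import re

# Values taken from the post: the Record-Route header and the certificate's
# subjectAltName dNSName entries as decoded by Wireshark.
RECORD_ROUTE = "Record-Route: <sip:192.76.120.10:5061;transport=tls;lr;r2=on;ftag=XyBXH90cyy91g>"
SAN_DNS = ["sip.telnyx.com", "sip-anycast1.telnyx.com", "sip-anycast2.telnyx.com"]
SAN_IP = []  # the decoded certificate lists no iPAddress entries

def route_host(header):
    """Return the host part of the first SIP/SIPS URI in a route header."""
    m = re.search(r"<sips?:(?:[^@>]*@)?(\[[^\]]+\]|[^:;>]+)", header, re.I)
    if not m:
        raise ValueError("no SIP URI in header")
    return m.group(1).strip("[]").lower()

def dns_match(pattern, host):
    """Match one dNSName; '*' is only accepted as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def verify_peer_name(host, san_dns, san_ip):
    """Return (ok, reason) for the reference identity `host`."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal is compared to iPAddress entries only, never to dNSName.
        if any(ipaddress.ip_address(i) == addr for i in san_ip):
            return True, "iPAddress match"
        return False, "IP literal %s has no iPAddress SAN" % host
    for name in san_dns:
        if dns_match(name, host):
            return True, "dNSName match on %s" % name
    return False, "no dNSName matches %s" % host

if __name__ == "__main__":
    for target in (route_host(RECORD_ROUTE), "sip.telnyx.com"):
        print(target, verify_peer_name(target, SAN_DNS, SAN_IP))
```

Run against the values from the post, the Record-Route host fails the check while any of the three names in the certificate passes, which is why the fix has to come from the route set carrying a hostname rather than from relaxing verification.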