Channel: FreePBX Community Forums - Latest posts

TLS trunk not disconnecting if extension hangs up first


Puzzling over this thread a bit, it seems to me that Asterisk’s “verify server” does not work correctly. Indeed, it wouldn’t even work when connecting to another Asterisk server with a valid certificate. Perhaps someone could show a scenario where it does work?

How it should work

Asterisk should validate the certificate on initial requests, ensuring the certificate is valid and the CN in the certificate matches the server we (as UAC) are connecting to. Then it should retain some knowledge of that certificate for the duration of a dialog and make sure the certificate does not change (without continuing to validate that the CN matches the request).

How it currently works

Asterisk validates every connection as if new, even in-dialog. This succeeds on initial requests where we are talking to e.g. sip.telnyx.com and fails when we are talking to the IP address.

This is a problem because proxies generally do not put DNS names in their Record-Route headers. And even in a simpler network where we are connecting directly back to the address listed in the Contact header, it’s typically an IP. It would fail in a TLS dialog with another Asterisk server because Asterisk puts its IP into the Contact header.

So I propose that this is not the service provider’s fault, it’s Asterisk’s fault for using rather naive verification logic that even its own SIP stack would fail.
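The two verification policies contrasted above, written out as an added example (it is not Asterisk code and not the poster's code): the hostname of the configured server is checked only on the initial request, the certificate that passed that check is pinned by its SHA-256 fingerprint for the life of the dialog, and in-dialog requests to a Record-Route or Contact IP are accepted only if they present the same certificate. The certificate dictionary mimics the shape returned by Python's `ssl.SSLSocket.getpeercert()`, but its names, DER bytes and the `naive_verify` function (which models the "every connection verified as if new" behaviour the post describes) are constructed for the example.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed peer certificate. 'subject' and 'subjectAltName' follow the
# layout of ssl.SSLSocket.getpeercert(); 'der' stands in for the DER bytes
# that getpeercert(binary_form=True) would return.
EXAMPLE_CERT = {
    "subject": ((("commonName", "sip.example-provider.test"),),),
    "subjectAltName": (
        ("DNS", "sip.example-provider.test"),
        ("DNS", "*.sip.example-provider.test"),
    ),
    "der": b"constructed-der-bytes-for-the-provider-certificate",
}


def _names_from_cert(cert):
    """DNS names the certificate claims: SAN dNSName entries, CN only as a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _host_matches(pattern, host):
    """Case-insensitive match; a leading '*.' wildcard covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def _is_ip(target):
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def fingerprint(cert):
    return hashlib.sha256(cert["der"]).hexdigest()


@dataclass
class DialogTlsState:
    """Per-dialog memory of which certificate was verified on the initial request."""
    pinned_fingerprint: Optional[str] = None


def verify_peer(cert, target, state, in_dialog):
    """Dialog-scoped policy. Returns (accepted, reason)."""
    if not in_dialog:
        # Initial request: 'target' is the configured server name, so the
        # certificate must cover it; then pin the certificate for the dialog.
        if _is_ip(target):
            return False, "initial request should be addressed to a DNS name"
        if not any(_host_matches(n, target) for n in _names_from_cert(cert)):
            return False, "certificate does not cover %s" % target
        state.pinned_fingerprint = fingerprint(cert)
        return True, "name verified; certificate pinned for the dialog"
    # In-dialog request, typically to an IP from Record-Route or Contact:
    # skip the name check and require the certificate seen on the initial request.
    if state.pinned_fingerprint is None:
        return False, "no certificate pinned for this dialog"
    if fingerprint(cert) != state.pinned_fingerprint:
        return False, "certificate changed mid-dialog"
    return True, "pinned certificate matched"


def naive_verify(cert, target):
    """Model of the behaviour the post describes: every request re-checks the name."""
    return any(_host_matches(n, target) for n in _names_from_cert(cert))


if __name__ == "__main__":
    state = DialogTlsState()
    print(verify_peer(EXAMPLE_CERT, "sip.example-provider.test", state, in_dialog=False))
    print(verify_peer(EXAMPLE_CERT, "192.0.2.10", state, in_dialog=True))
    print("naive, in-dialog to IP:", naive_verify(EXAMPLE_CERT, "192.0.2.10"))
```

Run stand-alone, the first two calls succeed while the naive check fails for the in-dialog IP target, which is the failure the post attributes to Asterisk. Pinning the fingerprint rather than re-running name validation also catches a certificate swap in the middle of a dialog, which per-request name checking alone would not notice as long as the new certificate carried an acceptable name.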
