feat(sip): add parallel -TLS endpoint, drop UseWebRTC/UseSipTls flags

boffart · boffart · commit 89d961627dac · 2026-05-19T14:36:08.000+03:00
Generates a third per-extension PJSIP endpoint [&lt;num&gt;-TLS] alongside the
existing [&lt;num&gt;] (UDP/TCP) and [&lt;num&gt;-WS] (WebRTC). Dial fanout wires all
three contact buckets so an incoming call rings any registered transport;
BLF hints and DEVICE_STATE checks cover all variants. Auth is shared via
the existing [&lt;num&gt;-AUTH] — one credential pair across UDP/TCP/WS/TLS.

Generation is gated by certificate presence (SslCertificateService probe
cached behind SIPConf::hasCertificates() + resetCertsCache() so
long-running workers pick up freshly issued certs). The previous
UseWebRTC and the new UseSipTls global flags are removed entirely from
PbxSettings, REST schema, GeneralSettings form and Volt — controlled by
cert availability alone.

Fixes a latent dialplan parser bug in [set-dial-contacts]: variables
containing ':' (PJSIP_DIAL_CONTACTS URIs) must stay outside ${IF(?:)}
since IF treats ':' as the true/false separator and silently truncates
the URI. Bucket join now uses the safe ${VAR}${IF(both?&amp;)}${OTHER}
pattern.

Switches the [messages] MessageSend From normalization from REPLACE
(per-character set removal) to STRREPLACE (substring removal) so the
suffix strip no longer mangles arbitrary 'W', 'S', 'T', 'L' bytes in
SIP From URIs.

REST API: AbstractExtensionStatusAction now emits 'is_tls' alongside
'is_webrtc' so CTI/UI can distinguish TLS-registered contacts.

Removes the UseWebRTC key from PBXCoreREST/Lib/GeneralSettings
DataStructure (breaking change in v3 schema — clients sending PUT with
that key now receive 422).
diff --git a/src/AdminCabinet/Forms/GeneralSettingsEditForm.php b/src/AdminCabinet/Forms/GeneralSettingsEditForm.php
@@ -167,7 +167,6 @@ public function initialize($entity = null, $options = null): void
                     break;
                 case PbxSettings::PBX_RECORD_CALLS:
                 case PbxSettings::PBX_RECORD_CALLS_INNER:
-                case PbxSettings::USE_WEB_RTC:
                 case PbxSettings::AJAM_ENABLED:
                 case PbxSettings::AMI_ENABLED:
                 case PbxSettings::ARI_ENABLED:
diff --git a/src/AdminCabinet/Views/GeneralSettings/sip.volt b/src/AdminCabinet/Views/GeneralSettings/sip.volt
@@ -38,17 +38,6 @@
         {{ form.render('SIPAuthPrefix') }}
     </div>
 </div>
-<div class="field">
-    <div class="ui segment">
-        <div class="ui toggle checkbox">
-            <label for="UseWebRTC">{{ t._('gs_UseWebRTC') }}
-                <i class="small info circle icon field-info-icon"
-                   data-field="UseWebRTC"></i>
-            </label>
-            {{ form.render('UseWebRTC') }}
-        </div>
-    </div>
-</div>
 
 <h4 class="ui header">{{ t._('gs_KeepAliveHeader') }}</h4>
 <div class="inline field">
diff --git a/src/Common/Messages/en/GeneralSettings.php b/src/Common/Messages/en/GeneralSettings.php
@@ -24,7 +24,6 @@
     'gs_RTPStunServer' => 'STUN server address (example: stun.test.net:10000)',
     'gs_SIPAuthPrefix' => 'Auth Username prefix for authorization. The prefix will be added to the end of Username.',
     'gs_SIPAuthPrefixInvalid' => 'The Auth Username prefix can only contain Latin letters.',
-    'gs_UseWebRTC' => 'Use WebRTC',
     'gs_DisableAllModules' => 'Disable marketplace',
     'gs_ErrorSaveSettings' => 'Error saving settings',
     'gs_SSHDisablePasswordLogins' => 'Disable password authentication',
diff --git a/src/Common/Messages/ru/GeneralSettings.php b/src/Common/Messages/ru/GeneralSettings.php
@@ -26,7 +26,6 @@
     'gs_RTPStunServer' => 'Адрес STUN сервера (пример: stun.test.net:10000)',
     'gs_SIPAuthPrefix' => 'Префикс Auth Username для авторизации. Префикс будет добавлен в конец Username.',
     'gs_SIPAuthPrefixInvalid' => 'Префикс Auth Username может содержать только латинские буквы.',
-    'gs_UseWebRTC' => 'Использовать WebRTC',
     'gs_DisableAllModules' => 'Отключить маркетплейс',
     'gs_ErrorSaveSettings' => 'Ошибка сохранения настроек',
     'gs_SSHDisablePasswordLogins' => 'Отключить авторизацию по паролю',
diff --git a/src/Common/Models/PBXSettings/PbxSettingsConstantsTrait.php b/src/Common/Models/PBXSettings/PbxSettingsConstantsTrait.php
@@ -125,9 +125,6 @@ trait PbxSettingsConstantsTrait
     public const string RTP_PORT_TO = 'RTPPortTo';
     /** @FieldType('string') */
     public const string RTP_STUN_SERVER = 'RTPStunServer';
-    /** @FieldType('boolean') */
-    public const string USE_WEB_RTC = 'UseWebRTC';
-
     // IAX settings
     /** @FieldType('integer') */
     public const string IAX_PORT = 'IAXPort';
diff --git a/src/Common/Models/PBXSettings/PbxSettingsDefaultValuesTrait.php b/src/Common/Models/PBXSettings/PbxSettingsDefaultValuesTrait.php
@@ -48,7 +48,6 @@ public static function getDefaultArrayValues(): array
             PbxSettings::RTP_PORT_FROM => '10000',
             PbxSettings::RTP_PORT_TO => '10200',
             PbxSettings::RTP_STUN_SERVER => '',
-            PbxSettings::USE_WEB_RTC => '0',
             PbxSettings::IAX_PORT => '4569',
             PbxSettings::AMI_ENABLED => '1',
             PbxSettings::AMI_PORT => '5038',
diff --git a/src/Core/Asterisk/AsteriskManager.php b/src/Core/Asterisk/AsteriskManager.php
@@ -1572,8 +1572,17 @@ public function getPjSipPeer(string $peer, string $prefix = ''): array
             if ($wsResult['state'] !== 'UNKNOWN') {
                 $result = $wsResult;
             }
+            // Query SIP/TLS variant endpoint and append its contacts with a -TLS{idx} suffix
+            // so they coexist with the base and WebRTC endpoints in the same result map.
+            $tlsRes = $this->sendRequestTimeout('PJSIPShowEndpoint', ['Endpoint' => trim($peer) . "-TLS"]);
+            foreach ($tlsRes['data']['ContactStatusDetail'] ?? [] as $index => $tlsData) {
+                $suffix = "-TLS$index";
+                foreach ($tlsData as $key => $value) {
+                    $result["$key$suffix"] = $value;
+                }
+            }
             $parameters = ['Endpoint' => trim($peer)];
-            unset($wsResult);
+            unset($wsResult, $tlsRes);
         } else {
             $parameters = ['Endpoint' => trim($peer) . "-$prefix"];
         }
@@ -1626,6 +1635,15 @@ public function getPjSipPeerContacts(string $peer): array
             }
         }
 
+        // Also check for SIP/TLS endpoint
+        $tlsRes = $this->sendRequestTimeout('PJSIPShowEndpoint', ['Endpoint' => trim($peer) . "-TLS"]);
+        foreach ($tlsRes['data']['ContactStatusDetail'] ?? [] as $contactData) {
+            if (!empty($contactData['URI'])) {
+                $contactData['IsTls'] = true;
+                $contacts[] = $contactData;
+            }
+        }
+
         return $contacts;
     }
 
diff --git a/src/Core/Asterisk/Configs/ExtensionsConf.php b/src/Core/Asterisk/Configs/ExtensionsConf.php
@@ -62,6 +62,10 @@ public static function sortArrayByPriority(array $a, array $b): int
      */
     protected function generateConfigProtected(): void
     {
+        // Force a fresh certificate-presence probe — InternalContexts uses
+        // SIPConf::hasCertificates() to decide whether to wire WS/TLS dial buckets.
+        SIPConf::resetCertsCache();
+
         /** @scrutinizer ignore-call */
         $conf              = "[globals]" .PHP_EOL.
             "TRANSFER_CONTEXT=internal-transfer;".PHP_EOL;
@@ -124,7 +128,7 @@ private function generateOtherExten(string &$conf): void
                  'exten => _X.,1,NoOp("Sending message, To ${MESSAGE(to)}, Hint ${ARG1}, From ${MESSAGE(from)}, CID ${CALLERID}, Body ${MESSAGE(body)}")' . PHP_EOL ."\t".
                  'same => n,Gosub(set-dial-contacts,${EXTEN},1)' . PHP_EOL ."\t".
                  'same => n,While($["${SET(contact=${SHIFT(DST_CONTACT,&):6})}" != ""])' . PHP_EOL ."\t".
-                 'same => n,MessageSend(pjsip:${contact},${REPLACE(MESSAGE(from),-WS)})' . PHP_EOL ."\t".
+                 'same => n,MessageSend(pjsip:${contact},${STRREPLACE(STRREPLACE(MESSAGE(from),-WS,),-TLS,)})' . PHP_EOL ."\t".
                  'same => n,NoOp("Send status is ${MESSAGE_SEND_STATUS}")' . PHP_EOL ."\t".
                  'same => n,EndWhile' . PHP_EOL ."\t".
                  'same => n,HangUp()' . PHP_EOL .PHP_EOL;
diff --git a/src/Core/Asterisk/Configs/Generators/Extensions/InternalContexts.php b/src/Core/Asterisk/Configs/Generators/Extensions/InternalContexts.php
@@ -105,13 +105,22 @@ public function makeDialplan(): string
         $conf .= '[set-dial-contacts]'.PHP_EOL.
                  'exten => _X!,1,NoOp()'.PHP_EOL."\t";
 
-        // If WebRTC is used, set up SIP and WS contacts. Otherwise, set DST contact.
-        if(PbxSettings::getValueByKey(PbxSettings::USE_WEB_RTC) === '1') {
-            $conf .= 'same => n,Set(SIP_CONTACT=${PJSIP_DIAL_CONTACTS(${EXTEN})})'.PHP_EOL."\t".
-                     'same => n,Set(WS_CONTACTS=${PJSIP_DIAL_CONTACTS(${EXTEN}-WS)})'.PHP_EOL."\t".
-                     'same => n,Set(DST_CONTACT=${SIP_CONTACT}${IF($["${SIP_CONTACT}x" != "x" && "${WS_CONTACTS}x" != "x"]?&)}${WS_CONTACTS})'.PHP_EOL."\t";
-        }else{
-            $conf .= 'same => n,Set(DST_CONTACT=${PJSIP_DIAL_CONTACTS(${EXTEN})})'.PHP_EOL."\t";
+        // Resolve dial contacts for every transport variant of the extension.
+        // PJSIP_DIAL_CONTACTS returns empty string when the endpoint has no registered
+        // contacts. Buckets are stitched with '&' only when both sides are non-empty.
+        //
+        // IMPORTANT: variables containing ':' (PJSIP_DIAL_CONTACTS returns URIs like
+        // "PJSIP/201/sip:201@host:port") MUST stay outside ${IF(...?...)} — the IF
+        // function treats ':' as the true/false separator and would slice the URI in half.
+        // The safe pattern is: ${VAR_A}${IF(both_nonempty?&)}${VAR_B} — VAR_A/VAR_B
+        // outside the IF, only the neutral '&' inside.
+        $hasCerts = SIPConf::hasCertificates();
+        $conf .= 'same => n,Set(DST_CONTACT=${PJSIP_DIAL_CONTACTS(${EXTEN})})'.PHP_EOL."\t";
+        if ($hasCerts) {
+            $conf .= 'same => n,Set(WS_CONTACTS=${PJSIP_DIAL_CONTACTS(${EXTEN}-WS)})'.PHP_EOL."\t".
+                     'same => n,Set(DST_CONTACT=${DST_CONTACT}${IF($["${DST_CONTACT}x" != "x" && "${WS_CONTACTS}x" != "x"]?&)}${WS_CONTACTS})'.PHP_EOL."\t".
+                     'same => n,Set(TLS_CONTACTS=${PJSIP_DIAL_CONTACTS(${EXTEN}-TLS)})'.PHP_EOL."\t".
+                     'same => n,Set(DST_CONTACT=${DST_CONTACT}${IF($["${DST_CONTACT}x" != "x" && "${TLS_CONTACTS}x" != "x"]?&)}${TLS_CONTACTS})'.PHP_EOL."\t";
         }
         $conf .= 'same => n,return'.PHP_EOL.PHP_EOL;
 
@@ -403,7 +412,12 @@ private function generateInternalUsers(): string
 
         // Generate additional modules internal users context
         $conf .= $this->generateAdditionalModulesInternalUsersContext();
-        $conf .= 'same => n,ExecIf($["${DEVICE_STATE(' . $this->technology . '/${EXTEN})}" == "BUSY" || "${DEVICE_STATE(' . $this->technology . '/${EXTEN}-WS)}" == "BUSY"]?Set(IS_BUSY=1))' . " \n\t";
+        $busyCheck = '"${DEVICE_STATE(' . $this->technology . '/${EXTEN})}" == "BUSY"';
+        if (SIPConf::hasCertificates()) {
+            $busyCheck .= ' || "${DEVICE_STATE(' . $this->technology . '/${EXTEN}-WS)}" == "BUSY"'
+                . ' || "${DEVICE_STATE(' . $this->technology . '/${EXTEN}-TLS)}" == "BUSY"';
+        }
+        $conf .= 'same => n,ExecIf($[' . $busyCheck . ']?Set(IS_BUSY=1))' . " \n\t";
         $conf .= 'same => n,ExecIf($["${IS_BUSY}" == "1"]?Set(DIALSTATUS=BUSY))' . " \n\t";
         $conf .= 'same => n,GotoIf($["${IS_BUSY}" == "1" && "${QUEUE_SRC_CHAN}x" == "x"]?fw_start)' . " \n\t";
 
diff --git a/src/Core/Asterisk/Configs/RtpConf.php b/src/Core/Asterisk/Configs/RtpConf.php
@@ -59,21 +59,18 @@ protected function generateConfigProtected(): void
             "rtpstart={$rtpStart}".PHP_EOL.
             "rtpend={$rtpEnd}".PHP_EOL;
             
-        // Add DTLS configuration for WebRTC if enabled
-        $useWebRTC = PbxSettings::getValueByKey(PbxSettings::USE_WEB_RTC);
-        if ($useWebRTC === '1') {
-            // Prepare certificates for DTLS
-            $certs = SslCertificateService::prepareAsteriskCertificates('asterisk-rtp-dtls');
-            
-            if (!empty($certs['certPath']) && !empty($certs['keyPath'])) {
-                $conf .= PHP_EOL .
-                    "; DTLS configuration for WebRTC\n" .
-                    "dtlsenable=yes".PHP_EOL.
-                    "dtlscertfile={$certs['certPath']}".PHP_EOL.
-                    "dtlsprivatekey={$certs['keyPath']}".PHP_EOL.
-                    "dtlssetup=actpass".PHP_EOL.
-                    "dtlsverify=no".PHP_EOL;
-            }
+        // Add DTLS configuration for WebRTC when certificates are available.
+        // WebRTC clients require DTLS-SRTP; without certs the WSS transport and
+        // -WS endpoints aren't generated either, so this block stays consistent.
+        $certs = SslCertificateService::prepareAsteriskCertificates('asterisk-rtp-dtls');
+        if (!empty($certs['certPath']) && !empty($certs['keyPath'])) {
+            $conf .= PHP_EOL .
+                "; DTLS configuration for WebRTC\n" .
+                "dtlsenable=yes".PHP_EOL.
+                "dtlscertfile={$certs['certPath']}".PHP_EOL.
+                "dtlsprivatekey={$certs['keyPath']}".PHP_EOL.
+                "dtlssetup=actpass".PHP_EOL.
+                "dtlsverify=no".PHP_EOL;
         }
         
         $conf .= PHP_EOL;
diff --git a/src/Core/Asterisk/Configs/SIPConf.php b/src/Core/Asterisk/Configs/SIPConf.php
@@ -89,6 +89,12 @@ class SIPConf extends AsteriskConfigClass
     // Database batch processing
     private const int PEERS_BATCH_SIZE = 150;
 
+    /**
+     * Cached TLS-certificate presence check.
+     * Used to gate WebRTC (-WS) and SIP/TLS (-TLS) endpoint generation.
+     */
+    private static ?bool $hasCertsCache = null;
+
     // Default tone zone for unspecified languages (Russian market focus)
     private const string DEFAULT_TONE_ZONE = 'ru';
 
@@ -685,6 +691,40 @@ private function getOutRoutes(): array
      *
      * @return string
      */
+    /**
+     * Whether Asterisk has a usable TLS certificate file pair available.
+     *
+     * Result is cached per-process because the underlying SslCertificateService call
+     * is invoked from generatePeerAor/Endpoint for every extension and from
+     * InternalContexts dialplan generation. Only file presence is checked — expiry
+     * validation is intentionally left to Asterisk at TLS handshake time.
+     *
+     * In long-running workers (WorkerApiCommands, WorkerSafeScriptsCore) the cache
+     * can outlive the certificate file lifecycle (e.g. cert was created after the
+     * first false-result was cached). resetCertsCache() must be called at the
+     * start of every fresh config regeneration to force a re-probe.
+     *
+     * @return bool True if both certPath and keyPath are non-empty.
+     */
+    public static function hasCertificates(): bool
+    {
+        if (self::$hasCertsCache === null) {
+            $certs = SslCertificateService::prepareAsteriskCertificates('asterisk-pjsip');
+            self::$hasCertsCache = !empty($certs['certPath']) && !empty($certs['keyPath']);
+        }
+        return self::$hasCertsCache;
+    }
+
+    /**
+     * Invalidate the cached TLS-certificate presence flag. Called from the top of
+     * every fresh pjsip.conf / dialplan generation so a long-running worker picks
+     * up newly-issued certificates without process restart.
+     */
+    public static function resetCertsCache(): void
+    {
+        self::$hasCertsCache = null;
+    }
+
     public static function getTechnology(): string
     {
         return self::TYPE_PJSIP;
@@ -727,8 +767,9 @@ public function extensionGenHints(): string
             $data_peers = $this->getPeers();
             foreach ($data_peers as $peer) {
                 $hint = "$this->technology/$peer[extension]";
-                if (PbxSettings::getValueByKey(PbxSettings::USE_WEB_RTC) === '1') {
+                if (self::hasCertificates()) {
                     $hint .= "&$this->technology/$peer[extension]-WS";
+                    $hint .= "&$this->technology/$peer[extension]-TLS";
                 }
                 $conf .= "exten => $peer[extension],hint,$hint&Custom:$peer[extension] \n";
             }
@@ -786,6 +827,10 @@ public function extensionGenInternalTransfer(): string
      */
     protected function generateConfigProtected(): void
     {
+        // Force a fresh certificate-presence probe so long-running workers pick up
+        // newly-issued certs without restart.
+        self::resetCertsCache();
+
         $conf  = $this->generateGeneralPj();
         $conf .= $this->generateProvidersPj();
         $conf .= $this->generatePeersPj();
@@ -2265,7 +2310,7 @@ private function generatePeerAuth(array $peer, array $manual_attributes): string
      * It creates the aor section with the qualify frequency, qualify timeout, and max contacts options.
      * The PJSIP options can be overridden using the overridePJSIPOptionsFromModules() method.
      * The manual attributes are applied using the Util::overrideConfigurationArray() method.
-     * If the "UseWebRTC" general setting is enabled, it also generates an additional aor section for WebRTC.
+     * When TLS certificates are present, it also generates additional aor sections for WebRTC (-WS) and SIP/TLS (-TLS).
      *
      * @param array $peer The data of the SIP peer.
      * @param array $manual_attributes The manual attributes for the peer.
@@ -2323,8 +2368,9 @@ private function generatePeerAor(array $peer, array $manual_attributes): string
             $conf .= "[{$peer['extension']}](aor-common)\n\n";
         }
 
-        // Generate the WebRTC aor section if enabled
-        if (PbxSettings::getValueByKey(PbxSettings::USE_WEB_RTC) === '1') {
+        // Generate the WebRTC aor section when TLS certificates are present
+        // (WSS transport and endpoint-wss template depend on the same certs).
+        if (self::hasCertificates()) {
             // WebRTC AOR also needs to match extension name for registration
             if ($hasCustomizations) {
                 $conf .= "[{$peer['extension']}-WS](aor-common)\n";
@@ -2347,6 +2393,30 @@ private function generatePeerAor(array $peer, array $manual_attributes): string
             }
         }
 
+        // Generate the SIP/TLS aor section when TLS certificates are present.
+        if (self::hasCertificates()) {
+            // TLS AOR also needs to match endpoint name for registration
+            if ($hasCustomizations) {
+                $conf .= "[{$peer['extension']}-TLS](aor-common)\n";
+                $customParams = array_diff_assoc($overriddenOptions, $options);
+                foreach ($customParams as $key => $value) {
+                    if ($key !== 'type') {
+                        $conf .= "$key = $value\n";
+                    }
+                }
+                if (!empty($manual_attributes['aor'])) {
+                    foreach ($manual_attributes['aor'] as $key => $value) {
+                        if ($key !== 'type') {
+                            $conf .= "$key = $value\n";
+                        }
+                    }
+                }
+                $conf .= "\n";
+            } else {
+                $conf .= "[{$peer['extension']}-TLS](aor-common)\n\n";
+            }
+        }
+
         return $conf;
     }
 
@@ -2523,8 +2593,8 @@ private function generatePeerEndpoint(
         $conf .= $this->hookModulesMethod(AsteriskConfigInterface::GENERATE_PEER_PJ_ADDITIONAL_OPTIONS, [$peer]);
         $conf .= "\n";
 
-        // Generate the WebRTC endpoint section if enabled
-        if (PbxSettings::getValueByKey(PbxSettings::USE_WEB_RTC) === '1') {
+        // Generate the WebRTC endpoint section when TLS certificates are present.
+        if (self::hasCertificates()) {
             $conf .= "[{$peer['extension']}-WS](endpoint-wss)\n";
             $conf .= "callerid = $calleridname <{$peer['extension']}>\n";
             $conf .= "aors = {$peer['extension']}-WS\n";  // WebRTC AOR matches endpoint name
@@ -2570,6 +2640,41 @@ private function generatePeerEndpoint(
             $conf .= $this->hookModulesMethod(AsteriskConfigInterface::GENERATE_PEER_PJ_ADDITIONAL_OPTIONS, [$peer]);
             $conf .= "\n";
         }
+
+        // Generate the SIP/TLS endpoint section when TLS certificates are present.
+        // Inherits transport=transport-tls and media_encryption=sdes from [endpoint-tls] template
+        // (created only when TLS certificates exist — see generateEndpointTemplates()).
+        if (self::hasCertificates()) {
+            $conf .= "[{$peer['extension']}-TLS](endpoint-tls)\n";
+            $conf .= "callerid = $calleridname <{$peer['extension']}>\n";
+            $conf .= "aors = {$peer['extension']}-TLS\n";
+            $conf .= "auth = {$peer['extension']}-AUTH\n";
+            $conf .= "outbound_auth = {$peer['extension']}-AUTH\n";
+            $conf .= "dtmf_mode = $dtmfmode\n";
+
+            // Mirror call-waiting toggle on the TLS endpoint.
+            if (!empty($peer['accept_multiple_calls'])) {
+                $conf .= "device_state_busy_at = 2\n";
+            }
+
+            // Add ACL if exists
+            if (!empty($peer['permit']) || !empty($peer['deny'])) {
+                $conf .= "acl = acl_{$peer['extension']}\n";
+            }
+
+            // Apply manual attributes for TLS endpoint
+            if (!empty($manual_attributes['endpoint'])) {
+                foreach ($manual_attributes['endpoint'] as $key => $value) {
+                    if (!in_array($key, ['type', 'callerid', 'aors', 'auth', 'outbound_auth', 'dtmf_mode', 'acl', 'transport', 'media_encryption'])) {
+                        $conf .= "$key = $value\n";
+                    }
+                }
+            }
+
+            $conf .= $this->hookModulesMethod(AsteriskConfigInterface::GENERATE_PEER_PJ_ADDITIONAL_OPTIONS, [$peer]);
+            $conf .= "\n";
+        }
+
         return $conf;
     }
 
diff --git a/src/Core/Asterisk/Configs/lua/extensions.lua b/src/Core/Asterisk/Configs/lua/extensions.lua
@@ -303,10 +303,11 @@ function monitorEnable(src, dst, fromPeer)
     src = string.sub(src, -9);
     dst = string.sub(dst, -9);
 
-    -- Normalize FROM_PEER: strip WebRTC "-WS" suffix so the endpoint name
-    -- "204-WS" matches the extension "204" stored in [monitor-exceptions].
+    -- Normalize FROM_PEER: strip transport variant suffix ("-WS" for WebRTC,
+    -- "-TLS" for SIP/TLS) so endpoint names like "204-WS" or "204-TLS" match
+    -- the extension "204" stored in [monitor-exceptions].
     if(fromPeer and fromPeer ~= '')then
-        fromPeer = fromPeer:gsub("%-WS$", "");
+        fromPeer = fromPeer:gsub("%-WS$", ""):gsub("%-TLS$", "");
         fromPeer = string.sub(fromPeer, -9);
     else
         fromPeer = '';
diff --git a/src/Core/Workers/Libs/WorkerModelsEvents/ProcessPBXSettings.php b/src/Core/Workers/Libs/WorkerModelsEvents/ProcessPBXSettings.php
diff --git a/src/PBXCoreREST/Lib/Extensions/AbstractExtensionStatusAction.php b/src/PBXCoreREST/Lib/Extensions/AbstractExtensionStatusAction.php
diff --git a/src/PBXCoreREST/Lib/GeneralSettings/DataStructure.php b/src/PBXCoreREST/Lib/GeneralSettings/DataStructure.php
