[asterisk-users] sip tls problem
Daniel Pocock
daniel at pocock.com.au
Sun Aug 5 13:23:59 CDT 2012
Package: asterisk
Version: 1:1.8.13.0~dfsg-1+b1
Severity: important
On 05/03/12 10:47, Wolfgang Pichler wrote:
> Hi all,
>
> i have had sip TLS with an own signed certificate (using the
> ast_tls_cert script) running on asterisk-1.8.8 - i then have updated
> to 1.8.9.3 - and now i get the message "FILE * open failed!"
>
> I have already recreated the certificates with the script - but still no luck...
>
> Does anyone here know the source of the problem ?
>
I'm seeing similar problems with the 1.8.13 package in Debian
[Aug 5 19:05:16] WARNING[6169]: tcptls.c:235 handle_tcptls_connection:
FILE * open failed!
1.8.8 was working (although it had other severe problems, for example,
closing the TLS connection and not receiving a BYE, keeping channels
open forever)
My cert is a Thawte 123 cert, there are actually 4 certs in the chain,
root at the top
The log claims it loads successfully:
SIP channel loading...
== Parsing '/etc/asterisk/sip.conf': == Found
== Parsing '/etc/asterisk/users.conf': == Found
== SIP Listening on 192.168.100.1:5060
== Using SIP CoS mark 4
SSL certificate ok
With 1.8.8, this was fine
With 1.8.13, I connect to the server using `openssl s_client', and it
only shows the text of ONE of the certificates - it seems to repeat the
same certificate four times though. This is a very bad sign.
With 1.8.8, I would see ALL four certificate in the output below.
$ openssl s_client -connect 192.168.100.1:5061 -showcerts
CONNECTED(00000003)
depth=0 /O=<MY HOSTNAME>/OU=Go to
https://www.thawte.com/repository/index.html/OU=Thawte SSL123
certificate/OU=Domain Validated/CN=<MY HOSTNAME>
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=<MY HOSTNAME>/OU=Go to
https://www.thawte.com/repository/index.html/OU=Thawte SSL123
certificate/OU=Domain Validated/CN=<MY HOSTNAME>
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=<MY HOSTNAME>/OU=Go to
https://www.thawte.com/repository/index.html/OU=Thawte SSL123
certificate/OU=Domain Validated/CN=<MY HOSTNAME>
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/O=<MY HOSTNAME>/OU=Go to
https://www.thawte.com/repository/index.html/OU=Thawte SSL123
certificate/OU=Domain Validated/CN=<MY HOSTNAME>
i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
-----BEGIN CERTIFICATE-----
MIIETDCCAzSgAwIBAgIQWppejHk2XLkg+v70FfjEujANBgkqhkiG9w0BAQUFADBe
......
xlRmMVj1hUPeE+83S05bqB6mI09P3IGWUf0LfljDT5bmU/BFM0OhXaRe42sNHy1Y
-----END CERTIFICATE-----
---
Server certificate
subject=/O=<MY HOSTNAME>/OU=Go to
https://www.thawte.com/repository/index.html/OU=Thawte SSL123
certificate/OU=Domain Validated/CN=<MY HOSTNAME>
issuer=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1273 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
0DAB4C1A6E2AC5D4A86769E8F00B469810F679CAC26CACEFC9F902F267E3490F
Session-ID-ctx:
Master-Key:
42C512C4D1C2AA32136F79F45A98A7D6AC99FD1579734728A9AC5C213424B2D1CEAA3749CCD22D2F4CB3400853E5EC93
Key-Arg : None
Start Time: 1344190380
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
More information about the asterisk-users
mailing list