[asterisk-users] sip tls problem

Daniel Pocock daniel at pocock.com.au
Sun Aug 5 13:23:59 CDT 2012


Package: asterisk
Version: 1:1.8.13.0~dfsg-1+b1
Severity: important


On 05/03/12 10:47, Wolfgang Pichler wrote:
> Hi all,
> 
> I have had SIP TLS with a self-signed certificate (using the
> ast_tls_cert script) running on asterisk-1.8.8 - I then have updated
> to 1.8.9.3 - and now I get the message "FILE * open failed!"
> 
> I have already recreated the certificates with the script - but still no luck...
> 
> Does anyone here know the source of the problem?
> 

I'm seeing similar problems with the 1.8.13 package in Debian.

[Aug  5 19:05:16] WARNING[6169]: tcptls.c:235 handle_tcptls_connection:
FILE * open failed!


1.8.8 was working (although it had other severe problems, for example,
closing the TLS connection and not receiving a BYE, keeping channels
open forever).


My cert is a Thawte 123 cert; there are actually 4 certs in the chain,
root at the top.

The log claims it loads successfully:

SIP channel loading...
  == Parsing '/etc/asterisk/sip.conf':   == Found
  == Parsing '/etc/asterisk/users.conf':   == Found
  == SIP Listening on 192.168.100.1:5060
  == Using SIP CoS mark 4
SSL certificate ok


With 1.8.8, this was fine.

With 1.8.13, I connect to the server using `openssl s_client`, and it
only shows the text of ONE of the certificates - it seems to repeat the
same certificate four times though.  This is a very bad sign.

With 1.8.8, I would see ALL four certificates in the output below.


$ openssl s_client -connect 192.168.100.1:5061 -showcerts
CONNECTED(00000003)
depth=0 /O=<MY HOSTNAME>/OU=Go to
https://www.thawte.com/repository/index.html/OU=Thawte SSL123
certificate/OU=Domain Validated/CN=<MY HOSTNAME>
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=<MY HOSTNAME>/OU=Go to
https://www.thawte.com/repository/index.html/OU=Thawte SSL123
certificate/OU=Domain Validated/CN=<MY HOSTNAME>
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=<MY HOSTNAME>/OU=Go to
https://www.thawte.com/repository/index.html/OU=Thawte SSL123
certificate/OU=Domain Validated/CN=<MY HOSTNAME>
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=<MY HOSTNAME>/OU=Go to
https://www.thawte.com/repository/index.html/OU=Thawte SSL123
certificate/OU=Domain Validated/CN=<MY HOSTNAME>
   i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
-----BEGIN CERTIFICATE-----
MIIETDCCAzSgAwIBAgIQWppejHk2XLkg+v70FfjEujANBgkqhkiG9w0BAQUFADBe
......
xlRmMVj1hUPeE+83S05bqB6mI09P3IGWUf0LfljDT5bmU/BFM0OhXaRe42sNHy1Y
-----END CERTIFICATE-----
---
Server certificate
subject=/O=<MY HOSTNAME>/OU=Go to
https://www.thawte.com/repository/index.html/OU=Thawte SSL123
certificate/OU=Domain Validated/CN=<MY HOSTNAME>
issuer=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1273 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
0DAB4C1A6E2AC5D4A86769E8F00B469810F679CAC26CACEFC9F902F267E3490F
    Session-ID-ctx:
    Master-Key:
42C512C4D1C2AA32136F79F45A98A7D6AC99FD1579734728A9AC5C213424B2D1CEAA3749CCD22D2F4CB3400853E5EC93
    Key-Arg   : None
    Start Time: 1344190380
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
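The `openssl s_client -showcerts` transcript above shows the symptom in a form that can be checked mechanically: the "Certificate chain" section lists only entry 0 (the leaf), its issuer (the Thawte DV SSL CA) is never presented, and the client ends with verify return code 21 ("unable to verify the first certificate"). The following script is an added example, not part of the thread or of Asterisk; it parses the chain section of `s_client` output, fingerprints each presented certificate, and reports whether the server sent a real chain (each entry's issuer is the next entry's subject, optionally ending at a self-signed root), a truncated one, or the same certificate repeated. The sample outputs it builds, including the placeholder PEM bodies (base64 of a label, not real DER) and the example.net subject names, are constructed for the demonstration.

```python
import base64
import hashlib
import re
import sys

# Lines of the "Certificate chain" section of `openssl s_client -showcerts`:
#  " 0 s:/O=.../CN=host"  then  "   i:/C=US/O=.../CN=Some CA"  then a PEM block.
CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")


def parse_showcerts(text):
    """Return one dict per presented certificate: index, subject, issuer, fingerprint.

    The fingerprint is SHA-256 over the base64-decoded PEM body, so two entries
    that decode to identical bytes are the same certificate, whatever their index.
    """
    entries, current, pem_lines = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        m = CHAIN_ENTRY.match(line)
        if m:
            current = {"index": int(m.group(1)), "subject": m.group(2).strip(),
                       "issuer": None, "fingerprint": None}
            entries.append(current)
            continue
        m = ISSUER_LINE.match(line)
        if m and current is not None and current["issuer"] is None:
            current["issuer"] = m.group(1).strip()
            continue
        if stripped == "-----BEGIN CERTIFICATE-----":
            pem_lines = []
        elif stripped == "-----END CERTIFICATE-----" and pem_lines is not None:
            if current is not None:
                der = base64.b64decode("".join(pem_lines))
                current["fingerprint"] = hashlib.sha256(der).hexdigest()
            pem_lines = None
        elif pem_lines is not None:
            pem_lines.append(stripped)
    return entries


def diagnose(entries):
    """Summarise the presented chain: how many distinct certs, duplicates, and issuer/subject breaks."""
    report = {"presented": len(entries), "distinct": 0, "duplicates": [],
              "breaks": [], "ends_at_root": False}
    seen = {}
    for e in entries:
        # Fall back to the subject when -showcerts was not used (no PEM, no fingerprint).
        key = e["fingerprint"] or ("subject", e["subject"])
        if key in seen:
            report["duplicates"].append((e["index"], seen[key]))   # (this entry, first copy)
        else:
            seen[key] = e["index"]
    report["distinct"] = len(seen)
    for prev, nxt in zip(entries, entries[1:]):
        if prev["issuer"] != nxt["subject"]:
            report["breaks"].append((prev["index"], nxt["index"]))
    if entries:
        # A self-signed last entry means the server also sent the root (as the 1.8.8 setup did).
        report["ends_at_root"] = entries[-1]["subject"] == entries[-1]["issuer"]
    return report


def describe(report):
    """Human-readable verdict; a truncated chain is what produces openssl verify error 21."""
    if report["presented"] == 0:
        return "no certificate chain section found"
    if report["duplicates"]:
        return "same certificate presented %d times: not a chain" % report["presented"]
    if report["breaks"]:
        return "issuer/subject mismatch between entries %r" % report["breaks"]
    if report["presented"] == 1 or not report["ends_at_root"]:
        return ("chain ends at a non-root issuer: clients must already trust it "
                "or they will report 'unable to verify the first certificate'")
    return "complete chain of %d distinct certificates ending at a root" % report["distinct"]


# ---- constructed sample data (placeholder PEM bodies, not real certificates) ----
def fake_pem(label):
    body = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body


LEAF = "/O=sip.example.net/OU=Domain Validated/CN=sip.example.net"
INTER = "/C=US/O=Example CA Inc./OU=Domain Validated SSL/CN=Example DV SSL CA"
ROOT = "/C=US/O=Example CA Inc./CN=Example Primary Root CA"


def build_output(chain):
    """Assemble s_client-style text from (subject, issuer, label) tuples."""
    lines = ["CONNECTED(00000003)", "---", "Certificate chain"]
    for idx, (subj, iss, label) in enumerate(chain):
        lines += [" %d s:%s" % (idx, subj), "   i:%s" % iss, fake_pem(label)]
    lines += ["---", "Server certificate", "subject=%s" % chain[0][0],
              "issuer=%s" % chain[0][1], "---"]
    return "\n".join(lines)


BROKEN_OUTPUT = build_output([(LEAF, INTER, "leaf")])                 # leaf only, as in the 1.8.13 report
DUPLICATE_OUTPUT = build_output([(LEAF, INTER, "leaf")] * 4)          # one cert repeated four times
GOOD_OUTPUT = build_output([(LEAF, INTER, "leaf"), (INTER, ROOT, "intermediate"), (ROOT, ROOT, "root")])

if __name__ == "__main__":
    # Pipe real output in: openssl s_client -connect host:5061 -showcerts </dev/null | python3 check_chain.py
    text = sys.stdin.read() if not sys.stdin.isatty() else BROKEN_OUTPUT
    print(describe(diagnose(parse_showcerts(text))))
```

Run against a live server with the usage line in the `__main__` block; on the failing 1.8.13 setup the verdict would be "chain ends at a non-root issuer", and restoring the intermediate and root in the file Asterisk serves turns it into the "complete chain" verdict. The fingerprint check exists because `s_client` prints the subject for every entry, and subjects alone cannot tell a genuine four-certificate chain from one certificate sent four times.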


