[asterisk-users] sip tls problem

Vladimir Mikhelson vlad at mikhelson.com
Sun Aug 5 21:59:49 CDT 2012


Have you tried 1.8.15?

SIP TLS with self-signed certificate seems to be working fine here.  The
OS is CentOS 5.8 and there are no chained certificates in my environment.

-Vladimir

On 8/5/2012 1:23 PM, Daniel Pocock wrote:
> Package: asterisk
> Version: 1:1.8.13.0~dfsg-1+b1
> Severity: important
>
>
> On 05/03/12 10:47, Wolfgang Pichler wrote:
>> Hi all,
>>
>> I have had SIP TLS with a self-signed certificate (using the
>> ast_tls_cert script) running on asterisk-1.8.8. I then updated
>> to 1.8.9.3, and now I get the message "FILE * open failed!"
>>
>> I have already recreated the certificates with the script - but still no luck...
>>
>> Does anyone here know the source of the problem?
>>
> I'm seeing similar problems with the 1.8.13 package in Debian.
>
> [Aug  5 19:05:16] WARNING[6169]: tcptls.c:235 handle_tcptls_connection:
> FILE * open failed!
>
>
> 1.8.8 was working (although it had other severe problems, for example,
> closing the TLS connection and not receiving a BYE, keeping channels
> open forever)
>
>
> My cert is a Thawte 123 cert; there are actually 4 certs in the chain,
> root at the top.
>
> The log claims it loads successfully:
>
> SIP channel loading...
>   == Parsing '/etc/asterisk/sip.conf':   == Found
>   == Parsing '/etc/asterisk/users.conf':   == Found
>   == SIP Listening on 192.168.100.1:5060
>   == Using SIP CoS mark 4
> SSL certificate ok
>
>
> With 1.8.8, this was fine.
>
> With 1.8.13, I connect to the server using `openssl s_client`, and it
> only shows the text of ONE of the certificates - it seems to repeat the
> same certificate four times though.  This is a very bad sign.
>
> With 1.8.8, I would see ALL four certificates in the output below.
>
>
> $ openssl s_client -connect 192.168.100.1:5061 -showcerts
> CONNECTED(00000003)
> depth=0 /O=<MY HOSTNAME>/OU=Go to
> https://www.thawte.com/repository/index.html/OU=Thawte SSL123
> certificate/OU=Domain Validated/CN=<MY HOSTNAME>
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /O=<MY HOSTNAME>/OU=Go to
> https://www.thawte.com/repository/index.html/OU=Thawte SSL123
> certificate/OU=Domain Validated/CN=<MY HOSTNAME>
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /O=<MY HOSTNAME>/OU=Go to
> https://www.thawte.com/repository/index.html/OU=Thawte SSL123
> certificate/OU=Domain Validated/CN=<MY HOSTNAME>
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/O=<MY HOSTNAME>/OU=Go to
> https://www.thawte.com/repository/index.html/OU=Thawte SSL123
> certificate/OU=Domain Validated/CN=<MY HOSTNAME>
>    i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
> -----BEGIN CERTIFICATE-----
> MIIETDCCAzSgAwIBAgIQWppejHk2XLkg+v70FfjEujANBgkqhkiG9w0BAQUFADBe
> ......
> xlRmMVj1hUPeE+83S05bqB6mI09P3IGWUf0LfljDT5bmU/BFM0OhXaRe42sNHy1Y
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/O=<MY HOSTNAME>/OU=Go to
> https://www.thawte.com/repository/index.html/OU=Thawte SSL123
> certificate/OU=Domain Validated/CN=<MY HOSTNAME>
> issuer=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1273 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID:
> 0DAB4C1A6E2AC5D4A86769E8F00B469810F679CAC26CACEFC9F902F267E3490F
>     Session-ID-ctx:
>     Master-Key:
> 42C512C4D1C2AA32136F79F45A98A7D6AC99FD1579734728A9AC5C213424B2D1CEAA3749CCD22D2F4CB3400853E5EC93
>     Key-Arg   : None
>     Start Time: 1344190380
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
>
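
A check added here for the symptom Daniel describes above; it is not part of the thread and not Asterisk or OpenSSL code. It parses `openssl s_client -showcerts` output, counts presented versus distinct certificates and reads the final verify code, so a server that repeats its own leaf instead of sending the intermediates is flagged; the s_client output it consumes is constructed, with placeholder PEM bodies standing in for real certificates.

```python
import hashlib
import re
from collections import Counter

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
VERIFY_RE = re.compile(r"Verify return code: (\d+) \((.*?)\)")


def chain_report(s_client_output):
    """Summarise the chain received by `openssl s_client -showcerts`: how many
    certificates were presented, how many are distinct, the final verify code
    and findings. A repeated leaf means the server fills the chain slots with
    its own certificate instead of the intermediates, so no path to the root."""
    blocks = PEM_RE.findall(s_client_output)
    # hash each PEM body with whitespace removed so line wrapping cannot make
    # two copies of the same certificate look different
    digests = [hashlib.sha256(re.sub(r"\s+", "", b).encode()).hexdigest()
               for b in blocks]
    counts = Counter(digests)
    m = VERIFY_RE.search(s_client_output)
    code = int(m.group(1)) if m else None
    findings = []
    for n in counts.values():
        if n > 1:
            findings.append("one certificate is sent %d times; the intermediates"
                            " are not being served" % n)
    # 20 and 21 are s_client's "unable to get local issuer certificate" and
    # "unable to verify the first certificate"
    if len(counts) == 1 and code in (20, 21):
        findings.append("only the leaf is served and the client cannot find its"
                        " issuer (verify code %d)" % code)
    if code == 0 and not findings:
        findings.append("chain verified by s_client")
    return {"presented": len(blocks), "distinct": len(counts),
            "verify_code": code, "findings": findings}


def fake_s_client_output(bodies, code, reason):
    """Constructed stand-in for s_client output; bodies are placeholders, not real certs."""
    certs = "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                    % b for b in bodies)
    return ("CONNECTED(00000003)\n---\nCertificate chain\n%s---\nSSL-Session:\n"
            "    Verify return code: %d (%s)\n" % (certs, code, reason))


# constructed samples: the misbehaving server from the thread (same leaf sent
# four times, verify code 21) and a healthy one (leaf plus a distinct intermediate)
BROKEN = fake_s_client_output(["LEAF"] * 4, 21, "unable to verify the first certificate")
HEALTHY = fake_s_client_output(["LEAF", "INTERMEDIATE"], 0, "ok")
```

Against a live server, feed the real output in with `openssl s_client -connect host:5061 -showcerts </dev/null` and pass the captured text to chain_report.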