[asterisk-users] Asterisk 16.14.0 pjsip transport-tls cert parsing error
Ruisheng Peng
rpeng at ifa.hawaii.edu
Mon Feb 1 14:36:27 CST 2021
Michael,
There weren't any open or openat actions on the cert files (located under
/home/asterisk/certs). The same is true for cert files located under
/etc/asterisk/keys:
24138 stat("/etc/asterisk/keys/fullchain.pem", {st_mode=S_IFREG|0640, st_size=3444, ...}) = 0
24138 geteuid() = 1002
24138 getegid() = 1002
24138 getuid() = 1002
24138 getgid() = 1002
24138 access("/etc/asterisk/keys/fullchain.pem", R_OK) = 0
24138 stat("/etc/asterisk/keys/privkey.pem", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0
24138 geteuid() = 1002
24138 getegid() = 1002
24138 getuid() = 1002
24138 getgid() = 1002
24138 access("/etc/asterisk/keys/privkey.pem", R_OK) = 0
24138 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
24138 setsockopt(16, SOL_SOCKET, 0xffff /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (Protocol not available)
24138 setsockopt(16, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
24138 setsockopt(16, SOL_TCP, TCP_NODELAY, [1], 4) = 0
24138 bind(16, {sa_family=AF_INET, sin_port=htons(5061), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
24138 listen(16, 5) = 0
24138 ioctl(16, FIONBIO, [1]) = 0
24138 getsockopt(16, SOL_SOCKET, SO_TYPE, [1], [4]) = 0
24138 epoll_ctl(11, EPOLL_CTL_ADD, 16, {EPOLLIN|EPOLLERR, {u32=23894976, u64=23894976}}) = 0
24138 accept(16, 0x1a765c0, [28]) = -1 EAGAIN (Resource temporarily unavailable)
24138 getsockname(16, {sa_family=AF_INET, sin_port=htons(5061), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0
In the latter case transport-tls was successfully established.
On Fri, Jan 29, 2021 at 9:42 PM Michael Maier <m1278468 at mailbox.org> wrote:
>
> On 29.01.21 at 22:33 Ruisheng Peng wrote:
> > Thanks for the detailed explanation Michael.
> >
> > I stop the current asterisk process (started by systemd), and restart it as
> > asterisk:
> >
> > [asterisk@voip1 ~]$ strace -f -o /home/asterisk/strace.log asterisk -fmq -vvv -C /etc/asterisk/asterisk.conf
> >
> >
> > from the log there was no attempt to even open the cert file. I edited
> > /etc/asterisk/pjsip.conf to add a "method = tlsv1" line to the
> > transport-tls section. Rerun the strace command, and here the part re cert
> > files:
> >
> > 8189 stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0
> > 8189 geteuid() = 1002
> > 8189 getegid() = 1002
> > 8189 getuid() = 1002
> > 8189 getgid() = 1002
> > 8189 access("/home/asterisk/certs/asterisk.crt", R_OK) = 0
> > 8189 stat("/home/asterisk/certs/asterisk.key", {st_mode=S_IFREG|0640, st_size=891, ...}) = 0
> > 8189 geteuid() = 1002
> > 8189 getegid() = 1002
> > 8189 getuid() = 1002
> > 8189 getgid() = 1002
> > 8189 access("/home/asterisk/certs/asterisk.key", R_OK) = 0
> > 8189 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
> > 8189 setsockopt(16, SOL_SOCKET, 0xffff /* SO_??? */, [1], 4) = -1 ENOPROTOOPT (
>
> I'm missing the "open" (or "openat") and the following "read" call - weren't there
> any or didn't you post them? These are the important calls! They will show, if the
> file is used at all or not (and possibly the reason, why it is not used - EACCES
> e.g.).
>
>
> Thanks
> Michael
>
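The check Michael asks for above, as an added example (not code from the thread or from Asterisk): a Python sketch that reads `strace -f -o` output and reports, per certificate path, whether the file was only probed with stat/access or actually opened. The sample log is constructed, reusing paths from the thread; the openat lines, the suffix list and the function names are assumptions.

```python
import re
from collections import defaultdict

# One line of `strace -f -o FILE` output: PID, syscall, arguments, result.
LINE = re.compile(r'^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s+=\s+'
                  r'(?P<ret>-?\d+|\?)(?:\s+(?P<errno>E[A-Z]+))?')
PATH = re.compile(r'"([^"]+)"')      # first quoted argument is the path
OPENERS = {"open", "openat"}

# Constructed sample: paths from the thread, openat results invented for the demo.
SAMPLE = '''\
24138 stat("/etc/asterisk/keys/fullchain.pem", {st_mode=S_IFREG|0640, st_size=3444, ...}) = 0
24138 access("/etc/asterisk/keys/fullchain.pem", R_OK) = 0
24138 openat(AT_FDCWD, "/etc/asterisk/keys/fullchain.pem", O_RDONLY) = 17
24138 stat("/etc/asterisk/keys/privkey.pem", {st_mode=S_IFREG|0640, st_size=1704, ...}) = 0
24138 access("/etc/asterisk/keys/privkey.pem", R_OK) = 0
24138 openat(AT_FDCWD, "/etc/asterisk/keys/privkey.pem", O_RDONLY) = -1 EACCES (Permission denied)
24138 stat("/home/asterisk/certs/asterisk.crt", {st_mode=S_IFREG|0640, st_size=1212, ...}) = 0
24138 access("/home/asterisk/certs/asterisk.crt", R_OK) = 0
24138 socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 16
'''


def trace_paths(log_text, suffixes=(".pem", ".crt", ".key")):
    """Map each certificate-like path to its (syscall, ret, errno) events."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                 # unfinished/resumed calls, signals, exits
        p = PATH.search(m["args"])
        if p and p.group(1).endswith(tuple(suffixes)):
            seen[p.group(1)].append((m["call"], m["ret"], m["errno"]))
    return dict(seen)


def verdict(events):
    """Classify one path: only probed, opened, or every open refused."""
    opens = [e for e in events if e[0] in OPENERS]
    if not opens:
        return "probed-only"         # stat/access seen, file never opened
    failed = [e for e in opens if e[1] == "-1"]
    if len(failed) == len(opens):
        return "open-failed:" + (failed[-1][2] or "unknown")
    return "opened"


if __name__ == "__main__":
    for path, events in trace_paths(SAMPLE).items():
        print(f"{verdict(events):20} {path}")
```

A "probed-only" result matches what both traces in this thread show: stat and access succeed, but no open or openat follows.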