Package: asterisk
Version: 1:1.8.13.0~dfsg-1+b1
Severity: important

On 05/03/12 10:47, Wolfgang Pichler wrote:
> Hi all,
>
> I have had sip TLS with an own signed certificate (using the
> ast_tls_cert script) running on asterisk-1.8.8 - I then have updated
> to 1.8.9.3 - and now I get the message "FILE * open failed!"
>
> I have already recreated the certificates with the script - but still no
> luck...
>
> Does anyone here know the source of the problem ?
>

I'm seeing similar problems with the 1.8.13 package in Debian

[Aug 5 19:05:16] WARNING[6169]: tcptls.c:235 handle_tcptls_connection: FILE * open failed!

1.8.8 was working (although it had other severe problems, for example,
closing the TLS connection and not receiving a BYE, keeping channels
open forever)

My cert is a Thawte 123 cert, there are actually 4 certs in the chain,
root at the top

The log claims it loads successfully:

SIP channel loading...
  == Parsing '/etc/asterisk/sip.conf':   == Found
  == Parsing '/etc/asterisk/users.conf':   == Found
  == SIP Listening on 192.168.100.1:5060
  == Using SIP CoS mark 4
SSL certificate ok

With 1.8.8, this was fine

With 1.8.13, I connect to the server using `openssl s_client', and it
only shows the text of ONE of the certificates - it seems to repeat the
same certificate four times though. This is a very bad sign. With
1.8.8, I would see ALL four certificates in the output below.

$ openssl s_client -connect 192.168.100.1:5061 -showcerts
CONNECTED(00000003)
depth=0 /O=<MY HOSTNAME>/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=<MY HOSTNAME>
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /O=<MY HOSTNAME>/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=<MY HOSTNAME>
verify error:num=27:certificate not trusted
verify return:1
depth=0 /O=<MY HOSTNAME>/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=<MY HOSTNAME>
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=<MY HOSTNAME>/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=<MY HOSTNAME>
   i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
-----BEGIN CERTIFICATE-----
MIIETDCCAzSgAwIBAgIQWppejHk2XLkg+v70FfjEujANBgkqhkiG9w0BAQUFADBe
......
xlRmMVj1hUPeE+83S05bqB6mI09P3IGWUf0LfljDT5bmU/BFM0OhXaRe42sNHy1Y
-----END CERTIFICATE-----
---
Server certificate
subject=/O=<MY HOSTNAME>/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=<MY HOSTNAME>
issuer=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1273 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 0DAB4C1A6E2AC5D4A86769E8F00B469810F679CAC26CACEFC9F902F267E3490F
    Session-ID-ctx:
    Master-Key: 42C512C4D1C2AA32136F79F45A98A7D6AC99FD1579734728A9AC5C213424B2D1CEAA3749CCD22D2F4CB3400853E5EC93
    Key-Arg   : None
    Start Time: 1344190380
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
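
Added example, not part of the original report or of Asterisk: a Python check that reads saved `openssl s_client -showcerts` output and reports when the server presented an unlinkable chain, such as the leaf-only chain shown above. The function names and sample certificate names are constructed placeholders, and it assumes the "N s:" / "i:" layout seen in the output above.

```python
import re

# " 0 s:<subject>" followed on the next line by "   i:<issuer>"
ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s+i:(.*)$", re.MULTILINE)

def parse_chain(s_client_output):
    """Return [(depth, subject, issuer)] from the 'Certificate chain' section."""
    tail = s_client_output.partition("Certificate chain")[2]
    # The section ends at the next bare '---' line (not a '-----BEGIN' line).
    section = re.split(r"^---\s*$", tail, maxsplit=1, flags=re.MULTILINE)[0]
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(section)]

def chain_problems(entries):
    """List reasons the presented chain cannot link the leaf to its issuers."""
    if not entries:
        return ["no certificates presented"]
    problems = []
    subjects = [s for _, s, _ in entries]
    if len(set(subjects)) < len(subjects):
        problems.append("same certificate sent more than once")
    for (depth, _, issuer), (_, next_subject, _) in zip(entries, entries[1:]):
        if issuer != next_subject:
            problems.append(f"depth {depth}: issuer is not the next subject")
    _, subject, issuer = entries[0]
    if len(entries) == 1 and subject != issuer:
        problems.append("only the leaf was sent; intermediates are missing")
    return problems

# Constructed samples in the s_client layout; all names are placeholders.
LEAF_ONLY = """CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=pbx.example.org
   i:/O=Example CA/CN=Example DV CA
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
---
Server certificate
"""
FULL = """---
Certificate chain
 0 s:/CN=pbx.example.org
   i:/O=Example CA/CN=Example DV CA
 1 s:/O=Example CA/CN=Example DV CA
   i:/O=Example CA/CN=Example Root
---
"""

if __name__ == "__main__":
    for name, text in (("leaf only", LEAF_ONLY), ("full", FULL)):
        print(name, chain_problems(parse_chain(text)))
```

Running it against output captured before and after a package upgrade shows whether the number and linkage of certificates sent by the server changed.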