Do you think I should try backrevving stunnel?

Josh Patten
Assistant Network Administrator
Brazos County IT Dept.
(979) 361-4676


On 5/4/2010 7:48 AM, DANS, RAYMOND (RAYMOND) wrote:
>> Subject: Re: [sipx-users] 4.2 HA CDR tunnel SSL issue
>>
>> Perhaps I could try regenerating all certificates? I'm not
>> sure how to do this in a cluster environment. Could someone
>> point me in the right direction? I know in a single node
>> environment you can use this:
>> http://sipx-wiki.calivia.com/index.php/SSL_Certificates but I
>> haven't been able to find any instructions for doing that in a cluster.
>>
>> Josh Patten
>> Assistant Network Administrator
>> Brazos County IT Dept.
>> (979) 361-4676
>>
>>
>> On 5/3/2010 11:37 AM, Josh Patten wrote:
>>> What I did to build this test system was:
>>>
>>> Install sipX 4.0.4 from ISO
>>> backup the primary production server via sipXconfig
>>> backup the secondary production server from command line (sipx-backup)
>>>
>>> restore both the primary and secondary servers via command line in the
>>> test environment.
>>>
>>> After I do this, firefox cannot connect because of an SSL issue. To
>>> get around this I load up sipXconfig on IE and send profiles to the server.
>>> I then perform the 4.2 upgrade.
>>>
>>> After the 4.2 upgrade everything ran fine for a few hours then that
>>> certificate error popped up.
>>>
>>> stunnel on both servers is 4.28-1
>>>
>>> config is identical on both servers:
>>>
>>> service = sipxcallresolver-agent
>>> pid     = /var/run/sipxpbx/sipxcallresolver-agent.pid
>>> verify  = 2
>>> debug   = 5
>>> output  = /var/log/sipxpbx/sipxcallresolver-agent.log
>>> CApath  = /etc/sipxpbx/ssl/authorities
>>> cert    = /etc/sipxpbx/ssl/ssl.crt
>>> key     = /etc/sipxpbx/ssl/ssl.key
>>> client  = no
>>> foreground = yes
>>>
>>> [postgresql]
>>> accept  = 9300
>>> connect = 5432
>>>
>>>
>>> Josh Patten
>>> Assistant Network Administrator
>>> Brazos County IT Dept.
>>> (979) 361-4676
>>>
>>>
>>> On 5/3/2010 10:40 AM, DANS, RAYMOND (RAYMOND) wrote:
>>>
>>>>> On 4/30/2010 1:50 PM, Josh Patten wrote:
>>>>>
>>>>>> Today on my test 4.2 environment I received an alarm email that the
>>>>>> CallResolver-Agent stopped unexpectedly on the secondary HA server and
>>>>>> could not start. Here was the error:
>>>>>>
>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: RAND_status claims sufficient entropy for the PRNG
>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: PRNG seeded successfully
>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: Certificate: /etc/sipxpbx/ssl/ssl.crt
>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: Certificate loaded
>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: Key file: /etc/sipxpbx/ssl/ssl.key
>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: Private key loaded
>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: Verify directory set to /etc/sipxpbx/ssl/authorities
>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: Added /etc/sipxpbx/ssl/authorities revocation lookup directory
>>>>>> 2010.04.30 13:43:04 LOG7[5134:3086362320]: SSL context initialized for service postgresql
>>>>>> 2010.04.30 13:43:04 LOG3[5134:3086362320]: FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
>>>>>>
>>>>>> Any recommendation on how I should tackle this problem? It looks like
>>>>>> I have a certificate issue but I'm not sure.
>>>>>>
>>>> Josh, can you tell me what version of stunnel you're using
>>>> (rpm -qa | grep stunnel) and also show me your stunnel
>>>> configuration file (usually it's
>>>> /etc/sipxpbx/sipxcallresolver-agent-config).  I've never seen
>>>> this issue before nor can I find any information on it.
>>>>
>>>> The current version of stunnel that we're using is 4.26-1.
>>>>
>>>> Thanks
>>>> Raymond
>>>>
> Josh,
>      As Scott said, I'm not sure it's actually a certificate issue.  I've
> found that with version 4.28 of stunnel, it makes use of FIPS (Federal
> Information Processing Standards) in OpenSSL and the minimum version of
> OpenSSL required is 0.9.8j.  I'm not sure what version of OpenSSL you have
> but I suspect that it's something related to FIPS as I don't believe the
> version of OpenSSL we use, 0.9.8g, makes use of it.
>
> Raymond
_______________________________________________
sipx-users mailing list sipx-users@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/
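
Added example, not part of the original thread and not sipXecs or stunnel code: a small Python triage of the stunnel debug log quoted above. It re-joins entries that the mail client wrapped, then separates the certificate and key loading status from the error-level entries. The function names and the embedded sample (the quoted log with quote markers stripped) are constructed for illustration.

```python
import re

# Constructed sample: the log quoted in the thread, quote markers stripped,
# still wrapped the way the mail client left it.
SAMPLE_LOG = """\
2010.04.30 13:43:04 LOG7[5134:3086362320]: RAND_status claims
sufficient entropy for the PRNG 2010.04.30 13:43:04
LOG7[5134:3086362320]: PRNG seeded successfully 2010.04.30 13:43:04
LOG7[5134:3086362320]: Certificate: /etc/sipxpbx/ssl/ssl.crt
2010.04.30 13:43:04 LOG7[5134:3086362320]: Certificate loaded
2010.04.30 13:43:04 LOG7[5134:3086362320]: Key file:
/etc/sipxpbx/ssl/ssl.key 2010.04.30 13:43:04 LOG7[5134:3086362320]:
Private key loaded 2010.04.30 13:43:04 LOG7[5134:3086362320]:
Verify directory set to /etc/sipxpbx/ssl/authorities 2010.04.30
13:43:04
LOG7[5134:3086362320]: Added /etc/sipxpbx/ssl/authorities
revocation lookup directory 2010.04.30 13:43:04
LOG7[5134:3086362320]: SSL context initialized for service
postgresql 2010.04.30 13:43:04
LOG3[5134:3086362320]: FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS
routines:FIPS_mode_set:fingerprint does not match
"""

# stunnel entry header: date, time, syslog level, [pid:thread id]
HEADER = re.compile(r"(\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) LOG(\d)\[(\d+):(\d+)\]: ?")

def split_entries(text):
    """Re-segment log text whose entries were wrapped or run together."""
    flat = " ".join(text.split())  # undo hard wraps, even inside a timestamp
    marks = list(HEADER.finditer(flat))
    entries = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(flat)
        entries.append({"time": m.group(1), "level": int(m.group(2)),
                        "msg": flat[m.end():end].strip()})
    return entries

def triage(entries):
    """Separate certificate/key loading status from error-level entries."""
    msgs = [e["msg"] for e in entries]
    errors = [e for e in entries if e["level"] <= 3]  # syslog err or worse
    return {"cert_loaded": "Certificate loaded" in msgs,
            "key_loaded": "Private key loaded" in msgs,
            "errors": [e["msg"] for e in errors],
            "fips_mode_set_failed": any("FIPS_mode_set" in e["msg"] for e in errors)}

if __name__ == "__main__":
    for key, value in triage(split_entries(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On this log it reports the certificate and key as loaded and a single error-level entry, from FIPS_mode_set, which fits Raymond's reading that the failure is FIPS-related.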