#941011 asterisk: Silently failing on weak certificates with no debug messages

Package:
asterisk
Source:
asterisk
Description:
Open Source Private Branch Exchange (PBX)
Submitter:
Anton Ivanov
Date:
2023-03-14 17:12:03 UTC
Severity:
minor
#941011#5
Date:
2019-09-23 12:19:33 UTC
From:
To:
Dear Maintainer,

After an upgrade from stretch to buster, my asterisk installation lost tls support.

Debug provided minimal information - it was failing to load the certificate in tcptls.c

Root cause was openssl deciding that the old certificates were too weak.

There is no debug info. There is no easy fix because the openssl error api can print the error queue only to a file/bio. It is not possible to feed into another logging framework (e.g. asterisk) and dump it at that level. I was able to stick a couple of statements dumping openssl errors to stderr, but this approach is not fit for a proper fix.

IMHO the only thing that can be done here is to add a note to the changes file and relevant warnings apt-changes.
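A check for the failure mode described in the report, added here as example code (it is not part of Asterisk, Debian's packaging or OpenSSL): it parses a certificate with only the Python standard library and applies the key-size and signature-digest limits that OpenSSL 1.1.1 enforces at security level 2, which became the default in Debian buster's openssl.cnf. The level thresholds, the "half the digest length" rule for signature strength and the exemption of self-signed certificates from the digest check are stated from OpenSSL 1.1.1's ssl_security_cert() rules and are assumptions to verify against your own OpenSSL version; the sample certificates are constructed inside the block (syntactically valid DER, placeholder modulus, no real signature) so that it runs offline.

```python
"""Predict whether OpenSSL 1.1.1 at SECLEVEL=2 (the Debian buster default) will
refuse to load a certificate, using only the Python standard library.
Example added to this bug report; not code from Asterisk or OpenSSL."""
import base64
import re
import sys

# DER content octets of the OIDs this check understands -> names.
OID_RSA = bytes.fromhex("2a864886f70d010101")         # rsaEncryption
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
OID_NAMES = {OID_RSA: "rsaEncryption", OID_SHA1_RSA: "sha1WithRSAEncryption",
             OID_SHA256_RSA: "sha256WithRSAEncryption",
             bytes.fromhex("2a8648ce3d0201"): "ecPublicKey",
             bytes.fromhex("2a8648ce3d040302"): "ecdsa-with-SHA256"}
CURVE_BITS = {bytes.fromhex("2a8648ce3d030107"): 256, bytes.fromhex("2b81040022"): 384}
# Assumed from OpenSSL 1.1.1's security levels: minimum key size per level, digest
# strength as half the digest length, and the security bits each level demands.
KEY_MIN = {"rsaEncryption": {1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360},
           "ecPublicKey": {1: 160, 2: 224, 3: 256, 4: 384, 5: 512}}
DIGEST_BITS = {"md5": 64, "sha1": 80, "sha256": 128, "sha384": 192, "sha512": 256}
LEVEL_BITS = {1: 80, 2: 112, 3: 128, 4: 192, 5: 256}

def der_read(buf, pos=0):
    """Read one DER TLV at buf[pos]: (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    """Split a constructed element's contents into (tag, contents) children."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_read(contents, pos)
        out.append((tag, val))
    return out

def inspect_cert(data):
    """Key algorithm, key bits, signature algorithm and self-signedness of a cert."""
    if b"-----BEGIN" in data:               # PEM: strip the armour, base64-decode
        body = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END", data, re.S)
        data = base64.b64decode(b"".join(body.group(1).split()))
    fields = der_children(der_children(der_read(data)[1])[0][1])   # TBSCertificate
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # fields: serial, signature AlgorithmIdentifier, issuer, validity, subject, SPKI
    sig_alg = OID_NAMES.get(der_children(fields[1][1])[0][1], "unknown")
    alg, pubkey = der_children(fields[5][1])
    alg_parts = der_children(alg[1])
    key_alg, key_bits = OID_NAMES.get(alg_parts[0][1], "unknown"), 0
    if key_alg == "rsaEncryption":          # BIT STRING: skip the unused-bits octet
        modulus = der_children(der_read(pubkey[1], 1)[1])[0][1]
        key_bits = int.from_bytes(modulus, "big").bit_length()
    elif key_alg == "ecPublicKey":
        key_bits = CURVE_BITS.get(alg_parts[1][1], 0)   # named-curve parameter
    return {"key_alg": key_alg, "key_bits": key_bits, "sig_alg": sig_alg,
            "self_signed": fields[2][1] == fields[4][1]}  # issuer DER == subject DER

def seclevel_problems(info, level=2):
    """OpenSSL-style reasons an end-entity cert is refused at the given level."""
    problems, need = [], LEVEL_BITS[level]
    minimum = KEY_MIN.get(info["key_alg"], {}).get(level)
    if minimum and info["key_bits"] < minimum:
        problems.append("ee key too small: %s %d < %d bits"
                        % (info["key_alg"], info["key_bits"], minimum))
    # OpenSSL skips the signature-digest check for self-signed certificates.
    digest = re.search(r"md5|sha1|sha256|sha384|sha512", info["sig_alg"].lower())
    if digest and not info["self_signed"] and DIGEST_BITS[digest.group()] < need:
        problems.append("ca md too weak: %s gives %d < %d bits"
                        % (digest.group(), DIGEST_BITS[digest.group()], need))
    return problems

# Constructed sample certificates: valid DER, placeholder modulus, no real signature.
def der(tag, contents):
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def der_int(n):  # leading zero octet keeps the INTEGER positive
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def fake_cert(key_bits, sig_oid, self_signed=True):
    seq = lambda *p: der(0x30, b"".join(p))
    name = lambda cn: seq(der(0x31, seq(der(0x06, bytes.fromhex("550403")), der(0x0C, cn))))
    alg = seq(der(0x06, sig_oid), der(0x05, b""))
    rsa_key = seq(der_int((1 << (key_bits - 1)) | 1), der_int(65537))  # exactly key_bits wide
    spki = seq(seq(der(0x06, OID_RSA), der(0x05, b"")), der(0x03, b"\x00" + rsa_key))
    issuer = name(b"Example Test CA")
    subject = issuer if self_signed else name(b"pbx.example.invalid")
    validity = seq(der(0x17, b"190901000000Z"), der(0x17, b"290901000000Z"))
    tbs = seq(der(0xA0, der_int(2)), der_int(1), alg, issuer, validity, subject, spki)
    return seq(tbs, alg, der(0x03, b"\x00" * 17))

def to_pem(der_bytes):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":       # usage: python3 seclevel_check.py server.pem [level]
    with open(sys.argv[1], "rb") as f:
        info = inspect_cert(f.read())
    print(info, seclevel_problems(info, int(sys.argv[2]) if len(sys.argv) > 2 else 2))
```

The two reason strings the check produces, "ee key too small" and "ca md too weak", are the texts OpenSSL 1.1.1 pushes onto its error queue when SSL_CTX_use_certificate() rejects a certificate; a program can read them with ERR_get_error() and ERR_error_string_n(), or hand the whole queue to its own logger through ERR_print_errors_cb(), so nothing forces them to stderr or a BIO. On a real certificate the same two facts are visible in `openssl x509 -in cert.pem -noout -text` as the "Public-Key: (N bit)" and "Signature Algorithm:" lines. Note the self-signed exemption: a self-signed SHA-1 certificate with a 2048-bit key still loads at level 2, while the same certificate issued by a CA does not. Under OpenSSL 3.0 (an assumption outside this page's scope) SHA-1 signatures count for only 64 bits and are refused already at level 1.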

#941011#10
Date:
2019-10-04 20:43:02 UTC
From:
To:
On 23.09.19 at 14:19, Anton Ivanov wrote:

Dear Anton,

Are you using chan_sip or chan_pjsip?

Since these affect everything in Buster using SSL certificates (with
both OpenSSL and GnuTLS) I don't think this is Asterisk specific and
should not be handled as such. I had to replace quite a lot of
internal/self signed certificates because they refused to load,
including unbound's local control certificate.

However, I feel your pain. I had an issue with a remote certificate, and
it drove me nuts to identify the failing peer, because it is not logged.
That has been fixed fortunately.

https://issues.asterisk.org/jira/browse/ASTERISK-26006
https://issues.asterisk.org/jira/browse/ASTERISK-28444

I'd suggest filing an issue upstream.

Bernhard

#941011#15
Date:
2019-10-04 21:07:59 UTC
From:
To:
chan_sip

Good idea. Though the way openssl handles this particular error
reporting makes capturing it quite difficult.

In any case, let's let upstream figure it out :)

Brgds,
