Bug#941011: asterisk: Silently failing on weak certificates with no debug messages
Bernhard Schmidt
berni at debian.org
Fri Oct 4 21:43:02 BST 2019
On 23.09.19 at 14:19, Anton Ivanov wrote:
Dear Anton,
> Package: asterisk
> Version: 1:16.2.1~dfsg-1+deb10u1
> Severity: minor
>
> Dear Maintainer,
>
> After an upgrade from stretch to buster, my asterisk installation lost tls support.
>
> Debug provided minimal information - it was failing to load the certificate in tcptls.c
>
> Root cause was openssl deciding that the old certificates were too weak.
>
> There is no debug info. There is no easy fix because the openssl error api can print the error queue only to a file/bio. It is not possible to feed into another logging framework (f.e. asterisk) and dump it at that level. I was able to stick a couple of statements dumping openssl errors to stderr, but this approach is not fit for a proper fix.
>
> IMHO the only thing that can be done here is to add a note to the changes file and relevant warnings apt-changes.
Are you using chan_sip or chan_pjsip?
Since these affect everything in Buster using SSL certificates (with
both OpenSSL and GnuTLS) I don't think this is Asterisk specific and
should not be handled as such. I had to replace quite a lot of
internal/self signed certificates because they refused to load,
including unbound's local control certificate.
However, I feel your pain. I had an issue with a remote certificate, and
it drove me nuts to identify the failing peer, because it is not logged.
That has been fixed fortunately.
https://issues.asterisk.org/jira/browse/ASTERISK-26006
https://issues.asterisk.org/jira/browse/ASTERISK-28444
I'd suggest filing an issue upstream.
Bernhard
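An added check for the failure both messages describe (example code, not from the bug report or from Asterisk): it asks OpenSSL's own verifier whether a self-signed certificate passes the key-size and signature-strength checks at a given security level (buster's OpenSSL defaults to level 2) and prints the rejection text that never reached the Asterisk log. It assumes the openssl CLI (1.1.0 or newer, for "verify -auth_level") is on PATH and that the certificate is self-signed; the certificates the helper generates are constructed test data.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Asterisk.
# Assumes: openssl CLI >= 1.1.0 on PATH; certificates are self-signed.

# cert_ok_at_level CERT [LEVEL]
# Returns 0 if CERT passes OpenSSL's strength checks at LEVEL (default 2,
# buster's default). On failure returns 1 and echoes OpenSSL's own
# diagnostic to stderr, the text that Asterisk's tcptls.c did not surface.
cert_ok_at_level() {
    cert=$1
    level=${2:-2}
    # The cert is its own trust anchor, so only the strength checks
    # (not chain building) decide the outcome.
    if out=$(openssl verify -auth_level "$level" -CAfile "$cert" "$cert" 2>&1); then
        return 0
    fi
    printf '%s: rejected at security level %s\n%s\n' "$cert" "$level" "$out" >&2
    return 1
}

# make_selfsigned_cert BITS OUT
# Constructed test data: a throwaway self-signed RSA cert with a BITS-bit
# key written to OUT, private key to OUT.key.
make_selfsigned_cert() {
    openssl req -x509 -newkey "rsa:$1" -nodes -sha256 -days 1 \
        -subj "/CN=constructed-$1-bit" -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# demo: a 1024-bit key is accepted at level 1 but rejected at level 2,
# which is the "too weak" behaviour seen after the stretch -> buster upgrade.
demo() {
    dir=$(mktemp -d)
    make_selfsigned_cert 1024 "$dir/weak.pem"
    make_selfsigned_cert 2048 "$dir/strong.pem"
    for lvl in 1 2; do
        for c in weak strong; do
            if cert_ok_at_level "$dir/$c.pem" "$lvl" 2>/dev/null; then
                echo "$c.pem: ok at level $lvl"
            else
                echo "$c.pem: REJECTED at level $lvl"
            fi
        done
    done
    rm -rf "$dir"
}
```

Run `demo` to see the level-dependent result, or call `cert_ok_at_level /etc/asterisk/keys/asterisk.pem 2` (path is an assumption) on the certificate you actually deploy before upgrading.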