Bug#941011: asterisk: Silently failing on weak certificates with no debug messages

Anton Ivanov anton.ivanov at kot-begemot.co.uk
Mon Sep 23 13:19:33 BST 2019 

Package: asterisk
Version: 1:16.2.1~dfsg-1+deb10u1
Severity: minor

Dear Maintainer,

After an upgrade from stretch to buster, my asterisk installation lost tls support.

Debug provided minimal information - it was failing to load the certificate in tcptls.c

Root cause was openssl deciding that the old certificates were too weak.

There is no debug info. There is no easy fix because the openssl error api can print the error queue only to a file/bio. It is not possible to feed into another logging framework (f.e. asterisk) and dump it at that level. I was able to stick a couple of statements dumping openssl errors to stderr, but this approach is not fit for a proper fix.

IMHO the only thing that can be done here is to add a note to the changes file and relevant warnings apt-changes.

-- System Information:
Debian Release: 10.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages asterisk depends on:
ii  adduser                  3.118
ii  asterisk-config          1:16.2.1~dfsg-1+deb10u1
ii  asterisk-core-sounds-en  1.6.1-1
ii  asterisk-modules         1:16.2.1~dfsg-1+deb10u1
ii  libc6                    2.28-10
ii  libcap2                  1:2.25-2
ii  libedit2                 3.1-20181209-1
ii  libjansson4              2.12-1
ii  libpopt0                 1.16-12
ii  libsqlite3-0             3.27.2-3
ii  libssl1.1                1.1.1c-1
ii  libsystemd0              241-7~deb10u1
ii  liburiparser1            0.9.1-1
ii  libuuid1                 2.33.1-0.1
ii  libxml2                  2.9.4+dfsg1-7+b3
ii  libxslt1.1               1.1.32-2.1~deb10u1
ii  lsb-base                 10.2019051400

Versions of packages asterisk recommends:
ii  asterisk-moh-opsound-gsm                         2.03-1
ii  asterisk-voicemail [asterisk-voicemail-storage]  1:16.2.1~dfsg-1+deb10u1
ii  sox                                              14.4.2+git20190427-1

Versions of packages asterisk suggests:
pn  asterisk-dahdi   <none>
pn  asterisk-dev     <none>
pn  asterisk-doc     <none>
pn  asterisk-ooh323  <none>
pn  asterisk-opus    <none>
pn  asterisk-vpb     <none>

-- no debconf information

More information about the Pkg-voip-maintainers mailing list