sip tls problem


Hi all,

I have had SIP TLS with a self-signed certificate (using the
ast_tls_cert script) running on asterisk-1.8.8 – I then updated
to 1.8.9.3 – and now I get the message “FILE * open failed!”

I have already recreated the certificates with the script – but still no luck…

Does anyone here know the source of the problem?

best regards,
Wolfgang Pichler

3 thoughts on - sip tls problem

  • Package: asterisk
    Version: 1:1.8.13.0~dfsg-1+b1
    Severity: important

    I’m seeing similar problems with the 1.8.13 package in Debian

    [Aug 5 19:05:16] WARNING[6169]: tcptls.c:235 handle_tcptls_connection:
    FILE * open failed!

    1.8.8 was working (although it had other severe problems, for example, closing the TLS connection and not receiving a BYE, keeping channels open forever)

    My cert is a Thawte 123 cert, there are actually 4 certs in the chain, root at the top

    The log claims it loads successfully:

    SIP channel loading…
    == Parsing ‘/etc/asterisk/sip.conf’: == Found
    == Parsing ‘/etc/asterisk/users.conf’: == Found
    == SIP Listening on 192.168.100.1:5060
    == Using SIP CoS mark 4
    SSL certificate ok

    With 1.8.8, this was fine

    With 1.8.13, I connect to the server using `openssl s_client`, and it only shows the text of ONE of the certificates – it seems to repeat the same certificate four times though. This is a very bad sign.

    With 1.8.8, I would see ALL four certificates in the output below.

    $ openssl s_client -connect 192.168.100.1:5061 -showcerts
    CONNECTED(00000003)
    depth=0 /O=/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 /O=/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 /O=/OU=Go to https://www.thawte.com/repository/index.html/OU=Thawte SSL123 certificate/OU=Domain Validated/CN=
    verify error:num=21:unable to verify the first certificate
    verify return:1
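A quick way to confirm the symptom described in this post from a saved `openssl s_client -showcerts` transcript. This is an added example, not code from the mailing list or from Asterisk; it compares certificates by SHA-256 fingerprint only, so it needs no third-party library, and the PEM bodies in the sample are constructed placeholders rather than real certificates.

```python
"""Diagnose an `openssl s_client -showcerts` transcript: did the server send a
real chain, or the same certificate repeated?  Added example (not from the
thread); compares certificates by fingerprint, no `cryptography` needed."""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
VERIFY_RE = re.compile(r"verify error:num=(\d+):(.*)")


def chain_fingerprints(transcript):
    """SHA-256 fingerprint (hex) of every PEM block, in the order it was sent."""
    fps = []
    for body in PEM_RE.findall(transcript):
        der = base64.b64decode("".join(body.split()))   # PEM body -> DER bytes
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def verify_errors(transcript):
    """Every X509 verify error code s_client printed while walking the chain."""
    return [(int(n), msg.strip()) for n, msg in VERIFY_RE.findall(transcript)]


def diagnose(transcript, expected_chain_len):
    """Compare what the server sent with the chain length you configured."""
    fps = chain_fingerprints(transcript)
    distinct = len(set(fps))
    return {
        "sent": len(fps),
        "distinct": distinct,
        "repeated_cert": len(fps) > 1 and distinct == 1,   # the bad sign above
        "chain_complete": distinct == expected_chain_len,
        "verify_errors": verify_errors(transcript),
    }


# Constructed sample transcript: placeholder PEM bodies, not real certificates.
def _pem(tag):
    b64 = base64.b64encode(("placeholder-der-for-" + tag).encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64

BROKEN = ("CONNECTED(00000003)\n"
          + "verify error:num=21:unable to verify the first certificate\n"
          + _pem("leaf") * 4)                 # same leaf sent four times
GOOD = "CONNECTED(00000003)\n" + "".join(
    _pem(t) for t in ("leaf", "intermediate1", "intermediate2", "root"))

if __name__ == "__main__":
    print(diagnose(BROKEN, 4))
    print(diagnose(GOOD, 4))
```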

  • Have you tried 1.8.15?

    SIP TLS with self-signed certificate seems to be working fine here. The OS is CentOS 5.8 and there are no chained certificates in my environment.

    -Vladimir

  • I’m trying 1.8.13 because that is the version currently scheduled for release in Debian 7 (wheezy)

    http://packages.debian.org/wheezy/asterisk

    If 1.8.15 contains definite solutions for TLS problems, then either

    a) they can be applied as patches on the Debian package of 1.8.13

    b) there could be some attempt to get 1.8.15 accepted into Debian (the catalog for wheezy is technically frozen now for final testing before release, so they are not keen to accept whole new versions of packages)

    The original poster was also using self-signed certs

    I’ve observed the problem using chained certs (with 1 root, 2 intermediate, and then my server cert)