Have you tried 1.8.15? SIP TLS with a self-signed certificate seems to be working fine here. The OS is CentOS 5.8 and there are no chained certificates in my environment.
-Vladimir

On 8/5/2012 1:23 PM, Daniel Pocock wrote:
> Package: asterisk
> Version: 1:1.8.13.0~dfsg-1+b1
> Severity: important
>
>
> On 05/03/12 10:47, Wolfgang Pichler wrote:
>> Hi all,
>>
>> I have had SIP TLS with a self-signed certificate (using the
>> ast_tls_cert script) running on asterisk-1.8.8 - I then have updated
>> to 1.8.9.3 - and now I get the message "FILE * open failed!"
>>
>> I have already recreated the certificates with the script - but still no
>> luck...
>>
>> Does anyone here know the source of the problem?
>>
> I'm seeing similar problems with the 1.8.13 package in Debian
>
> [Aug 5 19:05:16] WARNING[6169]: tcptls.c:235 handle_tcptls_connection:
> FILE * open failed!
>
>
> 1.8.8 was working (although it had other severe problems, for example,
> closing the TLS connection and not receiving a BYE, keeping channels
> open forever)
>
>
> My cert is a Thawte 123 cert, there are actually 4 certs in the chain,
> root at the top
>
> The log claims it loads successfully:
>
> SIP channel loading...
>   == Parsing '/etc/asterisk/sip.conf':   == Found
>   == Parsing '/etc/asterisk/users.conf':   == Found
>   == SIP Listening on 192.168.100.1:5060
>   == Using SIP CoS mark 4
> SSL certificate ok
>
>
> With 1.8.8, this was fine
>
> With 1.8.13, I connect to the server using `openssl s_client', and it
> only shows the text of ONE of the certificates - it seems to repeat the
> same certificate four times though. This is a very bad sign.
>
> With 1.8.8, I would see ALL four certificates in the output below.
>
>
> $ openssl s_client -connect 192.168.100.1:5061 -showcerts
> CONNECTED(00000003)
> depth=0 /O=<MY HOSTNAME>/OU=Go to
> https://www.thawte.com/repository/index.html/OU=Thawte SSL123
> certificate/OU=Domain Validated/CN=<MY HOSTNAME>
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /O=<MY HOSTNAME>/OU=Go to
> https://www.thawte.com/repository/index.html/OU=Thawte SSL123
> certificate/OU=Domain Validated/CN=<MY HOSTNAME>
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /O=<MY HOSTNAME>/OU=Go to
> https://www.thawte.com/repository/index.html/OU=Thawte SSL123
> certificate/OU=Domain Validated/CN=<MY HOSTNAME>
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/O=<MY HOSTNAME>/OU=Go to
> https://www.thawte.com/repository/index.html/OU=Thawte SSL123
> certificate/OU=Domain Validated/CN=<MY HOSTNAME>
>    i:/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
> -----BEGIN CERTIFICATE-----
> MIIETDCCAzSgAwIBAgIQWppejHk2XLkg+v70FfjEujANBgkqhkiG9w0BAQUFADBe
> ......
> xlRmMVj1hUPeE+83S05bqB6mI09P3IGWUf0LfljDT5bmU/BFM0OhXaRe42sNHy1Y
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/O=<MY HOSTNAME>/OU=Go to
> https://www.thawte.com/repository/index.html/OU=Thawte SSL123
> certificate/OU=Domain Validated/CN=<MY HOSTNAME>
> issuer=/C=US/O=Thawte, Inc./OU=Domain Validated SSL/CN=Thawte DV SSL CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1273 bytes and written 447 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : AES256-SHA
>     Session-ID:
> 0DAB4C1A6E2AC5D4A86769E8F00B469810F679CAC26CACEFC9F902F267E3490F
>     Session-ID-ctx:
>     Master-Key:
> 42C512C4D1C2AA32136F79F45A98A7D6AC99FD1579734728A9AC5C213424B2D1CEAA3749CCD22D2F4CB3400853E5EC93
>     Key-Arg   : None
>     Start Time: 1344190380
>     Timeout   : 300 (sec)
>     Verify return code: 21 (unable to verify the first certificate)
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
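An added check, not part of this thread and not Asterisk code: the s_client picture quoted above (one certificate shown several times, verify return code 21) is what a client sees whenever the server sends a leaf with no usable intermediates behind it, so before debugging the server it is worth confirming that the PEM bundle itself contains distinct certificates in leaf-to-root order. The Python below uses only the standard library: it splits a bundle into DER blobs, flags duplicates by SHA-256 fingerprint, and checks that each certificate's issuer Name is byte-identical to the next certificate's subject Name (DER is canonical, so no X.509 parser is needed). The sample certificates are constructed stand-ins with the real TBSCertificate field order but a dummy validity and signature; every name in them (sip.example.test, Example Intermediate CA, Example Root CA) is made up.

```python
"""Pre-flight check for a PEM certificate chain file before a TLS server loads
it: every certificate must be distinct, and each certificate's issuer must be
the subject of the next one (leaf first, root last). Standard library only;
Names are compared as raw DER bytes, so no X.509 parser is needed."""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """Split a PEM bundle into DER blobs, one per CERTIFICATE block."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]


def _read_tlv(buf, pos):
    """Decode the DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in [start, end)."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def issuer_and_subject(der):
    """Return the raw DER encodings of the issuer and subject Names.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }"""
    _, cert_start, _ = _read_tlv(der, 0)             # outer Certificate SEQUENCE
    _, tbs_start, tbs_end = _read_tlv(der, cert_start)
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                         # explicit [0] version is present
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    issuer = der[fields[2][1]:fields[2][3]]
    subject = der[fields[4][1]:fields[4][3]]
    return issuer, subject


def check_chain(pem_text):
    """Return a list of findings (an empty list means the bundle looks sane)."""
    ders = pem_to_der_list(pem_text)
    if not ders:
        return ["no CERTIFICATE blocks found"]
    findings, seen = [], {}
    for i, der in enumerate(ders):
        fp = hashlib.sha256(der).hexdigest()
        if fp in seen:                               # one certificate repeated in the bundle
            findings.append(f"cert #{i} duplicates cert #{seen[fp]} (sha256 {fp[:16]}...)")
        seen.setdefault(fp, i)
    names = [issuer_and_subject(d) for d in ders]
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:           # issuer(i) must equal subject(i+1)
            findings.append(f"cert #{i} issuer is not the subject of cert #{i + 1}")
    return findings


# --- constructed test data: X.509-shaped, unsigned stand-ins (not real certificates) ---

def _tlv(tag, content):
    """Encode one DER TLV (short or long form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID commonName (2.5.4.3), UTF8String }"""
    atv = _tlv(0x30, bytes.fromhex("0603550403") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def make_fake_cert(subject_cn, issuer_cn, serial):
    """Constructed blob with the real TBSCertificate field order, dummy validity/signature."""
    sha256_rsa = _tlv(0x30, bytes.fromhex("06092A864886F70D01010B0500"))   # sha256WithRSA
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
               + sha256_rsa + _name(issuer_cn) + _tlv(0x30, b"") + _name(subject_cn))
    cert = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" + b"\xAA" * 8))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = make_fake_cert("sip.example.test", "Example Intermediate CA", 1)
INTERMEDIATE = make_fake_cert("Example Intermediate CA", "Example Root CA", 2)
ROOT = make_fake_cert("Example Root CA", "Example Root CA", 3)
GOOD_BUNDLE = LEAF + INTERMEDIATE + ROOT          # leaf first, root last
REPEATED_LEAF_BUNDLE = LEAF * 4                   # the same leaf four times over
MISORDERED_BUNDLE = INTERMEDIATE + LEAF + ROOT    # right certificates, wrong order

if __name__ == "__main__":
    for label, bundle in [("good", GOOD_BUNDLE), ("repeated", REPEATED_LEAF_BUNDLE),
                          ("misordered", MISORDERED_BUNDLE)]:
        print(label, check_chain(bundle) or "OK")
```

Run it against the file configured as the server's certificate (or against the output of `openssl s_client -showcerts`, which is also a PEM bundle) and an empty result means the chain is at least self-consistent; anything else points at the file rather than at the server's TLS stack.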
