[Blink] Repository OpenPGP Key Fingerprint?

2016-10-06 Thread Lars Noodén 
I have Blink 1.4.2trusty for Ubuntu 14.04 LTS on amd64.  APT is now
asking for a different key than what I've had for while.  Has the key
changed?   If so, what is the fingerprint for the current key?

I have this one in my keychain dated from 2007:

 fingerprint7B02 469D 7BFD D281 9F7E  C4A6 07C0 EF03 163A 0DF5
 for AG Projects Debian Package Signing Key 

The instructions for the Debian and Ubuntu repositories [1] list the URL
for a key [2] without listing what the fingerprint should be.  That one
is dated 4 Oct but I've seen no announcement on the list or on the web
page about the fingerprint or the change.

Regards,
Lars

[1] http://projects.ag-projects.com/projects/documentation/wiki/Repositories

[2] http://download.ag-projects.com/agp-debian-gpg.key

which is:

 2016-10-04 AG Projects Debian Package Signing Key 
 fingerprintFEBA 7E75 4C9C C6B1 10D1  5DFF F740 46C3 16D8 F9F5
___
Blink mailing list
Blink@lists.ag-projects.com
http://lists.ag-projects.com/mailman/listinfo/blink

Re: [Blink] Repository OpenPGP Key Fingerprint?

2016-10-07 Thread Lars Noodén 
On 10/07/2016 11:23 AM, Dan Pascu wrote:
> On 6 Oct 2016, at 12:40, Lars Nood�n wrote:
[snip]
>> 2016-10-04 AG Projects Debian Package Signing Key 
>> fingerprint  FEBA 7E75 4C9C C6B1 10D1  5DFF F740 46C3 16D8 F9F5
> 
> This is the fingerprint from the new key.

Thanks.

Regards,
Lars



___
Blink mailing list
Blink@lists.ag-projects.com
http://lists.ag-projects.com/mailman/listinfo/blink

[Blink] Blink not connecting SIP account

2017-01-04 Thread Lars Noodén 
I'm working via e-mail with someone trying to get Blink up and running.
The symptom is that Blink starts connecting the SIP account but never
finishes establishing a connection.

SIP on Blink used to work there in the past but there have been some
networking changes, including more layers of NAT because of mobile
modem.  So my uneducated guess is that the network might be the cause.
However, since I am using a very similar arrangement, that might not
actually be the problem.  Thus I am asking for help.

Which logs and other information are needed to help solve this?   The
setup in question is Blink 1.4.2 on Ubuntu 14.04:

$ apt-cache policy blink
blink:
   Installed: 1.4.2trusty
   Candidate: 1.4.2trusty
   Version table:
  *** 1.4.2trusty 0
 500 http://ag-projects.com/ubuntu/ trusty/main i386
Packages
 100 /var/lib/dpkg/status

$ lsb_release -rd
Description:Ubuntu 14.04.5 LTS
Release:14.04

ICE via the menu Blink-> Preferences-> Accounts-> Network-> Use ICE...
has had no noticeable effect.

Regards,
Lars
___
Blink mailing list
Blink@lists.ag-projects.com
http://lists.ag-projects.com/mailman/listinfo/blink

[Blink] blink Segmentation fault on Devuan

2019-03-22 Thread Lars Noodén 
I'm getting segmentation faults whenever I receive a call or connect to
someone else.  However, the Echo Test number works just fine.  It's only
when I get an incoming or outgoing connection established does it crash.
Very briefly the connection window pops up but then it and the rest of
blink disappears before sound comes through.

Is there anything I can adjust on my end?
Or is there data I should collect for a bug report?

/Lars

$ blink
Segmentation fault

$ lsb_release -rd
Description:Devuan GNU/Linux 2.0 (ascii)
Release:2.0

$ apt-cache policy blink
blink:
  Installed: 3.2.0stretch
  Candidate: 3.2.0stretch
  Version table:
 *** 3.2.0stretch 500
500 http://ag-projects.com/debian stretch/main amd64 Packages
100 /var/lib/dpkg/status

___
Blink mailing list
Blink@lists.ag-projects.com
http://lists.ag-projects.com/mailman/listinfo/blink

Re: [Blink] blink Segmentation fault on Devuan

2019-03-24 Thread Lars Noodén 
On 3/23/19 1:19 PM, Dan Pascu wrote:
> ...
> It may be that when you try to talk with other people, something in
> the SIP messages formatted by their devices triggers the problem. Try
> to use 2 blink instances with sip2sip accounts to see if they crash
> when they talk with each other.
> ...

It seems to work fine when connecting to another Blink instance.
However, Blink-to-Jitsi fails.

/Lars

___
Blink mailing list
Blink@lists.ag-projects.com
http://lists.ag-projects.com/mailman/listinfo/blink

Re: [Blink] blink Segmentation fault on Devuan

2019-03-23 Thread Lars Noodén 
On 3/23/19 1:19 PM, Dan Pascu wrote:
>
> On 22 Mar 2019, at 21:55, Lars Noodén wrote:
> ...
>> Is there anything I can adjust on my end? Or is there data I should
>> collect for a bug report?
>
> A gdb backtrace could help.

Thanks.  Below is a backtrace under the signature.

$ python --version; python2 --version; python3 --version
Python 2.7.13
Python 2.7.13
Python 3.5.3

$ apt-cache policy python python3
python:
  Installed: 2.7.13-2
  Candidate: 2.7.13-2
  Version table:
 *** 2.7.13-2 500
500 http://fi.deb.devuan.org/merged ascii/main amd64 Packages
100 /var/lib/dpkg/status
python3:
  Installed: 3.5.3-1
  Candidate: 3.5.3-1
  Version table:
 *** 3.5.3-1 500
500 http://fi.deb.devuan.org/merged ascii/main amd64 Packages
100 /var/lib/dpkg/status

I notice that the Blink package brought in the deprecated version of
python.  Perhaps a module is mismatched.

/Lars

$ gdb python
...
(gdb) run /usr/bin/blink
...
Thread 18 "python" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff4bfff700 (LWP 9404)]
0x7fffeeb2140a in EVP_MD_CTX_reset ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(gdb) bt#0  0x7fffeeb2140a in EVP_MD_CTX_reset ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#1  0x7fffeeb37e8d in ?? () from
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#2  0x7fffeeb382c9 in HMAC_CTX_reset ()
   from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#3  0x7fffeaa89c8b in initializeSha1HmacContext(void*, unsigned
char*, int)
()
   from
/usr/lib/python2.7/dist-packages/sipsimple/core/_core.x86_64-linux-gnu.so
#4  0x7fffeaa7600a in CryptoContext::deriveSrtpKeys(unsigned long) ()
   from
/usr/lib/python2.7/dist-packages/sipsimple/core/_core.x86_64-linux-gnu.so
#5  0x7fffea9ef903 in ?? ()
   from
/usr/lib/python2.7/dist-packages/sipsimple/core/_core.x86_64-linux-gnu.so
#6  0x7fffeaa76f73 in
ZrtpCallbackWrapper::srtpSecretsReady(srtpSecrets*, EnableSecurity) ()
   from
/usr/lib/python2.7/dist-packages/sipsimple/core/_core.x86_64-linux-gnu.so
#7  0x7fffeaa7d0bc in ZRtp::srtpSecretsReady(EnableSecurity) ()
   from
/usr/lib/python2.7/dist-packages/sipsimple/core/_core.x86_64-linux-gnu.so
#8  0x7fffeaa8620c in ZrtpStateClass::evWaitConfirm1() ()
   from
/usr/lib/python2.7/dist-packages/sipsimple/core/_core.x86_64-linux-gnu.so
#9  0x7fffeaa84f41 in ZrtpStateClass::processEvent(Event*) ()
   from
/usr/lib/python2.7/dist-packages/sipsimple/core/_core.x86_64-linux-gnu.so
#10 0x7fffeaa7ad6d in ZRtp::processZrtpMessage(unsigned char*,
unsigned int, unsigned long) ()
   from
/usr/lib/python2.7/dist-packages/sipsimple/core/_core.x86_64-linux-gnu.so
#11 0x7fffea9f07cb in ?? ()
   from
/usr/lib/python2.7/dist-packages/sipsimple/core/_core.x86_64-linux-gnu.so
#12 0x7fffea9f0d61 in ?? ()
   from
/usr/lib/python2.7/dist-packages/sipsimple/core/_core.x86_64-linux-gnu.so
#13 0x7fffeaaafe40 in ioqueue_dispatch_read_event ()
   from
/usr/lib/python2.7/dist-packages/sipsimple/core/_core.x86_64-linux-gnu.so
#14 0x7fffeaab15a4 in pj_ioqueue_poll ()
   from
/usr/lib/python2.7/dist-packages/sipsimple/core/_core.x86_64-linux-gnu.so
#15 0x7fffea9d8a7f in ?? ()
   from
/usr/lib/python2.7/dist-packages/sipsimple/core/_core.x86_64-linux-gnu.so
#16 0x7fffeaab2911 in ?? ()
   from
/usr/lib/python2.7/dist-packages/sipsimple/core/_core.x86_64-linux-gnu.so
#17 0x77bc34a4 in start_thread (arg=0x7fff4bfff700)
at pthread_create.c:456
#18 0x76fe0d0f in clone ()
at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97
___
Blink mailing list
Blink@lists.ag-projects.com
http://lists.ag-projects.com/mailman/listinfo/blink

[Blink] SSL certificate verification error (PJSIP_TLS_ECERTVERIF)

2021-08-07 Thread Lars Noodén 
Hello,

I am using Blink 5.1.3focal on Linux Mint 20.1 and not able to make any
outgoing calls today.  The error I get is:

SSL certificate verification error (PJSIP_TLS_ECERTVERIF)

That happens even when calling the test numbers.  What should I update
to eliminate this error?

/Lars
___
Blink mailing list
Blink@lists.ag-projects.com
https://lists.ag-projects.com/mailman/listinfo/blink

Re: [Blink] SSL certificate verification error (PJSIP_TLS_ECERTVERIF)

2021-08-07 Thread Lars Noodén 
On 8/7/21 10:50 PM, Adrian Georgescu wrote:
> The quickest fix is to disable the TLS verification in Advanced settings.
>
> Adrian

Thanks.

What are the repercussion of that?

What would the slow fix?

/Lars
___
Blink mailing list
Blink@lists.ag-projects.com
https://lists.ag-projects.com/mailman/listinfo/blink

Re: [Blink] SSL certificate verification error when dialing out

2021-10-08 Thread Lars Noodén 

On 8.10.2021 20.01, Jeff Pyle wrote:

Lars,

The root cause of your problem here is the same as the problem you
described in the thread "[Blink] Expired certificate for Ubuntu Focal
Repository?"  The proxy servicing sip2sip.info is using the same style of
Let's Encrypt certificates.  The solution should be the same, too.


Regards,
Jeff


Thanks!

/Lars

___
Blink mailing list
Blink@lists.ag-projects.com
https://lists.ag-projects.com/mailman/listinfo/blink

[Blink] SSL certificate verification error when dialing out

2021-10-08 Thread Lars Noodén 

Hello,

I've got Blink [1] on Linux Mint [2] and it has worked well for a long
time but over the last month or so I started getting SSL verification
errors sometimes when dialing out.  Now for the last week or so, I
cannot dial out at all and get the errors each and every time.  However,
at least for now, I still seem to be able to receive incoming calls, at
least from Blink Pro for MacOS.

Every time I try to dial out, it fails with the message, "SSL
certificate verification error when dialing out"  This happens even with
the call test (3...@sip2sip.info) and the echo test (4...@sip2sip.info)
numbers.  Here is a line from the notifications log:

2021-10-08 18:04:10.343603 [blink 1011]: Notification
name=SIPRequestDidFail sender=

data=NotificationData(code=503, reason=b'SSL certificate
verification error (PJSIP_TLS_ECERTVERIF)')

What should I be looking for to fix this or which information should I
provide to get assistance?  I can turn on more logging, but can't
interpret the logs.

/Lars

[1]
$ apt-cache policy blink
blink:
  Installed: 5.1.7focal
  Candidate: 5.1.7focal
  Version table:
 *** 5.1.7focal 500
500 http://ag-projects.com/ubuntu focal/main amd64 Packages
100 /var/lib/dpkg/status

[2]
$ lsb_release -rd
Description:Linux Mint 20.1
Release:20.1
___
Blink mailing list
Blink@lists.ag-projects.com
https://lists.ag-projects.com/mailman/listinfo/blink

[Blink] Expired certificate for Ubuntu Focal Repository?

2021-10-02 Thread Lars Noodén 
Hello,

I am noticing some difficulty in updating Blink on Linux Mint.  Linux
Mint follows the Ubuntu Focal repository, but there seems to be an
expired certificate:

$ sudo apt update
...
Err:8 https://ag-projects.com/ubuntu focal Release

  Certificate verification failed: The certificate is NOT trusted. The
certificate chain uses expired certificate.  Could not handshake: Error
in the certificate verification. [IP: 81.23.228.137 443]
...

$ lsb_release -rd
Description:Linux Mint 20.1
Release:20.1

Who should be notified or is there anything I should do on my end?

Thanks.

/Lars
___
Blink mailing list
Blink@lists.ag-projects.com
https://lists.ag-projects.com/mailman/listinfo/blink

Re: [Blink] Expired certificate for Ubuntu Focal Repository?

2021-10-28 Thread Lars Noodén 

On 10/6/21 02:12, Adrian Georgescu wrote:> Sorry for these problems
still persist, we have a forst of servers
> and we still could not replace all certs, I am discovering strange
> combinations of certs /OS incompatibilities still myself.
>
> Thank you for reporting Lars, and thank you for clarifications Jeff!
>
> Adrian

Hi,

I've checked the client I have here and it seems like that might be ok.
 So the expired certificate must be elsewhere and hard to find?

$ openssl verify -CAfile /usr/share/blink/tls/ca.crt \
/usr/share/blink/tls/default.crt
/usr/share/blink/tls/default.crt: OK

That's with Blink 5.1.7focal

/Lars
___
Blink mailing list
Blink@lists.ag-projects.com
https://lists.ag-projects.com/mailman/listinfo/blink

Re: [Blink] Expired certificate for Ubuntu Focal Repository?

2021-10-28 Thread Lars Noodén 

On 10/28/21 19:18, Adrian Georgescu wrote:

If you enable pjsip trace you can find more info about the TLS negotiation...


Thanks.  Would that be Blink -> Preferences -> Logging -> Trace
Notifications?  That has a lot of entries about "SSL certificate
verification error (PJSIP_TLS_ECERTVERIF)"

I'll send the short log separately, offlist.

/Lars
___
Blink mailing list
Blink@lists.ag-projects.com
https://lists.ag-projects.com/mailman/listinfo/blink

Re: [Blink] Expired certificate for Ubuntu Focal Repository?

2021-10-28 Thread Lars Noodén 

On 10/28/21 19:56, Adrian Georgescu wrote:

Try this command in a Terminal:

openssl s_client -connect proxy.sipthor.net:5061 



It returned the following:

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = sip2sip.info
verify return:1
CONNECTED(0003)
---
Certificate chain
 0 s:CN = sip2sip.info
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-BEGIN CERTIFICATE-
MIIFQjCCBCqgAwIBAgISBJ4BuE1hGOUGZ2rQVugrE9dkMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTEwMTkyMjAxMDFaFw0yMjAxMTcyMjAxMDBaMBcxFTATBgNVBAMT
DHNpcDJzaXAuaW5mbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKjS
td1Vm9gjozuux97+tzjgBdx+wS5h4XVnTvLn+ZbMS4f83ws1uPpl9m6mZtRja1Pz
DruIrzExHVXyWI1miae3LZUF45AxlaW3yIL09QsfMbKO0kKsK6K9LfoT8NbhzMWG
HDVrsZtXHeLhX3hHR1uGdEnvTa/AbezO+E7RfGaOtd+KC/zbHuxnodHd/IlFMH7v
q8+51ZOHcYV0wBF+AiQ7jPpHGZXJz/XuS9LvpheRzpsAlKaNvvqB9ULbztirtxo5
8Gh6j310vaQmP8h4OEkjPIpI/954keg0SBdBm7Xpwz1wpquzHuLjWn+aSzTZq1iA
aKsnHdef4x9NQa/OnE8CAwEAAaOCAmswggJnMA4GA1UdDwEB/wQEAwIFoDAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
FgQUibj6bp60DbsM0d7XTAjsOMVABNQwHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA
5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu
by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w
PAYDVR0RBDUwM4IRcHJveHkuc2lwdGhvci5uZXSCDHNpcDJzaXAuaW5mb4IQd3d3
LnNpcDJzaXAuaW5mbzBMBgNVHSAERTBDMAgGBmeBDAECATA3BgsrBgEEAYLfEwEB
ATAoMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCCAQMG
CisGAQQB1nkCBAIEgfQEgfEA7wB2AEHIyrHfIkZKEMahOglCh15OMYsbA+vrS8do
8JBilgb2AAABfJrJYKQDAEcwRQIhAJttKmhLEaYmTH0jc2xEzKWzwmmJzpUO
NcfNRU0iN1a1AiA9tAf6DwP3U8jaQTAN7LN3LGAx7hOO9UbyxcXXm95X4gB1ACl5
vvCeOTkh8FZzn2Old+W+V32cYAr4+U1dJlwlXceEAAABfJrJYHYAAAQDAEYwRAIg
IyJdN94OVm97wQZWu5GxywEDAzN+6MsK4IhdP+qDpFkCIBW4maL+qCQs3P3TsCdt
UwdQ7Ic1fnVUN2pJua3ncoZCMA0GCSqGSIb3DQEBCwUAA4IBAQBbmNZfHbjzvhux
THLOF08Ox3adk6Jl0azlWEsSDUY/xCYeo9cnqNJJzzA3Fg7w9PCUbRrOINi+ICNe
yprxADbHUHplmsX9oUx+s56q1+GA9yshKqoIdAk/GhzepR3VNwVr78lKE34/i0bC
8HTK12QMoR2CJZKOkafiP3ioz3U4P5AXzeeOZqCQdBqXHslCt0217yZFNCKcSla8
sn1qHZQ0RZf1iR74tcvpbgp/2IHQNp0A6KN7EVYYIQzV/KQDWUQdQJP5ZhvzDoOD
IuXxY0SyLfV+kKt5Xb1/QYQky5+gFVb0cyLlLRVre+EVGf/MmpyDaxau2Pa8odlf
M60CyzB1
-END CERTIFICATE-
subject=CN = sip2sip.info

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms:
ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4673 bytes and written 419 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol  : TLSv1.3
Cipher: TLS_AES_256_GCM_SHA384
Session-ID:
48507559565B481EDF60F8822F39CD3AC13071778D475BDEA427BE9089A60AB3
Session-ID-ctx:
Resumption PSK:
25DA4631F5DB9835B57642FE18C8264AAEE46761638972226F50395AC6FCD1E53050648DA2822DE0A670A098E7D44026
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
 - 7b c4 d5 6f 43 be 7a 88-fe 2c 16 f2 4a 25 b8 74
{..oC.z..,..J%.t
0010 - 8e 36 0a 6c 7e df c5 34-c6 65 cb b4 a9 f4 2d a2
.6.l~..4.e-.
0020 - 56 86 94 77 f4 14 80 f7-8f 12 2f b9 3d 4a 32 6d
V..w../.=J2m
0030 - 47 7b 26 8b f4 bc 34 71-72 4b 79 9c 54 ad 80 7c
G{&...4qrKy.T..|
0040 - c5 3f 85 18 1a 79 ae e6-3d 22 6f 45 13 af a5 1b
.?...y..="oE
0050 - 64 b6 44 24 5c cc 8d e0-b4 0e 54 bf 72 3a 30 56
d.D$\.T.r:0V
0060 - a8 cb 27 9d cc 15 cf 09-f5 cf 9e 53 7d f8 c5 55
..'S}..U
0070 - d8 12 9b d3 ce 64 a5 0a-ab d6 ea 7b 87 97 d8 61
.d.{...a
0080 - 4c 45 10 75 13 5c c6 eb-98 97 03 bf 79 13 f3 fd
LE.u.\..y...
0090 - 4a df 2d 5f 7a 4c 8a 61-06 44 fb f4 3a 8e 5f d0
J.-_zL.a.D..:._.
00a0 - 9b 08 e7 e7 fe e3 5e cd-e4 ba 8c d0 7f ba 40 cb
..^...@.
00b0 - 3b 44 ba 05 f8 1b 22 b8-c3 e7 89 47 8b f4 80 7f
;D"G
00c0 - 65

Re: [Blink] Expired certificate for Ubuntu Focal Repository?

2021-11-04 Thread Lars Noodén 

On 11/4/21 20:22, g4-l...@tonarchiv.ch wrote:

On 04.11.21 19:08, g4-l...@tonarchiv.ch wrote:

On 04.11.21 17:33, Lars Noodén wrote:

 # update-ca-certificates
 Updating certificates in /etc/ssl/certs...
 1 added, 0 removed; done.
 Running hooks in /etc/ca-certificates/update.d...

 Adding debian:trustid-x3-root.pem

but I still get the SSL certificate verification error.

I see a pair of certificates mentioned in the log file, pjsip_trace.txt,
but they are good through 2029-1-24 and 2022-0-17 respectively.  The
error in the log looks like this:


Ah sorry we are talking about two different things. I still had problems
with reading from the Blink repository and my steps solved that...


... but you could try this:

   ~$ env SSL_CERT_DIR=/etc/ssl/certs/ blink


Thanks.  The error still persists even with that method.


(start blink from command line using default debian CA cert directory
for openssl)

What would the path for that likely be?

/Lars
___
Blink mailing list
Blink@lists.ag-projects.com
https://lists.ag-projects.com/mailman/listinfo/blink

[Blink] [solved] Re: Expired certificate for Ubuntu Focal Repository?

2021-11-04 Thread Lars Noodén 

On 11/4/21 20:51, g4-l...@tonarchiv.ch wrote:

On 04.11.21 19:29, Lars Noodén wrote:

On 11/4/21 20:22, g4-l...@tonarchiv.ch wrote:

... but you could try this:

    ~$ env SSL_CERT_DIR=/etc/ssl/certs/ blink


Thanks.  The error still persists even with that method.


(start blink from command line using default debian CA cert directory
for openssl)

What would the path for that likely be?


/etc/ssl/certs/ is the default CA directory on Debian...

It seems that Blink does not use external CA directories.

But I found this file: /usr/share/blink/tls/ca.crt

Maybe you can just add the content of
/usr/local/share/ca-certificates/lets-encrypt-r3.crt to the end of this
file...

Not sure if you also need some header before the -BEGIN
CERTIFICATE- line...

This would be something like:

# Lets' Encrypt
# Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
# Subject: C = US, O = Let's Encrypt, CN = R3

The X3 cert of Let's Encrypt in my /usr/share/blink/tls/ca.crt is
definitely outdated.

You should probably delete the last smaller block of the two, starting with

-BEGIN CERTIFICATE-
MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/

But make a backup of /usr/share/blink/tls/ca.crt first!


Thanks!  I made a back up of ca.crt, removed the last certificate, and
then appended lets-encrypt-r3.crt to the file.  That has gotten rid of
the error.   I can now dial out.

I had previously tried reinstalling Blink so maybe the new certificate
needs to be packaged?

/Lars
___
Blink mailing list
Blink@lists.ag-projects.com
https://lists.ag-projects.com/mailman/listinfo/blink

Re: [Blink] [solved] Re: Expired certificate for Ubuntu Focal Repository?

2021-11-05 Thread Lars Noodén 

On 11/5/21 02:45, Adrian Georgescu wrote:

I can bundle the new cert and make a new blink package.


Thanks.


Just double checking, where is the authoritative source for the replaced CA 
file?


I'm just cargo culting in this situation: I can dial out, so it works in
that regard, but I know so little about certificates that I cannot say
if it is the /right/ certificate or the most appropriate method.

/Lars
___
Blink mailing list
Blink@lists.ag-projects.com
https://lists.ag-projects.com/mailman/listinfo/blink

Re: [Blink] Expired certificate for Ubuntu Focal Repository?

2021-11-04 Thread Lars Noodén 

> These certificates shouldn't be connected to the Let's encrypt issue in
> any way...
>
> When running update-ca-certificate, did you get the reply "added 1"?
>
> Make sure that this link is available:
> /etc/ssl/certs/lets-encrypt-r3.pem ->
> /usr/local/share/ca-certificates/lets-encrypt-r3.crt
>
> Maybe try after running `update-ca-certificate -f` ("Fresh updates").
>
> Ahhh wait, I also installed the Trustid X3 from here:
> https://letsencrypt.org/certs/trustid-x3-root.pem.txt - Maybe this
> together with the R3 did do the trick?
>
> According to Let's Encrypt this is the actual DST Root CA X3 certificate.
I tried adding that one too,

# update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Adding debian:trustid-x3-root.pem

but I still get the SSL certificate verification error.

I see a pair of certificates mentioned in the log file, pjsip_trace.txt,
but they are good through 2029-1-24 and 2022-0-17 respectively.  The
error in the log looks like this:


[blink 1001] (1) b'2021-11-04 18:28:27.955  ssl0x7fdb80028320
[SSL_set_tlsext_host_name] server_name:sip2sip.info'
[blink 1001] (1) b'2021-11-04 18:28:28.047ssl_sock_ossl.c [local
TLS certificate] subject:/C=NL/ST=Noord-Holland/L=Haarlem/O=AG
Projects/OU=Blink/CN=Blink/emailAddress=de...@ag-projects.com |
issuer:/C=NL/ST=Noord-Holland/L=Haarlem/O=AG
Projects/OU=Development/CN=AG Projects
Development/emailAddress=de...@ag-projects.com | valid until:2029-1-24'
[blink 1001] (1) b"2021-11-04 18:28:28.047ssl_sock_ossl.c
[remote TLS certificate] subject:/CN=sip2sip.info | issuer:/C=US/O=Let's
Encrypt/CN=R3 | valid until:2022-0-17 | host:85.17.186.23:50451"
[blink 1001] (4) b'2021-11-04 18:28:28.047sip_transport.c
Transport tlsc0x7fdb801289a8 shutting down, force=0'
[blink 1001] (3) b'2021-11-04 18:28:28.047 tlsc0x7fdb801289a8 TLS
connect() error: [code=171173] peer: 85.17.186.23: SSL certificate
verification error (PJSIP_TLS_ECERTVERIF)'
[blink 1001] (3) b'2021-11-04 18:28:28.047  tsx0x7fdb800e7bd8 Failed
to send Request msg INVITE/cseq=20872 (tdta0x7fdb800b8558)! err=171173
(SSL certificate verification error (PJSIP_TLS_ECERTVERIF))'
[blink 1001] (5) b'2021-11-04 18:28:28.047  tsx0x7fdb800e7bd8 State
changed from Calling to Terminated, event=TRANSPORT_ERROR'



/Lars
___
Blink mailing list
Blink@lists.ag-projects.com
https://lists.ag-projects.com/mailman/listinfo/blink

Re: [Blink] Expired certificate for Ubuntu Focal Repository?

2021-11-04 Thread Lars Noodén 

On 11/2/21 22:28, g4-l...@tonarchiv.ch wrote:

Finally solved by installing Let's Encrypt R3 cert manually:

sudo wget --no-check-certificate
https://letsencrypt.org/certs/lets-encrypt-r3.pem -O
/usr/local/share/ca-certificates/lets-encrypt-r3.crt

sudo update-ca-certificates



Thanks.  I've now tried that and still get the certificate error.

Digging, I see only four certificates expiring in 2021, two of which are
still good for a while:

$ find /usr/share/ \
-type f \
-name '*.crt' \
-exec sh -c "openssl x509 -text -noout -in {} ||echo {}>&2" \; \
| awk '{$1=$1}
/Not After/ && $7 == 2021 {s=1;print}
s&&$1~/Subject/ {print $0,"\n"; s=0}'

With slight formatting that results in this list:

Not After : Dec 15 08:00:00 2021 GMT
Subject: OU = GlobalSign Root CA - R2, O = GlobalSign,
CN = GlobalSign

Not After : Mar 17 18:33:33 2021 GMT
Subject: C = BM, O = QuoVadis Limited,
OU = Root Certification Authority,
CN = QuoVadis Root Certification Authority

Not After : Dec 15 08:00:00 2021 GMT
Subject: O = "Cybertrust, Inc", CN = Cybertrust Global Root

Not After : Apr 6 07:29:40 2021 GMT
Subject: C = FI, O = Sonera, CN = Sonera Class2 CA

Should I just remove the expired certificates or do they need to be
replaced?  Or is there a way to tell from Blink's logs which is the
offending certificate?

/Lars
___
Blink mailing list
Blink@lists.ag-projects.com
https://lists.ag-projects.com/mailman/listinfo/blink