On 23.09.19 at 14:19, Anton Ivanov wrote:

Dear Anton,

> Package: asterisk
> Version: 1:16.2.1~dfsg-1+deb10u1
> Severity: minor
> 
> Dear Maintainer,
> 
> After an upgrade from stretch to buster, my asterisk installation lost tls 
> support.
> 
> Debug provided minimal information - it was failing to load the certificate 
> in tcptls.c
> 
> Root cause was openssl deciding that the old certificates were too weak.
> 
> There is no debug info. There is no easy fix because the openssl error api 
> can print the error queue only to a file/bio. It is not possible to feed into 
> another logging framework (f.e. asterisk) and dump it at that level. I was 
> able to stick a couple of statements dumping openssl errors to stderr, but 
> this approach is not fit for a proper fix.
> 
> IMHO the only thing that can be done here is to add a note to the changes 
> file and relevant warnings apt-changes.

Are you using chan_sip or chan_pjsip?

Since these affect everything in Buster using SSL certificates (with
both OpenSSL and GnuTLS), I don't think this is Asterisk-specific and
should not be handled as such. I had to replace quite a lot of
internal/self-signed certificates because they refused to load,
including unbound's local control certificate.

However, I feel your pain. I had an issue with a remote certificate, and
it drove me nuts to identify the failing peer, because it is not logged.
That has been fixed fortunately.

https://issues.asterisk.org/jira/browse/ASTERISK-26006
https://issues.asterisk.org/jira/browse/ASTERISK-28444

I'd suggest filing an issue upstream.

Bernhard
