Polycom TLS broken in Asterisk 1.8.3.3

[jbh]

After an update-source from Purple with Asterisk 1.8.3.2 to 1.8.3.3 my Polycom phones can no longer register using TLS. Guess what: It appears this is down to a regression in Asterisk and nothing to do with update-source. TLS worked fine with 1.8.3.2

Would there be any chance of the PIAF development team finding time to provide an option to install 1.8.3.2 again (a la 1.8.3.3 for those with non-registering-Ciscos) until Digium have this fixed?
thanks
jbh

 

[Linetux]

Wow. This is getting bad.

Not sure if it's setup to work this way - I'm sure Ward and/or Tom will chime in soon enough, but this might work with 1.8.3.2:

http://pbxinaflash.com/community/threads/piaf-purple-backrev-to-1-8-3-3.10428/?t=10428

 

[jbh]

I saw that thanks. Just remembered I have an Incredible backup so should be able to roll back using that to fix the immediate problem. Should have remembered that in the first place - it's late over here. I will download the new ISO in the morning to see if 1.8.3.2 is an option.

 

[Linetux]

I don't think you need the new ISO...

If you already have installed PIAF-Purple with Asterisk 1.8.4, here's how to backrev to 1.8.3.3:
Log into your server as root and edit /etc/pbx/digiumsource.conf
Change PASTERISK="asterisk-1.8.4" to PASTERISK="asterisk-1.8.3.3"
Save your changes and then run: update-source

So just set PASTERISK="asterisk-1.8.3.2"

Or, you could wait for 1.8.5, which looks like they fixed the issue. You could also apply patches from ssl-poll-fix1.diff and 0019192 - which is certainly not ideal, but might get you back up and running.

 

[darmock]

Nope that wont work I am afraid currently the new "Digium Lack of Regression Testing" model for PIAF only supports 1.8.3.3 and 1.8.4 To go backwards farther than that you will have to use update-source as follows

1. Log into the CLI
2. cd /etc/pbx
3. joe digiumsource.conf
4. Edit the Asterisk line to 1.8.3.2
5. Ctrl KX to save it
6. update-source
7. There is a spot that asks if you want to download the latest digiumsource.conf DO NOT DOWNLOAD THIS!
8. run thru the screens of update-source and at the end you should have 1.8.3.2

Course update-source only works on a previously installed PIAF version.

I suspect the future updates to the asterisk source will be propagated thru this mechanism. Once we find a stable release of the 1.8 tree we will freeze it until a new release has proven it's stability. Thus say 1.8.5 beta is released by Digium. A payload will be added to the archive folder and a user can manually choose to use this version by typing piafdl -p 185 and you will get a fresh install of asterisk 1.8.5 BETA instead of the stable 1.8.3.3 (or so we thought) For the non developer non pioneer types they will get whatever the most stable version of the moment is just by doing a normal install.

If a version of asterisk 1.8.x finally proves stable then the base install of PIAF may be updated to it.


Tom

 

[jbh]

This is fantastic. Thanks so much for this. I will do this now and report back.

 

[jbh]

Works perfectly. Thank you again.
jbh

 

[malcolmd]

Howdy,

We've got a tag (unreleased) for a future 1.8.4.1 that includes fixes that are in testing for issues 18951, 19192 and 19182.

That's the Via header response issue for Cisco phones, the unreachable TCP/TLS peer segfault, and the TLS message dropping issue.

We found a Cisco phone, model 7960, with firmware 7.2 on it, and it *seems* to be behaving as normally as a Cisco phone can/does.

We've also run TLS and TCP tests using Blink.

If you'd like to test the tag over the weekend, to see if everything's fine for you, you can check it out of subversion, e.g.:

svn co http://svn.digium.com/svn/asterisk/tags/1.8.4.1 asterisk-1.8.4.1

Cheers.

 

[jbh]

Hi,
I'm not sure what I'm doing wrong but I have not been successful so far in getting 1.8.4.1 to start. I began with a standard installation of Purple (Asterisk 1.8.3.3). Then I did:

amportal stop
cd /usr/src
mv asterisk asterisk-old
svn co [URL]http://svn.digium.com/svn/asterisk/tags/1.8.4.1[/URL] asterisk-1.8.4.1  
mv asterisk-1.8.4.1 asterisk
cd asterisk
make clean
./configure
make
make install
amportal start

Instead of Asterisk starting, I got the following:

SETTING FILE PERMISSIONS
 Permissions OK
 

 STARTING ASTERISK
 /usr/sbin/safe_asterisk: line 145: 10189 Segmentation fault      (core dumped) nice -n $PRIORITY ${ASTSBINDIR}/asterisk -f ${CLIARGS} ${ASTARGS} > /dev/${TTY} 2>&1 < /dev/${TTY}
 Asterisk ended with exit status 139
 Asterisk exited on signal 11.
 Automatically restarting Asterisk.
 mpg123: no process killed
 

 -----------------------------------------------------
 Asterisk could not start!
  Use 'tail /var/log/asterisk/full' to find out why.

The end of my /var/log/asterisk/full looks like this:

[2011-05-21 23:29:08] WARNING[10189] loader.c: Error loading module 'res_pktccops': /usr/lib/asterisk/modules/res_pktccops.so: cannot open shared object file: No such file or directory
[2011-05-21 23:29:08] WARNING[10189] loader.c: Error loading module 'chan_mgcp.so': /usr/lib/asterisk/modules/chan_mgcp.so: undefined symbol: ast_pktccops_gate_alloc
[2011-05-21 23:29:08] WARNING[10189] loader.c: Module 'chan_mgcp.so' could not be loaded.
[2011-05-21 23:29:08] WARNING[10189] loader.c: Error loading module 'chan_jingle.so': /usr/lib/asterisk/modules/chan_jingle.so: undefined symbol: ast_aji_get_client
[2011-05-21 23:29:08] WARNING[10189] loader.c: Module 'chan_jingle.so' could not be loaded.
[2011-05-21 23:29:08] VERBOSE[10189] loader.c:  res_curl.so => (cURL Resource Module)
[2011-05-21 23:29:08] VERBOSE[10189] pbx.c:   == Registered custom function 'CURL'
[2011-05-21 23:29:08] VERBOSE[10189] pbx.c:   == Registered custom function 'CURLOPT'
[2011-05-21 23:29:08] VERBOSE[10189] loader.c:  func_curl.so => (Load external URL)
[2011-05-21 23:29:08] VERBOSE[10189] config.c:   == Parsing '/etc/asterisk/res_config_mysql.conf': [2011-05-21 23:29:08] VERBOSE[10189] config.c:   == Found

In case it is helpful, the status output is:

Date and Time =  201105212337
 PIAF color              =  PURPLE
 Asterisk Status         =  OFFLINE
 Dahdi Status            =  ONLINE
 Zaptel Status           =  OFFLINE
 MySql Status            =  ONLINE
 SSH Status              =  ONLINE
 Apache Status           =  ONLINE
 Iptables Status         =  ONLINE
 Ip6tables Status        =  ONLINE
 Fail2ban Status         =  ONLINE
 IP Connect Status       =  ONLINE
 Bluetooth Status        =  ONLINE
 HIDD Status             =  ONLINE
 NTPD Status             =  ONLINE
 Sendmail Status         =  ONLINE
 Samba Status            =  OFFLINE
 Webmin Status           =  ONLINE
 Ethernet 0 Status       =  ONLINE
 Ethernet 1 Status       =  N/A
 Wlan Status             =  N/A
 PIAF Version            =  1.7.5.5
 Freepbx Version         =  2.8.1.4
 Running Asterisk        =  UNAVAILABLE
 Asterisk Source Version =  1.8.4.1
 Dahdi Source            =  2.4.1.2+2.4.1
 Zaptel Source           =  UNAVAILABLE
 Libpri Source           =  1.4.11.5
 Addons Source           =  UNAVAILABLE
 pbx.local on 192.168.1.50 - eth0
 CentOS release 5.6 (Final) :32 Bit Kernel: 2.6.18-194.26.1.el5

 

[darmock]

Interesting. I know you want a solution but what do you expect installing an alpha version of Asterisk from svn? Remember the pioneers! This is one of the reasons that you won't see a svn based version of PIAF anytime soon.

You need to report this problem to Digium perhaps you will have better luck as PIAF seems to be in the doghouse for telling the world about the problems with asterisk.

For the moment I believe that 1.8.3.2 will work with TLS. I have just backported the 1.8.3.2 version to our archive folder and you can simply install asterisk 1.8.3.2 from the archive if you so wish. This is a working version FYI just tested it out on our proxmox server.

1. reinstall the 17562 ISO (this is the only PIAF iso that will work)

2. Once you have installed this and get to the usual menu with Purple as the first choice choose to exit to the CLI

3. Type piafdl -p 1832
<notice the space between the -p and the numbers!>

4. This will download the older <proven> version of asterisk and be able to use TLS.

Please report back if it works for you as we are looking for a stable version of asterisk where both polycoms and Cisco 79XX phones both work.

Tom

 

[wardmundy]

Of course, we're now back revving to the never-never-land where Google Voice had quirks galore so... YMMV!

 

[Linetux]

http://www.youtube.com/watch?v=jYyBZE0kBtE

[youtube]jYyBZE0kBtE[/youtube]

 

[jbh]

Hi Tom,

Sorry if I gave the impression I still had a problem here. I don't. The solution you have built into update-source to allow Asterisk 1.8.3.2 to be selected for install worked perfectly. You have made this fantastically easy. Thank you again for this.

I was just trying to test 1.8.4.1 to (hopefully) be helpful and give some feedback to Malcolm to assist them in issuing a patched release.

jbh

 

[Linetux]

Back to trying to be helpful: I'm not certain because I haven't tried this myself, but I believe your problem is due to a lack of applying patch 19192 ( https://issues.asterisk.org/view.php?id=19192 ). From what I've read, applying one of the two patches for this TLS issue results in segfaults.

However I would have thought this would have been sorted out already due to the comments in the discussion threads. So this really isn't worth more than the inconvenience I just placed on a few million electrons to deliver this post.

 

[darmock]

Actually the -p 1832 just got uploaded into PIAF space like 4 minutes ago! You must have used update-source which is a good alternative for existing systems. However in my opinion it is always simpler to scrub and reinstall.

The dev team just finished a teleconference and decided that when new releases of asterisk come out in the 1.8 tree that they will have the beta moniker from now on until some brave souls have debugged it sufficiently. For example if the next release is called 1.8.4.1 then you would do

piafdl -p beta1841

for a new install

or use update-source on an existing install.

That being said update-source is being modified somewhat to inform people that any version other that the one the PIAF dev team considers stable, also known as the frozen version of 1.8, will be a beta version with all of the inherent risks and lack of support that may be available.

We will release a document shortly that will outline all the steps for either mechanism of using anything other than the current version we consider stable.... fun time in crazy land....

glad it is working for you.


Tom

Like the video pity no john belushi.....

 

[jbh]

Just to feed back that as well as previously using update-source to revert to Asterisk 1.8.3.2 I have tested a new install with

piafdl -p 1832

and this works perfectly too. Thanks too to Linetux for the info on patches.
jbh