SNG7 OpenSSL Error

Hello,
I tested the new SNG7 distro and I have some problems with OpenSSL.

I have installed the Nginx from repository and tried to connect a phone with a valid SSL Client cert with the server.

Nginx has an error and the phone cannot get the config files:
ignoring stale global SSL error (SSL: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm) while waiting for request,

Config:
ssl on;
ssl_certificate /etc/httpd/pki/webserver.pem;
ssl_certificate_key /etc/httpd/pki/webserver.key;
ssl_client_certificate /etc/httpd/pki/yealink/ca.crt;
ssl_ciphers ALL:-RC4+SSLv2;
ssl_verify_client on;
ssl_verify_depth 2;

I use the same configs on a PBXACT UC60 Appliance and everything works.
I just copied the Nginx config files and certs from PKI folder to the new SNG7 Server.

Does anyone know how to solve this?
I tried updating curl, nginx and openssl but had no luck. The errors are still there.

The distro uses Apache. We don’t support nginx. Sorry.

I know, but maybe someone can help in the community. We just use it to provision snom, panasonic and yealink on their rps server.
I did not find much, but it seems like a problem with openssl and nginx, and I did not solve it. Nginx is missing something. It worked on 10.13.66 before.

Surely

https://forum.nginx.org

Would be a better place to start, no?

Why are you using a PBX distro to do something that a webserver and/or TFTP server will do? That makes no sense at all.

We developed a module that syncs epm with the rps servers from the manufacturers. We offer zero touch provisioning for snom, yealink, panasonic, polycom and mitel. Nginx secures the rps configs with client certs and a lot of request filters based on the requesting phone cert, so that a phone with its own cert can only get its own config. A yealink phone with a valid client cert has its mac address in the cn. Nginx only allows requests to the config file containing the cn mac address. There are some more filters and fail2ban rules securing it more.

This is why we use nginx. Apache cannot do this.

We solved it now another way. We host nginx on a clustered webserver. So we just pick up the configs from the customer's pbx and sync it. If the customer adds a phone in epm, it gets automatically synced to rps for a few days to let the customer install his phones.

Btw, we are talking about cloud hosted pbxact uc systems. None of our customers get locally installed systems at the moment.
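The per-phone rule described in the post above (a phone may only fetch the config file named after the MAC address in its client certificate CN), written out as an added Python example. It is not the poster's nginx configuration or module. The `<mac>.cfg` file naming, the function names and the sample values are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumption: a phone requests "<12 hex digit MAC>.cfg"; adapt to the real naming scheme.
CONFIG_NAME = re.compile(r"^([0-9a-f]{12})\.cfg$")
MAC = re.compile(r"^[0-9a-f]{12}$")


def cn_from_dn(dn):
    """Return the single CN of a subject DN string, or None.

    Accepts both "/C=XX/O=x/CN=..." and "CN=...,O=x,C=XX" layouts.
    """
    parts = re.split(r"(?<!\\)[,/]", dn)
    cns = [p.strip()[3:] for p in parts if p.strip().upper().startswith("CN=")]
    # More than one CN is ambiguous, so refuse rather than pick one.
    return cns[0] if len(cns) == 1 else None


def normalize_mac(value):
    """Lower-case a MAC and drop ':', '-', '.' separators; None if not 48 bits."""
    mac = re.sub(r"[:.\-]", "", value.strip().lower())
    return mac if MAC.match(mac) else None


def may_fetch(subject_dn, request_uri):
    """True only if the requested file is named after the MAC in the cert CN."""
    cn = cn_from_dn(subject_dn)
    mac = normalize_mac(cn) if cn else None
    if mac is None:
        return False
    path = unquote(urlsplit(request_uri).path)
    # Reject traversal and encoding tricks outright instead of cleaning them up.
    if "\x00" in path or "\\" in path or posixpath.normpath(path) != path:
        return False
    m = CONFIG_NAME.match(posixpath.basename(path).lower())
    return bool(m) and m.group(1) == mac


if __name__ == "__main__":
    dn = "/C=XX/O=Example Phones/CN=02:00:00:AA:BB:CC"  # constructed sample DN
    for uri in ("/prov/020000aabbcc.cfg", "/prov/020000ddeeff.cfg"):
        print(uri, "->", "allow" if may_fetch(dn, uri) else "deny")
```

The check is deny-by-default: a missing or non-MAC CN, a path that does not normalise to itself, or a file name for a different MAC all return False.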

This error has nothing to do with Nginx. It is your Apache config sending bad data.

Something in the FreePBX 14 openssl config is different than it was in FreePBX 13.
Even without Nginx in the middle, Yealink T42G and T46G (basically all the G series models) cannot get provisioning over HTTPS.

Thanks, but all I said was we don’t support Nginx on our distro. Which is true. This thread was about nginx, not apache, as detailed by the OP.