Enabling TLS Crashes Asterisk

Bullhead · May 13, 2017, 6:37am

When I enable TLS on the PJSIP SIP settings and then apply config. It causes Asterisk to crash. This is the same setup as I have on another Asterisk server I built 6 months ago so I’m not entirely sure why. The logs don’t show anything either than it repeated being restarted.

Here’s the TLS section in my pjsip.transports.conf as freepbx generated…

[0.0.0.0-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
external_media_address=[My Public IP]
external_signaling_address=[My Public IP]
cert_file=/etc/asterisk/keys/bullhead.crt
priv_key_file=/etc/asterisk/keys/bullhead.key
method=tlsv1
verify_client=no
verify_server=no
allow_reload=yes
local_net=[My Internal Subnet]

I’ve redacted my IPs for security reasons here.

Any thoughts on why enabling TLS would do this? Again I didn’t notice anything in the logs.

Something I missed? I built this server as per this guide…
wiki.freepbx.org/display/FOP/Installing+FreePBX+13+on+CentOS+7

Welcome any insights here of what I should check on.

Bullhead · May 24, 2017, 11:17pm

So I managed to fix my issue finally…

In case anyone else runs into this it was the compiler flags that the guide… (wiki.freepbx.org/display/FOP/Installing+FreePBX+13+on+CentOS+7 )
provided for pjproject. In the guide it states to use the following…

CFLAGS=’-DPJ_HAS_IPV6=1’ ./configure --prefix=/usr --enable-shared --disable-sound
–disable-resample --disable-video --disable-opencore-amr --libdir=/usr/lib64

I’m not sure if it’s the \ at the end of the first line or if one of the flags themselves had issue. But I just copied and pasted all of that into my command line when I originally was going through the guide.

Instead I used the following compiler flags…

CFLAGS="-DNDEBUG -DPJ_HAS_IPV6=1" --prefix=/usr --libdir=/usr/lib64 --enable-shared --disable-video --disable-sound --disable-opencore-amr

That’s all on one line so make sure to remove any CR or LF if you copy and paste (it should just copy over fine). I believe the only thing different is the \ and the --disable-resample are both not in this new line. Anyway I used those and recompiled pjproject and installed and it all worked. TLS finally works now.

Hope this helps someone else in future. FreePBX may want to update your guide to make it more idiot (me) proof.

jlechuga2000 · May 26, 2017, 7:34pm

Hi, can you post the exact versions and (if possible) the links to files you use to build your system?

Im building also Asterisk 13 from scratch using this:
-CentOS Linux release 7.3.1611 (Core)
-Asterisk v13.15.1 (last)
-Freepbx 13.0.192.2 (last)
-pjproject-2.4
-srtp-1.4.4
-jansson-2.7

I follow your recomendation and changed the ./configure flags (copy paste from your post), all installs well, but still having the same problem when uncomment the following lines in pjsip.conf and restart asterisk it starts a crash loop every 5 seconds.

;[transport-tls]
;type=transport
;protocol=tls
;bind=0.0.0.0:5061
;cert_file=/etc/asterisk/keys/asterisk.crt
;priv_key_file=/etc/asterisk/keys/asterisk.key
;local_net=10.0.0.0/8
;method=tlsv1

Im traying to build a new system to replace the one on production thah doesn’t have encryption enabled, we need to offer a more secure enviroment to the calls over our network (all calls are over intranet no external extensions) this system is a satellite from a main Avaya Aura platform.

Thanks in advance, all help is apreciated.

the log on /var/log/asterisk/messages only shows the following lines avery 5 seconds:

[May 26 13:26:11] Asterisk 13.15.1 built by root @ ast13-fpbx13-cent7-TLS-SRTP.telecom18 on a x86_64 running Linux on 2017-05-26 18:55:27 UTC
[May 26 13:26:11] ERROR[3835] config_options.c: Could not find option suitable for category ‘general’ named ‘loggingsafeshutdown’ at line 3 of
[May 26 13:26:11] ERROR[3835] config_options.c: In cdr.conf: Processing options for general failed
[May 26 13:26:11] NOTICE[3835] cdr.c: Failed to process CDR configuration; using defaults
[May 26 13:26:11] NOTICE[3835] cdr.c: CDR simple logging enabled.
[May 26 13:26:11] NOTICE[3835] loader.c: 311 modules will be loaded.
[May 26 13:26:11] WARNING[3835] loader.c: Error loading module ‘res_calendar_exchange.so’: libiksemel.so.3: cannot open shared object file: No such file or directory
[May 26 13:26:11] WARNING[3835] loader.c: Error loading module ‘res_xmpp.so’: libiksemel.so.3: cannot open shared object file: No such file or directory
[May 26 13:26:11] WARNING[3835] loader.c: Error loading module ‘chan_motif.so’: libiksemel.so.3: cannot open shared object file: No such file or directory
[May 26 13:26:11] NOTICE[3835] res_odbc.c: res_odbc loaded.

NOTE: At this point im not installing FreePBX, to isolate the problem, at this point im installing Asterisk alone and using CLI to monitor operation.

Bullhead · May 28, 2017, 9:36pm

Joel,

First, apologies for the slow reply. I know how frustrating this issue can be.

The versions you are using all look good. I just used slightly older ones as they were the latest when I did the build.

CentOS : 7.3.1611.el7.centos.x86_64
Asterisk : 13.15.0
FreePBX : 13.0.192.1
pjproject : 2.4
srtp : ??
jansson : 2.7

The only thing I don’t know is the srtp version. There was no specific download for it during that guide I used. At least not that I can find.

The thing that fixed it for me was just to go back to my /usr/src/pjproject-2.4 directory and re-compile.

Actually I just noticed an error in my post above. Don’t use ./configure. Just put in the CFLAGs. I’m not sure why I added configure there. Must’ve been distracted. So what you need to do is the following…

cd /usr/src/pjproject-2.4
CFLAGS="-DNDEBUG -DPJ_HAS_IPV6=1" --prefix=/usr --libdir=/usr/lib64 --enable-shared --disable-video --disable-sound --disable-opencore-amr
make dep
make
make install

Then perhaps a reboot of your server for good measure. Give that a shot and again, sorry about the mis-information. I’m going to go correct it now.

Also, you may have success with the following which is the CFLAGS from the guide without the \ in there potentially messing up the copy and paste…

CFLAGS=’-DPJ_HAS_IPV6=1’ ./configure --prefix=/usr --enable-shared --disable-sound --disable-resample --disable-video --disable-opencore-amr --libdir=/usr/lib64

Give those a shot if the CFLAGS above don’t work.

Hope it works out for you.

tm1000 · May 28, 2017, 9:44pm

In the end you should be using bundled pjproject instead of building pjsip yourself.

Bullhead · May 28, 2017, 10:05pm

Andrew,

Ah! Are you referring to the tarball install?

I didn’t notice that on the FreePBX download’s page until just now. I didn’t scroll down far enough. Agreed, that would’ve been much easier as I wasn’t able to do it with the iso.

tm1000 · May 28, 2017, 10:51pm

It’s an option in the asterisk compiler called “BUNDLE_PJSIP”

Bullhead · May 29, 2017, 5:50am

So replace the ./configure --libdir=/usr/lib64 that’s in the guide with ./configure --libdir=/usr/lib64 --with-pjproject-bundled ?

I just tried that and I see it downloaded v2.6 of pjproject. Any idea what would happen if I re-ran through the build of Asterisk on my server using this now? Or because I built pjproject separately it’s going to screw everything up? ie. I should rebuild my server from scratch?

Only reason why I would do this is perhaps it may fix my other issue where I’m not getting audio between my extensions?