What is the GPG issue?

I 10000% believe you and believe there is an issue. Just not sure where or what. I’d have to go look through and track down the code paths.

Thanks Andrew.

I’ve updated my open but unresolved issue (https://issues.freepbx.org/browse/FREEPBX-20559) with the latest details and a pointer to this topic. Hopefully it will get some attention and be resolved at some point.

Framework 15.0.16.38 does not correct this issue for me. @miken32’s original changes did (ignoring the 6.5 second vs 3.25 second mystery).

Unless the list of well-known keyservers is changed to the following, GUI reloads still take forever with Framework 15.0.16.38 unless module signature checking is disabled:

// List of well-known keyservers.
private $keyservers = array(
	"hkps://keys.openpgp.org", // Unpoisoned keyserver
	"hkps://keyserver.ubuntu.com:443", // This is in case port 11371 is blocked outbound
	"pool.sks-keyservers.net" // Last resort
);

Further Updates - please read first:
I have applied miken32’s pull request again and restarted my raspbx.
I note now that it takes approximately 10 seconds for the Apply Config to complete which is a massive improvement and will suffice for the moment.
I have done this with the module signature checking enabled.
I note, however, that the FreePBX dashboard has presented a security alert in relation to the changes that I made to GPG.class.php and states that it needs urgent attention.
I have read that I can run the command:

fwconsole ma refreshsignatures

to fix this problem, which I have done previously and it did fix the problem but it seems to also have undone all the changes I made to GPG.class.php, which defeats the purpose of running this command in this instance.

So, is there a way for miken32’s pull request changes to persist without having this security alert on the dashboard?

Thanks again everyone.

Hi Everyone,
I am very new to FreePBX and I am experiencing this exact same issue.

I have attempted to modify my local GPG.class.php file as per miken32’s pull request (request submitted 6 days ago), which I assume is what will realise the whitelisting that is referred to in this thread, but sadly the problem persists.

I used the subkeys exactly as listed in the pull request and I am wondering if this is the correct thing to do or do I need to customise the subkeys for my installation of FreePBX (running as latest distro of Raspbx on a Raspberry Pi 4)?

I have disabled the module signature checking in the meantime so that I can continue to configure my system. Waiting minutes for the Apply Config to complete is soul destroying.

Would appreciate help on how to implement miken32’s suggested fix, especially with respect to the suspicion I have that I need to populate GPG.class.php with subkeys that are unique to my system.

Thank you all for being so smart and helpful.

Update: I just checked what I thought was my modified version of GPG.class.php and discovered that all edits I have made have been restored to the original version. I presume that this is the result of me running:

fwconsole ma refreshsignatures

Which I thought I needed to do to overcome the security alert in the FreePBX dashboard that was noticed following my modifications to the GPG.class.php file.

Some further thoughts and comments in relation to this would also be appreciated.

Use the script below to upgrade modules instead of using Module Admin until the problem(s) in framework 15.0.16.38 are resolved. This script can be run at any time to repatch GPG.class.php if necessary:

#!/bin/bash

fwconsole ma downloadinstall framework
sed -i "s/'1013D73FECAC918A0A25823986CE877469D2EAD9'$/'1013D73FECAC918A0A25823986CE877469D2EAD9',\n\t\t'593E5D6A7107C285E698CB563C355822CCEBF9CB',\n\t\t'C5C26167A09555DB29DA4ECF06C57CED5C2FE148',\n\t\t'EB312FC936875A7BC236DE6A36992456A6869B39'/" /var/www/html/admin/libraries/BMO/GPG.class.php
sed -i '0,/pool\.sks-keyservers\.net/{//d;}' /var/www/html/admin/libraries/BMO/GPG.class.php
sed -i '/hkp:\/\/keyserver\.ubuntu\.com:80/d' /var/www/html/admin/libraries/BMO/GPG.class.php
sed -i '/pgp\.mit\.edu/d' /var/www/html/admin/libraries/BMO/GPG.class.php
sed -i '/keyserver\.pgp\.com/d' /var/www/html/admin/libraries/BMO/GPG.class.php
sed -i 's/"pool\.sks-keyservers\.net"/"hkps:\/\/keys.openpgp.org"/' /var/www/html/admin/libraries/BMO/GPG.class.php
sed -i 's/\t); \/\/ Yes\. sks is there twice\./\t);/' /var/www/html/admin/libraries/BMO/GPG.class.php
fwconsole ma upgradeall
fwconsole setting SIGNATURECHECK 0
fwconsole reload

The script I provided above will suppress the security alert:

fwconsole setting SIGNATURECHECK 0

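A check for the situation described in the posts above, where a framework reinstall or `fwconsole ma refreshsignatures` restores the stock GPG.class.php: this added example (not code from the thread's participants or from FreePBX) reports whether the extra fingerprints and the keys.openpgp.org keyserver from the posted script are still in the file. The function names are hypothetical, and treating the presence of keys.openpgp.org as the sign of an edited file is an assumption.

```shell
#!/bin/bash
# Added example: report whether the thread's edits to GPG.class.php are still
# in place. Path and fingerprints are the ones used by the script posted above.
GPG_CLASS="${GPG_CLASS:-/var/www/html/admin/libraries/BMO/GPG.class.php}"
EXTRA_FPRS="593E5D6A7107C285E698CB563C355822CCEBF9CB
C5C26167A09555DB29DA4ECF06C57CED5C2FE148
EB312FC936875A7BC236DE6A36992456A6869B39"

# Print each entry of the $keyservers array, one per line, in file order.
list_keyservers() {
    # Take the lines from 'private $keyservers = array(' to the closing ');'
    # and pull out every double-quoted string.
    sed -n '/\$keyservers *= *array(/,/);/p' "$1" \
        | grep -o '"[^"]*"' | tr -d '"'
}

# Print one finding per line. Returns 0 if the edits are present,
# 1 if something is missing, 2 if the file cannot be read.
check_gpg_patch() {
    local file="${1:-$GPG_CLASS}" rc=0 fpr first
    [ -r "$file" ] || { echo "ERROR cannot read $file"; return 2; }
    for fpr in $EXTRA_FPRS; do
        grep -q "$fpr" "$file" || { echo "MISSING fingerprint $fpr"; rc=1; }
    done
    # The first keyserver is tried first, so report it if it is the SKS pool.
    first=$(list_keyservers "$file" | head -n 1)
    case "$first" in
        *pool.sks-keyservers.net*) echo "FIRST keyserver is $first"; rc=1 ;;
    esac
    # Assumption: keys.openpgp.org only appears once the file has been edited.
    list_keyservers "$file" | grep -q 'keys\.openpgp\.org' \
        || { echo "MISSING keyserver hkps://keys.openpgp.org"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK edits present in $file"
    return "$rc"
}
```

Source the file and call `check_gpg_patch` after a framework upgrade or a signature refresh; a return value of 1 means the file no longer contains the edits.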

Thank you so much reraikes!

Very much appreciated!!

Hi reraikes,

I installed and ran the script.
Sadly the security alert message has not been suppressed.
Output of running the script below.

root@raspbx:/home/asterisk# ./GPG.class.php.patch.sh
No repos specified, using: [standard,extended] from last GUI settings
Downloading module ‘framework’
Processing framework
Verifying local module download…Verified
Extracting…Done
Download completed in 18 seconds
Updating tables admin, ampusers, cronmanager, featurecodes, freepbx_log, freepbx_settings, globals, module_xml, modules, notifications, cron_jobs…Done
installing files to /var/www/html…done
installing files to /var/lib/asterisk/bin…done
installing files to /var/lib/asterisk/agi-bin…done
Checking for upgrades…
No further upgrades necessary
framework file install done, removing packages from module
file/directory: /var/www/html/admin/modules/framework/amp_conf removed successfully
file/directory: /var/www/html/admin/modules/framework/upgrades removed successfully
file/directory: /var/www/html/admin/modules/framework/start_asterisk removed successfully
file/directory: /var/www/html/admin/modules/framework/install removed successfully
file/directory: /var/www/html/admin/modules/framework/installlib removed successfully
Compressing Framework CSS…Done
Setting Framework Version…Done
Running SQL cleanup…Done
Building Packaged Scripts…Done
Refreshing GPG Keys…Done
Generating CSS…Done
Module framework version 15.0.16.38 successfully installed
Updating Hooks…Done
Chowning directories…Done
No repos specified, using: [standard,extended] from last GUI settings
Up to date.
Updating Hooks…Done
Changing “SIGNATURECHECK” from [1] to [0]
Reload Started
Reload Complete

Is there something else that I need to do?
Thanks again for your support and assistance.

ps. The Apply Config is still taking 10 seconds with Module Signature Checks enabled which is a relief.

Per the other thread on this topic, the developers intend to release the rest of the fixes soon. Might want to just wait on that.

Everything looks correct.

You should only be seeing a green warning that signature checking is disabled.

You may have to dismiss any red security alert (just once) in the same list by clicking the ‘-’ or ‘x’ to its right.

Hi reraikes,
I am seeing the green warning, but I am also seeing the red security alert, which I can dismiss by clicking the ‘-’ to its right, which I have done --> this removes the message, but does not dismiss the general larger Security Alert message. In order to remove that Security Alert message, I have to select “Show New”.
And I can bring back the individual and larger Security Alert messages by selecting “Show All”, which I presume is all normal behaviour.
Thank you so much for your help.

I think you’ll find that clicking the refresh ‘circle’ in the upper right corner of the System Overview box will eliminate any of the errors coming back (even with “Show New”). You shouldn’t ever see the individual and larger Security Alert messages again. At least that’s the way it works here.

Hi reraikes,
Thank you for your help.
The refresh circle does not behave that way for my install.
With both alert messages being displayed, if I click on the ‘-’ and the ‘Show New’, both alert messages disappear. If I then click on the refresh circle, nothing changes and no alert messages are displayed. So far, so good.
If I then click on ‘Show All’, both alert messages re-appear.
So I am not sure why my install is behaving differently to yours.

Not a show stopper at all, and in the bigger scheme of things this is not a big deal and I can live with it knowing the cause of the security alert and will wait until the underlying problem is fixed with GPG and keyservers (which I read all the supporting posts that totally bamboozled me from a complexity standpoint and disturbed me that so many systems depend on these keys/certificates from these servers that had such a gaping hole / vulnerability inherent in them).

I think you’re using RasPBX.

I’m using:

Thank you. That could explain the different behaviour.
