Bug 988488 - Linphone cannot register with sip proxy (cannot read cert -> tls error)
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: linphone
Version: 17
Assigned To: nucleo
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-07-25 13:06 EDT by colin
Modified: 2013-08-04 19:04 EDT
Fixed In Version: linphone-3.6.1-2.fc19
Doc Type: Bug Fix
Last Closed: 2013-08-01 16:04:59 EDT
Type: Bug


Attachments:
linphonecc log file (8.10 KB, text/plain), 2013-07-25 13:09 EDT, colin
strace capture (286.30 KB, text/plain), 2013-07-25 13:11 EDT, colin

Description colin 2013-07-25 13:06:26 EDT
Description of problem:
Linphone fails to register the given userId with the sip proxy.
After some wait the GUI times out and displays the message:
"registration on sip:sip.linphne.org failed: no response timeout"

Version-Release number of selected component (if applicable):
version: 3.5.2

How reproducible:
Every time, with multiple sip accounts/proxies
(I tried accounts on sip.linphone.org and ekiga.net)

Steps to Reproduce:
1. Enter your user details
2. Watch it fail to get a reply from the sip proxy.

Actual results:
Linphone Not useable

Expected results:
User account should register with the remote sip proxy server.

Additional info:
I conducted some CLI runs without the GUI to test configuration options.
Log files generated and captured show that DNS resolves the 2 sip servers I was testing with, but a tls attempt fails to return any data. :-(
 
Possible clue from log: linphonec3_log.out
from line 124: 

ortp-error-Cannot load certificates from Microsoft Certificate Store
ortp-message-SSL_is_init_finished not already done
ortp-message-SSL_connect retry
ortp-message-SSL_connect (timeout not data to read) (0 ms)
ortp-message-socket node:sip.linphone.org, socket 13 [pos=0], connected (ssl in progress)
ortp-message-eXosip: timer sec:4 usec:10000!
ortp-message-SSL_is_init_finished not already done
ortp-message-SSL_connect retry
ortp-message-SSL_connect (timeout not data to read) (0 ms)
ortp-message-eXosip: timer sec:3 usec:936297!
ortp-message-SSL_is_init_finished not already done
ortp-error-verify error:num=20:unable to get local issuer certificate:depth=1:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
ortp-error-SSL ERROR
ortp-error-SSL_connect error


So I straced with:
strace -o /home/colin/scripts/linphonec3_strace_.out linphonec -d 1 -l /home/colin/scripts/linphonec3_log.out

This cert/tls failure can be seen around line 2698 of linphonec3_strace_.out

Previous runs showed that the same failure repeats on a timer, so I typed quit at the linphonec command prompt to stop from bloating the captured files.
Comment 1 colin 2013-07-25 13:09:06 EDT
Created attachment 778395 [details]
linphonecc log file

Log file generated with:
 'strace -o /home/colin/scripts/linphonec3_strace_.out linphonec -d 1 -l /home/colin/scripts/linphonec3_log.out'
Comment 2 colin 2013-07-25 13:11:24 EDT
Created attachment 778396 [details]
strace capture

strace capture generated with:

 'strace -o /home/colin/scripts/linphonec3_strace_.out linphonec -d 1 -l /home/colin/scripts/linphonec3_log.out'

The cert error / tls failure seems to start around line 2698
Comment 3 nucleo 2013-07-25 13:41:34 EDT
Did this error appear after recent updates?
Can you please set up Linphone with clean configs and try to connect again?
Comment 4 colin 2013-07-25 13:43:24 EDT
Upon going to get a look at the source, I see that there exists a much more recent stable version: 3.6.1

http://www.linphone.org/eng/download/packages/linphone.html

And furthermore that 'nucleo' has a koji build for fc20

Changelog 	* Sun Jul 07 2013 Alexey Kurov <nucleo@fedoraproject.org> - 3.6.1-1 - linphone-3.6.1 

http://koji.fedoraproject.org/koji/buildinfo?buildID=432018

Perhaps it would be simplest to wait until the package with build version 3.6.1 becomes available on F19?

-the reason that I discovered this bug in the first place was that I was trialling a new installation of F19 in preparation for migrating from F17, but F19 has exactly the same old version, and failure. :-(
Comment 5 colin 2013-07-25 13:44:28 EDT
nucleo - our comments passed in flight.

These were 2 completely new installs, fresh as of today.
Comment 6 nucleo 2013-07-25 13:50:17 EDT
3.6.1 has compatibility problems with kdenetwork, which fails to build against the new mediastreamer/ortp, so 3.6.1 will be in F20+ for now.

3.5.2 works for me, at least with the servers I use, but I can't test git.linphone.org now because I don't have an account there.
Comment 7 colin 2013-07-25 13:54:55 EDT
Thanks nucleo.

Both ekiga.net and sip.linphone.org are free accounts from the FOSS developers.
:-)

Ideal to register for free and test with really. ;-)

If there is anything more that I can do - feel free to leave me instructions here and I will be happy to (try to) follow them.

Thanks again
Colin.
Comment 8 nucleo 2013-07-25 15:06:50 EDT
What is in your "Network protocol and ports" settings?
Try SIP(UDP) if SIP(TLS) is set there.
Comment 9 colin 2013-07-25 15:40:10 EDT
Aha!
I didn't realise that account used unencrypted UDP for authentication -time to delete it methinks.
Thank you once again!

Note to self and world: 
Always back up your working linphone config from  ~/.linphonerc
 so that you have a working setup after upgrade/reinstall.
Comment 10 nucleo 2013-07-25 15:44:19 EDT
Maybe SIP(UDP) should be set by default.
Leaving this bug open, so people can find it.
If I find a way to change the defaults, then I will fix this.
Comment 11 nucleo 2013-07-25 18:12:33 EDT
It looks like at first Linphone start the network protocol is set by default to SIP(UDP), but after using the account assistant it becomes set to SIP(TLS). So SIP(UDP) should be set by default if an account is set up manually without using the account assistant, or it should be set back to SIP(UDP) after using the assistant.
Comment 12 nucleo 2013-07-25 19:40:39 EDT
Switching to SIP(UDP) is only a workaround; the real problem is in coreapi/linphonecore.c:

#define ROOT_CA_FILE PACKAGE_DATA_DIR "/linphone/rootca.pem"

#ifdef __linux
        sal_set_root_ca(lc->sal, lp_config_get_string(lc->config,"sip","root_ca", "/etc/ssl/certs"));
#else
        sal_set_root_ca(lc->sal, lp_config_get_string(lc->config,"sip","root_ca", ROOT_CA_FILE));
#endif


So ROOT_CA_FILE should be the file /etc/ssl/certs/ca-bundle.crt or /etc/ssl/certs/ca-bundle.trust.crt, but it is set to the path /etc/ssl/certs.

I will try to build a fixed linphone.
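
Added example, not part of the bug report and not Linphone's own code: a C check that tells a CA bundle file apart from a CA directory before a root_ca value is handed to the TLS library, the distinction comment 12 turns on. The name classify_root_ca and the enum are hypothetical; the paths in main are the ones quoted in that comment.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* How a configured root_ca value can be used by the TLS library. */
enum ca_kind { CA_UNREADABLE, CA_BUNDLE_FILE, CA_DIRECTORY, CA_NOT_PEM };

/* Classify `path`. With OpenSSL, a bundle file belongs in the CAfile argument
 * of SSL_CTX_load_verify_locations() and a directory in its CApath argument;
 * a directory passed as CAfile does not load any certificates, so no issuer
 * can be found during verification. */
enum ca_kind classify_root_ca(const char *path)
{
    struct stat st;
    char line[256];
    enum ca_kind kind = CA_NOT_PEM;
    FILE *fp;

    if (path == NULL || stat(path, &st) != 0)
        return CA_UNREADABLE;          /* missing or inaccessible */
    if (S_ISDIR(st.st_mode))
        return CA_DIRECTORY;           /* e.g. /etc/ssl/certs */
    if (!S_ISREG(st.st_mode) || (fp = fopen(path, "r")) == NULL)
        return CA_UNREADABLE;

    /* A usable bundle holds at least one PEM header such as
     * "-----BEGIN CERTIFICATE-----" or "-----BEGIN TRUSTED CERTIFICATE-----". */
    while (fgets(line, sizeof line, fp) != NULL) {
        if (strncmp(line, "-----BEGIN ", 11) == 0 &&
            strstr(line, "CERTIFICATE-----") != NULL) {
            kind = CA_BUNDLE_FILE;
            break;
        }
    }
    fclose(fp);
    return kind;
}

int main(void)
{
    static const char *names[] = { "unreadable", "bundle file", "directory", "not PEM" };
    const char *paths[] = { "/etc/ssl/certs", "/etc/ssl/certs/ca-bundle.crt" };

    for (int i = 0; i < 2; i++)
        printf("%-30s -> %s\n", paths[i], names[classify_root_ca(paths[i])]);
    return 0;
}
```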
Comment 13 Fedora Update System 2013-07-28 16:23:36 EDT
linphone-3.6.1-2.fc19,ortp-0.22.0-1.fc19,kdenetwork-4.10.5-3.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/linphone-3.6.1-2.fc19,ortp-0.22.0-1.fc19,kdenetwork-4.10.5-3.fc19
Comment 14 Fedora Update System 2013-07-30 13:29:47 EDT
Package linphone-3.6.1-2.fc19, ortp-0.22.0-1.fc19, kdenetwork-4.10.5-3.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing linphone-3.6.1-2.fc19 ortp-0.22.0-1.fc19 kdenetwork-4.10.5-3.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-13833/linphone-3.6.1-2.fc19,ortp-0.22.0-1.fc19,kdenetwork-4.10.5-3.fc19
then log in and leave karma (feedback).
Comment 15 colin 2013-07-30 16:52:20 EDT
Thanks nucleo.
That is fantastic!

Your new build 'updates-testing linphone-3.6.1-2.fc19' solved the problem with sip proxy registration and tls that prompted me to file this bug report.

:-) :-) :-)

Positive feedback left on bodhi as requested.
Comment 16 Fedora End Of Life 2013-08-01 16:05:05 EDT
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 17 Fedora Update System 2013-08-04 19:04:29 EDT
linphone-3.6.1-2.fc19, ortp-0.22.0-1.fc19, kdenetwork-4.10.5-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
