Everybody,

For a while now, I've had a small home Asterisk setup to connect to my Zimbra mail server's calendar. Making an entry on the calendar would cause Asterisk to schedule a wakeup call at the time of the calendar entry.

The Zimbra mail server uses LetsEncrypt for the SSL Certs and renews every 60 days. On the Asterisk side of things, if I do not restart the Asterisk process, the logs get spammed with the below and the wakeup call never occurs:

[Dec 24 07:48:46] WARNING[10679] res_calendar_caldav.c: Unknown response to CalDAV calendar calendar.name.here, request REPORT to /dav/username/Calendar: Server certificate changed: connection intercepted?

Would this be considered a bug, or do I have something set up incorrectly?

Asterisk version: 13.29.2
OS: Debian GNU/Linux 7.11 (wheezy)
Zimbra OSE 8.8.11 P4

Thanks!

Doug

Doug Lytle <support at drdos.info> writes:

> For a while now, I've had a small home Asterisk setup to connect to my
> Zimbra mail server's calendar. Making an entry on the calendar would
> cause Asterisk to schedule a wakeup call at the time of the calendar
> entry.
>
> The Zimbra mail server uses LetsEncrypt for the SSL Certs and renews
> every 60 days. On the Asterisk side of things, if I do not restart
> the Asterisk process, the logs get spammed with the below and the
> wakeup call never occurs:
>
> [Dec 24 07:48:46] WARNING[10679] res_calendar_caldav.c: Unknown
> response to CalDAV calendar calendar.name.here, request REPORT to
> /dav/username/Calendar: Server certificate changed: connection
> intercepted?
>
> Would this be considered a bug, or do I have something set up incorrectly?
>
> Asterisk version: 13.29.2
> OS: Debian GNU/Linux 7.11 (wheezy)
> Zimbra OSE 8.8.11 P4

My guess is bug.

Generally, one validates server certificates starting from a list of acceptable configured CA certificates, called trust anchors.

Perhaps because people often used to use self-signed certificates (before Let's Encrypt), and perhaps because of general paranoia (not a bad thing), there is a notion of certificate pinning. However, it strikes me that if implemented, the pinning would be persistent.

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

Have you done anything in the Asterisk config to control certificate validation?

I would suggest reading the res_calendar_caldav sources to see if there is some attempt to store certificates and compare.

On 12/24/2019 9:02 AM, Doug Lytle wrote:

> [Dec 24 07:48:46] WARNING[10679] res_calendar_caldav.c: Unknown
> response to CalDAV calendar calendar.name.here, request REPORT to
> /dav/username/Calendar: Server certificate changed: connection
> intercepted?
>
> Would this be considered a bug, or do I have something set up incorrectly?

This error message comes from neon and was removed in r1938 back in 2014[1]:

    src/ne_openssl.c (ne__negotiate_ssl): Don't fail hard for SSL cert change, invoke verify callback.

For better or worse, Asterisk's verify callback allows all certificates, so this doesn't appear to be an Asterisk bug. You should probably try to find a newer version of neon for your distribution.

Kind regards,
Sean

[1] http://lists.manyfish.co.uk/pipermail/neon-commits/2014-September/001001.html

On 12/24/19 10:34 AM, Sean Bright wrote:

> On 12/24/2019 9:02 AM, Doug Lytle wrote:
>> [Dec 24 07:48:46] WARNING[10679] res_calendar_caldav.c: Unknown
>> response to CalDAV calendar calendar.name.here, request REPORT to
>> /dav/username/Calendar: Server certificate changed: connection
>> intercepted?
>>
>> Would this be considered a bug, or do I have something set up incorrectly?
>
> This error message comes from neon and was removed in r1938 back in
> 2014[1]:
>
> src/ne_openssl.c (ne__negotiate_ssl): Don't fail hard for SSL cert
> change, invoke verify callback.
>
> For better or worse, Asterisk's verify callback allows all
> certificates, so this doesn't appear to be an Asterisk bug. You should
> probably try to find a newer version of neon for your distribution.

Thanks guys for the input! Just another reason to upgrade that to Debian Buster.

Doug
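
Added example, not part of the thread and not neon's or Asterisk's source: a simplified C model of the behaviour Sean Bright's reply describes, where a long-lived session remembers the server certificate and either fails hard when it changes or hands the new certificate to the verify callback. The struct, the function names, the issuer-checking callback and the sample certificates are all constructed for illustration.

```c
/* Simplified model of the session logic; not neon's or Asterisk's source. */
#include <stdio.h>
#include <string.h>

typedef struct { const char *fingerprint, *issuer; } cert; /* constructed stand-in for X.509 */
typedef int (*verify_fn)(const cert *);                    /* 0 = accept, nonzero = reject */
typedef struct {
    cert cached; int have_cached;
    int reverify_on_change; /* 0: fail hard on change, 1: ask the verify callback */
    verify_fn verify;
} session;

static const cert ORIGINAL = { "fp-original", "Example Trusted CA" }; /* constructed samples */
static const cert RENEWED  = { "fp-renewed",  "Example Trusted CA" };
static const cert FOREIGN  = { "fp-foreign",  "Unknown CA" };

/* Accepts every certificate, as the thread says Asterisk's callback does. */
static int accept_all(const cert *c) { (void)c; return 0; }
/* Hypothetical stricter callback: accept only the configured issuer. */
static int trusted_issuer_only(const cert *c) {
    return strcmp(c->issuer, "Example Trusted CA") != 0;
}

/* Returns 0 if the connection proceeds, -1 if it is aborted. */
static int negotiate(session *s, const cert *presented) {
    if (s->have_cached && strcmp(s->cached.fingerprint, presented->fingerprint) == 0)
        return 0;   /* same certificate as on the previous connection */
    if (s->have_cached && !s->reverify_on_change)
        return -1;  /* "Server certificate changed: connection intercepted?" */
    if (s->verify(presented) != 0)
        return -1;  /* callback rejected the new certificate */
    s->cached = *presented;
    s->have_cached = 1;
    return 0;
}

/* Connect once with ORIGINAL, then reconnect in the same session with `next`. */
static int reconnect_result(int reverify, verify_fn verify, const cert *next) {
    session s = { { NULL, NULL }, 0, reverify, verify };
    if (negotiate(&s, &ORIGINAL) != 0) return -2;
    return negotiate(&s, next);
}

int main(void) {
    printf("fail-hard, renewed cert:          %d\n", reconnect_result(0, accept_all, &RENEWED));
    printf("reverify + accept-all, renewed:   %d\n", reconnect_result(1, accept_all, &RENEWED));
    printf("reverify + accept-all, foreign:   %d\n", reconnect_result(1, accept_all, &FOREIGN));
    printf("reverify + issuer check, foreign: %d\n", reconnect_result(1, trusted_issuer_only, &FOREIGN));
    return 0;
}
```

In the fail-hard mode a routine renewal breaks the session until the process restarts, which matches the symptom in the first message; in the callback mode an accept-all callback also lets through a certificate from an unrelated issuer, so a callback that checks against trust anchors is what keeps the renewal case working without accepting everything.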