Upgrade Debian from 9 to 11

Status
Not open for further replies.

kidjake28

Member
Nov 30, 2017
Hey everyone, I migrated my FusionPBX server from Debian 9 to 11 without any problems except for this.

My Fanvil phones won't SIP connect via TLS.

I'm definitely not an expert when it comes to certs, but I believe Debian is trying to negotiate TLS1.3. I've changed the FreeSWITCH variables to 'TLS1,TLS1.1,TLS1.2'.
I changed openssl.cnf for MaxProtocol=TLS1.2, CipherString = DEFAULT@SECLEVEL=2.
I've removed any reference in the FusionPBX nginx conf file even though I know that has nothing to do with it.

I've done a packet capture on the phone and get the following:

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Internal Error)
Level: Fatal (2)
Description: Internal Error (80)

Not sure where else to look/try?

Any help greatly appreciated.
 

hfoster

Active Member
Jan 28, 2019
It's either going to be FreeSwitch itself, mod_sofia or the openssl libraries those two are built against. As FreeSwitch isn't really a 'Debian' piece of software, it could just be breaking ABI changes or something.

Found this, with no answer...: https://www.reddit.com/r/freeswitch/comments/duzzt2
Anything in the journal or freeswitch logs?
 

whut

Member
Dec 23, 2022
It sounds like you may have updated deb 9 to 11 instead of migrating to a new server. My method of upgrading from deb 9 to 11 was to create a new installation and to import the fusion database onto the new server. The process was not difficult to complete and traffic was pointed through the new server on a Friday night so the weekend was available in case issues surfaced.

Although this error might be pointing more to the OS, my initial thoughts on TLS are to make sure you remove all possible obstacles.

1. Get the newest Let's Encrypt and install the cert. There are important changes to handle newer TLS, certificate order, include new certs and include old certs for older device allowance.
Code:
cd /usr/src/fusionpbx-install.sh
git pull

2. run the nginx.sh and the lets encrypt.sh in /usr/src/fusionpbx-install.sh/debian/resources/ directory

3. restart nginx

4. update phone firmware

5. on device edit page set transport to tls and port 5061

6. make sure all of your sip profiles are running

7. make sure port 5061 is allowed to pass through your firewall

8. auto-provision phones

There may be some settings on the Fanvil you need to set for TLS. And, of course, Let's Encrypt is assuming you have a domain name.tld associated with your server.
 

kidjake28

Member
Nov 30, 2017
Thanks very much for all your suggestions. I also thought it had something to do with openssl.

I was able to resolve the issue and this is what was done.

Firstly, I was migrating to a new server and not upgrading. It was a clean install of Debian 11 with the latest Fusion.

I had downloaded and modified the restore script which is available on fusionpbx.com for my particular case. This worked well, no issues.

However, once the migration completed and I saved the new external SIP address on the variables page, that's when TLS only offered TLS1.3.

After hours of troubleshooting I found the issue:

The sip_tls_version value on the old Debian 9 instance was TLS1, TLS1.1, TLS1.2.
This value should be: TLSv1,TLSv1.1, TLSv1.2

The secondary issue is that I created a variable called public_ip_v4 in the IP ADDRESS section of Variables, and ext_rtp_ip and ext_sip_ip have a value of $$(public_ip_v4); both are assigned this variable.

When it got imported I didn't specify the order for these variables, so ext-rtp-ip and ext_rtp_ip were prior to public_ip_v4 assignment. I consequently changed the order, making the public_ip_v4 set first.

All worked great after. So I hope this helps someone else that might run into this problem.
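
A check for the two mistakes reported in the post above, as an added example that is not part of the original thread or of FusionPBX. It assumes the variables end up as `X-PRE-PROCESS` `set` lines as in FreeSWITCH's vars.xml; the function name, the sample file and the case-insensitive token comparison are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Token names taken from the fix reported in the thread; comparing them
# case-insensitively is an assumption of this example.
ALLOWED_TLS_TOKENS = {"tlsv1", "tlsv1.1", "tlsv1.2"}
# $${name} is the FreeSWITCH pre-processor form; the post writes $$(name),
# so both spellings are recognised here.
REF = re.compile(r"\$\$[{(]([A-Za-z0-9_.-]+)[})]")

# Constructed sample reproducing both mistakes described in the post.
SAMPLE_VARS = """<include>
  <X-PRE-PROCESS cmd="set" data="sip_tls_version=TLS1,TLS1.1,TLS1.2"/>
  <X-PRE-PROCESS cmd="set" data="ext_rtp_ip=$${public_ip_v4}"/>
  <X-PRE-PROCESS cmd="set" data="ext_sip_ip=$${public_ip_v4}"/>
  <X-PRE-PROCESS cmd="set" data="public_ip_v4=203.0.113.10"/>
</include>"""


def lint_vars(xml_text):
    """Return (kind, variable, detail) findings in file order."""
    sets = []
    for el in ET.fromstring(xml_text).iter("X-PRE-PROCESS"):
        data = el.get("data", "")
        if el.get("cmd") == "set" and "=" in data:
            name, value = data.split("=", 1)
            sets.append((name.strip(), value))
    # Only names set somewhere in this file can be "set too late"; references
    # to variables defined elsewhere (built-ins) are not ordering problems.
    set_in_file = {name for name, _ in sets}
    findings, defined = [], set()
    for name, value in sets:
        if name == "sip_tls_version":
            for tok in value.split(","):
                if tok.strip().lower() not in ALLOWED_TLS_TOKENS:
                    findings.append(("bad_tls_token", name, tok.strip()))
        for ref in REF.findall(value):
            if ref in set_in_file and ref not in defined:
                findings.append(("used_before_set", name, ref))
        defined.add(name)
    return findings


if __name__ == "__main__":
    for finding in lint_vars(SAMPLE_VARS):
        print(*finding)
```

Run it against an exported copy of the variables file after a restore or import, before reloading the SIP profiles.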
 