cwernstedt

No change to the timestamps of pbxctrl and pbxctrl.dat . (They still have dates prior to the attempt to update.) I know I'm looking in the correct directory because log2023-09-04.txt is present and recently updated. ./pbxctrl --version reveals: Version: 63.0.1 Debian64 Date: Apr 26 2019 So no luck…

I'm trying to update from v63.0.1 to a later version (v68 or v69) using the web admin interface, but after reboot, the server version is the same and nothing has changed in the directory of the pbx ( /usr/local/pbx ) . Web interface reports "The software update was successful. Please restart the system to complete the update." Disk space usage is at: 53% How can I further troubleshoot why the update isn't happening?

Does Vodia v63.0.1 support RFC 5746? If not, it's not a surprise that Bria has problems now.

Thanks @Scott1234 . At least now we have some hope of resolving the problem.

User devices are set to auto-update (iOS users don't normally select updates a la-carte), so the date of the onset of the problem dosen't correlate with when Bria release notes claims that RFC 5746 begun to be mandatory. In any case, I'm really pissed of by Bria who pretends to offer an enterprise/teams solution when they don't communicate compatibility-breaking changes well in advance. All normal companies do this. Usually we're given a heads up of multiple months if not years, if there's a new requirement. Thanks for the info on 68.0.28 / 68.0.32 . When you say RFC 5746 was enabled by default, does this imply that in earlier versions, RFC 5746 could be manually enabled by setting some parameter? We have 63.0.1 . I'm not a fan of having to panic-upgrade as past upgrades have tended to break things.

Yesterday the Bria client for iOS stopped working for all our users. The reason according to Counterpath: The PBX must support RFC 5746 (aka Transport Layer Security (TLS) Renegotiation). Is this supported in any of the later versions of the Vodia PBX?

It is arguably a different world today when few have local PSTN gateways and most traffic happening over the Internet. Eavesdropping on the Internet or public WiFi (if using soft phone) is a much bigger threat than local packet sniffing. So today, if admins don't think they need the servers' assistance with ensuring encrypted links at all times, they are insane. There's an interesting discussion here about detection of encrypted vs non encrypted RTP: https://www.twilio.com/blog/srtp-deep-dive Twilio for their SIP trunks has an option to enforce SRTP and TLS for SIP, so since we use them for trunks at least we are covered in that regard. You mean a general parameter on the phones, such as setting "RTP Encryption" to ON on a snom phone? Is there a way to check that phone settings are working correctly, except by sniffing packets and looking for, for example, "digital silence" as described in the link above?

Thank you for these suggestions. "As for SRTP, there are various settings for the devices that you use to enforce SRTP. E.g. you can use the snom General parameter to enforce SRTP. The apps all use SRTP and TLS anyway, there is not even an option to do it insecure." It seems SRTP is the biggest "hole" right now with regard to enforcement of encryption at the server. (A user knowing their SIP credentials could connect a misconfigured or malfunctioning device and use unencrypted RTP = nightmare in a corporate IT security context). It would be an essential security feature if the server could detect such connections and not accept them.

Hi, I have a requirement such that no calls can take place unless all involved protocols and traffic are encrypted using up-to-date protocols (e.g., TLS 1.2) Old devices/endpoints with configs that don't adhere should stop working. What would be appropriate settings to make sure that this is the case? (In 2023 it is no longer acceptable to have no guarantees on the PBX with regard to secured links, just like most web pages now prevent the use of non TLS requests.) Best, Christian

Update: Twilio will never install wildcard certs on their localized endpoints. Their stated reason and workaround: "Twilio does not present wildcard certificates for SIP as most standards-compliant devices don’t accept them. So you may not see a certificate that matches their personalized domain name exactly. If you can configure an “outbound proxy” or route on their SIP device, you can set this to “pstn.frankfurt.twilio.com” which will match the certificate our edge presents." This solution seems to work.

@Roozbeh I'm running into this issue too, and Twilio support is clueless. Did you receive any responses from them regarding fixing the issue?

Where does this setting (c2d_root) reside in recent versions of of the pbx? Can it be changed from web interface or is it inside a file?

I upgraded to version 68.0.1 . Certificates are still not successfully updated. I see "Could not retrieve directory from directory https://acme-v02.api.letsencrypt.org/directory " in the log.

OK. This is what I see in the log (the real domain name and IP address I've censored out) after renaming the System Management DNS address and then renaming it back. The line with "Could not retrieve directory" looks suspicious. Any idea? LYNC: Creating pbx-admin.xyz.com [6] 13:28:32.009 LYNC: Using IP address 20.203.51.134 for creating DNS A record for pbx-admin.xyz.com [8] 13:28:34.526 LYNC: Create new account [3] 13:28:34.921 LYNC: Could not retrieve directory from directory https://acme-v02.api.letsencrypt.org/directory [8] 13:28:34.921 LYNC: New order pbx-admin.xyz.com [8] 13:28:34.921 LYNC: Done creating pbx-admin.xyz.com

In this case it's Let's Encrypt which sends me expiration warning emails, so it's the PBX which failed to renew the certs for some reason, and they do expire within a week or so, indicating failure to renew quite a long ago. Version is 63.0.1 . I haven't dared to update for fear of breaking something. Some way I can troubleshoot further?