[asterisk-bugs] [Asterisk 0014770]: Need ability to select TLS version in outgoing messages

Asterisk Bug Tracker noreply at bugs.digium.com
Wed Apr 29 16:13:45 CDT 2009


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=14770 
====================================================================== 
Reported By:                TheOldSaint
Assigned To:                dvossel
====================================================================== 
Project:                    Asterisk
Issue ID:                   14770
Category:                   Channels/chan_sip/TCP-TLS
Reproducibility:            always
Severity:                   feature
Priority:                   normal
Status:                     assigned
Asterisk Version:           1.6.1-rc1 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2009-03-26 15:57 CDT
Last Modified:              2009-04-29 16:13 CDT
====================================================================== 
Summary:                    Need ability to select TLS version in outgoing messages
Description: 
This issue is found with Asterisk 1.6.1rc1 build. The network consists of a
3rd party gateway/SIP server (Avaya CM or Cisco UCM) on one end and
Asterisk on the other. I have enabled TLS on each of the servers. The call
scenario is as below -

Avaya 9620 SIP phone is an Avaya CM end point
Snom 300 SIP phone is an Asterisk end point

Avaya 9620 <-TLS-> Avaya CM <---TLS---> Asterisk 1.6.1rc1 <-TLS-> Snom 300

When calling from an Asterisk end-point to an Avaya end-point, Asterisk sends a
Client Hello to establish a TLS connection with Avaya. This Client Hello is
sent as an 'SSLv2 Record layer' in the TCP packet as opposed to a 'TLS Record
Layer'. The ideal packet should have contained a 'TLS Record Layer' header
with a 'Version' header of TLS 1.0. It would be nice to make this
configurable within sip.conf, because many industry standard SIP
servers/Gateways reject the TLS handshake since it is not a TLS header but
an SSL header, and the call cannot complete.

There is such a parameter in OpenSIPS called "tls_method = TLSv1". Other
values for this parameter are SSLv1 and SSLv23. Some such configurable
setting will be highly helpful in cases where the server that Asterisk is
trying to talk to (over TLS) supports only TLS 1.0 and not SSLv2 or SSLv3.
Such a parameter will help force Asterisk to initiate a TLS transaction
rather than an SSL transaction. I have attached two screenshots of traces,
one for the SSL transaction and the other for the TLS transaction.
====================================================================== 

---------------------------------------------------------------------- 
 (0103965) svnbot (reporter) - 2009-04-29 16:13
 http://bugs.digium.com/view.php?id=14770#c103965 
---------------------------------------------------------------------- 
Repository: asterisk
Revision: 191177

U   trunk/CHANGES
U   trunk/configs/sip.conf.sample
U   trunk/include/asterisk/tcptls.h
U   trunk/main/tcptls.c

------------------------------------------------------------------------
r191177 | dvossel | 2009-04-29 16:13:44 -0500 (Wed, 29 Apr 2009) | 13 lines

SIP option to specify outbound TLS/SSL client protocol.

chan_sip allows for outbound TLS connections, but does not allow the user
to specify what protocol to use (default was SSLv2, and still is if this
new option is not specified).  This patch lets the user pick the SSL/TLS
client method for outbound connections in sip.

(closes issue http://bugs.digium.com/view.php?id=14770)
Reported by: TheOldSaint

(closes issue http://bugs.digium.com/view.php?id=14768)
Reported by: TheOldSaint

Review: http://reviewboard.digium.com/r/240/


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=191177 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-04-29 16:13 svnbot         Checkin                                      
2009-04-29 16:13 svnbot         Note Added: 0103965                          
======================================================================
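
The framing difference described in the issue, as an added example that is not part of the original report or of the Asterisk change: a small C classifier for the first bytes of a captured ClientHello that tells an SSLv2 record layer from a TLS record layer and reports the advertised version. The byte arrays are constructed samples, and classify_hello and the enum names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Record-layer framing of the first bytes a client sends. */
enum hello_kind { HELLO_UNKNOWN, HELLO_SSLV2_RECORD, HELLO_TLS_RECORD };

/* Constructed samples (first 11 bytes only), both advertising TLS 1.0. */
static const uint8_t sample_v2[]  = { 0x80, 0x2e, 0x01, 0x03, 0x01,
                                      0x00, 0x15, 0x00, 0x00, 0x00, 0x10 };
static const uint8_t sample_tls[] = { 0x16, 0x03, 0x01, 0x00, 0x2d, 0x01,
                                      0x00, 0x00, 0x29, 0x03, 0x01 };

/*
 * Classify a captured ClientHello by its framing and report the version it
 * advertises (0x0002 SSLv2, 0x0300 SSLv3, 0x0301 TLS 1.0). Only the 2-byte
 * SSLv2 header form is handled.
 */
enum hello_kind classify_hello(const uint8_t *p, size_t n, uint16_t *version)
{
    *version = 0;
    /* TLS/SSLv3 record: type 0x16 (handshake), major version 3, 2-byte
     * length; then handshake type 0x01, 3-byte length, client_version. */
    if (n >= 11 && p[0] == 0x16 && p[1] == 0x03 && p[5] == 0x01) {
        *version = (uint16_t)(p[9] << 8 | p[10]);
        return HELLO_TLS_RECORD;
    }
    /* SSLv2 record: high bit of byte 0 set, 15-bit length; then message
     * type 0x01 (CLIENT-HELLO) and version. A hello is at least 9 bytes. */
    if (n >= 5 && (p[0] & 0x80) && p[2] == 0x01 &&
        (((p[0] & 0x7f) << 8) | p[1]) >= 9) {
        *version = (uint16_t)(p[3] << 8 | p[4]);
        return HELLO_SSLV2_RECORD;
    }
    return HELLO_UNKNOWN;
}

int main(void)
{
    static const char *names[] = { "unknown", "SSLv2 record", "TLS record" };
    uint16_t v;
    enum hello_kind k = classify_hello(sample_v2, sizeof sample_v2, &v);
    printf("sample_v2:  %s, version 0x%04x\n", names[k], (unsigned)v);
    k = classify_hello(sample_tls, sizeof sample_tls, &v);
    printf("sample_tls: %s, version 0x%04x\n", names[k], (unsigned)v);
    return 0;
}
```

Both samples advertise the same version, so the only difference a strict peer sees is the record framing.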



