[asterisk-bugs] [Asterisk 0014768]: TLS Client Hello handshake sent within SSLv2 header and not TLS header

Asterisk Bug Tracker noreply at bugs.digium.com
Wed Apr 29 16:13:45 CDT 2009


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=14768 
====================================================================== 
Reported By:                TheOldSaint
Assigned To:                dvossel
====================================================================== 
Project:                    Asterisk
Issue ID:                   14768
Category:                   Channels/chan_sip/TCP-TLS
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     assigned
Asterisk Version:           1.6.1-rc1 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2009-03-26 15:10 CDT
Last Modified:              2009-04-29 16:13 CDT
====================================================================== 
Summary:                    TLS Client Hello handshake sent within SSLv2 header and not TLS header
Description: 
This issue is found with Asterisk 1.6.1rc1 build. The network consists of a
3rd party gateway/SIP server (Avaya CM or Cisco UCM) on one end and
Asterisk on the other. I have enabled TLS on each of the servers. The call
scenario is as below -

Avaya 9620 SIP phone is an Avaya CM end point
Snom 300 SIP phone is an Asterisk end point

Avaya 9620 <-TLS-> Avaya CM <---TLS---> Asterisk 1.6.1rc1 <-TLS-> Snom 300

A call from Avaya to Asterisk goes fine with SIP over TLS end to end.
The problem comes when calling from Asterisk to Avaya. In this case,
Asterisk sends a Client Hello to establish a TLS connection with Avaya.
This Client Hello contains a 'SSLv2 Record layer' in the TCP packet as
opposed to 'TLS Record Layer'. Within the 'SSLv2 Record layer' there is a
'Version' header of TLS 1.0. The ideal packet should have contained a 'TLS
Record Layer' header with a 'Version' header of TLS 1.0. Because of this
incompatibility, many industry standard SIP servers/Gateways reject the TLS
handshake and the call cannot complete.

Attached is a screenshot of SSL header from Avaya and that from Asterisk
for the Client Hello.
====================================================================== 

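To see the two framings the report contrasts, here is an added Python example (not from the bug tracker, the reporter, or Asterisk) that classifies a Client Hello by its record-layer framing and reports the client version it advertises. Both packets are constructed for illustration, not captured from the reporter's network.

```python
import struct

VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def version_name(major, minor):
    return VERSION_NAMES.get((major, minor), f"unknown {major}.{minor}")


def classify_client_hello(data):
    """Return the record framing and the client version a Client Hello advertises.

    SSLv2-compatible framing: first byte has the high bit set, 15-bit length,
    then a CLIENT-HELLO message (type 0x01) carrying the version.
    TLS record-layer framing: content type 0x16, record version, 2-byte length,
    then a ClientHello handshake message (type 0x01) carrying the version.
    """
    if len(data) < 5:
        raise ValueError("truncated record")
    if data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]   # 2-byte header, no padding byte
        body = data[2:2 + length]
        if len(body) < 9 or body[0] != 0x01:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        cs_len, _sid_len, chal_len = struct.unpack("!HHH", body[3:9])
        return {"record_layer": "SSLv2", "version": version_name(body[1], body[2]),
                "cipher_specs": cs_len // 3, "challenge_len": chal_len}
    if data[0] == 0x16:
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 6 or hs[0] != 0x01:
            raise ValueError("TLS record is not a ClientHello handshake")
        return {"record_layer": "TLS", "record_version": version_name(data[1], data[2]),
                "version": version_name(hs[4], hs[5])}
    raise ValueError("not a Client Hello in either framing")


# Constructed samples: both advertise TLS 1.0 and the same two cipher suites,
# but one is wrapped in an SSLv2 record and the other in a TLS record.
_v2_body = (b"\x01\x03\x01" + struct.pack("!HHH", 6, 0, 16)
            + b"\x00\x00\x2f\x00\x00\x0a" + b"\x00" * 16)
SSLV2_FRAMED_HELLO = bytes([0x80 | (len(_v2_body) >> 8), len(_v2_body) & 0xFF]) + _v2_body

_hs_body = b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x04\x00\x2f\x00\x0a" + b"\x01\x00"
_handshake = b"\x01" + len(_hs_body).to_bytes(3, "big") + _hs_body
TLS_FRAMED_HELLO = b"\x16\x03\x01" + struct.pack("!H", len(_handshake)) + _handshake

if __name__ == "__main__":
    for name, pkt in (("SSLv2-framed", SSLV2_FRAMED_HELLO), ("TLS-framed", TLS_FRAMED_HELLO)):
        print(name, classify_client_hello(pkt))
```

Run against a capture's first TCP payload bytes, the same check tells you which framing a peer sent before you look at the version field inside it.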
---------------------------------------------------------------------- 
 (0103966) svnbot (reporter) - 2009-04-29 16:13
 http://bugs.digium.com/view.php?id=14768#c103966 
---------------------------------------------------------------------- 
Repository: asterisk
Revision: 191177

U   trunk/CHANGES
U   trunk/configs/sip.conf.sample
U   trunk/include/asterisk/tcptls.h
U   trunk/main/tcptls.c

------------------------------------------------------------------------
r191177 | dvossel | 2009-04-29 16:13:44 -0500 (Wed, 29 Apr 2009) | 13 lines

SIP option to specify outbound TLS/SSL client protocol.

chan_sip allows for outbound TLS connections, but does not allow the user
to specify what protocol to use (default was SSLv2, and still is if this
new option is not specified).  This patch lets the user pick the SSL/TLS
client method for outbound connections in sip.

(closes issue http://bugs.digium.com/view.php?id=14770)
Reported by: TheOldSaint

(closes issue http://bugs.digium.com/view.php?id=14768)
Reported by: TheOldSaint

Review: http://reviewboard.digium.com/r/240/


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=191177 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-04-29 16:13 svnbot         Checkin                                      
2009-04-29 16:13 svnbot         Note Added: 0103966                          
======================================================================