[asterisk-bugs] [Asterisk 0014768]: TLS Client Hello handshake sent within SSLv2 header and not TLS header
Asterisk Bug Tracker
noreply at bugs.digium.com
Wed Apr 29 16:14:29 CDT 2009
A NOTE has been added to this issue.
======================================================================
http://bugs.digium.com/view.php?id=14768
======================================================================
Reported By: TheOldSaint
Assigned To: dvossel
======================================================================
Project: Asterisk
Issue ID: 14768
Category: Channels/chan_sip/TCP-TLS
Reproducibility: always
Severity: major
Priority: normal
Status: closed
Asterisk Version: 1.6.1-rc1
Regression: No
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
Resolution: fixed
Fixed in Version:
======================================================================
Date Submitted: 2009-03-26 15:10 CDT
Last Modified: 2009-04-29 16:14 CDT
======================================================================
Summary: TLS Client Hello handshake sent within SSLv2 header and not TLS header
Description:
This issue is found with Asterisk 1.6.1rc1 build. The network consists of a
3rd party gateway/SIP server (Avaya CM or Cisco UCM) on one end and
Asterisk on the other. I have enabled TLS on each of the servers. The call
scenario is as below -
Avaya 9620 SIP phone is an Avaya CM end point
Snom 300 SIP phone is an Asterisk end point
Avaya 9620 <-TLS-> Avaya CM <---TLS---> Asterisk 1.6.1rc1 <-TLS-> Snom 300
A call from Avaya to Asterisk goes fine with SIP over TLS end to end.
The problem comes when calling from Asterisk to Avaya. In this case,
Asterisk sends a Client Hello to establish a TLS connection with Avaya.
This Client Hello contains a 'SSLv2 Record layer' in the TCP packet as
opposed to 'TLS Record Layer'. Within the 'SSLv2 Record layer' there is a
'Version' header of TLS 1.0. The ideal packet should have contained a 'TLS
Record Layer' header with a 'Version' header of TLS 1.0. Because of this
incompatibility, many industry standard SIP servers/Gateways reject the TLS
handshake and the call cannot complete.
Attached is a screenshot of SSL header from Avaya and that from Asterisk
for the Client Hello.
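The distinction the reporter saw in the capture is visible in the first bytes of the ClientHello: a TLS record layer starts with content type 0x16 and a version, while an SSLv2-compatible record starts with a two-byte length whose high bit is set, followed by message type 0x01. The following is an added example, not code from the bug report or from Asterisk, that parses both encodings; the two sample hellos are constructed inline and both advertise version 0x0301 (TLS 1.0).

```python
# Added example, not from the Asterisk report: classify the record header that
# wraps a ClientHello, the distinction the reporter saw in the capture.
#   TLS record layer:   0x16 | version(2) | length(2) | handshake type 0x01 ...
#   SSLv2 record layer: 2-byte length (high bit set) | msg type 0x01 | version(2)
# Both constructed samples below advertise version 0x0301 (TLS 1.0).

VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def classify_client_hello(data: bytes) -> dict:
    """Return which record layer wraps the ClientHello and the version it carries."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes of record header")
    if data[0] == 0x16 and data[1] == 0x03:            # TLS record, content type 22
        rec_len = int.from_bytes(data[3:5], "big")
        if len(data) < 11 or data[5] != 0x01:           # handshake type 1 = ClientHello
            raise ValueError("TLS record does not carry a ClientHello")
        ver = (data[9], data[10])
        layer = "TLS"
    elif data[0] & 0x80:                                # SSLv2 2-byte header, 15-bit length
        rec_len = int.from_bytes(data[:2], "big") & 0x7FFF
        if data[2] != 0x01:                             # SSLv2 CLIENT-HELLO message type
            raise ValueError("SSLv2 record does not carry a CLIENT-HELLO")
        ver = (data[3], data[4])
        layer = "SSLv2"
    else:
        raise ValueError("unrecognised record header")
    return {"record_layer": layer, "record_len": rec_len,
            "version": VERSION_NAMES.get(ver, f"unknown {ver[0]}.{ver[1]}")}

def build_tls_client_hello(version: bytes = b"\x03\x01") -> bytes:
    """Constructed sample: minimal ClientHello inside a TLS record layer."""
    # version, 32-byte random, empty session id, one cipher suite, null compression
    body = version + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake

def build_sslv2_client_hello(version: bytes = b"\x03\x01") -> bytes:
    """Constructed sample: the same hello inside an SSLv2-compatible record header."""
    cipher_specs, challenge = b"\x00\x00\x2f", bytes(16)   # one 3-byte spec, 16-byte challenge
    body = (b"\x01" + version + len(cipher_specs).to_bytes(2, "big") + b"\x00\x00"
            + len(challenge).to_bytes(2, "big") + cipher_specs + challenge)
    return (0x8000 | len(body)).to_bytes(2, "big") + body

if __name__ == "__main__":
    for sample in (build_tls_client_hello(), build_sslv2_client_hello()):
        print(classify_client_hello(sample))
```

A peer that only accepts a TLS record layer will reject the second form even though the version field inside it says TLS 1.0, which is the mismatch described above.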
======================================================================
----------------------------------------------------------------------
(0103968) svnbot (reporter) - 2009-04-29 16:14
http://bugs.digium.com/view.php?id=14768#c103968
----------------------------------------------------------------------
Repository: asterisk
Revision: 191178
_U branches/1.6.2/
------------------------------------------------------------------------
r191178 | dvossel | 2009-04-29 16:14:29 -0500 (Wed, 29 Apr 2009) | 18 lines
Blocked revisions 191177 via svnmerge
........
r191177 | dvossel | 2009-04-29 16:13:43 -0500 (Wed, 29 Apr 2009) | 13 lines
SIP option to specify outbound TLS/SSL client protocol.
chan_sip allows for outbound TLS connections, but does not allow the
user to specify what protocol to use (default was SSLv2, and still is if
this new option is not specified). This patch lets the user pick the
SSL/TLS client method for outbound connections in sip.
(closes issue http://bugs.digium.com/view.php?id=14770)
Reported by: TheOldSaint
(closes issue http://bugs.digium.com/view.php?id=14768)
Reported by: TheOldSaint
Review: http://reviewboard.digium.com/r/240/
........
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=191178
Issue History
Date Modified    Username   Field         Change
======================================================================
2009-04-29 16:14 svnbot     Checkin
2009-04-29 16:14 svnbot     Note Added    0103968
======================================================================