[asterisk-bugs] [Asterisk 0014768]: TLS Client Hello handshake sent within SSLv2 header and not TLS header

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Mar 26 15:10:03 CDT 2009


The following issue has been SUBMITTED. 
====================================================================== 
http://bugs.digium.com/view.php?id=14768 
====================================================================== 
Reported By:                TheOldSaint
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   14768
Category:                   Channels/chan_sip/TLS
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     new
Asterisk Version:           1.6.1-rc1 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2009-03-26 15:10 CDT
Last Modified:              2009-03-26 15:10 CDT
====================================================================== 
Summary:                    TLS Client Hello handshake sent within SSLv2 header and not TLS header
Description: 
This issue is found with Asterisk 1.6.1rc1 build. The network consists of a
3rd party gateway/SIP server (Avaya CM or Cisco UCM) on one end and
Asterisk on the other. I have enabled TLS on each of the servers. The call
scenario is as below -

Avaya 9620 SIP phone is an Avaya CM end point
Snom 300 SIP phone is an Asterisk end point

Avaya 9620 <-TLS-> Avaya CM <---TLS---> Asterisk 1.6.1rc1 <-TLS-> Snom 300

A call from Avaya to Asterisk goes fine with SIP over TLS end to end.
The problem comes when calling from Asterisk to Avaya. In this case,
Asterisk sends a Client Hello to establish a TLS connection with Avaya.
This Client Hello contains a 'SSLv2 Record layer' in the TCP packet as
opposed to 'TLS Record Layer'. Within the 'SSLv2 Record layer' there is a
'Version' header of TLS 1.0. The ideal packet should have contained a 'TLS
Record Layer' header with a 'Version' header of TLS 1.0. Because of this
incompatibility, many industry standard SIP servers/Gateways reject the TLS
handshake and the call cannot complete.

  Attached is a screenshot of SSL header from Avaya and that from Asterisk
for the Client Hello.
====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-03-26 15:10 TheOldSaint    New Issue                                    
2009-03-26 15:10 TheOldSaint    Asterisk Version          => 1.6.1-rc1       
2009-03-26 15:10 TheOldSaint    Regression                => No              
2009-03-26 15:10 TheOldSaint    SVN Branch (only for SVN checkouts, not tarball releases) => N/A
======================================================================
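
The framing difference described in the report can be checked from the first bytes of a captured Client Hello. The following is an added example, not part of the original report or of Asterisk's code: the function names are hypothetical and both sample hellos are constructed inline.

```python
import struct

VERSIONS = {0x0002: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0"}


def classify_client_hello(data):
    """Return (framing, offered_version) for the first bytes a client sends."""
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        # TLS record: type(1)=handshake, version(2), length(2), followed by the
        # handshake header type(1)=client_hello, length(3), client_version(2).
        (version,) = struct.unpack("!H", data[9:11])
        return "TLS record layer", VERSIONS.get(version, hex(version))
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 record: 2-byte header with the high bit set (15-bit length),
        # then msg_type(1)=CLIENT-HELLO and the highest version offered(2).
        (version,) = struct.unpack("!H", data[3:5])
        return "SSLv2 record layer", VERSIONS.get(version, hex(version))
    return "unknown", "unknown"


def sample_sslv2_hello():
    """Constructed SSLv2-framed hello that offers TLS 1.0 (the reported case)."""
    cipher_specs = b"\x00\x00\x2f"   # one 3-byte cipher spec
    challenge = bytes(16)            # constructed all-zero challenge
    body = struct.pack("!BHHHH", 1, 0x0301, len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def sample_tls_hello():
    """Constructed TLS 1.0 hello carried in a TLS record."""
    body = struct.pack("!H", 0x0301) + bytes(32)   # client_version, random
    body += b"\x00"                                # empty session id
    body += b"\x00\x02\x00\x2f"                    # one cipher suite
    body += b"\x01\x00"                            # null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake


if __name__ == "__main__":
    for name, pkt in (("sslv2", sample_sslv2_hello()), ("tls", sample_tls_hello())):
        print(name, pkt[:5].hex(), classify_client_hello(pkt))
```

Both samples offer TLS 1.0; only the outer framing differs, which is the distinction the report draws between the two captures.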



