[asterisk-bugs] [Asterisk 0014770]: Need ability to select TLS version in outgoing messages

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Mar 26 15:57:15 CDT 2009


The following issue has been SUBMITTED. 
====================================================================== 
http://bugs.digium.com/view.php?id=14770 
====================================================================== 
Reported By:                TheOldSaint
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   14770
Category:                   Channels/chan_sip/TLS
Reproducibility:            always
Severity:                   feature
Priority:                   normal
Status:                     new
Asterisk Version:           1.6.1-rc1 
Regression:                 No 
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2009-03-26 15:57 CDT
Last Modified:              2009-03-26 15:57 CDT
====================================================================== 
Summary:                    Need ability to select TLS version in outgoing
messages
Description: 
This issue is found with Asterisk 1.6.1rc1 build. The network consists of a
3rd party gateway/SIP server (Avaya CM or Cisco UCM) on one end and
Asterisk on the other. I have enabled TLS on each of the servers. The call
scenario is as below -

Avaya 9620 SIP phone is an Avaya CM end point
Snom 300 SIP phone is an Asterisk end point

Avaya 9620 <-TLS-> Avaya CM <---TLS---> Asterisk 1.6.1rc1 <-TLS-> Snom 300

When calling from Asterisk end-point to Avaya end-point, Asterisk sends a
Client Hello to establish a TLS connection with Avaya. This Client Hello is
sent as a 'SSLv2 Record layer' in the TCP packet as opposed to 'TLS Record
Layer'. The ideal packet should have contained a 'TLS Record Layer' header
with a 'Version' header of TLS 1.0. It would be nice to make this
configurable within sip.conf, because many industry standard SIP
servers/Gateways reject the TLS handshake since it is not a TLS header but
an SSL header and the call cannot complete.

There is such a parameter in OpenSIPS called "tls_method = TLSv1". Other
values for this parameter are SSLv1 and SSLv23. Some such configurable
setting will be highly helpful in cases where the server that Asterisk is
trying to talk to (over TLS) supports only TLS 1.0 and not SSLv2 or SSLv3.
Such a parameter will help force Asterisk to initiate a TLS transaction
rather than an SSL transaction. I have attached two screenshots of traces,
one for the SSL transaction and the other for the TLS transaction.
====================================================================== 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-03-26 15:57 TheOldSaint    New Issue                                    
2009-03-26 15:57 TheOldSaint    Asterisk Version          => 1.6.1-rc1       
2009-03-26 15:57 TheOldSaint    Regression                => No              
2009-03-26 15:57 TheOldSaint    SVN Branch (only for SVN checkouts, not tarball releases) => N/A
======================================================================
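
Added example (not part of the original report and not Asterisk code): a check that tells the two Client Hello framings described above apart from the first bytes of a captured TCP payload. The function name and both sample byte strings are constructed for illustration.

```python
VERSIONS = {(0, 2): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def classify_client_hello(payload: bytes) -> dict:
    """Identify the record layer framing a Client Hello (hypothetical helper)."""
    unknown = {"record_layer": "unknown", "offered": None}
    if len(payload) < 5:
        return unknown
    # SSLv2 framing: 2-byte header with the high bit set and a 15-bit length,
    # then msg_type (1 = CLIENT-HELLO) and the highest version the client offers.
    if payload[0] & 0x80 and payload[2] == 0x01:
        declared = ((payload[0] & 0x7F) << 8) | payload[1]
        if declared < 9:  # msg_type + version + three 2-byte length fields
            return unknown
        offered = VERSIONS.get((payload[3], payload[4]), "unrecognized")
        return {"record_layer": "SSLv2", "offered": offered}
    # SSLv3/TLS framing: content type 22 (handshake), record version, 2-byte
    # length, handshake type (1 = ClientHello), 3-byte length, and then
    # client_version at offsets 9-10.
    if payload[0] == 0x16 and payload[1] == 0x03:
        if len(payload) < 11 or payload[5] != 0x01:
            return unknown
        return {"record_layer": "SSLv3/TLS",
                "record_version": VERSIONS.get((payload[1], payload[2]), "unrecognized"),
                "offered": VERSIONS.get((payload[9], payload[10]), "unrecognized")}
    return unknown


# Constructed samples (not taken from the traces attached to the report).
SSLV2_FRAMED_HELLO = (
    bytes([0x80, 0x2E, 0x01, 0x03, 0x01])            # header (len 46), type, version 3.1
    + bytes([0x00, 0x15, 0x00, 0x00, 0x00, 0x10])    # cipher-spec/session-id/challenge lengths
    + bytes(21) + bytes(16))                         # placeholder cipher specs and challenge
TLS_FRAMED_HELLO = (
    bytes([0x16, 0x03, 0x01, 0x00, 0x2D])            # handshake record, TLS 1.0, len 45
    + bytes([0x01, 0x00, 0x00, 0x29, 0x03, 0x01])    # ClientHello, len 41, client_version 3.1
    + bytes(32)                                      # placeholder random
    + bytes([0x00, 0x00, 0x02, 0x00, 0x2F, 0x01, 0x00]))  # no session id, 1 suite, null compression

if __name__ == "__main__":
    for name, sample in (("sslv2-framed", SSLV2_FRAMED_HELLO),
                         ("tls-framed", TLS_FRAMED_HELLO)):
        print(name, classify_client_hello(sample))
```

Both samples offer TLS 1.0; only the framing differs, which is the distinction the report says strict peers reject on.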