[asterisk-bugs] [JIRA] Updated: (ASTERISK-20485) ssl connection failing with tls enabled using asterisk-11.0.0-beta1

Rusty Newton (JIRA) noreply at issues.asterisk.org
Mon Oct 1 09:41:27 CDT 2012


     [ https://issues.asterisk.org/jira/browse/ASTERISK-20485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rusty Newton updated ASTERISK-20485:
------------------------------------

    Reference Notes: [Edit by Rusty Newton - moved reference notes to an attachment]  (was: *CLI> [New Thread 0xb69ffb90 (LWP 5759)]
[Switching to Thread 0xb69ffb90 (LWP 5759)]

Breakpoint 1, handle_tcptls_connection (data=0x8a365dc) at tcptls.c:149
149             int (*ssl_setup)(SSL *) = (tcptls_session->client) ? SSL_connect : SSL_accept;

[Sep 21 09:07:50] DEBUG[5761][C-00000000]: channel.c:6446 ast_channel_inherit_variables: Not copying variable DIALEDPEERNUMBER.
[Sep 21 09:07:50] DEBUG[5761][C-00000000]: channel.c:6446 ast_channel_inherit_variables: Not copying variable DIALSTATUS.
[Sep 21 09:07:50] DEBUG[5761][C-00000000]: channel.c:6446 ast_channel_inherit_variables: Not copying variable SIPCALLID.
[Sep 21 09:07:50] DEBUG[5761][C-00000000]: channel.c:6446 ast_channel_inherit_variables: Not copying variable SIPDOMAIN.
[Sep 21 09:07:50] DEBUG[5761][C-00000000]: channel.c:6446 ast_channel_inherit_variables: Not copying variable SIPURI.
[Sep 21 09:07:50] DEBUG[5761][C-00000000]: chan_sip.c:5971 sip_call: Outgoing Call for 150
[Sep 21 09:07:50] DEBUG[5761][C-00000000]: chan_sip.c:6281 update_call_counter: Updating call counter for outgoing call
[Sep 21 09:07:50] DEBUG[5761][C-00000000]: chan_sip.c:12429 add_sdp: This call needs video offers, but there's no video support enabled!
[Sep 21 09:07:50] DEBUG[5761][C-00000000]: chan_sip.c:12477 add_sdp: ** Our capability: (gsm|ulaw|alaw|h263|testlaw) Video flag: False Text flag: False
[Sep 21 09:07:50] DEBUG[5761][C-00000000]: chan_sip.c:12478 add_sdp: ** Our prefcodec: (ulaw)
[Sep 21 09:07:50] DEBUG[5761][C-00000000]: chan_sip.c:12607 add_sdp: -- Done with adding codecs to SDP
[Sep 21 09:07:50] DEBUG[5761][C-00000000]: chan_sip.c:12806 add_sdp: Done building SDP. Settling with this capability: (gsm|ulaw|alaw|h263|testlaw)
[Sep 21 09:07:50] DEBUG[5761][C-00000000]: chan_sip.c:3225 initialize_initreq: Initializing initreq for method INVITE - callid 452818882458c39157feb51222d1fd38 at 10.10.8.192:5061
[Sep 21 09:07:50] DEBUG[5761][C-00000000]: chan_sip.c:3582 __sip_xmit: Trying to put 'INVITE sip:' onto TLS socket destined for 10.10.9.135:5061
[New Thread 0xb6987b90 (LWP 5762)]
[Sep 21 09:07:50] DEBUG[5754]: chan_phone.c:1091 do_monitor: poll returned -1: Interrupted system call
[Sep 21 09:07:50] DEBUG[5759]: chan_sip.c:2748 _sip_tcp_helper_thread: SIP SSL server :: ast_wait_for_input returned -1
[Sep 21 09:07:50] DEBUG[5754]: chan_phone.c:1091 do_monitor: poll returned -1: Interrupted system call
[Thread 0xb69ffb90 (LWP 5759) exited]
    -- Called SIP/150
[Switching to Thread 0xb6987b90 (LWP 5762)]

Breakpoint 2, __ssl_setup (cfg=0x8afd390, client=1) at tcptls.c:319
319                     return 0;
(gdb) c
Continuing.
[Sep 21 09:07:58] DEBUG[5754]: chan_phone.c:1091 do_monitor: poll returned -1: Interrupted system call
SSL certificate ok

Breakpoint 1, handle_tcptls_connection (data=0x8aedc3c) at tcptls.c:149
149             int (*ssl_setup)(SSL *) = (tcptls_session->client) ? SSL_connect : SSL_accept;

(gdb) c
Continuing.
[Sep 21 09:08:07] DEBUG[5754]: chan_phone.c:1091 do_monitor: poll returned -1: Interrupted system call
  == Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)
[Sep 21 09:08:07] WARNING[5762]: tcptls.c:244 handle_tcptls_connection: FILE * open failed!
[Sep 21 09:08:07] DEBUG[5754]: chan_phone.c:1091 do_monitor: poll returned -1: Interrupted system call
[Thread 0xb6987b90 (LWP 5762) exited]
-----------------------------------------------------------------------------------------------------------

and inside the message log, we have:

[Sep 21 09:07:58] VERBOSE[5762] tcptls.c: SSL certificate ok
[Sep 21 09:08:07] DEBUG[5754] chan_phone.c: poll returned -1: Interrupted system call
[Sep 21 09:08:07] VERBOSE[5762] tcptls.c:   == Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)
[Sep 21 09:08:07] WARNING[5762] tcptls.c: FILE * open failed!)

> ssl connection failing with tls enabled using asterisk-11.0.0-beta1
> -------------------------------------------------------------------
>
>                 Key: ASTERISK-20485
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20485
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/TCP-TLS
>         Environment: centos5_7, centos6_3, Phone (D40 and D50), asterisk11.0.0.beta1
>            Reporter: Rick Long
>            Severity: Minor
>         Attachments: extensions.conf, hack.xml, reference_notes.txt, sip.conf
>
>
> Steps to reproduce:
> Step 1 Generate Keys (Note: please enter appropriate IP for your server/phones)
> On your asterisk server, first, 
> #/home/asterisk-11.0.0-beta1/contrib/scripts/ast_tls_cert -C 10.10.8.192 -O "Digium TLS PBX1" -d /etc/asterisk/keys
> Now generate keys for the phone(s),
> #/home/asterisk-11.0.0-beta1/contrib/scripts/ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 10.10.9.135 -O "D40 Phone" -d /etc/asterisk/keys -o Phone1
> #/home/asterisk-11.0.0-beta1/contrib/scripts/ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 10.10.9.224 -O "D50 Phone" -d /etc/asterisk/keys -o Phone2
> Step 2 Copy ca.crt and appropriate certs to the phone(s)
> ex: scp ca.crt root@10.10.9.135:/etc/pki/tls/certs
> ex: scp Phone1.pem root@10.10.9.135:/etc/pki/tls/certs
> ex: scp ca.crt root@10.10.9.224:/etc/pki/tls/certs
> ex: scp Phone2.pem root@10.10.9.224:/etc/pki/tls/certs
> Step 3 Enable TLS for asterisk 
> inside sip.conf, 
> 1) set tlsenable to yes
> 2) set transport to tls; this can be either global or under the extension itself, I don't think it matters
> 3) point tlscertfile, tlscafile to where you made your certificates, in this case it's /etc/asterisk/keys directory
> 4) set your cipher, try tlscipher=AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5, or try tlscipher=ALL
> 5) set your client method, try tlsclientmethod=tlsv1:sslv3     ; values include tlsv1, sslv3, sslv2.
> inside extensions.conf
> 1) set your call rule to use secure TLS signaling; I did this under the default section
> ex: exten => 100,1,Set(CHANNEL(secure_bridge_signaling)=1)
>     same => n,Dial(SIP/100)
>     exten => 150,1,Set(CHANNEL(secure_bridge_signaling)=1)
>     same => n,Dial(SIP/150)
> Step 4 Modify nvdata on the phone to register with tls instead of udp
> On the phone inside /nvdata, make a file called hack.xml with the following:
> <config>
>     <setting id="transport_tls_enabled" value="1" />
>     <setting id="transport_tls_port" value="5061" />
>     <setting id="config_server_url" value="sips:150@10.10.8.192:5062" />
>     <accounts>
>         <account index="0" status="1" register="1" conflict="replace" account_id="1102" username="150" authname="150" password="1
>             <host_primary server="10.10.8.192" port="5061" transport="tls" reregister="120" retry="25" num_retries="5" network="1
>         </account>
>     </accounts>
> </config>
> Now reboot the phone; this will overwrite what's in config.xml so you can register with the asterisk server using tls as transport, port 5061, sips instead of sip, etc.
> This only fails with asterisk-11.0.0-beta1; it works with Asterisk 1.8.15.1. You should see the error
> "ssl connection: error:00000000 tcptls.c:244 handle_tcptls_connection: FILE * open failed!"
> Using gdb and setting breakpoints at handle_tcptls_connection and __ssl_setup.
> To keep things simple I have extension 150 on a D50 phone, and to simplify which call leg and which certificate it is failing on, I am merely calling myself: extension 150 dialing extension 150.
> handle_tcptls_connection gets called, which in turn calls __ssl_setup, and we get 'SSL certificate ok'; but then handle_tcptls_connection gets called again, which calls __ssl_setup, yet this time it fails. It is also failing in the same thread id:
> [Sep 21 09:07:58] VERBOSE[5762] tcptls.c: SSL certificate ok
> [Sep 21 09:08:07] DEBUG[5754] chan_phone.c: poll returned -1: Interrupted system call
> [Sep 21 09:08:07] VERBOSE[5762] tcptls.c:   == Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)
> [Sep 21 09:08:07] WARNING[5762] tcptls.c: FILE * open failed!
> At first I thought it may be due to an old version of openssl, but I can connect via openssl by entering this command on the phone:
> # openssl s_client -connect 10.10.8.192:5061 -CAfile /etc/pki/tls/certs/ca.crt -cert /etc/pki/tls/certs/Phone1.pem -msg 
> Also, if you are having trouble registering the phones with the hack.xml and they aren't showing up in 'sip show peers' as registered, please try registering them using dbus commands as follows:
> #dbus-send --system --type=signal / com.digium.cbridge.req.reg_account string:account_slot string:1 string:account_subslot string:0 string:id string:'"150" <sips:150@10.10.8.192:5061;transport=TLS>' string:username string:150 string:password string:150 string:reg_uri string:"sips:10.10.8.192:5061;transport=TLS" string:reg_timeout string:300 string:reg_retry_interval string:25  string:expires string:-1 string:status_text string:"Service Unavailable" string:is_primary string:true
> #dbus-send --system --type=signal / com.digium.cbridge.req.reg_account string:account_slot string:1 string:account_subslot string:0 string:id string:'"100" <sips:100@10.10.8.192:5061;transport=TLS>' string:username string:100 string:password string:100 string:reg_uri string:"sips:10.10.8.192:5061;transport=TLS" string:reg_timeout string:300 string:reg_retry_interval string:25 string:0 string:503 string:expires string:-1 string:status_text string:"Service Unavailable" string:is_primary string:true

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
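The sip.conf settings from Step 3 of the report, as an added example that is not part of the report or of Asterisk: a small linter that parses an Asterisk-style config, flags the choices a security reviewer would object to in that step (the RC4 and MD5 suites, a tlscipher=ALL catch-all, sslv3 or sslv2 in tlsclientmethod, tlsdontverifyserver=yes), and emits a hardened [general] section beside the original. The option names are the chan_sip options from Asterisk 11's sip.conf.sample; the sample config, its file paths, the replacement cipher list and the treatment of tlsclientmethod as a single value rather than a list are this example's own assumptions.

```python
"""Lint and harden the SIP-over-TLS options in an Asterisk sip.conf.

Added example for this report, not Asterisk code. The option names
(tlsenable, tlscertfile, tlscafile, tlscipher, tlsclientmethod,
tlsdontverifyserver) are chan_sip options from Asterisk 11's
sip.conf.sample; SAMPLE_SIP_CONF is constructed from Step 3 of the
report, not the attached sip.conf, and its file paths are assumptions.
"""
import re
import ssl

# Constructed to mirror Step 3 of the report (not the attached sip.conf).
SAMPLE_SIP_CONF = """\
[general]
context=default
tlsenable=yes                   ; listen for SIP over TLS
transport=tls
tlscertfile=/etc/asterisk/keys/asterisk.pem   ; assumed ast_tls_cert output name
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5
tlsclientmethod=tlsv1:sslv3     ; values include tlsv1, sslv3, sslv2.

[150]
type=friend
transport=tls
"""

WEAK_CIPHER_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "EXP-", "ADH", "AECDH")
CATCH_ALL_CIPHERS = ("ALL", "DEFAULT", "COMPLEMENTOFALL", "COMPLEMENTOFDEFAULT")
LEGACY_METHODS = ("sslv2", "sslv3")
SAFE_CIPHERS = "AES256-SHA:AES128-SHA"  # assumption: the AES suites the reporter already lists
SAFE_METHOD = "tlsv1"                   # newest method name the report says Asterisk 11 accepts


def parse_asterisk_conf(text):
    """Parse the subset of Asterisk config syntax used here: [section] headers,
    'key=value' or 'key => value', and ';' comments. Later keys win."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        kv = re.match(r"^([^=\s]+)\s*=>?\s*(.*)$", line)
        if kv and current is not None:
            sections[current][kv.group(1).lower()] = kv.group(2).strip()
    return sections


def _is_weak(token):
    up = token.upper()
    return any(w in up for w in WEAK_CIPHER_TOKENS)


def lint_tls(general):
    """Return the findings for a [general] section; an empty list means clean."""
    findings = []
    if general.get("tlsenable", "no").lower() != "yes":
        findings.append("tlsenable is not 'yes': chan_sip opens no TLS listener")
    for key in ("tlscertfile", "tlscafile"):
        if not general.get(key):
            findings.append(f"{key} is unset")
    cipher = general.get("tlscipher")
    if not cipher:
        findings.append("tlscipher unset: OpenSSL's default list is used")
    else:
        for tok in cipher.split(":"):
            if tok.startswith(("!", "-")):      # exclusions never enable a suite
                continue
            if tok.upper() in CATCH_ALL_CIPHERS:
                findings.append(f"tlscipher: '{tok}' enables every suite this OpenSSL build has")
            elif _is_weak(tok):
                findings.append(f"tlscipher: weak suite '{tok}'")
    methods = [m for m in general.get("tlsclientmethod", "").lower().split(":") if m]
    if len(methods) > 1:
        # Assumption: chan_sip reads one method name here, so a list is not a list.
        findings.append(f"tlsclientmethod: '{general['tlsclientmethod']}' is a list; expected a single method")
    for m in methods:
        if m in LEGACY_METHODS:
            findings.append(f"tlsclientmethod: legacy protocol '{m}'")
    if general.get("tlsdontverifyserver", "no").lower() == "yes":
        findings.append("tlsdontverifyserver=yes: outbound TLS peers are not authenticated")
    return findings


def harden_tls(general):
    """Copy of the section with the weak settings replaced (paths are left alone)."""
    fixed = dict(general)
    fixed["tlsenable"] = "yes"
    kept = [t for t in general.get("tlscipher", "").split(":")
            if t and not t.startswith(("!", "-"))
            and t.upper() not in CATCH_ALL_CIPHERS and not _is_weak(t)]
    fixed["tlscipher"] = ":".join(kept) or SAFE_CIPHERS
    methods = [m for m in general.get("tlsclientmethod", "").lower().split(":")
               if m and m not in LEGACY_METHODS]
    fixed["tlsclientmethod"] = methods[0] if methods else SAFE_METHOD
    fixed.pop("tlsdontverifyserver", None)
    return fixed


def ciphers_accepted_locally(cipher_string):
    """Suite names the local OpenSSL keeps from a tlscipher string, or None if it
    rejects the whole string (a quick check of the 'old openssl' theory in the report)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    general = parse_asterisk_conf(SAMPLE_SIP_CONF)["general"]
    for finding in lint_tls(general):
        print("finding:", finding)
    hardened = harden_tls(general)
    print("\n[general]  ; hardened TLS options")
    for key in ("tlsenable", "tlscertfile", "tlscafile", "tlscipher", "tlsclientmethod"):
        print(f"{key}={hardened[key]}")
    print("\nlocal OpenSSL keeps:", ciphers_accepted_locally(general["tlscipher"]))
```

Run it as a script to see the four findings for the reporter's settings and the hardened block; ciphers_accepted_locally shows what the OpenSSL on the host you run it on actually makes of the same tlscipher string, which on a current build silently drops the RC4 suites and on a very old one may reject nothing at all.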
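The message-log lines quoted in the report, as an added example that is not part of the report or of Asterisk: a triage script that groups tcptls.c lines by thread id, which reproduces the reporter's observation that 'SSL certificate ok' and the handshake failure come from the same thread (5762), and decodes the OpenSSL error string. Two things worth reading off the trace: 'SSL certificate ok' is printed after breakpoint 2 (__ssl_setup) and before the handle_tcptls_connection breakpoint, so it reports that the local certificate and key loaded, not that the peer accepted anything; and error:00000000:lib(0):func(0):reason(0) is what ERR_error_string() prints when the OpenSSL error queue is empty, so the handshake call failed without OpenSSL recording a library error, which is what a peer closing the socket mid-handshake, or a socket-level error or EOF, looks like. The 'FILE * open failed!' warning is logged by the same function on the same thread straight after that failure. The fifth log line (thread 5770, 'tlsv1 alert unknown ca') is constructed for contrast and does not appear in the report.

```python
"""Triage Asterisk tcptls.c log lines and decode OpenSSL error strings.

Added example for this report, not Asterisk code. SAMPLE_LOG holds the four
message-log lines quoted in the report plus one constructed line (thread 5770)
showing a handshake rejected by the peer's CA check, for contrast.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[Sep 21 09:07:58] VERBOSE[5762] tcptls.c: SSL certificate ok
[Sep 21 09:08:07] DEBUG[5754] chan_phone.c: poll returned -1: Interrupted system call
[Sep 21 09:08:07] VERBOSE[5762] tcptls.c:   == Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)
[Sep 21 09:08:07] WARNING[5762] tcptls.c: FILE * open failed!
[Sep 21 09:09:00] VERBOSE[5770] tcptls.c:   == Problem setting up ssl connection: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
"""

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\[(?P<tid>\d+)\]\s+(?P<file>\S+):\s*(?P<msg>.*)$")
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)")


def parse_log(text):
    """One dict per line that matches Asterisk's '[date] LEVEL[tid] file: msg' layout."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["tid"] = int(e["tid"])
            entries.append(e)
    return entries


def decode_openssl_error(text):
    """Unpack the 32-bit code in an OpenSSL 1.x ERR_error_string():
    library in the top 8 bits, function in the next 12, reason in the low 12."""
    m = ERR_RE.search(text)
    if not m:
        return None
    code = int(m.group("code"), 16)
    return {"code": code, "lib": code >> 24, "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF, "reason_text": m.group("reason")}


def explain(err):
    if err["code"] == 0:
        # ERR_get_error() returned 0: nothing was queued, so the handshake call
        # failed at the socket level (peer closed the connection, EOF, errno).
        return "OpenSSL error queue empty: handshake failed without a library error"
    return f"lib {err['lib']} func {err['func']} reason {err['reason']}: {err['reason_text']}"


def triage_tls_threads(entries):
    """Summarise each tcptls.c thread: did the local cert/key load ('SSL certificate ok'
    comes from __ssl_setup, before the handshake), did the handshake fail, and why."""
    by_tid = defaultdict(list)
    for e in entries:
        if e["file"] == "tcptls.c":
            by_tid[e["tid"]].append(e)
    report = {}
    for tid, lines in by_tid.items():
        failure = next((e for e in lines if "Problem setting up ssl connection" in e["msg"]), None)
        err = decode_openssl_error(failure["msg"]) if failure else None
        report[tid] = {
            "cert_ok": any("SSL certificate ok" in e["msg"] for e in lines),
            "handshake_failed": failure is not None,
            "file_open_failed": any("FILE * open failed" in e["msg"] for e in lines),
            "error": err,
            "explanation": explain(err) if err else None,
        }
    return report


if __name__ == "__main__":
    for tid, summary in sorted(triage_tls_threads(parse_log(SAMPLE_LOG)).items()):
        print(tid, summary)
```

Feed it a full message log instead of SAMPLE_LOG and each outbound or inbound TLS attempt shows up as one thread entry; a non-zero code decodes to the library, function and reason numbers you can look up in the OpenSSL headers of the build in question (the constructed 0x14094418 is library 20, function 148, reason 1048, the TLS 'unknown ca' alert), while code 0 tells you to look at the peer and the socket rather than at OpenSSL.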


