[asterisk-bugs] [JIRA] Updated: (ASTERISK-20485) SSL connection failing with TLS enabled - "tcptls.c:244 handle_tcptls_connection: FILE * open failed!"
Rusty Newton (JIRA)
noreply at issues.asterisk.org
Mon Oct 1 09:45:27 CDT 2012
[ https://issues.asterisk.org/jira/browse/ASTERISK-20485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rusty Newton updated ASTERISK-20485:
------------------------------------
Regression: Yes
Summary: SSL connection failing with TLS enabled - "tcptls.c:244 handle_tcptls_connection: FILE * open failed!" (was: ssl connection failing with tls enabled using asterisk-11.0.0-beta1)
Marked this as regression, since it's possible "This is only failing with asterisk-11.0.0-beta1, but it works with Asterisk 1.8.15.1"
> SSL connection failing with TLS enabled - "tcptls.c:244 handle_tcptls_connection: FILE * open failed!"
> ------------------------------------------------------------------------------------------------------
>
> Key: ASTERISK-20485
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-20485
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Channels/chan_sip/TCP-TLS
> Environment: centos5_7, centos6_3, Phone (D40 and D50), asterisk11.0.0.beta1
> Reporter: Rick Long
> Severity: Minor
> Attachments: extensions.conf, hack.xml, reference_notes.txt, sip.conf
>
>
> Steps to reproduce:
> Step 1 Generate Keys (Note: please enter the appropriate IP for your server/phones)
> On your asterisk server, first,
> #/home/asterisk-11.0.0-beta1/contrib/scripts/ast_tls_cert -C 10.10.8.192 -O "Digium TLS PBX1" -d /etc/asterisk/keys
> Now generate keys for the phone(s),
> #/home/asterisk-11.0.0-beta1/contrib/scripts/ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 10.10.9.135 -O "D40 Phone" -d /etc/asterisk/keys -o Phone1
> #/home/asterisk-11.0.0-beta1/contrib/scripts/ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 10.10.9.224 -O "D50 Phone" -d /etc/asterisk/keys -o Phone2
> Step 2 copy ca.crt and the appropriate certs to the phone(s)
> ex: scp ca.crt root at 10.10.9.135:/etc/pki/tls/certs
> ex: scp Phone1.pem root at 10.10.9.135:/etc/pki/tls/certs
> ex: scp ca.crt root at 10.10.9.224:/etc/pki/tls/certs
> ex: scp Phone2.pem root at 10.10.9.224:/etc/pki/tls/certs
> Step 3 Enable TLS for asterisk
> inside sip.conf,
> 1) set tlsenable to yes
> 2) set transport to tls; this can be either global or under the extension itself, I don't think it matters
> 3) point tlscertfile, tlscafile to where you made your certificates, in this case it's /etc/asterisk/keys directory
> 4) set your cipher, try tlscipher=AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5, or try tlscipher=ALL
> 5) set your client method, try tlsclientmethod=tlsv1:sslv3 ; values include tlsv1, sslv3, sslv2.
> inside extensions.conf
> 1) set your call rule to use secure TLS signaling, I did this under the default section
> ex: exten => 100,1,Set(CHANNEL(secure_bridge_signaling)=1)
> same => n,Dial(SIP/100)
> exten => 150,1,Set(CHANNEL(secure_bridge_signaling)=1)
> same => n,Dial(SIP/150)
> Step 4 Modify nvdata on the phone to register with tls instead of udp
> On the phone inside /nvdata, make a file called hack.xml with the following:
> <config>
> <setting id="transport_tls_enabled" value="1" />
> <setting id="transport_tls_port" value="5061" />
> <setting id="config_server_url" value="sips:150 at 10.10.8.192:5062" />
> <accounts>
> <account index="0" status="1" register="1" conflict="replace" account_id="1102" username="150" authname="150" password="1
> <host_primary server="10.10.8.192" port="5061" transport="tls" reregister="120" retry="25" num_retries="5" network="1
> </account>
> </accounts>
> </config>
> Now reboot the phone; this will overwrite what's in config.xml so you can register with the asterisk server using tls as transport, port 5061, sips instead of sip, etc.
> This only fails with asterisk-11.0.0-beta1, but it works with Asterisk 1.8.15.1; you should see the error
> "ssl connection: error:00000000 tcptls.c:244 handle_tcptls_connection: FILE * open failed!"
> Using gdb and setting breakpoints at handle_tcptls_connection and __ssl_setup.
> To keep things simple I have extension 150 on a D50 phone and to simplify which call leg and which certificate it is failing on, I am merely calling myself, extension 150 dialing extension 150.
> handle_tcptls_connection gets called, which in turn calls __ssl_setup, and we get an 'SSL certificate ok'; but then handle_tcptls_connection gets called again, which calls __ssl_setup, and this time it fails. It's also failing in the same thread id:
> [Sep 21 09:07:58] VERBOSE[5762] tcptls.c: SSL certificate ok
> [Sep 21 09:08:07] DEBUG[5754] chan_phone.c: poll returned -1: Interrupted system call
> [Sep 21 09:08:07] VERBOSE[5762] tcptls.c: == Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)
> [Sep 21 09:08:07] WARNING[5762] tcptls.c: FILE * open failed!
> At first I thought it might be due to an old version of openssl, but I can connect via openssl by entering this command on the phone:
> # openssl s_client -connect 10.10.8.192:5061 -CAfile /etc/pki/tls/certs/ca.crt -cert /etc/pki/tls/certs/Phone1.pem -msg
> Also, if you are having trouble registering the phones with the hack.xml and they aren't showing up in 'sip show peers' as registered, please try registering them using dbus commands as follows:
> #dbus-send --system --type=signal / com.digium.cbridge.req.reg_account string:account_slot string:1 string:account_subslot string:0 string:id string:'"150" <sips:150 at 10.10.8.192:5061;transport=TLS>' string:username string:150 string:password string:150 string:reg_uri string:"sips:10.10.8.192:5061;transport=TLS" string:reg_timeout string:300 string:reg_retry_interval string:25 string:expires string:-1 string:status_text string:"Service Unavailable" string:is_primary string:true
> #dbus-send --system --type=signal / com.digium.cbridge.req.reg_account string:account_slot string:1 string:account_subslot string:0 string:id string:'"100" <sips:100 at 10.10.8.192:5061;transport=TLS>' string:username string:100 string:password string:100 string:reg_uri string:"sips:10.10.8.192:5061;transport=TLS" string:reg_timeout string:300 string:reg_retry_interval string:25 string:0 string:503 string:expires string:-1 string:status_text string:"Service Unavailable" string:is_primary string:true
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
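The sip.conf TLS settings in Step 3 of the report are worth checking before they are copied: tlsclientmethod=tlsv1:sslv3 keeps SSLv3 negotiable for Asterisk's outbound TLS connections (per sip.conf.sample that option governs outbound client connections only), and tlscipher=ALL, or a list containing RC4-SHA and RC4-MD5, lets the peer select broken suites. The script below is an added example, not code from the Asterisk project or from the bug reporter: it parses the ini-style syntax Asterisk uses and flags those settings. Both embedded configs are constructed for the example; the weak one uses the values the report suggests trying, the hardened one keeps tlsv1, the only non-SSL value the report lists for tlsclientmethod on that build. The key paths, the [150] peer section and the cipher lists are assumptions.

```python
"""Audit the TLS options in an Asterisk chan_sip sip.conf.

Added example for this page, not code from the Asterisk project or the bug
reporter. It reads the ini-style syntax Asterisk uses (';' comments,
'key=value' or 'key => value', repeated keys allowed) with a small parser,
then flags TLS settings a reviewer would reject: sslv2/sslv3 in
tlsclientmethod, catch-all or RC4/MD5/NULL/export/anonymous suites in
tlscipher, and tlsdontverifyserver=yes.
"""
import re

WEAK_METHODS = {"sslv2", "sslv3"}
CATCH_ALL_CIPHERS = {"ALL", "COMPLEMENTOFALL"}     # OpenSSL keywords that enable every suite
WEAK_CIPHER_PARTS = {"RC4", "MD5", "NULL", "EXP", "EXPORT", "ADH", "AECDH"}

REASON_METHOD = "SSLv2/SSLv3 negotiation enabled for outbound TLS"
REASON_CATCHALL = "catch-all cipher list hands suite choice to the peer"
REASON_SUITE = "broken or unauthenticated cipher suite"
REASON_NOVERIFY = "server certificate verification disabled"

# Constructed from the values the report suggests trying; the paths assume the
# ast_tls_cert invocation in the report (-d /etc/asterisk/keys, default name asterisk).
WEAK_CONF = """\
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5   ; RC4 and MD5 suites
tlsclientmethod=tlsv1:sslv3                        ; SSLv3 fallback
transport=tls

[150]
type=friend
host=dynamic
transport=tls
"""

# Same layout with the weak entries removed (constructed, assumed hardened config).
HARDENED_CONF = """\
[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=AES256-SHA:AES128-SHA
tlsclientmethod=tlsv1

[150]
type=friend
host=dynamic
transport=tls
"""


def ast_true(value):
    """Mirror the truthy spellings Asterisk's ast_true() accepts."""
    return value.strip().lower() in {"yes", "true", "y", "t", "1", "on"}


def _tokens(value):
    """Split a colon-separated option value into non-empty, stripped tokens."""
    return [t.strip() for t in value.split(":") if t.strip()]


def parse_sip_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicate keys."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]        # "[name](!)" template suffix is dropped
            sections.setdefault(current, [])
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)           # handles both "k=v" and "k => v"
            sections[current].append((key.strip().lower(), value.lstrip(">").strip()))
    return sections


def audit_tls(sections):
    """Return (section, option, offending value, reason) for each weak TLS setting."""
    findings = []
    for section, pairs in sections.items():
        opts = dict(pairs)                            # last assignment wins, as for Asterisk scalar options
        for token in _tokens(opts.get("tlsclientmethod", "")):
            if token.lower() in WEAK_METHODS:
                findings.append((section, "tlsclientmethod", token, REASON_METHOD))
        for suite in _tokens(opts.get("tlscipher", "")):
            if suite.upper() in CATCH_ALL_CIPHERS:
                findings.append((section, "tlscipher", suite, REASON_CATCHALL))
            elif set(re.split(r"[-+]", suite.upper())) & WEAK_CIPHER_PARTS:
                findings.append((section, "tlscipher", suite, REASON_SUITE))
        if ast_true(opts.get("tlsdontverifyserver", "no")):
            findings.append((section, "tlsdontverifyserver",
                             opts["tlsdontverifyserver"], REASON_NOVERIFY))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for finding in audit_tls(parse_sip_conf(conf)):
            print("  [%s] %s=%s: %s" % finding)
```

Run it as-is to see the findings for both embedded configs, or call audit_tls(parse_sip_conf(open("/etc/asterisk/sip.conf").read())) against a live file. The parser is deliberately small: it does not follow #include directives or template inheritance, and an empty result means only that these three options look sane, not that the certificate and key files referenced by tlscertfile/tlscafile are valid or readable by the asterisk user.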
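The log excerpt in the report shows the sequence the reporter describes: "SSL certificate ok" on thread 5762, then "Problem setting up ssl connection" and "FILE * open failed!" nine seconds later on the same thread, with an OpenSSL error code of 00000000. The script below is an added example, not Asterisk code and not part of the report: it parses that logger line format, groups events per thread, flags any thread whose handshake succeeded and then failed, and unpacks the error code (0 means ERR_get_error() found an empty queue, so OpenSSL itself raised no error for that failure; the lib/func/reason field layout assumed here is that of OpenSSL releases before 3.0). The sample input embeds the four lines from the report plus one constructed line for a healthy thread, 5760, which is not on the page.

```python
"""Correlate Asterisk tcptls.c log lines by thread id.

Added example for this page; not Asterisk code and not part of the bug report.
It parses the core-logger line format shown in the report
("[Mon DD HH:MM:SS] LEVEL[thread] file.c: message"), groups events per
thread, and flags threads where "SSL certificate ok" is followed by a TLS
setup failure, which is the sequence the reporter saw. It also unpacks the
"error:XXXXXXXX" code that OpenSSL's ERR_error_string() prints.
"""
import re

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\[(?P<tid>\d+)\]\s+(?P<file>\S+):\s+(?P<msg>.*)$")
ERR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8})")

OK_MARK = "SSL certificate ok"
FAIL_MARKS = ("Problem setting up ssl connection", "FILE * open failed")

# Four lines copied from the report plus one constructed line (thread 5760,
# a handshake that never failed) for contrast; the constructed line is not from the page.
SAMPLE_LOG = """\
[Sep 21 09:07:50] VERBOSE[5760] tcptls.c: SSL certificate ok
[Sep 21 09:07:58] VERBOSE[5762] tcptls.c: SSL certificate ok
[Sep 21 09:08:07] DEBUG[5754] chan_phone.c: poll returned -1: Interrupted system call
[Sep 21 09:08:07] VERBOSE[5762] tcptls.c: == Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)
[Sep 21 09:08:07] WARNING[5762] tcptls.c: FILE * open failed!
"""


def parse_log(text):
    """Return one dict (ts, level, tid, file, msg) per line that matches the logger format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def decode_openssl_error(msg):
    """Unpack 'error:XXXXXXXX' into the pre-3.0 OpenSSL packed fields.

    Layout assumed: 8-bit library id, 12-bit function id, 12-bit reason id.
    Returns None when the message carries no error code.
    """
    m = ERR_RE.search(msg)
    if not m:
        return None
    code = int(m.group("code"), 16)
    return {
        "code": code,
        "lib": code >> 24,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "queue_empty": code == 0,   # ERR_get_error() returned 0: OpenSSL reported nothing
    }


def find_failed_tls_threads(events):
    """Return (tid, ok_ts, fail_ts, fail_msg) for each thread that verified a
    certificate and then logged a TLS setup failure; one entry per thread."""
    ok_seen = {}
    reported = set()
    results = []
    for ev in events:
        if ev["file"] != "tcptls.c":
            continue
        tid = ev["tid"]
        if OK_MARK in ev["msg"]:
            ok_seen.setdefault(tid, ev["ts"])
        elif (any(mark in ev["msg"] for mark in FAIL_MARKS)
              and tid in ok_seen and tid not in reported):
            results.append((tid, ok_seen[tid], ev["ts"], ev["msg"]))
            reported.add(tid)
    return results


if __name__ == "__main__":
    for tid, ok_ts, fail_ts, msg in find_failed_tls_threads(parse_log(SAMPLE_LOG)):
        print("thread %s: cert ok at %s, failed at %s: %s" % (tid, ok_ts, fail_ts, msg))
        err = decode_openssl_error(msg)
        if err and err["queue_empty"]:
            print("  OpenSSL error queue was empty; the failure was not raised by OpenSSL")
```

To use it on a real system, replace SAMPLE_LOG with the contents of the full Asterisk log file (the "full" log from logger.conf, with verbose and debug enabled). The per-thread grouping is the point: several TLS sessions are set up concurrently, so an "ok" line from one thread can sit between the lines of another, and matching by adjacency alone would pair the wrong events.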