[asterisk-bugs] [JIRA] Created: (ASTERISK-20485) ssl connection failing with tls enabled using asterisk-11.0.0-beta1
Rick Long (JIRA)
noreply at issues.asterisk.org
Fri Sep 28 10:39:27 CDT 2012
ssl connection failing with tls enabled using asterisk-11.0.0-beta1
-------------------------------------------------------------------
Key: ASTERISK-20485
URL: https://issues.asterisk.org/jira/browse/ASTERISK-20485
Project: Asterisk
Issue Type: Bug
Security Level: None
Components: Channels/chan_sip/TCP-TLS
Environment: centos5_7, centos6_3, Phone (D40 and D50), asterisk11.0.0.beta1
Reporter: Rick Long
Severity: Minor
Steps to reproduce:
Step 1 Generate keys (Note: please enter the appropriate IP for your server/phones)
On your asterisk server, first,
#/home/asterisk-11.0.0-beta1/contrib/scripts/ast_tls_cert -C 10.10.8.192 -O "Digium TLS PBX1" -d /etc/asterisk/keys
Now generate keys for the phone(s),
#/home/asterisk-11.0.0-beta1/contrib/scripts/ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 10.10.9.135 -O "D40 Phone" -d /etc/asterisk/keys -o Phone1
#/home/asterisk-11.0.0-beta1/contrib/scripts/ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 10.10.9.224 -O "D50 Phone" -d /etc/asterisk/keys -o Phone2
Step 2 Copy ca.crt and the appropriate certs to the phone(s)
ex: scp ca.crt root@10.10.9.135:/etc/pki/tls/certs
ex: scp Phone1.pem root@10.10.9.135:/etc/pki/tls/certs
ex: scp ca.crt root@10.10.9.224:/etc/pki/tls/certs
ex: scp Phone2.pem root@10.10.9.224:/etc/pki/tls/certs
Step 3 Enable TLS for asterisk
inside sip.conf,
1) set tlsenable to yes
2) set transport to tls; this can be either global or under the extension itself, I don't think it matters
3) point tlscertfile and tlscafile to where you made your certificates, in this case the /etc/asterisk/keys directory
4) set your cipher, try tlscipher=AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5, or try tlscipher=ALL
5) set your client method, try tlsclientmethod=tlsv1:sslv3 ; values include tlsv1, sslv3, sslv2.
inside extensions.conf
1) set your call rule to use secure TLS signaling, I did this under the default section
ex: exten => 100,1,Set(CHANNEL(secure_bridge_signaling)=1)
same => n,Dial(SIP/100)
exten => 150,1,Set(CHANNEL(secure_bridge_signaling)=1)
same => n,Dial(SIP/150)
Step 4 Modify nvdata on the phone to register with tls instead of udp
On the phone inside /nvdata, make a file called hack.xml with the following:
<config>
<setting id="transport_tls_enabled" value="1" />
<setting id="transport_tls_port" value="5061" />
<setting id="config_server_url" value="sips:150@10.10.8.192:5062" />
<accounts>
<account index="0" status="1" register="1" conflict="replace" account_id="1102" username="150" authname="150" password="1
<host_primary server="10.10.8.192" port="5061" transport="tls" reregister="120" retry="25" num_retries="5" network="1
</account>
</accounts>
</config>
Now reboot the phone; this will overwrite what's in config.xml so you can register with the asterisk server using tls as transport, port 5061, sips instead of sip, etc...
This is only failing with asterisk-11.0.0-beta1; it works with Asterisk 1.8.15.1. You should see the error
"ssl connection: error:00000000 tcptls.c:244 handle_tcptls_connection: FILE * open failed!"
Using gdb and setting breakpoints at handle_tcptls_connection and __ssl_setup.
To keep things simple I have extension 150 on a D50 phone, and to simplify which call leg and which certificate it is failing on, I am merely calling myself: extension 150 dialing extension 150.
handle_tcptls_connection gets called, which in turn calls __ssl_setup, and we get a 'SSL certificate ok'; but then handle_tcptls_connection gets called again, which calls __ssl_setup, yet this time it fails. It's also failing in the same thread id:
[Sep 21 09:07:58] VERBOSE[5762] tcptls.c: SSL certificate ok
[Sep 21 09:08:07] DEBUG[5754] chan_phone.c: poll returned -1: Interrupted system call
[Sep 21 09:08:07] VERBOSE[5762] tcptls.c: == Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)
[Sep 21 09:08:07] WARNING[5762] tcptls.c: FILE * open failed!
At first I thought it may be due to an old version of openssl, but I can connect via openssl by entering this command on the phone:
# openssl s_client -connect 10.10.8.192:5061 -CAfile /etc/pki/tls/certs/ca.crt -cert /etc/pki/tls/certs/Phone1.pem -msg
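Step 3 above suggests tlscipher values containing RC4/MD5 (or ALL) and a tlsclientmethod that admits sslv3. The following is an added example, not part of the report or of Asterisk: a small parser for sip.conf-style text plus a check that flags those TLS settings on the constructed fragment below (the certificate path is a placeholder).

```python
import re
# Constructed sip.conf fragment mirroring the TLS settings from Step 3 above
# (assumed [general] section; the certificate path is a placeholder).
SIP_CONF = """
[general]
tlsenable=yes
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5   ; from Step 3, item 4
tlsclientmethod=tlsv1:sslv3                        ; from Step 3, item 5
"""

LEGACY_METHODS = {"sslv2", "sslv3"}            # protocol versions with known breaks
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "NULL", "EXPORT", "DES")

def parse_sip_conf(text):
    """Return {section: {key: value}} for sip.conf-style text; ';' comments are stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"^\[(.+?)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

def tls_findings(section):
    """List TLS settings in one section that weaken transport security or leave it off."""
    findings = []
    if section.get("tlsenable", "no").lower() != "yes":
        findings.append("tlsenable is not yes: no TLS listener")
    methods = [m.strip().lower() for m in section.get("tlsclientmethod", "").split(":")]
    for m in methods:
        if m in LEGACY_METHODS:
            findings.append(f"tlsclientmethod allows legacy protocol {m}")
    cipher = section.get("tlscipher", "")
    if cipher.upper() == "ALL":
        findings.append("tlscipher=ALL admits every suite OpenSSL knows, weak ones included")
    for suite in cipher.split(":"):
        if any(tok in suite.upper() for tok in WEAK_CIPHER_TOKENS):
            findings.append(f"weak cipher suite in tlscipher: {suite}")
    return findings

if __name__ == "__main__":
    for finding in tls_findings(parse_sip_conf(SIP_CONF)["general"]):
        print(finding)
```

Running it on the fragment reports sslv3 and the two RC4 suites; a section with tlsclientmethod=tlsv1 and only the AES suites yields no findings.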
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira