[asterisk-bugs] [JIRA] Updated: (ASTERISK-20485) ssl connection failing with tls enabled using asterisk-11.0.0-beta1
Rick Long (JIRA)
noreply@issues.asterisk.org
Fri Sep 28 11:48:27 CDT 2012
[ https://issues.asterisk.org/jira/browse/ASTERISK-20485?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rick Long updated ASTERISK-20485:
---------------------------------
Description:
Steps to reproduce:
Step 1 Generate Keys (Note: please enter appropriate IP for your server/phones)
On your asterisk server, first,
#/home/asterisk-11.0.0-beta1/contrib/scripts/ast_tls_cert -C 10.10.8.192 -O "Digium TLS PBX1" -d /etc/asterisk/keys
Now generate keys for the phone(s),
#/home/asterisk-11.0.0-beta1/contrib/scripts/ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 10.10.9.135 -O "D40 Phone" -d /etc/asterisk/keys -o Phone1
#/home/asterisk-11.0.0-beta1/contrib/scripts/ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C 10.10.9.224 -O "D50 Phone" -d /etc/asterisk/keys -o Phone2
Step 2 Copy ca.crt and appropriate certs to the phone(s)
ex: scp ca.crt root@10.10.9.135:/etc/pki/tls/certs
ex: scp Phone1.pem root@10.10.9.135:/etc/pki/tls/certs
ex: scp ca.crt root@10.10.9.224:/etc/pki/tls/certs
ex: scp Phone2.pem root@10.10.9.224:/etc/pki/tls/certs
Step 3 Enable TLS for asterisk
inside sip.conf,
1) set tlsenable to yes
2) set transport to tls, this can either be the global or under the extension itself, don't think it matters
3) point tlscertfile, tlscafile to where you made your certificates, in this case it's /etc/asterisk/keys directory
4) set your cipher, try tlscipher=AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5, or try tlscipher=ALL
5) set your client method, try tlsclientmethod=tlsv1:sslv3 ; values include tlsv1, sslv3, sslv2.
inside extensions.conf
1) set your call rule to use secure TLS signaling, I did this under the default section
ex: exten => 100,1,Set(CHANNEL(secure_bridge_signaling)=1)
same => n,Dial(SIP/100)
exten => 150,1,Set(CHANNEL(secure_bridge_signaling)=1)
same => n,Dial(SIP/150)
Step 4 Modify nvdata on the phone to register with tls instead of udp
On the phone inside /nvdata, make a file called hack.xml with the following:
<config>
<setting id="transport_tls_enabled" value="1" />
<setting id="transport_tls_port" value="5061" />
<setting id="config_server_url" value="sips:150@10.10.8.192:5062" />
<accounts>
<account index="0" status="1" register="1" conflict="replace" account_id="1102" username="150" authname="150" password="1
<host_primary server="10.10.8.192" port="5061" transport="tls" reregister="120" retry="25" num_retries="5" network="1
</account>
</accounts>
</config>
Now reboot the phone, this will overwrite what's in config.xml so you can register with the asterisk server using tls as transport, port 5061, sips instead of sip, etc...
This is only failing with asterisk-11.0.0-beta1 (it works with Asterisk 1.8.15.1); you should see the error
"ssl connection: error:00000000 tcptls.c:244 handle_tcptls_connection: FILE * open failed!"
Using gdb and setting breakpoints at handle_tcptls_connection and __ssl_setup:
To keep things simple I have extension 150 on a D50 phone, and to simplify which call leg and which certificate it is failing on, I am merely calling myself, extension 150 dialing extension 150.
handle_tcptls_connection gets called, which in turn calls __ssl_setup and we get a 'SSL certificate ok', but then handle_tcptls_connection gets called again, which calls __ssl_setup, yet this time it fails; it's also failing in the same thread id:
[Sep 21 09:07:58] VERBOSE[5762] tcptls.c: SSL certificate ok
[Sep 21 09:08:07] DEBUG[5754] chan_phone.c: poll returned -1: Interrupted system call
[Sep 21 09:08:07] VERBOSE[5762] tcptls.c: == Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)
[Sep 21 09:08:07] WARNING[5762] tcptls.c: FILE * open failed!
At first I thought it may be due to an old version of openssl, but I can connect via openssl by entering this command on the phone:
# openssl s_client -connect 10.10.8.192:5061 -CAfile /etc/pki/tls/certs/ca.crt -cert /etc/pki/tls/certs/Phone1.pem -msg
Also, if you are having trouble registering the phones with the hack.xml and they aren't showing up in 'sip show peers' as registered, please try registering them using dbus commands as follows:
#dbus-send --system --type=signal / com.digium.cbridge.req.reg_account string:account_slot string:1 string:account_subslot string:0 string:id string:'"150" <sips:150@10.10.8.192:5061;transport=TLS>' string:username string:150 string:password string:150 string:reg_uri string:"sips:10.10.8.192:5061;transport=TLS" string:reg_timeout string:300 string:reg_retry_interval string:25 string:expires string:-1 string:status_text string:"Service Unavailable" string:is_primary string:true
#dbus-send --system --type=signal / com.digium.cbridge.req.reg_account string:account_slot string:1 string:account_subslot string:0 string:id string:'"100" <sips:100@10.10.8.192:5061;transport=TLS>' string:username string:100 string:password string:100 string:reg_uri string:"sips:10.10.8.192:5061;transport=TLS" string:reg_timeout string:300 string:reg_retry_interval string:25 string:0 string:503 string:expires string:-1 string:status_text string:"Service Unavailable" string:is_primary string:true
was: (the previous description is identical to the one above up to the openssl s_client command; the closing note about registering the phones with dbus-send is new in this update)
> ssl connection failing with tls enabled using asterisk-11.0.0-beta1
> -------------------------------------------------------------------
>
> Key: ASTERISK-20485
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-20485
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Channels/chan_sip/TCP-TLS
> Environment: centos5_7, centos6_3, Phone (D40 and D50), asterisk11.0.0.beta1
> Reporter: Rick Long
> Severity: Minor
> Attachments: extensions.conf, hack.xml, sip.conf
>
>
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
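The sip.conf TLS settings in Step 3 are easy to get subtly wrong, and two of the values the report suggests trying (RC4/MD5 ciphers, sslv3) are ones a defender would want flagged when reviewing a deployment. The script below is an added example, not part of the bug report and not Asterisk code: it parses the [general] section of a chan_sip sip.conf and reports TLS settings that are disabled, missing, or weak. The sample sip.conf is constructed from the values quoted in the report, and the "weak" token list is the example's own classification, not anything Asterisk enforces.

```python
"""Lint the TLS-related settings of an Asterisk chan_sip sip.conf.

Added example (not from the bug report or from Asterisk).  It parses the
[general] section of a sip.conf and flags settings that matter for a TLS
deployment: tlsenable not set to yes, missing certificate paths, weak or
over-broad tlscipher entries, and obsolete tlsclientmethod values.
"""
import re

# Constructed sample, built from the settings the report describes.
SAMPLE_SIP_CONF = """\
[general]
context=default
tlsenable=yes
transport=tls
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5
tlsclientmethod=tlsv1:sslv3   ; values include tlsv1, sslv3, sslv2

[150]
type=friend
transport=tls
"""

# Example's own classification of cipher-list tokens worth a second look.
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "NULL", "EXP", "ALL")
# Protocol versions that are obsolete and should not be offered.
WEAK_METHODS = ("sslv2", "sslv3")


def parse_asterisk_conf(text):
    """Return {section: {key: value}} for an Asterisk-style config.

    Asterisk config files use ';' for comments and 'key=value' lines;
    if a key repeats inside a section, the last value wins here.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def lint_tls(sections):
    """Return a list of (severity, message) findings for [general] TLS settings."""
    g = sections.get("general", {})
    findings = []
    if g.get("tlsenable", "no").lower() != "yes":
        findings.append(("error", "tlsenable is not 'yes'; no TLS listener will be created"))
    for key in ("tlscertfile", "tlscafile"):
        if key not in g:
            findings.append(("warn", f"{key} is not set"))
    # The cipher list is colon-separated, as in the report's example.
    for token in g.get("tlscipher", "").split(":"):
        if any(weak in token.upper() for weak in WEAK_CIPHER_TOKENS):
            findings.append(("warn", f"tlscipher entry '{token}' is weak or over-broad"))
    # Accept a single value or a colon-separated list, as written in the report.
    for method in g.get("tlsclientmethod", "").split(":"):
        if method.strip().lower() in WEAK_METHODS:
            findings.append(("warn", f"tlsclientmethod '{method.strip()}' is obsolete"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_tls(parse_asterisk_conf(SAMPLE_SIP_CONF)):
        print(f"{severity}: {message}")
```

Run against the constructed sample it reports the two RC4 cipher entries and the sslv3 client method; point it at a real sip.conf by reading the file into `parse_asterisk_conf` instead of the embedded string.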
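The log excerpt in the report carries more than it first appears to: the thread id ties the "SSL certificate ok" line to the later failure, and the "error:00000000:lib(0):func(0):reason(0)" string is what OpenSSL's ERR_error_string() produces when ERR_get_error() returns 0, that is, when no OpenSSL error was queued at the time the failure was logged. The script below is an added example, not part of the bug report and not Asterisk code: it parses Asterisk full-log lines, groups the tcptls.c events by thread id, and reports which thread went from a successful certificate check to a failed SSL setup, decoding the OpenSSL error code along the way. The embedded log lines are the four quoted in the report.

```python
"""Triage the tcptls.c log excerpt from the report by thread id.

Added example (not from the bug report or from Asterisk).  It parses
Asterisk log lines of the form '[ts] LEVEL[tid] source: message', groups
tcptls.c events per thread, flags a 'certificate ok, then setup failed'
sequence, and decodes OpenSSL's 'error:XXXXXXXX:lib(n):func(n):reason(n)'
string.  An all-zero code means the OpenSSL error queue was empty.
"""
import re
from collections import defaultdict

# The four lines quoted in the report.
LOG_EXCERPT = """\
[Sep 21 09:07:58] VERBOSE[5762] tcptls.c: SSL certificate ok
[Sep 21 09:08:07] DEBUG[5754] chan_phone.c: poll returned -1: Interrupted system call
[Sep 21 09:08:07] VERBOSE[5762] tcptls.c: == Problem setting up ssl connection: error:00000000:lib(0):func(0):reason(0)
[Sep 21 09:08:07] WARNING[5762] tcptls.c: FILE * open failed!
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<level>[A-Z]+)\[(?P<tid>\d+)\]\s+(?P<src>\S+):\s+(?P<msg>.*)$"
)
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):lib\((?P<lib>\d+)\):func\((?P<func>\d+)\):reason\((?P<reason>\d+)\)"
)


def parse_log(text):
    """Return one dict (ts, level, tid, src, msg) per parseable log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def decode_openssl_error(msg):
    """Return (code, explanation) for an OpenSSL error string in msg, else None."""
    m = OPENSSL_ERR_RE.search(msg)
    if not m:
        return None
    code = int(m.group("code"), 16)
    if code == 0:
        # ERR_get_error() returned 0: OpenSSL itself recorded no error, so the
        # failure was raised by the calling code rather than by the handshake.
        return (0, "empty OpenSSL error queue; failure raised by caller, not by OpenSSL")
    return (code, f"OpenSSL lib {m.group('lib')} func {m.group('func')} reason {m.group('reason')}")


def triage(events):
    """Map each tcptls.c thread id to a verdict about its SSL setup sequence."""
    by_thread = defaultdict(list)
    for ev in events:
        if ev["src"] == "tcptls.c":
            by_thread[ev["tid"]].append(ev)
    report = {}
    for tid, evs in by_thread.items():
        saw_ok, verdict = False, "no failure"
        for ev in evs:
            if "SSL certificate ok" in ev["msg"]:
                saw_ok = True
            elif "Problem setting up ssl connection" in ev["msg"]:
                verdict = "setup failed after cert ok" if saw_ok else "setup failed"
                dec = decode_openssl_error(ev["msg"])
                if dec and dec[0] == 0:
                    verdict += " (no OpenSSL error queued)"
        report[tid] = verdict
    return report


if __name__ == "__main__":
    for tid, verdict in triage(parse_log(LOG_EXCERPT)).items():
        print(f"thread {tid}: {verdict}")
```

The unrelated chan_phone.c line in thread 5754 is parsed but ignored by `triage`, which only looks at tcptls.c events; on a full log the same grouping shows whether every failing connection follows the same cert-ok-then-fail pattern or only some of them.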