[asterisk-bugs] [JIRA] (ASTERISK-23498) Asterisk PJSIP transport configuration fails on parsing of 'cipher' option, any valid option is reported as unsupported

Alexander Traud (JIRA) noreply at issues.asterisk.org
Sun Apr 27 10:32:18 CDT 2014


     [ https://issues.asterisk.org/jira/browse/ASTERISK-23498?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alexander Traud updated ASTERISK-23498:
---------------------------------------

    Attachment: pjsip_tls_cipher_string.patch

Because selecting the cipher-suites is required in my project, I had to get this feature working and looked into pjlib/src/pj/ssl_sock_ossl.c:create_ssl(). There, I do not see an easy way to add support for cipher-string lists like we were used to in chan_sip, because the PJ Project does not use cipher strings but IDs internally. Therefore, no solution from me but there are at least three workarounds:

1. do not specify cipher at all, and chan_pjsip uses the DEFAULT list of your OpenSSL, see # openssl ciphers -v

2. if you have to restrict the cipher-suites, do so via their ID (see RFC 5246), for example to use just AES128-SHA plus 3DES (see RFC 3261 chapter 26.2.1):
{code}
[transport-tls]
type=transport
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key ; not optional anymore
cipher = 0x002f
cipher = 0x000a
method=sslv23 ; when unspecified, was the default of chan_sip
protocol=tls
bind=:
{code}

3. if you need a meta-value within the cipher-string list (for example HIGH or SUITEB128) apply the attached patch (hack) to pjsip, and build it: https://wiki.asterisk.org/wiki/display/AST/Building+and+Installing+pjproject

Hope this helps anyone. I went for workaround 2.

> Asterisk PJSIP transport configuration fails on parsing of 'cipher' option, any valid option is reported as unsupported
> -----------------------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-23498
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-23498
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip
>    Affects Versions: SVN, 12.1.1
>         Environment: Fedora 20 x86_64
>            Reporter: Anthony Messina
>         Attachments: pjsip_tls_cipher_string.patch
>
>
> When using Asterisk 12.1.1 and PJSIP 2.2 (compiled as described in the Asterisk Wiki), I am unable to use the 'ciphers' parameter to set the OpenSSL ciphers for TLS connections.  Regardless of what is entered for ciphers
> {code}
> cipher=<whatever>
> {code}
> I always get the error
> {code}
> ERROR[2579]: res_pjsip/config_transport.c:404 transport_tls_cipher_handler: Cipher '<whatever>' is unsupported
> {code}
> This issue is the same as reported here: http://forums.asterisk.org/viewtopic.php?f=1&t=89309 but I can confirm that I have compiled PJSIP with OpenSSL libs
> {code}
> checking for OpenSSL installations..
> checking openssl/ssl.h usability... yes
> checking openssl/ssl.h presence... yes
> checking for openssl/ssl.h... yes
> checking for ERR_load_BIO_strings in -lcrypto... yes
> checking for SSL_library_init in -lssl... yes
> OpenSSL library found, SSL support enabled
> {code}



--
This message was sent by Atlassian JIRA
(v6.2#6252)
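
Added example, not part of the original message and not code from Asterisk or pjproject: a shell helper for workaround 2 that turns `openssl ciphers -V` output into `cipher = 0x....` lines for pjsip.conf and fails when a requested suite name is not listed by the local OpenSSL. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Read `openssl ciphers -V` output on stdin and print pjsip.conf cipher lines.
# Each input line looks like:
#   0x00,0x2F - AES128-SHA  SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
# Usage: openssl ciphers -V 'ALL' | ciphers_to_pjsip AES128-SHA DES-CBC3-SHA
# With no names given, every suite in the listing is emitted.
ciphers_to_pjsip() {
    awk -v want="$*" '
        BEGIN { n = split(want, names, " ") }
        # Field 1 is the two-byte suite ID "0xHH,0xLL", field 3 the OpenSSL name.
        $1 ~ /^0x[0-9A-Fa-f][0-9A-Fa-f],0x[0-9A-Fa-f][0-9A-Fa-f]$/ && $2 == "-" {
            split($1, b, ",")
            id[$3] = "0x" tolower(substr(b[1], 3) substr(b[2], 3))
            order[++m] = $3
        }
        END {
            if (n == 0) {
                for (i = 1; i <= m; i++)
                    printf "cipher = %s ; %s\n", id[order[i]], order[i]
                exit 0
            }
            for (i = 1; i <= n; i++) {
                if (names[i] in id) {
                    printf "cipher = %s ; %s\n", id[names[i]], names[i]
                } else {
                    # A name missing here would otherwise vanish silently.
                    printf "not listed by this OpenSSL: %s\n", names[i] > "/dev/stderr"
                    rc = 1
                }
            }
            exit rc + 0
        }'
}

# Constructed sample of `openssl ciphers -V` output, so the demo runs offline.
sample_listing() {
    cat <<'EOF'
          0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
          0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
EOF
}

# Demo: the two suites used in the configuration above.
sample_listing | ciphers_to_pjsip AES128-SHA DES-CBC3-SHA
```

On a real host, replace `sample_listing` with `openssl ciphers -V 'ALL'` so the IDs come from the OpenSSL build that pjproject is linked against.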