[asterisk-bugs] [JIRA] (ASTERISK-23498) Asterisk PJSIP transport configuration fails on parsing of 'cipher' option, any valid option is reported as unsupported
Alexander Traud (JIRA)
noreply at issues.asterisk.org
Sun Apr 27 10:32:18 CDT 2014
[ https://issues.asterisk.org/jira/browse/ASTERISK-23498?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alexander Traud updated ASTERISK-23498:
---------------------------------------
Attachment: pjsip_tls_cipher_string.patch
Because selecting the cipher-suites is required in my project, I had to get this feature working and looked into pjlib/src/pj/ssl_sock_ossl.c:create_ssl(). There, I do not see an easy way to add support for cipher-string lists like we were used to in chan_sip, because the PJ Project does not use cipher strings but IDs internally. Therefore, no solution from me, but there are at least three workarounds:
1. do not specify cipher at all, and chan_pjsip uses the DEFAULT list of your OpenSSL, see # openssl ciphers -v
2. if you have to restrict the cipher-suites, do so via their ID (see RFC 5246), for example to use just AES128-SHA plus 3DES (see RFC 3261 chapter 26.2.1):
[transport-tls]
type=transport
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key ; not optional anymore
cipher = 0x002f
cipher = 0x000a
method=sslv23 ; when unspecified, was the default of chan_sip
protocol=tls
bind=:
3. if you need a meta-value within the cipher-string list (for example HIGH or SUITEB128) apply the attached patch (hack) to pjsip, and build it: https://wiki.asterisk.org/wiki/display/AST/Building+and+Installing+pjproject
Hope this helps anyone. I went for workaround 2.
> Asterisk PJSIP transport configuration fails on parsing of 'cipher' option, any valid option is reported as unsupported
> -----------------------------------------------------------------------------------------------------------------------
>
> Key: ASTERISK-23498
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-23498
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Resources/res_pjsip
> Affects Versions: SVN, 12.1.1
> Environment: Fedora 20 x86_64
> Reporter: Anthony Messina
> Attachments: pjsip_tls_cipher_string.patch
>
>
> When using Asterisk 12.1.1 and PJSIP 2.2 (compiled as described in the Asterisk Wiki), I am unable to use the 'ciphers' parameter to set the OpenSSL ciphers for TLS connections. Regardless of what is entered for ciphers
> {code}
> cipher=<whatever>
> {code}
> I always get the error
> {code}
> ERROR[2579]: res_pjsip/config_transport.c:404 transport_tls_cipher_handler: Cipher '<whatever>' is unsupported
> {code}
> This issue is the same as reported here: http://forums.asterisk.org/viewtopic.php?f=1&t=89309 but I can confirm that I have compiled PJSIP with OpenSSL libs
> {code}
> checking for OpenSSL installations..
> checking openssl/ssl.h usability... yes
> checking openssl/ssl.h presence... yes
> checking for openssl/ssl.h... yes
> checking for ERR_load_BIO_strings in -lcrypto... yes
> checking for SSL_library_init in -lssl... yes
> OpenSSL library found, SSL support enabled
> {code}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
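
For workaround 2 above, an added example (not part of the original message or of the attached patch): a shell helper that turns the output of `openssl ciphers -V` into `cipher = 0x....` lines for the transport section. The function names and the sample lines are constructed for illustration, and it assumes an OpenSSL whose `ciphers` command supports `-V` (hex IDs in the first column).

```shell
#!/bin/sh
# Added example: derive pjsip.conf "cipher = 0x...." lines from OpenSSL output.
# Usage with a real cipher string:  sh this_script.sh 'AES128-SHA:DES-CBC3-SHA'
# Without arguments it runs on the constructed sample below.

# Constructed sample of `openssl ciphers -V` output (not captured from a host).
sample_openssl_output() {
    cat <<'EOF'
          0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
          0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
     0x07,0x00,0xC0 - DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
          0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
EOF
}

# Reads `openssl ciphers -V` output on stdin and writes one config line per
# distinct two-byte suite ID, in the order OpenSSL listed them.
to_pjsip_ciphers() {
    awk '
    # Line shape: "0x00,0x2F - AES128-SHA SSLv3 Kx=RSA ..."
    $1 ~ /^0x[0-9A-Fa-f][0-9A-Fa-f],0x[0-9A-Fa-f][0-9A-Fa-f]$/ && $2 == "-" {
        split($1, b, ",")
        # Join both bytes into the 16-bit ID form used in the config: 0x002f
        id = tolower("0x" substr(b[1], 3) substr(b[2], 3))
        if (!(id in seen)) {
            seen[id] = 1
            printf "cipher = %s ; %s\n", id, $3
        }
        next
    }
    # Anything else (SSLv2 three-byte IDs, warnings) has no 16-bit ID:
    # report it on stderr instead of emitting a wrong value.
    NF { printf "skipped: %s\n", $0 > "/dev/stderr" }
    '
}

if [ "$#" -gt 0 ]; then
    openssl ciphers -V "$1" | to_pjsip_ciphers
else
    sample_openssl_output | to_pjsip_ciphers
fi
```

Reviewing the suite name after each `;` before pasting the lines into the transport section shows exactly what a meta-value such as HIGH expanded to on that OpenSSL build.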