[asterisk-bugs] [JIRA] (ASTERISK-24428) Can't disconnect Asterisk server using non-standard TLS port (other than 5061)

sstream (JIRA) noreply at issues.asterisk.org
Mon Nov 17 17:01:29 CST 2014


     [ https://issues.asterisk.org/jira/browse/ASTERISK-24428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

sstream updated ASTERISK-24428:
-------------------------------

    Description: 
Using an Asterisk 11.12 server behind NAT (router) and an Android SIP client (Acrobits or CSipSimple) under the following conditions:
- Router local IP: 192.168.0.1
- Router domain: sip.example.net (using DNS like DynDNS)
- Asterisk server local IP: 192.168.0.2
- SIP protocol: TLS, port=10000 (not the default, for security reasons)
- RTP: port=10001 to 10008
- Android phone has a global IP.

In the router's settings, I opened ports 10000-10008 (TLS and RTP) and forwarded them to the Asterisk server IP (192.168.0.2).

<sip.conf>
externhost=sip.example.net
localnet=192.168.0.0/255.255.255.0

tlsenable=yes
tlsbindaddr=0.0.0.0:10000
tlscertfile=…
---
<rtp.conf>
rtpstart=10001
rtpend=10008
---

Under the above conditions, there is no problem with registration, connection, calling and talking.
However, Asterisk cannot detect disconnection (can't disconnect).

I traced a log and found:
---
SIP/2.0 100 Trying
Via: SIP/2.0/TLS xxx.xxx.xx.0:xxxxx;branch=;received=;rport=
From: <sips:xxx@ sip.example.net:10000>;tag=xxx
To: <sips:yyy@ sip.example.net:10000>
Call-ID: xxxxx
CSeq: 1 INVITE
Server: Asterisk PBX 11.12.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Contact: <sip:yyy@x.xx.xx.xx:5061;transport=TLS>
Content-Length: 0
---

In the "Contact:" line (2nd line from the bottom), port “5061” suddenly appears, which I never used.

This problem only occurs under TLS with a non-default port (not 5061).
There is no problem under UDP, even though a non-standard port is set (e.g. bindaddr=10000).

For testing, in “sip.h”, I changed
#define STANDARD_TLS_PORT	5061
to
#define STANDARD_TLS_PORT	10000
and compiled.
As a result, I confirmed that Asterisk works properly (detects disconnection).

In conclusion, it would be better to make an option like “tlsbindport” in sip.conf and make it work like UDP.

Thank you.


  was:
Using an Asterisk 11.12 server behind NAT (router) and an Android SIP client (Acrobits or CSipSimple) under the following conditions:
- Router local IP: 192.168.0.1
- Router domain: sip.example.net (using DNS like DynDNS)
- Asterisk server local IP: 192.168.0.2
- SIP protocol: TLS, port=10000 (not the default, for security reasons)
- RTP: port=10001 to 10008
- Android phone has a global IP.

In the router's settings, I opened ports 10000-10008 (TLS and RTP) and forwarded them to the Asterisk server IP (192.168.0.2).

<sip.conf>
externhost=sip.example.net
localnet=192.168.0.0/255.255.255.0

tlsenable=yes
tlsbindaddr=0.0.0.0:10000
tlscertfile=…
---
<rtp.conf>
rtpstart=10001
rtpend=10008
---

Under the above conditions, there is no problem with registration, connection, calling, talking.
However, Asterisk cannot detect disconnection (can't disconnect).

I traced a log and found:
---
SIP/2.0 100 Trying
Via: SIP/2.0/TLS xxx.xxx.xx.0:xxxxx;branch=;received=;rport=
From: <sips:xxx@ sip.example.net:10000>;tag=xxx
To: <sips:yyy@ sip.example.net:10000>
Call-ID: xxxxx
CSeq: 1 INVITE
Server: Asterisk PBX 11.12.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Contact: <sip:yyy@x.xx.xx.xx:5061;transport=TLS>
Content-Length: 0
---

In the "Contact:" line (2nd line from the bottom), port “5061” suddenly appears, which I never use.

This problem only occurs under TLS with a non-default port (not 5061).
There is no problem under UDP, even though a non-standard port is set (e.g. bindaddr=10000).

For testing, in “sip.h”, I changed
#define STANDARD_TLS_PORT	5061
to
#define STANDARD_TLS_PORT	10000
and compiled.
As a result, I confirmed that Asterisk works properly (detects disconnection).

In conclusion, it would be better to make an option like “tlsbindport” in sip.conf and make it work like UDP.

Thank you.



> Can't disconnect Asterisk server using non-standard TLS port (other than 5061)
> ------------------------------------------------------------------------------
>
>                 Key: ASTERISK-24428
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24428
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/TCP-TLS
>    Affects Versions: 11.12.0
>         Environment: Ubuntu 14.04, OpenWrt 14.07
>            Reporter: sstream
>            Assignee: sstream
>



--
This message was sent by Atlassian JIRA
(v6.2#6252)
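
An added example, not part of the original report and not Asterisk code: it compares the TLS port configured in `tlsbindaddr` with the port advertised in a traced `Contact` header, which is the mismatch the report describes. The sample config and response are constructed from the report's values, 203.0.113.10 is a placeholder address, the function names are hypothetical, and it assumes the router forwards the same port number it exposes, as in the report's setup.

```python
import re

STANDARD_TLS_PORT = 5061  # default from sip.h, as quoted in the report

# Constructed samples modelled on the report; 203.0.113.10 is a placeholder address.
SIP_CONF = """\
externhost=sip.example.net
localnet=192.168.0.0/255.255.255.0
tlsenable=yes
tlsbindaddr=0.0.0.0:10000
"""
RESPONSE = """\
SIP/2.0 100 Trying
Call-ID: xxxxx
CSeq: 1 INVITE
Contact: <sip:yyy@203.0.113.10:5061;transport=TLS>
Content-Length: 0
"""

# scheme, optional user@, host (IPv4 or name only), optional :port, URI parameters
CONTACT_RE = re.compile(
    r"^Contact\s*:.*?<(sips?):(?:[^@>]*@)?([^:;>]+)(?::(\d+))?([^>]*)>", re.I | re.M)

def configured_tls_port(conf_text):
    """Port from tlsbindaddr=host[:port]; falls back to the standard TLS port."""
    for line in conf_text.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts a comment in sip.conf
        m = re.match(r"tlsbindaddr\s*=\s*\S+?(?::(\d+))?$", line)
        if m:
            return int(m.group(1)) if m.group(1) else STANDARD_TLS_PORT
    return STANDARD_TLS_PORT

def advertised_tls_port(message):
    """Port a TLS Contact URI tells the peer to use, or None if there is none."""
    m = CONTACT_RE.search(message)
    if not m:
        return None
    scheme, _host, port, params = m.groups()
    if scheme.lower() != "sips" and "transport=tls" not in params.lower():
        return None  # not a TLS contact; the report says UDP is unaffected
    return int(port) if port else STANDARD_TLS_PORT

def check_contact(conf_text, message):
    """Return (configured, advertised) when the two ports differ, else None."""
    configured = configured_tls_port(conf_text)
    advertised = advertised_tls_port(message)
    if advertised is not None and advertised != configured:
        return (configured, advertised)
    return None

if __name__ == "__main__":
    print(check_contact(SIP_CONF, RESPONSE))
```

A non-None result means in-dialog requests such as BYE would be addressed to a port the server is not listening on, matching the missed disconnection in the report.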


