[asterisk-bugs] [JIRA] (ASTERISK-24646) PJSIP changeset 4899 breaks TLS

Mark Michelson (JIRA) noreply at issues.asterisk.org
Mon Jan 12 13:33:35 CST 2015


     [ https://issues.asterisk.org/jira/browse/ASTERISK-24646?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Michelson updated ASTERISK-24646:
--------------------------------------

    Attachment: ASTERISK-24646.patch

I have added ASTERISK-24646.patch. This patch follows the guidelines in RFC 3261 section 12.1.1 to determine whether the Contact header we generate should be a sips: URI or not. For the time being, I have also left the ;transport parameter on our Contact header, since I feel like there are clients that rely on that and removing it could cause problems.

Please try this with CSipSimple and let me know if the issue you reported is fixed or if this causes any further issues.

> PJSIP changeset 4899 breaks TLS
> -------------------------------
>
>                 Key: ASTERISK-24646
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24646
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/Interoperability
>    Affects Versions: 11.15.0
>         Environment: Linux; hostile
>            Reporter: Stephan Eisvogel
>            Assignee: Mark Michelson
>         Attachments: ASTERISK-24646.patch, sip-trace.txt
>
>
> PJSIP as of changeset 4899 (https://trac.pjsip.org/repos/changeset/4899) has started verifying the Contact-header sent by the server to be of the SIPS scheme if transport is TLS. It will not check the Contact-header for ";transport=TLS" as sent by Asterisk.
> As a result, registration by a client using this well-known stack will succeed, but any call attempt will terminate. A SIP trace will show the message "Warning: 381 localhost SIPS Required" going from the client to the server.
> This was found using CSipSimple-trunk; other clients, e.g. MicroSIP, will likely follow once this change has crept into their code bases.
> The issue has previously been discussed last year here (http://lists.digium.com/pipermail/asterisk-dev/2013-September/062567.html). Asterisk developers were of the opinion that using SIPS in Contact-header will break proxying up a chain. PJSIP developers seem to be of the opinion they are following RFCs. And I am puzzled, looking for a resolution.
> Workarounds/fixes I could identify:
> 1. Set disable_secure_dlg_check = PJ_TRUE on clients using PJSIP
> 2. Modify PJSIP's pjsip_inv_verify_request3 to check for ;transport=TLS not only in Record-Route-header but also in Contact-header.
> 3. Patch Asterisk to emit SIPS scheme when transport is TLS
> I suggest identifying first, if this should be an Asterisk issue at all, or be brought up with PJSIP developers to change the default behaviour.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
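
The RFC 3261 section 12.1.1 rule referred to in the comment above, as an added example (not the attached patch and not Asterisk or PJSIP code): a UAS must answer with a sips: Contact when the dialog-creating request had a SIPS URI in its Request-URI, or in its top Record-Route if one was present, or otherwise in its Contact. The function names and the sample header values are assumptions made for this illustration.

```c
/* Added example: hypothetical helper names, not Asterisk or PJSIP code. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if a bare URI or name-addr value ("Name" <uri>;params) uses sips:. */
static bool uri_is_sips(const char *value)
{
    static const char scheme[] = "sips:";
    const char *p = value, *lt;

    if (p == NULL)
        return false;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == '"') {            /* skip quoted display name, honouring \" */
        for (p++; *p && *p != '"'; p++)
            if (*p == '\\' && p[1])
                p++;
        if (*p == '"')
            p++;
    }
    if ((lt = strchr(p, '<')) != NULL)
        p = lt + 1;
    for (size_t i = 0; scheme[i]; i++)  /* schemes are case-insensitive */
        if (tolower((unsigned char)p[i]) != scheme[i])
            return false;
    return true;
}

/* RFC 3261 12.1.1, UAS side: inputs come from the dialog-creating request.
 * top_record_route is NULL when the request carried no Record-Route. */
bool contact_must_be_sips(const char *request_uri,
        const char *top_record_route, const char *request_contact)
{
    if (uri_is_sips(request_uri))
        return true;
    if (top_record_route != NULL)
        return uri_is_sips(top_record_route);
    return uri_is_sips(request_contact);
}

int main(void)
{
    /* Constructed INVITE values: TLS transport parameter, sip: scheme. */
    printf("%d\n", contact_must_be_sips("sip:100@pbx.example.com;transport=tls",
           NULL, "<sip:alice@192.0.2.10:5061;transport=tls>"));
    return 0;
}
```

A ;transport=tls parameter on any of the three inputs does not change the result; only the URI scheme is examined.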


