[asterisk-bugs] [JIRA] (ASTERISK-24646) PJSIP changeset 4899 breaks TLS
Stephan Eisvogel (JIRA)
noreply at issues.asterisk.org
Mon Jan 12 14:39:35 CST 2015
[ https://issues.asterisk.org/jira/browse/ASTERISK-24646?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=224406#comment-224406 ]
Stephan Eisvogel commented on ASTERISK-24646:
---------------------------------------------
For reference
In addition to responses http://tools.ietf.org/html/rfc3261#section-12.1.1
- If the request that initiated the dialog contained a SIPS URI in the Request-URI or in the top Record-Route header field value, if there was any, or the Contact header field if there was no Record-Route header field, the Contact header field in the response MUST be a SIPS URI.
also relevant is requests http://tools.ietf.org/html/rfc5630#section-5.1.1
- As mandated by RFC3261, Section 8.1.1.8, in a request, "if the Request-URI or top Route header field value contains a SIPS URI, the Contact header field MUST contain a SIPS URI as well".
and target refreshes as well http://tools.ietf.org/html/rfc5630#section-5.1.1.2
- When a target refresh occurs within a dialog (e.g., re-INVITE request, UPDATE request), the UAC MUST include a Contact header field with a SIPS URI if the original request used a SIPS Request-URI.
> PJSIP changeset 4899 breaks TLS
> -------------------------------
>
> Key: ASTERISK-24646
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-24646
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Channels/chan_sip/Interoperability
> Affects Versions: 11.15.0
> Environment: Linux; hostile
> Reporter: Stephan Eisvogel
> Assignee: Mark Michelson
> Attachments: ASTERISK-24646.patch, sip-trace.txt
>
>
> PJSIP as of changeset 4899 (https://trac.pjsip.org/repos/changeset/4899) has started verifying the Contact-header sent by the server to be of the SIPS scheme if transport is TLS. It will not check the Contact-header for ";transport=TLS" as sent by Asterisk.
> As a result, registration by a client using this well-known stack will succeed, but any call attempt will terminate. A SIP trace will show the message "Warning: 381 localhost SIPS Required" going from the client to the server.
> This was found using CSipSimple-trunk, other clients e.g. MicroSIP will likely follow, once this change has crept into their code bases.
> The issue has previously been discussed last year here (http://lists.digium.com/pipermail/asterisk-dev/2013-September/062567.html). Asterisk developers were of the opinion that using SIPS in Contact-header will break proxying up a chain. PJSIP developers seem to be of the opinion they are following RFCs. And I am puzzled, looking for a resolution.
> Workarounds/fixes I could identify:
> 1. Set disable_secure_dlg_check = PJ_TRUE on clients using PJSIP
> 2. Modify PJSIP's pjsip_inv_verify_request3 to check for ;transport=TLS not only in Record-Route-header but also in Contact-header.
> 3. Patch Asterisk to emit SIPS scheme when transport is TLS
> I suggest identifying first, if this should be an Asterisk issue at all, or be brought up with PJSIP developers to change the default behaviour.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
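
The Contact rules quoted in the comment above (RFC 3261 sections 8.1.1.8 and 12.1.1) can be checked against messages from a SIP trace. This is an added example, not part of the original message and not PJSIP or Asterisk code; the function names, hosts and sample messages are constructed for illustration, and the parser ignores folded and compact-form headers.

```python
import re

def parse(msg):
    """Return (start_line, [(lowercased name, value), ...]); the body is ignored."""
    lines = msg.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    headers = [tuple(p.strip() for p in l.split(":", 1)) for l in lines[1:] if ":" in l]
    return lines[0], [(n.lower(), v) for n, v in headers]

def top_uri(headers, name):
    """URI of the first (top) value of header `name`, or None if absent."""
    for n, v in headers:
        if n == name:
            m = re.search(r"<([^>]+)>", v)
            return m.group(1) if m else v.split(";")[0].strip()
    return None

def is_sips(uri):
    return uri is not None and uri.lower().startswith("sips:")

def request_ok(request):
    """RFC 3261 8.1.1.8: SIPS Request-URI or top Route needs a SIPS Contact."""
    start, headers = parse(request)
    if is_sips(start.split()[1]) or is_sips(top_uri(headers, "route")):
        return is_sips(top_uri(headers, "contact"))
    return True

def response_ok(request, response):
    """RFC 3261 12.1.1: a SIPS dialog-creating request needs a SIPS Contact in the response."""
    start, headers = parse(request)
    rr = top_uri(headers, "record-route")
    # Top Record-Route if there is one, otherwise the request's Contact.
    anchor = rr if rr is not None else top_uri(headers, "contact")
    if is_sips(start.split()[1]) or is_sips(anchor):
        return is_sips(top_uri(parse(response)[1], "contact"))
    return True

# Constructed sample messages (hosts and users are placeholders).
INVITE_TLS_PARAM = (
    "INVITE sips:bob@client.example SIP/2.0\r\n"
    "Contact: <sip:alice@pbx.example:5061;transport=TLS>\r\n\r\n")
INVITE_SIPS = INVITE_TLS_PARAM.replace("<sip:", "<sips:").replace(";transport=TLS", "")
OK_TLS_PARAM = "SIP/2.0 200 OK\r\nContact: <sip:bob@client.example;transport=TLS>\r\n\r\n"

if __name__ == "__main__":
    print("sip Contact with ;transport=TLS passes:", request_ok(INVITE_TLS_PARAM))
    print("sips Contact passes:", request_ok(INVITE_SIPS))
    print("sip Contact in 200 OK passes:", response_ok(INVITE_SIPS, OK_TLS_PARAM))
```

A `sip:` Contact carrying `;transport=TLS` fails both checks, which is the mismatch the report describes between what Asterisk sends and what PJSIP verifies.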