[asterisk-bugs] [JIRA] (ASTERISK-24646) PJSIP changeset 4899 breaks TLS

Mark Michelson (JIRA) noreply at issues.asterisk.org
Mon Jan 12 15:45:35 CST 2015


     [ https://issues.asterisk.org/jira/browse/ASTERISK-24646?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Michelson updated ASTERISK-24646:
--------------------------------------

    Attachment: ASTERISK-24646-chan_sip.patch

I'm attaching ASTERISK-24646-chan_sip.patch. This addresses the issue you were having and also generates SIPS Contact URIs when Asterisk is the UAC as well. As far as target refreshes are concerned, Asterisk does not send target refreshes with different request URIs from what was originally sent, so they should be properly covered by the chan_sip patch here.

> PJSIP changeset 4899 breaks TLS
> -------------------------------
>
>                 Key: ASTERISK-24646
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-24646
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/Interoperability
>    Affects Versions: 11.15.0
>         Environment: Linux; hostile
>            Reporter: Stephan Eisvogel
>            Assignee: Mark Michelson
>         Attachments: ASTERISK-24646-chan_sip.patch, ASTERISK-24646.patch, sip-trace.txt
>
>
> PJSIP as of changeset 4899 (https://trac.pjsip.org/repos/changeset/4899) has started verifying the Contact-header sent by the server to be of the SIPS scheme if transport is TLS. It will not check the Contact-header for ";transport=TLS" as sent by Asterisk.
> As a result, registration by a client using this well-known stack will succeed, but any call attempt will terminate. A SIP trace will show the message "Warning: 381 localhost SIPS Required" going from the client to the server.
> This was found using CSipSimple-trunk, other clients e.g. MicroSIP will likely follow, once this change has crept into their code bases.
> The issue has previously been discussed last year here: <http://lists.digium.com/pipermail/asterisk-dev/2013-September/062567.html>. Asterisk developers were of the opinion that using SIPS in Contact-header will break proxying up a chain. PJSIP developers seem to be of the opinion they are following RFCs. And I am puzzled, looking for a resolution.
> Workarounds/fixes I could identify:
> 1. Set disable_secure_dlg_check = PJ_TRUE on clients using PJSIP
> 2. Modify PJSIP's pjsip_inv_verify_request3 to check for ;transport=TLS not only in Record-Route-header but also in Contact-header.
> 3. Patch Asterisk to emit SIPS scheme when transport is TLS
> I suggest first identifying whether this should be an Asterisk issue at all, or be brought up with PJSIP developers to change the default behaviour.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
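
The mismatch described in the issue, as an added example that is not part of the original message and is neither PJSIP nor Asterisk code: a small model of a strict Contact check (only a `sips` URI passes) next to the lenient variant from workaround 2 (also accept `;transport=TLS`). The function names and the sample Contact values are assumptions constructed for illustration.

```python
import re

def parse_contact_uri(value):
    """Return (scheme, uri_params) for the URI in one Contact header value."""
    m = re.search(r"<([^>]*)>", value)
    # Without <>, ';' parameters belong to the header, not the URI (RFC 3261, 20.10).
    uri = m.group(1) if m else value.split(";", 1)[0]
    scheme, _, rest = uri.strip().partition(":")
    rest = rest.split("?", 1)[0]            # drop URI headers
    hostpart = rest.rsplit("@", 1)[-1]      # the user part may itself contain ';'
    params = {}
    for item in hostpart.split(";")[1:]:
        key, _, val = item.partition("=")
        params[key.strip().lower()] = val.strip().lower()
    return scheme.lower(), params

def contact_is_secure(value, accept_transport_param=False):
    """Strict mode: only a sips URI passes. Lenient mode also accepts sip + transport=tls."""
    scheme, params = parse_contact_uri(value)
    if scheme == "sips":
        return True
    return (accept_transport_param and scheme == "sip"
            and params.get("transport") == "tls")

# Constructed Contact values; addresses are from the documentation range.
SAMPLES = [
    "<sip:100@192.0.2.10:5061;transport=TLS>",
    "<sips:100@192.0.2.10:5061>",
    '"Alice" <sip:alice;x=1@192.0.2.10;transport=tcp>',
    "sip:100@192.0.2.10:5061;transport=tls",
]

def report(samples=SAMPLES):
    """Return (value, strict_result, lenient_result) per sample."""
    return [(s, contact_is_secure(s), contact_is_secure(s, True)) for s in samples]

if __name__ == "__main__":
    for value, strict, lenient in report():
        print(f"strict={strict!s:5} lenient={lenient!s:5} {value}")
```

The first sample has the `;transport=TLS` form the report attributes to Asterisk: it fails the strict check and passes only the lenient one, while the last sample fails both because its parameter is a header parameter rather than a URI parameter.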


