[asterisk-bugs] [JIRA] (ASTERISK-27001) res_pjsip: TLS connection not stable
Ian Gilmour (JIRA)
noreply at issues.asterisk.org
Thu Jul 20 10:27:01 CDT 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-27001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=237753#comment-237753 ]
Ian Gilmour commented on ASTERISK-27001:
----------------------------------------
Hi George, in my normal setup Asterisk is behind NAT. Asterisk is configured to listen (for TLS) on port 5062, but this port is never used (it's actually blocked in Asterisk host iptables). OpenSIPS has no direct access to Asterisk listening port. So all SIP traffic (loopback call requests, reregistrations, etc.) are via TCP connection Asterisk establishes during initial registration.
> res_pjsip: TLS connection not stable
> ------------------------------------
>
> Key: ASTERISK-27001
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-27001
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: pjproject/pjsip
> Affects Versions: 13.15.0
> Environment: centos 6.8(64-bit)
> Reporter: Ian Gilmour
> Assignee: Ian Gilmour
> Attachments: output.tgz, pjproject-2.6.patch
>
>
> Hi,
> I have a development Asterisk 13.15.0 test setup (uses the bundled pjsip-2.6).
> On startup Asterisk registers 1 Asterisk users with a remote OpenSIPS server, over TLS, using the PJSIP stack. As part of the test this Asterisk PJSIP user is reregistered with OpenSIPS Server every couple of mins.
> All outgoing/incoming pjsip call media is encrypted using SRTP and via an external RTPPROXY running alongside the external OpenSIPS Server.
> Asterisk is additionally configured to use PJSIP on 127.0.0.1:5060 to allow calls from a locally run SIPp process. All SIPp calls are TCP+RTP.
> I use SIPp to run multiple concurrent loopback calls (calls vary in duration) through Asterisk to the OpenSIPS server and back to an echo() service running on the same Asterisk).
> i.e.
> {noformat}
> SIPp <-TCP/RTP-> Asterisk <-TLS/SRTP-> OpenSIPS server (+ rtpproxy) <-TLS/SRTP-> Asterisk (echo service).
> {noformat}
> With no calls running the PJSIP TLS connection stays up and I see it reregistering the user every ~2mins.
> When I start to run the SIPp test I start seeing the PJSIP stack having TLS issues - closing the current port as a result, in this state outgoing SIPp calls obviously start failing. A few seconds later Asterisk (PJSIP) opens a new port, reregistering with the OpenSIPS server, and the calls continue. With SIPp running the connection is being reestablished every ~10-20 minutes due to TLS issues.
> If I switch Asterisk to use the chan_sip stack rather than the PJSIP stack for the TLS connection to the OpenSIPS server the connection stays up with no call failures.
> I patched a couple of PJSIP files to help me see what's going on and I have played with the PJSIP TLS code. I can improve the reliability of the connection by ignoring a specific OpenSSL error condition (see the code within #if EXPERIMENTAL...#endif in the attached patch). In the original code this error causes of >90% of the connection failures I see. With this mod in place the TLS connection stays up for hours rather than minutes at a time, on the same outgoing port, and calls work fine. I doubt this mod is the proper fix though.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list