[asterisk-bugs] [JIRA] (ASTERISK-27001) res_pjsip: TLS connection not stable
Ian Gilmour (JIRA)
noreply at issues.asterisk.org
Mon Jul 31 06:54:58 CDT 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-27001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=237883#comment-237883 ]
Ian Gilmour commented on ASTERISK-27001:
----------------------------------------
Hi George,
Further to our email discussion...
Whilst I have no problem with the patch going in as is (it definitely improved things in my testing) I still have concerns about the PJSIP TLS stack code (even with the patch applied).
My patch fixed >90% of my TLS disconnection errors, but it did not eliminate them altogether. As reported earlier, I still see the TLS connection being torn down (for other reasons) and a reconnection taking place shortly afterwards. I'd like to eliminate these too, if possible.
Nor am I 100% sure that it is valid to simply ignore the OpenSSL TLS error condition that resulted in >90% of the connection errors I saw - as my patch does. I simply tried ignoring it and found that it seemed to work, and that it seemed to have no adverse side-effects (at least not in my testing).
I still feel there is more investigation required in this area. Possibly the additional error reporting in the patch will help with this.
> res_pjsip: TLS connection not stable
> ------------------------------------
>
> Key: ASTERISK-27001
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-27001
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: pjproject/pjsip
> Affects Versions: 13.15.0
> Environment: centos 6.8(64-bit)
> Reporter: Ian Gilmour
> Assignee: George Joseph
> Attachments: output.tgz, pjproject-2.6.patch
>
>
> Hi,
> I have a development Asterisk 13.15.0 test setup (uses the bundled pjsip-2.6).
> On startup Asterisk registers 1 Asterisk user with a remote OpenSIPS server, over TLS, using the PJSIP stack. As part of the test this Asterisk PJSIP user is reregistered with OpenSIPS Server every couple of mins.
> All outgoing/incoming pjsip call media is encrypted using SRTP and via an external RTPPROXY running alongside the external OpenSIPS Server.
> Asterisk is additionally configured to use PJSIP on 127.0.0.1:5060 to allow calls from a locally run SIPp process. All SIPp calls are TCP+RTP.
> I use SIPp to run multiple concurrent loopback calls (calls vary in duration) through Asterisk to the OpenSIPS server and back to an echo() service running on the same Asterisk.
> i.e.
> {noformat}
> SIPp <-TCP/RTP-> Asterisk <-TLS/SRTP-> OpenSIPS server (+ rtpproxy) <-TLS/SRTP-> Asterisk (echo service).
> {noformat}
> With no calls running the PJSIP TLS connection stays up and I see it reregistering the user every ~2mins.
> When I start to run the SIPp test I start seeing the PJSIP stack having TLS issues - closing the current port as a result. In this state outgoing SIPp calls obviously start failing. A few seconds later Asterisk (PJSIP) opens a new port, reregistering with the OpenSIPS server, and the calls continue. With SIPp running the connection is being reestablished every ~10-20 minutes due to TLS issues.
> If I switch Asterisk to use the chan_sip stack rather than the PJSIP stack for the TLS connection to the OpenSIPS server the connection stays up with no call failures.
> I patched a couple of PJSIP files to help me see what's going on and I have played with the PJSIP TLS code. I can improve the reliability of the connection by ignoring a specific OpenSSL error condition (see the code within #if EXPERIMENTAL...#endif in the attached patch). In the original code this error causes >90% of the connection failures I see. With this mod in place the TLS connection stays up for hours rather than minutes at a time, on the same outgoing port, and calls work fine. I doubt this mod is the proper fix though.