[asterisk-bugs] [JIRA] (ASTERISK-27001) res_pjsip: TLS connection not stable

Mon Jul 31 06:54:58 CDT 2017

    [ https://issues.asterisk.org/jira/browse/ASTERISK-27001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=237883#comment-237883 ] 

Ian Gilmour commented on ASTERISK-27001:
----------------------------------------

Hi George,

Further to our email discussion...

Whilst I have no problem with the patch going in as is (it definitely improved things in my testing) I still have concerns about the PJSIP TLS stack code (even with the patch applied).

My patch fixed >90% of my TLS disconnection errors, but it did not eliminate them altogether. As reported earlier, I still see the TLS connection being torn down (for other reasons) and a reconnection taking place shortly afterwards. I'd like to eliminate these too, if possible.

Nor am I 100% sure that it is valid to simply ignore the OpenSSL TLS error condition that resulted in >90% of the connection errors I saw - as my patch does. I simply tried ignoring it and found that it seemed to work, and that it seemed to have no adverse side-effects (at least not in my testing).

I still feel there is more investigation required in this area. Possibly the additional error reporting in the patch will help with this.

> res_pjsip: TLS connection not stable
> ------------------------------------
>
>                 Key: ASTERISK-27001
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27001
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: pjproject/pjsip
>    Affects Versions: 13.15.0
>         Environment: centos 6.8(64-bit)
>            Reporter: Ian Gilmour
>            Assignee: George Joseph
>         Attachments: output.tgz, pjproject-2.6.patch
>
>
> Hi,
> I have a development Asterisk 13.15.0 test setup (uses the bundled pjsip-2.6).
> On startup Asterisk registers 1 Asterisk users with a remote OpenSIPS server, over TLS, using the PJSIP stack. As part of the test this Asterisk PJSIP user is reregistered with OpenSIPS Server every couple of mins.
> All outgoing/incoming pjsip call media is encrypted using SRTP and via an external RTPPROXY running alongside the external OpenSIPS Server.
> Asterisk is additionally configured to use PJSIP on 127.0.0.1:5060 to allow calls from a locally run SIPp process. All SIPp calls are TCP+RTP.
> I use SIPp to run multiple concurrent loopback calls (calls vary in duration) through Asterisk to the OpenSIPS server and back to an echo() service running on the same Asterisk).
> i.e.
> {noformat}
>   SIPp <-TCP/RTP-> Asterisk <-TLS/SRTP-> OpenSIPS server (+ rtpproxy) <-TLS/SRTP-> Asterisk (echo service).
> {noformat}
> With no calls running the PJSIP TLS connection stays up and I see it reregistering the user every ~2mins.
> When I start to run the SIPp test I start seeing the PJSIP stack having TLS issues - closing the current port as a result, in this state outgoing SIPp calls obviously start failing.  A few seconds later Asterisk (PJSIP) opens a new port, reregistering with the OpenSIPS server, and the calls continue. With SIPp running the connection is being reestablished every ~10-20 minutes due to TLS issues.
> If I switch Asterisk to use the chan_sip stack rather than the PJSIP stack for the TLS connection to the OpenSIPS server the connection stays up with no call failures.
> I patched a couple of PJSIP files to help me see what's going on and I have played with the PJSIP TLS code. I can improve the reliability of the connection by ignoring a specific OpenSSL error condition (see the code within #if EXPERIMENTAL...#endif in the attached patch). In the original code this error causes of >90% of the connection failures I see. With this mod in place the TLS connection stays up for hours rather than minutes at a time, on the same outgoing port, and calls work fine. I doubt this mod is the proper fix though.

--
This message was sent by Atlassian JIRA
(v6.2#6252)