[asterisk-bugs] [JIRA] (ASTERISK-27347) [patch] pjproject_bundled: Disable TCP/TLS keep-alives.

Ian Gilmour (JIRA) noreply at issues.asterisk.org
Tue Oct 17 02:38:21 CDT 2017


    [ https://issues.asterisk.org/jira/browse/ASTERISK-27347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=239399#comment-239399 ] 

Ian Gilmour commented on ASTERISK-27347:
----------------------------------------

Alexander suggested I try adding his patch to see if it improved the TLS problems I reported in ASTERISK-27001 (I still see very occasional TLS port closures and reopens even with my ASTERISK-27001 patch applied).

With Alexander's patch (and my own) I still see TLS errors being reported, and the TLS connection being closed by Asterisk and reopened on another port. Test conditions were similar to those described in ASTERISK-27001. I ran 40 concurrent SIPp generated calls of varying duration, ~40,000 SIPp calls in total. During the test I saw 1 x TLS port change (with an "ssl3_read_bytes-sslv3 alert bad record mac" error being reported). This is similar to what I see without Alexander's patch applied, so I don't think this issue is related to my own.

Note: in my tests I have pjsip.conf keep_alive_interval set to 20 secs.


> [patch] pjproject_bundled: Disable TCP/TLS keep-alives.
> -------------------------------------------------------
>
>                 Key: ASTERISK-27347
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27347
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip_keepalive
>    Affects Versions: 13.17.2, 14.6.2, 15.0.0
>            Reporter: Alexander Traud
>         Attachments: pjsip_keep_not_alive.patch
>
>
> PJSIP tries to keep TCP (and TLS) based SIP connections open. For this, a double-CRLF is sent every 90 seconds, even if PJSIP is the User-Agent Server (UAS). This is not supported by many User-Agent Clients (UAC), especially when this comes in-between a transaction, although mandated by [RFC 3261 Section 7.5|https://tools.ietf.org/html/rfc5626#section-3.5.1].
> For example, my Gigaset DE900 IP Pro does a re-register every 90 seconds. The Gigaset sends a REGISTER, gets a Proxy-Authentication-Required, and then got the keep-alive message. That halted the SIP stack of the Gigaset, the Gigaset closed the underlying TCP connection, and the whole Gigaset had to be restarted to be usable again.
> In PJProject, this keep-alive mechanism can be disabled (only) at compile time, like {{CFLAGS="-DNDEBUG=1 -DPJ_HAS_IPV6=1 -DPJSIP_TCP_KEEP_ALIVE_INTERVAL=0 -DPJSIP_TLS_KEEP_ALIVE_INTERVAL=0" ./configure --enable-shared}}
> Since version 13.2.0 (ASTERISK-24644, Commit [915bb88|http://github.com/asterisk/asterisk/commit/915bb88d3e973f647eb9d9e560688d6a02af2c2a]), Asterisk replaced this compile-time feature with the runtime setting {{keep_alive_interval}} which can be changed via the configuration file {{pjsip.conf}}. By default, this feature is zero = off. However, to make this work, PJProject must be compiled without its own keep-alive mechanism. This was never mentioned in the [Asterisk Wiki|http://wiki.asterisk.org/wiki/display/AST/PJSIP-pjproject#PJSIP-pjproject-externalBuildingandInstallingpjprojectfromSource].
> Since version 13.8.0 (Commit [b59956a|http://github.com/asterisk/asterisk/commit/b59956a875817367834431e7f1fa02486b5aed7f]), Asterisk allows {{./configure --with-pjproject-bundled}} which extracted all the required DEFINEs and flags from the Wiki and sets those automatically. Again, the keep-alive mechanism of the PJProject is not disabled.
> The attached patch rectifies these omissions for the bundled PJProject. Hopefully somebody with write-access adds those DEFINEs to the Asterisk Wiki as well.


