[asterisk-bugs] [JIRA] (ASTERISK-27001) res_pjsip: TLS connection not stable

Kevin Harwell (JIRA) noreply at issues.asterisk.org
Mon Oct 23 16:49:21 CDT 2017 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-27001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=239563#comment-239563 ] 

Kevin Harwell commented on ASTERISK-27001:
------------------------------------------

[~tuxian], due to you commenting this issue got re-opened. If you feel this issue needs more work we'll need some more information before it can be moved forward. For instance specific scenarios duplicating the failures (if possible) you see with the patch in place, debug logs and pcaps as well.

Otherwise it can be closed for now, and at such time you are able to narrow the problem down further you can reopen this issue or create a new one.


> res_pjsip: TLS connection not stable
> ------------------------------------
>
>                 Key: ASTERISK-27001
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-27001
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: pjproject/pjsip
>    Affects Versions: 13.15.0
>         Environment: centos 6.8(64-bit)
>            Reporter: Ian Gilmour
>      Target Release: 13.18.0, 14.7.0, 15.1.0
>
>         Attachments: output.tgz, pjproject-2.6.patch
>
>
> Hi,
> I have a development Asterisk 13.15.0 test setup (uses the bundled pjsip-2.6).
> On startup Asterisk registers 1 Asterisk users with a remote OpenSIPS server, over TLS, using the PJSIP stack. As part of the test this Asterisk PJSIP user is reregistered with OpenSIPS Server every couple of mins.
> All outgoing/incoming pjsip call media is encrypted using SRTP and via an external RTPPROXY running alongside the external OpenSIPS Server.
> Asterisk is additionally configured to use PJSIP on 127.0.0.1:5060 to allow calls from a locally run SIPp process. All SIPp calls are TCP+RTP.
> I use SIPp to run multiple concurrent loopback calls (calls vary in duration) through Asterisk to the OpenSIPS server and back to an echo() service running on the same Asterisk).
> i.e.
> {noformat}
>   SIPp <-TCP/RTP-> Asterisk <-TLS/SRTP-> OpenSIPS server (+ rtpproxy) <-TLS/SRTP-> Asterisk (echo service).
> {noformat}
> With no calls running the PJSIP TLS connection stays up and I see it reregistering the user every ~2mins.
> When I start to run the SIPp test I start seeing the PJSIP stack having TLS issues - closing the current port as a result, in this state outgoing SIPp calls obviously start failing.  A few seconds later Asterisk (PJSIP) opens a new port, reregistering with the OpenSIPS server, and the calls continue. With SIPp running the connection is being reestablished every ~10-20 minutes due to TLS issues.
> If I switch Asterisk to use the chan_sip stack rather than the PJSIP stack for the TLS connection to the OpenSIPS server the connection stays up with no call failures.
> I patched a couple of PJSIP files to help me see what's going on and I have played with the PJSIP TLS code. I can improve the reliability of the connection by ignoring a specific OpenSSL error condition (see the code within #if EXPERIMENTAL...#endif in the attached patch). In the original code this error causes of >90% of the connection failures I see. With this mod in place the TLS connection stays up for hours rather than minutes at a time, on the same outgoing port, and calls work fine. I doubt this mod is the proper fix though.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list