[asterisk-bugs] [JIRA] (ASTERISK-28798) [patch] chan_sip: TCP/TLS client without server.

Alexander Traud (JIRA) noreply at issues.asterisk.org
Thu Jun 25 04:35:27 CDT 2020 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-28798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=251234#comment-251234 ] 

Alexander Traud commented on ASTERISK-28798:
--------------------------------------------

You should report as soon as possible, do not wait for anyone else. Your case is not that easy because there is (at least) one severe bug: Asterisk as TCP client is using the wrong port in the header Contact. This is ignored (normally) because SIP registrars are re-using the current TCP connection. Therefore, they do not look into the Contact and use the correct port. I fixed just those null issues.

First question:
1) With Asterisk 13.32 and earlier, did you see {{(null)}} in the Contact header from your client (in the SIP message or when going for debug level 3)?
Second question:
2) Does the port in Contact match the port of your TCP/TLS client?

This wrong Contact is still an issue which cannot be fixed that easily because the header Contact is created before the TCP clients gets its port assigned. In other words, in Digium Asterisk chan_sip, a TCP client is always sending the wrong port. To catch those who do not come via the network port but via the Contact port, you need a TCP/TLS server locally.

Third question:
3. Do you get that error message
A) on both server and client or
B) just at the client?

Question 1: Yes; Question 2: No, Question 3: B
In that case, go for {{tlscertfile}} in {{sip.conf}} on your client. You can even use the dummy certificate which is created by the script which came with your Digium Asterisk. In all other cases, please, post the TLS relevant options from your {{sip.conf}}.

Fourth Question:
You mention that the console is not usable right now. Please, elaborate more on that because a level of NOTICE would be written all the time as well, even at debug level 0 and verbose level 0 like the level of ERROR.

> [patch] chan_sip: TCP/TLS client without server.
> ------------------------------------------------
>
>                 Key: ASTERISK-28798
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28798
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/TCP-TLS
>    Affects Versions: 13.32.0, 16.9.0, 17.3.0
>            Reporter: Alexander Traud
>            Assignee: Alexander Traud
>            Severity: Minor
>              Labels: patch
>      Target Release: 13.33.0, 16.10.0, 17.4.0
>
>         Attachments: client_without_server.patch
>
>
> The channel driver {{chan_sip}} can be configured for various SIP transports like UDP, TCP, and TLS. Because it is a back-to-back user agent (B2BUA), it can be configured as client and/or server. For example, when you add just
> {code}register => tcp://user:secret@host{code}
> to the {{\[general\]}} context in the configuration file {{sip.conf}} (just that, nothing else; the file is empty), a client connection to a remote VoIP/SIP server like a PSTN service is established. However in the SIP-REGISTER message, the headers Via and Contact do not contain the local IP address but the value {{(null)}}. Such a value is rejected by a remote party normally.
> Currently, the source code expects that the local server also has TCP enabled. Consequently, for a client connect you have to write at least:
> {code}tcpenable=yes
> register => tcp://user:secret@host{code}
> In case of TLS, something like
> {code}
> tlscapath=/etc/ssl/certs/
> register => tls://user:secret@host
> {code}should be sufficient. However, that gives the same, the value {{(null)}} in the SIP-REGISTER for the Via and Contact headers. Again, the TLS server must be enabled locally which requires a public certificate with private key:
> {code}
> tlsenable=yes
> tlscertfile=asterisk.pem
> tlscapath=/etc/ssl/certs/
> register => tls://user:secret@host
> {code}Consequently, I have to create a (server) certificate locally, do create a remote TLS client connection successfully. This is counter-intuitive. The situation is even worse because there is no log message and the SIP-REGISTER is sent with wrong information. Only at debug level 3, one can see that the local bind address is null.
> The cause for this is the function {{ast_sip_ouraddrfor(.)}} which does not check whether the {{local_address}} is null. See the attached patch.
> However, there are two more places in code which do not check for null:
> 1. function {{get_address_family_filter(.)}}
> 2. {{p->socket.port}} in function {{transmit_register(.)}}
> I have no idea what to do with those.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list