[asterisk-bugs] [JIRA] (ASTERISK-28798) [patch] chan_sip: TCP/TLS client without server.

David A. (JIRA) noreply at issues.asterisk.org
Thu Jun 25 06:20:25 CDT 2020 

    [ https://issues.asterisk.org/jira/browse/ASTERISK-28798?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=251236#comment-251236 ] 

David A. commented on ASTERISK-28798:
-------------------------------------

{quote}1) With Asterisk 13.32 and earlier, did you see (null) in the Contact header from your client (in the SIP message or when going for debug level 3)?{quote}
No

{quote}2) Does the port in Contact match the port of your TCP/TLS client?{quote}
Yes

{quote}Third question:
3. Do you get that error message
A) on both server and client or
B) just at the client?{quote}
B) The error message is only on the client


{quote}Fourth Question:
You mention that the console is not usable right now. Please, elaborate more on that because a level of NOTICE would be written all the time as well, even at debug level 0 and verbose level 0 like the level of ERROR.{quote}

I'm hoping I could find a way to supress the notices, perhaps by changing the console setting in logger.conf, but I haven't tried it.  I usually keep the console running so I can check for connectivity or other issues, but it's not very useful with the errors being repeated constantly.  My current solution is to continue running 13.32.0.

Here are the TLS relevant options in sip.conf.  I do specify the TLS port in tlsbindaddr.  If I remove that port setting, I see the null port in the headers you've mentioned in 13.32.0 (though everything still works, even then).

{code}tlsenable=yes
tlsbindaddr=[::]:5778
tlscapath=/etc/ssl/certs
tlsdisablev1=yes
tlsdisablev11=yes
tlscipher={cipher list}
tlsservercipherorder=yes{code}

Even with a self-signed certificate on the client and "tlscertfile" set to point to it, it doesn't help.  The error messages are still repeated.


> [patch] chan_sip: TCP/TLS client without server.
> ------------------------------------------------
>
>                 Key: ASTERISK-28798
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28798
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Channels/chan_sip/TCP-TLS
>    Affects Versions: 13.32.0, 16.9.0, 17.3.0
>            Reporter: Alexander Traud
>            Assignee: Alexander Traud
>            Severity: Minor
>              Labels: patch
>      Target Release: 13.33.0, 16.10.0, 17.4.0
>
>         Attachments: client_without_server.patch
>
>
> The channel driver {{chan_sip}} can be configured for various SIP transports like UDP, TCP, and TLS. Because it is a back-to-back user agent (B2BUA), it can be configured as client and/or server. For example, when you add just
> {code}register => tcp://user:secret@host{code}
> to the {{\[general\]}} context in the configuration file {{sip.conf}} (just that, nothing else; the file is empty), a client connection to a remote VoIP/SIP server like a PSTN service is established. However in the SIP-REGISTER message, the headers Via and Contact do not contain the local IP address but the value {{(null)}}. Such a value is rejected by a remote party normally.
> Currently, the source code expects that the local server also has TCP enabled. Consequently, for a client connect you have to write at least:
> {code}tcpenable=yes
> register => tcp://user:secret@host{code}
> In case of TLS, something like
> {code}
> tlscapath=/etc/ssl/certs/
> register => tls://user:secret@host
> {code}should be sufficient. However, that gives the same, the value {{(null)}} in the SIP-REGISTER for the Via and Contact headers. Again, the TLS server must be enabled locally which requires a public certificate with private key:
> {code}
> tlsenable=yes
> tlscertfile=asterisk.pem
> tlscapath=/etc/ssl/certs/
> register => tls://user:secret@host
> {code}Consequently, I have to create a (server) certificate locally, do create a remote TLS client connection successfully. This is counter-intuitive. The situation is even worse because there is no log message and the SIP-REGISTER is sent with wrong information. Only at debug level 3, one can see that the local bind address is null.
> The cause for this is the function {{ast_sip_ouraddrfor(.)}} which does not check whether the {{local_address}} is null. See the attached patch.
> However, there are two more places in code which do not check for null:
> 1. function {{get_address_family_filter(.)}}
> 2. {{p->socket.port}} in function {{transmit_register(.)}}
> I have no idea what to do with those.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list