[asterisk-dev] SIP TLS handshake needs a timeout
Klaus Darilion
klaus.mailinglists at pernau.at
Tue Sep 29 02:50:04 CDT 2009
David Vossel wrote:
> Hello!
>
> Here's the problem. Right now, if Asterisk attempts to initiate a
> SIP TLS client connection with another Asterisk box, but the
> receiving box only has TCP bound to the incoming connection's port, a
> TCP connection will be established between the two boxes, but the box
> initiating the connection will forever be stuck waiting for the
> receiving box to complete the TLS handshake. This is a huge problem
> because TLS connection setup is done while the monitor lock is held.
> This patch aims at fixing that issue,
> https://reviewboard.asterisk.org/r/380/, but does not resolve the
> fact that a TLS connection will never go away if the TLS handshake
> does not complete.
>
> I've looked over the openssl toolkit and have not been able to find a
> successful method of doing this. I've even attempted some rather
> unorthodox methods of scheduling the file descriptor's closure during
> the handshake after a period of time, and that did not work either.
> Note that this is not a timeout involving the setup of TCP socket, it
> occurs after that once the TLS client initiates the TLS handshake
> and gets no response.
>
> Perhaps I am overlooking some obvious solution here. Does anyone
> have any ideas?

sip-router tls module has several timeout values:

send_timeout (int)
Sets the maximum interval of time after which sip-router will give up
trying to send a message over tls (time after a tls send will be aborted
and the corresponding tls connection closed). The value is in seconds.

handshake_timeout (int)
Sets the maximum interval of time after which sip-router will give up
trying to accept a tls connection or connect to a tls peer. The value is
in seconds.

connection_timeout (int)
Sets the amount of time after which an idle tls connection will be
closed. This is similar to tcp_connection_lifetime. The value is
expressed in seconds.

So, it should be doable. Maybe you can get some ideas from his code:
http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=tree;f=modules/tls;h=163532152dcbf9618212230a38d1f934d2bd2125;hb=HEAD
regards
klaus
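
One way to bound the handshake discussed in this thread, as an added example that is not code from Asterisk, sip-router or either poster: put the socket in non-blocking mode and drive the handshake under a single deadline. It uses Python's ssl module, which wraps OpenSSL; `silent_tcp_listener` and `handshake_with_deadline` are hypothetical names, and the listener is a constructed stand-in for the TCP-only peer.

```python
import select
import socket
import ssl
import time


def silent_tcp_listener():
    """Constructed stand-in for the TCP-only peer: the kernel completes the
    TCP handshake, but nothing ever answers the TLS ClientHello."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def handshake_with_deadline(host, port, timeout_s, ctx):
    """Hypothetical helper: TCP connect plus TLS handshake under one deadline.
    Returns the TLS socket, or closes it and raises TimeoutError."""
    deadline = time.monotonic() + timeout_s
    raw = socket.create_connection((host, port), timeout=timeout_s)
    raw.setblocking(False)  # the handshake can no longer block forever
    tls = ctx.wrap_socket(raw, server_hostname=host,
                          do_handshake_on_connect=False)
    try:
        while True:
            try:
                tls.do_handshake()
                return tls
            except ssl.SSLWantReadError:   # OpenSSL: SSL_ERROR_WANT_READ
                rlist, wlist = [tls], []
            except ssl.SSLWantWriteError:  # OpenSSL: SSL_ERROR_WANT_WRITE
                rlist, wlist = [], [tls]
            remaining = deadline - time.monotonic()
            # Wait until the deadline only for the I/O the handshake asked for.
            if remaining <= 0 or not any(
                    select.select(rlist, wlist, [], remaining)[:2]):
                raise TimeoutError("TLS handshake did not complete in time")
    except BaseException:
        tls.close()  # release the descriptor instead of leaving it stuck
        raise


if __name__ == "__main__":
    srv = silent_tcp_listener()
    try:
        handshake_with_deadline("127.0.0.1", srv.getsockname()[1], 2.0,
                                ssl.create_default_context())
    except TimeoutError as exc:
        print("gave up:", exc)
```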