[asterisk-dev] SIP TLS handshake needs a timeout
Olle E. Johansson
oej at edvina.net
Tue Sep 29 15:32:03 CDT 2009
On 29 Sep 2009, at 09:50, Klaus Darilion wrote:
>
>
> David Vossel schrieb:
>> Hello!
>>
>> Here's the problem. Right now, if Asterisk attempts to initiate a
>> SIP TLS client connection with another Asterisk box, but the
>> receiving box only has TCP bound to the incoming connection's port, a
>> TCP connection will be established between the two boxes, but the box
>> initiating the connection will forever be stuck waiting for the
>> receiving box to complete the TLS handshake. This is a huge problem
>> because TLS connection setup is done while the monitor lock is held.
>> This patch aims at fixing that issue,
>> https://reviewboard.asterisk.org/r/380/, but does not resolve the
>> fact that a TLS connection will never go away if the TLS handshake
>> does not complete.
>>
>> I've looked over the openssl toolkit and have not been able to find a
>> successful method of doing this. I've even attempted some rather
>> unorthodox methods of scheduling the file descriptor's closure during
>> the handshake after a period of time, and that did not work either.
>> Note that this is not a timeout involving the setup of the TCP socket; it
>> occurs after that, once the TLS client initiates the TLS handshake
>> and gets no response.
>>
>> Perhaps I am overlooking some obvious solution here. Does anyone
>> have any ideas?
>
> sip-router tls module has several timeout values:
>
> send_timeout (int)
> Sets the maximum interval of time after which sip-router will give up
> trying to send a message over tls (time after which a tls send will be
> aborted and the corresponding tls connection closed). The value is in
> seconds.
>
> handshake_timeout (int)
> Sets the maximum interval of time after which sip-router will give up
> trying to accept a tls connection or connect to a tls peer. The value
> is in seconds.
>
> connection_timeout (int)
> Sets the amount of time after which an idle tls connection will be
> closed. This is similar to tcp_connection_lifetime. The value is
> expressed in seconds.
>
>
> So, it should be doable. Maybe you can get some ideas from his code:
> http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=tree;f=modules/tls;h=163532152dcbf9618212230a38d1f934d2bd2125;hb=HEAD
Due to licensing issues we can't copy source code from sip-router.org.
Thanks for the information though!
Any BSD licensed code that we can look at?
/O
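For readers following the thread, here is a worked illustration of the pattern David is asking about. It is an added example and not Asterisk code, sip-router code, or anything posted by the participants. The idea is the one the sip-router handshake_timeout setting implements: put the socket in non-blocking mode, drive the handshake step by step, and wait with select() only for the time remaining until a single wall-clock deadline; when the deadline passes, close the file descriptor so the half-open connection does not linger. The example uses Python's ssl module (a thin wrapper over OpenSSL) so that it runs stand-alone; in C the same loop is written around SSL_connect(), SSL_get_error() returning SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, and poll() with the remaining time. The "receiving box" is a constructed stand-in: a local listener that accepts TCP but never speaks TLS, which is exactly the situation described in the original message. The function and class names are the author's own.

```python
import select
import socket
import ssl
import threading
import time


class TlsHandshakeTimeout(Exception):
    """Raised when the TLS handshake does not complete before the deadline."""


def tls_connect_with_deadline(host, port, handshake_timeout, server_hostname=None, context=None):
    """TCP-connect and run the TLS handshake under ONE overall deadline.

    The socket is non-blocking, so each handshake step returns at once with
    WANT_READ / WANT_WRITE (the same states SSL_get_error() reports in C); we
    then wait with select() for at most the time left before the deadline.
    On timeout the socket is closed, so no fd is left waiting forever.
    """
    ctx = context or ssl.create_default_context()  # normal certificate verification stays on
    deadline = time.monotonic() + handshake_timeout
    # The TCP connect shares the same budget; the deadline was taken before it.
    raw = socket.create_connection((host, port), timeout=handshake_timeout)
    raw.setblocking(False)
    tls = ctx.wrap_socket(raw, server_hostname=server_hostname or host,
                          do_handshake_on_connect=False)
    try:
        while True:
            try:
                tls.do_handshake()  # one SSL_connect() step
                return tls
            except ssl.SSLWantReadError:
                readable, writable = [tls], []
            except ssl.SSLWantWriteError:
                readable, writable = [], [tls]
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                raise TlsHandshakeTimeout("TLS handshake deadline exceeded")
            r, w, _ = select.select(readable, writable, [], remaining)
            if not r and not w:
                raise TlsHandshakeTimeout("peer sent nothing within %.2fs" % handshake_timeout)
    except BaseException:
        tls.close()  # closes the underlying TCP socket as well
        raise


def start_silent_tcp_server():
    """Constructed stand-in for a box that has TCP bound but no TLS on the port.

    It accepts the connection, holds it open and never reads or writes, so the
    client's ClientHello is never answered.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port
    srv.listen(1)
    held = []

    def run():
        try:
            conn, _ = srv.accept()
            held.append(conn)
        except OSError:
            pass

    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    return srv, held, worker


def handshake_against_plain_tcp(handshake_timeout=0.5):
    """Reproduce the thread's scenario and report (outcome, elapsed_seconds)."""
    srv, held, worker = start_silent_tcp_server()
    port = srv.getsockname()[1]
    start = time.monotonic()
    try:
        tls = tls_connect_with_deadline("127.0.0.1", port, handshake_timeout,
                                        server_hostname="localhost")
        tls.close()
        outcome = "handshake completed"
    except TlsHandshakeTimeout:
        outcome = "timeout"
    finally:
        elapsed = time.monotonic() - start
        worker.join(timeout=1.0)
        for conn in held:
            conn.close()
        srv.close()
    return outcome, elapsed


if __name__ == "__main__":
    result, secs = handshake_against_plain_tcp(0.5)
    print("%s after %.2fs" % (result, secs))
```

Running the block prints that the handshake timed out shortly after the half-second budget, and the client socket is closed on the way out rather than parked in a blocking read. Note that the deadline covers the whole handshake, not each individual read, which is the property a per-operation socket timeout alone does not give you.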