[asterisk-dev] SIP TLS handshake needs a timeout

Klaus Darilion klaus.mailinglists at pernau.at
Tue Sep 29 16:27:34 CDT 2009


Olle E. Johansson wrote:
> 29 sep 2009 kl. 09.50 skrev Klaus Darilion:
> 
>>
>> David Vossel schrieb:
>>> Hello!
>>>
>>> Here's the problem.  Right now, if Asterisk attempts to initiate a
>>> SIP TLS client connection with another Asterisk box, but the
>>> receiving box only has TCP bound to the incoming connection's port, a
>>> TCP connection will be established between the two boxes, but the box
>>> initiating the connection will forever be stuck waiting for the
>>> receiving box to complete the TLS handshake.  This is a huge problem
>>> because TLS connection setup is done while the monitor lock is held.
>>> This patch aims at fixing that issue,
>>> https://reviewboard.asterisk.org/r/380/, but does not resolve the
>>> fact that a TLS connection will never go away if the TLS handshake
>>> does not complete.
>>>
>>> I've looked over the openssl toolkit and have not been able to find a
>>> successful method of doing this.  I've even attempted some rather
>>> unorthodox methods of scheduling the file descriptor's closure during
>>> the handshake after a period of time, and that did not work either.
>>> Note that this is not a timeout involving the setup of the TCP socket; it
>>> occurs after that, once the TLS client initiates the TLS handshake
>>> and gets no response.
>>>
>>> Perhaps I am overlooking some obvious solution here.  Does anyone
>>> have any ideas?
>> sip-router tls module has several timeout values:
>>
>> send_timeout (int)
>> Sets the maximum interval of time after which sip-router will give up
>> trying to send a message over tls (time after a tls send will be aborted
>> and the corresponding tls connection closed). The value is in seconds.
>>
>> handshake_timeout (int)
>> Sets the maximum interval of time after which sip-router will give up
>> trying to accept a tls connection or connect to a tls peer. The value is
>> in seconds.
>>
>> connection_timeout (int)
>> Sets the amount of time after which an idle tls connection will be
>> closed. This is similar to tcp_connection_lifetime. The value is
>> expressed in seconds.
>>
>>
>> So, it should be doable. Maybe you get some ideas from his code:
>> http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=tree;f=modules/tls;h=163532152dcbf9618212230a38d1f934d2bd2125;hb=HEAD
> 
> Due to licensing issues we can't copy source code from sip-router.org.
> 
> Thanks for the information though!
> 
> Any BSD licensed code that we can look at?

apache?
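The timeout David describes can be built on top of OpenSSL without any help from the library itself, by running the handshake on a non-blocking socket and bounding each wait for the peer with select() and the time left until a deadline. The following is an added example written for this page; it is not code from the thread, from Asterisk or from sip-router. It uses Python's standard ssl module (an OpenSSL wrapper) because it can be run as-is: the other end of a socketpair stands in for the box that accepted the TCP connection but only has TCP bound, so it never answers the ClientHello. The hostname "peer.example", the 0.5 s deadline and the plain-TCP SIP reply bytes are assumptions made up for the example.

```python
import select
import socket
import ssl
import time


def tls_handshake_with_deadline(sock, ctx, server_hostname, timeout):
    """Run the TLS client handshake on an already-connected stream socket,
    but give up once `timeout` seconds have passed without it completing.

    This is the non-blocking SSL_connect() pattern: each time the library
    reports that it must wait for the peer (WANT_READ / WANT_WRITE), wait
    with select() for at most the time left until the deadline, then retry.
    Returns the SSLSocket on success.  Raises TimeoutError if the peer never
    answers the ClientHello, or ssl.SSLError if it answers with non-TLS data.
    """
    sock.setblocking(False)
    tls = ctx.wrap_socket(sock, server_hostname=server_hostname,
                          do_handshake_on_connect=False)
    deadline = time.monotonic() + timeout
    try:
        while True:
            try:
                tls.do_handshake()
                return tls
            except ssl.SSLWantReadError:
                readers, writers = [tls], []
            except ssl.SSLWantWriteError:
                readers, writers = [], [tls]
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                raise TimeoutError(
                    "TLS handshake not completed within %.2fs" % timeout)
            # Block only until the socket is usable again or the deadline hits.
            select.select(readers, writers, [], remaining)
    except BaseException:
        tls.close()
        raise


# Constructed sample of what a plain-TCP SIP stack might send back to a
# ClientHello it cannot parse; these bytes are not a real capture.
NON_TLS_REPLY = b"SIP/2.0 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def handshake_outcome(peer_reply, timeout):
    """Connect a TLS client to a simulated peer over a socketpair and report
    ("ok" | "timeout" | "tls-error", seconds elapsed).

    peer_reply=None models the box from the thread that accepted the TCP
    connection but has no TLS listener on that port: it never sends a byte.
    A non-empty peer_reply models a plain-TCP SIP peer that does answer.
    """
    client_end, peer_end = socket.socketpair()
    ctx = ssl.create_default_context()  # ordinary verifying client context
    started = time.monotonic()
    try:
        if peer_reply:
            peer_end.sendall(peer_reply)
        # "peer.example" is a placeholder name; verification is never reached
        # in either simulated case because the handshake does not complete.
        tls = tls_handshake_with_deadline(client_end, ctx, "peer.example", timeout)
        tls.close()
        outcome = "ok"
    except TimeoutError:
        outcome = "timeout"
    except ssl.SSLError:
        outcome = "tls-error"
    finally:
        peer_end.close()
    return outcome, time.monotonic() - started


if __name__ == "__main__":
    for label, reply in (("silent TCP-only peer", None),
                         ("plain-TCP SIP peer", NON_TLS_REPLY)):
        outcome, elapsed = handshake_outcome(reply, 0.5)
        print("%-22s -> %-9s after %.2fs" % (label, outcome, elapsed))
```

The two simulated peers show why the silent one is the dangerous case: a peer that answers with non-TLS bytes makes the handshake fail immediately with a protocol error, whereas a peer that accepts the TCP connection and then says nothing would block forever unless the caller imposes its own deadline. The same loop in C is: put the fd in non-blocking mode, SSL_set_fd(), call SSL_connect(), and when it returns -1 with SSL_get_error() equal to SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, select() or poll() on the fd for the remaining time before calling SSL_connect() again; once the deadline passes, free the SSL object and close the fd.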


