[asterisk-dev] [Code Review] 2783: Fix SIP/TLS reading - random connection drop

David Lee reviewboard at asterisk.org
Thu Aug 29 15:25:58 CDT 2013


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/2783/#review9562
-----------------------------------------------------------


If you can get your hands on a copy of "Network Security with
OpenSSL"[1], check out the section on non-blocking I/O (somewhere in the
depths of Chapter 5 in my edition).

 [1]: http://shop.oreilly.com/product/9780596002701.do


/trunk/main/tcptls.c
<https://reviewboard.asterisk.org/r/2783/#comment18678>

    Maybe it happens less often, but ssl_write would have the same problem.



/trunk/main/tcptls.c
<https://reviewboard.asterisk.org/r/2783/#comment18676>

    An SSL_read() may, ironically, fail with an SSL_ERROR_WANT_WRITE. A
    read may require a renegotiation, which can happen at any time.



/trunk/main/tcptls.c
<https://reviewboard.asterisk.org/r/2783/#comment18677>

    This has the possibility of turning what's normally a non-blocking
    read into a blocking read. I have no idea what the broader
    implications of that might be, if any.


- David Lee


On Aug. 21, 2013, 3:24 p.m., Tzafrir Cohen wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/2783/
> -----------------------------------------------------------
> 
> (Updated Aug. 21, 2013, 3:24 p.m.)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Bugs: ASTERISK-18345
>     https://issues.asterisk.org/jira/browse/ASTERISK-18345
> 
> 
> Repository: Asterisk
> 
> 
> Description
> -------
> 
> Symptom: Asterisk drops a SIP/TLS connection: debugging reports that it has failed to read it.
> 
> I can reproduce this on my system when the TLS client is Asterisk 11.5 (installed from the Debian package) set with 'allow=all' to get a long list of codecs.
> 
> Calling ast_wait_for_input before every fgets is not sufficient.
> Function fgets internally calls read (=> SSL_read) until either "\n" or
> eof is found. And because the socket is polled only before the first
> SSL_read call, consequent calls can fail and return <=0 even though the
> data are on the way.
>     
> This is fixed by adding a read() loop inside the ssl_read() hook.
> 
> I came across this patch today and it looks like it fixes my problem (see my comment at the end). The patch I used is by Filip Jenicek. See the bug report for the full log.
> 
> 
> Diffs
> -----
> 
>   /trunk/main/tcptls.c 397346 
> 
> Diff: https://reviewboard.asterisk.org/r/2783/diff/
> 
> 
> Testing
> -------
> 
> Work on trunk.
> 
> 
> Thanks,
> 
> Tzafrir Cohen
> 
>
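
Added example, not part of the original e-mail or of the Asterisk patch: a retry loop for a non-blocking TLS read that waits for the direction the TLS layer asks for (a read can want the socket writable) and stays bounded by one overall deadline, so it never becomes an indefinite blocking read. The names io_want, tls_io_fn, read_with_retry, scripted_io and demo are hypothetical; in real code the callback would wrap SSL_read() and SSL_get_error(), mapping SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE, and here it is replaced by a constructed transport over a socketpair so the block builds without libssl.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical stand-ins for one SSL_read() + SSL_get_error() attempt. */
enum io_want { IO_DONE, IO_WANT_READ, IO_WANT_WRITE, IO_FATAL };
typedef int (*tls_io_fn)(void *ctx, void *buf, int len, enum io_want *want);
static long now_ms(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000L + ts.tv_nsec / 1000000L;
}
/* Returns bytes read, 0 on timeout, -1 on fatal error. */
int read_with_retry(tls_io_fn io, void *ctx, int fd, void *buf, int len, int timeout_ms) {
    long deadline = now_ms() + timeout_ms;
    for (;;) {
        enum io_want want = IO_FATAL;
        int n = io(ctx, buf, len, &want);
        if (want == IO_DONE) return n;
        if (want == IO_FATAL) return -1;
        /* A read may need the socket writable (renegotiation): wait for what was asked. */
        struct pollfd pfd = { .fd = fd, .events = want == IO_WANT_WRITE ? POLLOUT : POLLIN };
        long left = deadline - now_ms();
        int rc = left > 0 ? poll(&pfd, 1, (int)left) : 0;
        if (rc == 0) return 0;  /* overall deadline keeps the wait bounded */
        if (rc < 0 && errno != EINTR) return -1;
    }
}

/* Constructed transport: try 1 wants read, try 2 wants write, try 3 has data. */
static int scripted_io(void *ctx, void *buf, int len, enum io_want *want) {
    int step = (*(int *)ctx)++;
    if (step >= 2 && len >= 2) { memcpy(buf, "OK", 2); *want = IO_DONE; return 2; }
    *want = step == 0 ? IO_WANT_READ : IO_WANT_WRITE;
    return -1;
}
/* Runs the loop on a socketpair; feed != 0 queues a byte so POLLIN fires. */
int demo(int feed, int timeout_ms) {
    int sv[2], step = 0, n; char buf[8];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -2;
    if (feed && write(sv[1], "x", 1) != 1) return -2;
    n = read_with_retry(scripted_io, &step, sv[0], buf, sizeof buf, timeout_ms);
    close(sv[0]); close(sv[1]);
    return n;
}
```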
