[asterisk-dev] "Security denial" error in calls from H323 trunk (ooh323.c)

Gabriele Odone gabriele.odone at gmail.com
Tue Oct 22 03:21:24 CDT 2013


Hi Alexander,

I have raised bug "ASTERISK-22738" on Jira. If more info is needed,
please let me know.

Thanks
Kind Regards

Gabriele



>Gabriele,

>It would be better if you create the issue on the issues.asterisk.org tracker.
>Unfortunately I don't know what "Polycom CMA" is, but I guess it's some
>H.323 gateway or gatekeeper, not just an endpoint.
>To solve the issue, some additional info and logs will be needed, which you
>could attach to the issue on the tracker.

>Comparing the socket and signalling IP does additional security checking for
>ugly signalling, but it looks like the signalling and connection IP addresses
>can differ in some cases for a normal connection.


> Dears,
>
> Environment: Asterisk 11.4
> Objective: attempting H.323 trunk integration with "Polycom CMA" using
> ooh323 module.
>
> When placing H323 calls from the Polycom CMA, the call goes through the
> trunk (as shown by tcpdump) but is rejected by Asterisk with the
> following error in /var/log/asterisk/h323_log
>
> ==================
> 10:40:28:564 ERROR: Security denial remote sig IP isn't a socket ip, 10.44.1.156 not 10.71.0.55 (incoming, ooh323c_1)
> 10:40:28:565 ERROR:Failed ooH2250Receive - Clearing call (incoming, ooh323c_1)
> ==================
>
> (In the log, 10.44.1.156 being IP address of H323 client registered to
> Polycom CMA, 10.71.0.55 being the address of Polycom CMA).
>
> tcpdump shows "disengageRequest" H.225 sent by Asterisk to Polycom CMA.
>
> I solved this problem by commenting these lines in ooh323.c and recompiling:
>
> =======================
> if (strncmp(remoteIP, call->remoteIP, strlen(remoteIP))) {
>    OOTRACEERR5("ERROR: Security denial remote sig IP isn't a socket ip, %s not %s "
>                "(%s, %s)\n", remoteIP, call->remoteIP, call->callType,
>                call->callToken);
>    return OO_FAILED;
> }
> =======================
>
> I am not sure if the above code is correct at all; how can the trunk
> work with it? I suppose there might be a way to disable the check in a
> cleaner way, but I found no option like that.
>
> Thanks
>
> Kind Regards
>
> Gabriele Odone
>
>
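
An added example, not code from ooh323.c or from either poster: one way to keep the signalling-versus-socket address check while still accepting calls relayed by a known gatekeeper, rather than commenting the check out. The `trusted_relays` list and all function names are hypothetical, and the addresses are the ones from the log above; the example also shows that the quoted `strncmp(..., strlen(remoteIP))` comparison is a string prefix match, not an address match.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allow-list of gatekeepers permitted to relay signalling
 * for other endpoints (sample value: the Polycom CMA address in the log). */
static const char *trusted_relays[] = { "10.71.0.55" };

/* Exact comparison: parse both strings and compare all 32 address bits. */
static int same_ipv4(const char *a, const char *b)
{
    struct in_addr ia, ib;
    if (inet_pton(AF_INET, a, &ia) != 1 || inet_pton(AF_INET, b, &ib) != 1)
        return 0;                       /* unparsable input never matches */
    return ia.s_addr == ib.s_addr;
}

/* The comparison as quoted in the thread; nonzero means "deny".
 * It compares only strlen(sig_ip) characters, so "10.44.1.15" passes
 * against a socket address of "10.44.1.156". */
int quoted_check_denies(const char *sig_ip, const char *sock_ip)
{
    return strncmp(sig_ip, sock_ip, strlen(sig_ip)) != 0;
}

/* Assumed policy: accept when the signalled address is the socket peer,
 * or when the socket peer is a configured relay. Returns 1 to accept. */
int sig_source_allowed(const char *sig_ip, const char *sock_ip)
{
    size_t i;
    if (same_ipv4(sig_ip, sock_ip))
        return 1;                       /* direct call */
    for (i = 0; i < sizeof trusted_relays / sizeof trusted_relays[0]; i++)
        if (same_ipv4(sock_ip, trusted_relays[i]))
            return 1;                   /* relayed by a trusted gatekeeper */
    return 0;
}

int main(void)
{
    printf("relayed via CMA: %d\n", sig_source_allowed("10.44.1.156", "10.71.0.55"));
    printf("unknown relay:   %d\n", sig_source_allowed("10.44.1.156", "192.0.2.7"));
    printf("prefix, quoted:  %d\n", !quoted_check_denies("10.44.1.15", "10.44.1.156"));
    return 0;
}
```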