
Summary: ASTERISK-09464: RSA peer auth broken in 1.4?
Reporter: kuj (kuj)
Labels:
Date Opened: 2007-05-17 12:12:37
Date Closed: 2007-06-12 10:17:07
Priority: Minor
Regression?: No
Status: Closed/Complete
Components: Core/General
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) master.txt
             (1) slave.txt
Description:RSA (certificate based) authentication doesn't seem to work anymore in 1.4. Server A ("slave") dials an extension on server B ("master"), and both servers have their iax.conf set up for RSA auth. Public keys are distributed to both servers. Server B will then issue an IAX AUTHREQ request, which never seems to make it to the originating server.

"Downgrading" server B (receiving server) to 1.2.x will have the call succeed. Version of originating server does not seem to matter.

****** ADDITIONAL INFORMATION ******

On server A (originator)

exten => _x.,1,Dial(IAX2/master/${EXTEN},60)

iax.conf

[master]
type=friend
username=lxslave
auth=rsa
outkey=slave
host=192.168.99.10
context=home
notransfer=yes
disallow=all
allow=ulaw

iax.conf on B (receiving server)

[lxslave]
type=friend
auth=rsa
inkeys=slave
context=home
host=dynamic
defaultip=10.1.1.2
notransfer=yes
qualify=2000
disallow=all
allow=ulaw

Attached are some IAX debug traces from both machines.
Comments:

By: Joshua C. Colp (jcolp) 2007-06-06 10:08:26

I assume you can get other packets between the two machines? This also doesn't seem to be an RSA issue exactly but a networking issue. Packets from master aren't getting to slave.

By: kuj (kuj) 2007-06-07 05:26:59

Yes, other traffic does flow, albeit limited to a few ports. Both servers are behind different firewalls. Ports on the "master side" firewall are port-forwarded. When I "downgrade" just the asterisk software on the master from 1.4.4 to 1.2.1x, everything works flawlessly. (The rest of the system stays identical, incl. IP addresses, forwarded ports from the firewall, etc.) Only when 1.4.x is running on the master does the authentication not succeed. Again, version of the slave asterisk does not seem to matter.

Did anything change in 1.4 as far as call control goes that is not documented in the UPGRADE document?

(I may not be very responsive over the next few days. Traveling internationally, on the other side of the world, unable to put significant effort into more testing. Will be back to it next week.)



By: Joshua C. Colp (jcolp) 2007-06-07 12:07:39

Not that I can think of... have you tried tcpdump/ethereal/wireshark to see if the packets are actually being transmitted?

By: kuj (kuj) 2007-06-12 10:15:59

Please close this report, with a disposition of "pilot error". Went at it with ethereal. Packets were getting back and forth; however, it turns out that IAX was binding to the wrong interface, thus using an IP address that was not expected to be used.

It would be useful if e.g. "iax show stats" or maybe even a new command "iax show status" would display the interface it bound to.
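
The resolution above comes down to two things that can be compared directly: the address chan_iax2 is configured to bind to (the bindaddr and bindport options in the [general] section of iax.conf) and the address its UDP socket actually ended up on, which the OS socket table (ss or netstat) shows even though the Asterisk CLI of the time did not. The script below is an added example written for this page; it is not code from the ticket, from Asterisk or from its CLI. It parses an iax.conf fragment and ss-style output, classifies the binding against the address the peer side expects to reach, and reproduces the ticket's situation with constructed inputs. Everything in it is assumed for illustration: the function names, the 10.0.0.5 "wrong interface" address, and the use of 192.168.99.10 (the host= line the slave dials in the posted config) as the address the master-side port-forward delivers to. The posted config does not show the master's [general] section, so the sample fragments are invented, with the ticket's [lxslave] peer only as a reminder that bindaddr is a [general] option and a peer section never affects it.

```shell
#!/bin/sh
# Added example, not code from the ASTERISK-09464 ticket or from Asterisk.
# Cross-checks what chan_iax2 is configured to bind to (bindaddr/bindport in
# the [general] section of iax.conf) against the address its UDP socket is
# actually listening on, as reported by `ss -lun`, and compares both with the
# address the peer side expects to reach.  Sample inputs are constructed.

# Print the value of key $1 from the [general] section of an iax.conf read on
# stdin.  First match wins, inline ';' comments are stripped, commented-out
# keys (';bindaddr=...') are ignored.  Prints nothing if the key is unset.
iax_conf_general() {
    awk -F'=' -v key="$1" '
        /^[[:space:]]*\[/ { in_general = ($0 ~ /^[[:space:]]*\[general\]/); next }
        in_general && $1 ~ ("^[[:space:]]*" key "[[:space:]]*$") {
            v = $2; sub(/[[:space:]]*;.*/, "", v); gsub(/[[:space:]]/, "", v)
            print v; exit
        }'
}

# IAX2 port from iax.conf on stdin, defaulting to 4569 when bindport is unset.
iax_conf_port() {
    p=$(iax_conf_general bindport)
    echo "${p:-4569}"
}

# Print the local address of the UDP socket listening on port $1, reading
# `ss -lun` (or `netstat -lun`) output on stdin.  The field ending in ":PORT"
# is located instead of a fixed column, so layouts with and without a Netid
# column both work.  Prints nothing if no socket is on that port.
iax_socket_addr() {
    awk -v port="$1" '
        { for (i = 1; i <= NF; i++)
              if ($i ~ (":" port "$")) { a = $i; sub(/:[0-9]+$/, "", a); print a; exit } }'
}

# Classify the live binding against the address the other peer (and the
# forwarding rule in front of it) expects, $1.  $2 is the iax.conf text, $3
# the ss output.  Prints exactly one of:
#   no-socket  nothing listens on the IAX2 port (chan_iax2 not loaded?)
#   any        bound to all interfaces: on a multi-homed box the kernel picks
#              the source address per route, so packets may still leave from
#              an address the peer did not expect
#   ok         bound to the expected address
#   mismatch   bound to a specific address that is not the expected one
iax_bind_status() {
    expected=$1; conf=$2; ss_out=$3
    port=$(printf '%s\n' "$conf" | iax_conf_port)
    sock=$(printf '%s\n' "$ss_out" | iax_socket_addr "$port")
    case "$sock" in
        '')                 echo no-socket ;;
        0.0.0.0|'*'|'[::]') echo any ;;
        "$expected")        echo ok ;;
        *)                  echo mismatch ;;
    esac
}

# One-line human-readable report built from the functions above.
iax_bind_report() {
    want=$(printf '%s\n' "$2" | iax_conf_general bindaddr)
    port=$(printf '%s\n' "$2" | iax_conf_port)
    have=$(printf '%s\n' "$3" | iax_socket_addr "$port")
    printf 'iax.conf bindaddr=%s port=%s, socket on %s, peer expects %s: %s\n' \
        "${want:-<unset, defaults to 0.0.0.0>}" "$port" "${have:-<none>}" "$1" \
        "$(iax_bind_status "$1" "$2" "$3")"
}

# Constructed iax.conf fragment: $1 is the [general] line under test
# ('bindaddr=10.0.0.5', or '' to leave bindaddr unset).  The [lxslave] peer
# is the ticket's; bindaddr is a [general] option, so it never affects the result.
sample_conf() {
    printf '%s\n' '[general]' "$1" 'bindport=4569 ; default IAX2 port' \
        '' '[lxslave]' 'type=friend' 'auth=rsa' 'inkeys=slave'
}

# Constructed stand-in for `ss -lunp` output (not a capture): the IAX2 socket
# bound to $1, plus an unrelated SIP socket as noise.
sample_ss() {
    printf '%s\n' \
        'State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process' \
        "UNCONN 0      0      $1:4569            0.0.0.0:*         users:((\"asterisk\",pid=1234,fd=13))" \
        'UNCONN 0      0      0.0.0.0:5060       0.0.0.0:*         users:(("asterisk",pid=1234,fd=9))'
}

# Demo.  192.168.99.10 is the host= the slave dials in the ticket and is
# assumed here to be where the master-side port-forward delivers; the
# 10.0.0.5 binding is made up to reproduce the "wrong interface" case.
iax_bind_report 192.168.99.10 "$(sample_conf 'bindaddr=10.0.0.5')"      "$(sample_ss 10.0.0.5)"
iax_bind_report 192.168.99.10 "$(sample_conf 'bindaddr=192.168.99.10')" "$(sample_ss 192.168.99.10)"
iax_bind_report 192.168.99.10 "$(sample_conf '')"                       "$(sample_ss 0.0.0.0)"
# Live use on a real box (not run here; ss needs root only for -p):
#   iax_bind_report 192.168.99.10 "$(cat /etc/asterisk/iax.conf)" "$(ss -lun)"
```

The "any" case is worth a second look even when the call works: with bindaddr left at its default, which socket address a multi-homed host sends from is decided by the routing table, so a later routing change can move IAX traffic onto an address the remote firewall does not forward. Pinning bindaddr to the forwarded address, then confirming it in the socket table as above, removes that dependency.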

By: Joshua C. Colp (jcolp) 2007-06-12 10:17:07

"Pilot error" ;)