
Summary: ASTERISK-13847: Need ability to select TLS version in outgoing messages
Reporter: TheOldSaint (theoldsaint)
Labels:
Date Opened: 2009-03-26 15:57:15
Date Closed: 2009-04-29 16:14:29
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/TCP-TLS
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) SSLv2_Transaction.bmp
             (1) TLS_Transaction.bmp
Description: This issue is found with the Asterisk 1.6.1rc1 build. The network consists of a 3rd party gateway/SIP server (Avaya CM or Cisco UCM) on one end and Asterisk on the other. I have enabled TLS on each of the servers. The call scenario is as below:

Avaya 9620 SIP phone is an Avaya CM end point
Snom 300 SIP phone is an Asterisk end point

Avaya 9620 <-TLS-> Avaya CM <---TLS---> Asterisk 1.6.1rc1 <-TLS-> Snom 300

When calling from an Asterisk end-point to an Avaya end-point, Asterisk sends a Client Hello to establish a TLS connection with Avaya. This Client Hello is sent as an 'SSLv2 Record Layer' in the TCP packet as opposed to a 'TLS Record Layer'. The ideal packet should have contained a 'TLS Record Layer' header with a 'Version' header of TLS 1.0. It would be nice to make this configurable within sip.conf, because many industry standard SIP servers/gateways reject the TLS handshake since it is not a TLS header but an SSL header, and the call cannot complete.

There is such a parameter in OpenSIPS called "tls_method = TLSv1". Other values for this parameter are SSLv1 and SSLv23. Some such configurable setting will be highly helpful in cases where the server that Asterisk is trying to talk to (over TLS) supports only TLS 1.0 and not SSLv2 or SSLv3. Such a parameter will help force Asterisk to initiate a TLS transaction rather than an SSL transaction. I have attached two screenshots of traces, one for the SSL transaction and the other for the TLS transaction.
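The two attached traces differ in the first bytes of the ClientHello: one uses the 2-byte SSLv2 record header that OpenSSL's SSLv23 client method emits, the other the 5-byte TLS record header. The following Python script is an added example, not part of this issue or of the Asterisk patch; it parses both framings and reports which one a captured TCP payload uses together with the version the client advertises. All function names are the example's own, and the sample ClientHellos it builds are constructed inline (cipher suite 0x002f, zero-filled random and challenge fields) purely as test data.

```python
"""Classify a captured ClientHello as SSLv2 record-layer or TLS record-layer.

Added example, not Asterisk code. It follows the TLS record framing of
RFC 2246 and the SSLv2 CLIENT-HELLO framing that OpenSSL's SSLv23 client
method sends as its first message.
"""
import struct

VERSION_NAMES = {
    0x0002: "SSLv2",
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
}


def version_name(v: int) -> str:
    return VERSION_NAMES.get(v, "unknown(0x%04x)" % v)


def classify_client_hello(payload: bytes) -> dict:
    """Return the record-layer framing and the client version of a ClientHello.

    Raises ValueError for anything that is not a ClientHello in either framing.
    """
    if len(payload) < 5:
        raise ValueError("payload too short for a record header")
    b0 = payload[0]

    # TLS record layer: content type 0x16 (handshake), 2-byte version,
    # 2-byte length, then a handshake header: type 0x01 (ClientHello),
    # 3-byte length, 2-byte client_version.
    if b0 == 0x16:
        record_version, record_len = struct.unpack(">HH", payload[1:5])
        if len(payload) < 5 + record_len:
            raise ValueError("truncated TLS record")
        if record_len < 6 or payload[5] != 0x01:
            raise ValueError("TLS record does not carry a ClientHello")
        hs_len = int.from_bytes(payload[6:9], "big")
        if hs_len + 4 != record_len:
            raise ValueError("handshake length disagrees with record length")
        client_version = struct.unpack(">H", payload[9:11])[0]
        return {
            "record_layer": "TLS",
            "record_version": version_name(record_version),
            "client_version": version_name(client_version),
            "legacy_framing": False,
        }

    # SSLv2 record layer: the high bit of the first byte marks a 2-byte
    # header whose low 15 bits are the body length. The body starts with
    # message type 0x01 (CLIENT-HELLO) and the 2-byte version the client
    # actually wants to negotiate (0x0301 here, even though the framing is
    # SSLv2), which is exactly what strict TLS-only peers reject.
    if b0 & 0x80:
        record_len = ((b0 & 0x7F) << 8) | payload[1]
        if len(payload) < 2 + record_len:
            raise ValueError("truncated SSLv2 record")
        if record_len < 3 or payload[2] != 0x01:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        client_version = struct.unpack(">H", payload[3:5])[0]
        return {
            "record_layer": "SSLv2",
            "record_version": None,
            "client_version": version_name(client_version),
            "legacy_framing": True,
        }

    raise ValueError("first byte 0x%02x is neither a TLS nor an SSLv2 record" % b0)


def build_sslv2_compat_hello(client_version: int = 0x0301) -> bytes:
    """Constructed sample: SSLv2-framed CLIENT-HELLO offering one cipher spec."""
    cipher_specs = b"\x00\x00\x2f"   # TLS_RSA_WITH_AES_128_CBC_SHA in SSLv2 3-byte form
    challenge = bytes(16)            # constructed, all zeros
    body = (b"\x01" + struct.pack(">H", client_version)
            + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_hello(client_version: int = 0x0301) -> bytes:
    """Constructed sample: TLS-framed ClientHello with one cipher suite."""
    random32 = bytes(32)             # constructed, all zeros
    hs_body = (struct.pack(">H", client_version) + random32
               + b"\x00"             # session_id length 0
               + b"\x00\x02\x00\x2f" # one cipher suite
               + b"\x01\x00")        # one compression method: null
    handshake = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16" + struct.pack(">HH", client_version, len(handshake)) + handshake


if __name__ == "__main__":
    for name, hello in (("SSLv2 framing", build_sslv2_compat_hello()),
                        ("TLS framing", build_tls_hello())):
        print(name, classify_client_hello(hello))
```

Feeding the first TCP payload of a captured TLS-over-5061 session into `classify_client_hello` is a quick way to confirm which framing a given Asterisk build emits before and after the configuration change; a `legacy_framing` result of True is the case the reporter describes, where a peer that only accepts a TLS record header drops the handshake.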
Comments:

By: Digium Subversion (svnbot) 2009-04-29 16:13:44

Repository: asterisk
Revision: 191177

U   trunk/CHANGES
U   trunk/configs/sip.conf.sample
U   trunk/include/asterisk/tcptls.h
U   trunk/main/tcptls.c

------------------------------------------------------------------------
r191177 | dvossel | 2009-04-29 16:13:44 -0500 (Wed, 29 Apr 2009) | 13 lines

SIP option to specify outbound TLS/SSL client protocol.

chan_sip allows for outbound TLS connections, but does not allow the user to specify what protocol to use (default was SSLv2, and still is if this new option is not specified).  This patch lets the user pick the SSL/TLS client method for outbound connections in sip.

(closes issue ASTERISK-13847)
Reported by: TheOldSaint

(closes issue ASTERISK-13845)
Reported by: TheOldSaint

Review: http://reviewboard.digium.com/r/240/


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=191177

By: Digium Subversion (svnbot) 2009-04-29 16:14:29

Repository: asterisk
Revision: 191178

_U  branches/1.6.2/

------------------------------------------------------------------------
r191178 | dvossel | 2009-04-29 16:14:29 -0500 (Wed, 29 Apr 2009) | 18 lines

Blocked revisions 191177 via svnmerge

........
 r191177 | dvossel | 2009-04-29 16:13:43 -0500 (Wed, 29 Apr 2009) | 13 lines
 
 SIP option to specify outbound TLS/SSL client protocol.
 
 chan_sip allows for outbound TLS connections, but does not allow the user to specify what protocol to use (default was SSLv2, and still is if this new option is not specified).  This patch lets the user pick the SSL/TLS client method for outbound connections in sip.
 
 (closes issue ASTERISK-13847)
 Reported by: TheOldSaint
 
 (closes issue ASTERISK-13845)
 Reported by: TheOldSaint
 
 Review: http://reviewboard.digium.com/r/240/
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=191178