Summary: | ASTERISK-17720: Certificate errors don't result in immediate termination of an outbound call | ||
Reporter: | Terry Wilson (twilson) | Labels: | |
Date Opened: | 2011-04-19 13:39:30 | Date Closed: | |
Priority: | Minor | Regression? | No |
Status: | Open/New | Components: | Channels/chan_sip/TCP-TLS |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ||
Description: | When Asterisk generates an INVITE to a peer via TLS, if the certificate verification fails the call is left up until it times out instead of immediately failing.

****** STEPS TO REPRODUCE ******

Generate a certificate for a second Asterisk box with a hostname as the Common Name, then on the first Asterisk box, define a peer with host=<ip address of second Asterisk box> and transport=tls. Then:

    *CLI> sip set debug on
    *CLI> channel originate SIP/tlstest/info application Playback tt-monkeys

****** ADDITIONAL INFORMATION ******

    *CLI> sip set debug on
    SIP Debugging enabled
    *CLI> channel originate SIP/tlstest/info application Playback tt-monkeys
    == Using SIP RTP CoS mark 5
    Audio is at 5061
    Adding codec 0x2 (gsm) to SDP
    Adding codec 0x4 (ulaw) to SDP
    Adding codec 0x8 (alaw) to SDP
    Adding codec 0x800000000000 (testlaw) to SDP
    Adding non-codec 0x1 (telephone-event) to SDP
    Reliably Transmitting (no NAT) to 192.168.173.1:5061:
    INVITE sip:info@192.168.173.1 SIP/2.0
    Via: SIP/2.0/TLS 192.168.173.136:5061;branch=z9hG4bK78885a94
    Max-Forwards: 70
    From: "Anonymous" <sip:Anonymous@anonymous.invalid>;tag=as4832d166
    To: <sip:info@192.168.173.1>
    Contact: <sip:Anonymous@192.168.173.136:5061;transport=TLS>
    Call-ID: 10d2b74a39ef08405989cf0419202bbc@192.168.173.136:5061
    CSeq: 102 INVITE
    User-Agent: Asterisk PBX SVN-branch-1.8-r314251
    Date: Tue, 19 Apr 2011 18:32:53 GMT
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
    Supported: replaces, timer
    Content-Type: application/sdp
    Content-Length: 329

    v=0
    o=root 621830377 621830377 IN IP4 192.168.173.136
    s=Asterisk PBX SVN-branch-1.8-r314251
    c=IN IP4 192.168.173.136
    t=0 0
    m=audio 10548 RTP/AVP 3 0 8 101
    a=rtpmap:3 GSM/8000
    a=rtpmap:0 PCMU/8000
    a=rtpmap:8 PCMA/8000
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-16
    a=silenceSupp:off - - - -
    a=ptime:20
    a=sendrecv
    ---
    SSL certificate ok
    [Apr 19 11:32:53] ERROR[31726]: channel.c:3697 __ast_read: ast_read() on chan 'SIP/tlstest-00000000' called with no recorded file descriptor.
    [Apr 19 11:32:53] ERROR[31772]: tcptls.c:202 handle_tcptls_connection: Certificate common name did not match (192.168.173.1)

[ channel originate pauses for a long time before returning to a *CLI> prompt ] | ||
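Because the call stays up until it times out, the only prompt sign of the failed verification is the tcptls.c error in the log. The following is an added example, not part of the original report or of Asterisk: a small parser for the timestamped log lines quoted above that picks out the common-name mismatch errors and counts them per reported name. The function names and the sample list are assumptions made for illustration; the third sample line is constructed.

```python
import re
from collections import Counter

# Layout of the timestamped lines quoted in the report:
# [Apr 19 11:32:53] ERROR[31772]: tcptls.c:202 handle_tcptls_connection: <msg>
LOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2})\] "
    r"(?P<level>[A-Z]+)\[(?P<tid>\d+)\]: "
    r"(?P<file>[\w.]+):(?P<line>\d+) (?P<func>\w+): (?P<msg>.*)$"
)
CN_RE = re.compile(r"^Certificate common name did not match \((?P<name>[^)]*)\)$")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def cn_mismatches(lines):
    """Yield (timestamp, thread id, reported name) for each CN-mismatch error."""
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["level"] != "ERROR":
            continue
        m = CN_RE.match(rec["msg"])
        if m:
            yield rec["ts"], int(rec["tid"]), m.group("name")


def mismatch_counts(lines):
    """Count CN-mismatch errors per name, to spot a peer that fails on every call."""
    return Counter(name for _, _, name in cn_mismatches(lines))


# Sample input: the two ERROR lines from the report, a constructed repeat of
# the second one, and the untimestamped verbose line, which must be skipped.
SAMPLE = [
    "[Apr 19 11:32:53] ERROR[31726]: channel.c:3697 __ast_read: ast_read() on chan "
    "'SIP/tlstest-00000000' called with no recorded file descriptor.",
    "[Apr 19 11:32:53] ERROR[31772]: tcptls.c:202 handle_tcptls_connection: "
    "Certificate common name did not match (192.168.173.1)",
    "[Apr 19 11:40:07] ERROR[31790]: tcptls.c:202 handle_tcptls_connection: "
    "Certificate common name did not match (192.168.173.1)",  # constructed
    "--- SSL certificate ok",
]

if __name__ == "__main__":
    for name, count in mismatch_counts(SAMPLE).items():
        print(f"{count} certificate CN mismatch(es) for {name}")
```

In the report the name in parentheses is the address the peer was defined with, so a non-zero count for a peer points at a host= value that does not appear as the Common Name of that peer's certificate.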
Comments: |