Summary: ASTERISK-20074: TLS stops responding in 1.8.14-rc1 when an Aastra phone tries to register
Reporter: Trevor Hemsley (themsley)
Labels:
Date Opened: 2012-06-29 04:53:35
Date Closed: 2012-07-03 10:12:46
Versions:
Frequency of
Is related to: ASTERISK-20122 [Regression] seg faulted 10 times supposedly in ast_ssl_teardown while a TCP TLS node was re-regestering after the Asterisk reload
Environment: Linux, CentOS 5.8
Attachments:
( 0) ASTERISK-20074.diff
( 1) debug.gz
Description: I have just built vanilla asterisk from source as we are testing TLS support and had some problems, so I figured it would be worth attempting on the latest version. We're using a real but trial 30 day certificate from GeoTrust which requires an intermediate certificate to work. If we configure an Aastra 6757i to connect over TLS then asterisk almost immediately stops responding on the TLS port - no longer able even to connect with `openssl s_client -connect ip.ad.dr.ess:5061`

$ openssl s_client -connect x.x.x.x:5061
2000:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

I have also built 1.8.13 and that does not suffer the same problem. Rebuilding and backing out the changes in main/tcptls.c and commenting out the one-liner in channels/chan_sip.c that calls ast_ssl_teardown() also fixes it, so the problem is related to the changes in main/tcptls.c between 1.8.13 and .14.
Comments:

By: Trevor Hemsley (themsley) 2012-06-29 04:58:04.444-0500

Presumably related to the changelog entry

2012-05-18 17:47 +0000 [r367002-367027]  Mark Michelson <mmichelson@digium.com>

By: Mark Michelson (mmichelson) 2012-06-29 08:56:08.462-0500

I think the offending code may be the addition to session_instance_destructor() in main/tcptls.c

When a session instance gets destroyed, then the session instance's parent configuration is having its SSL_CTX freed and set NULL. I think the result is that this screws up other session instances from performing correctly since the SSL_CTX is not set back up at any point. Furthermore, the change in the destructor seems superfluous since the SSL_CTX should get properly freed by ast_ssl_teardown when chan_sip.so is unloaded.

I'll attach a patch soon.

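The ownership mistake described in the comment above, reduced to a small model (added example, not Asterisk's code): one listener configuration owns a shared context, every session points at its parent, and a per-session destructor that frees the parent's context leaves the listener unable to start any later handshake. The types `tls_config_t`, `session_t` and `ssl_ctx_t` are hypothetical stand-ins for the real structures and for OpenSSL's `SSL_CTX`.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for OpenSSL's SSL_CTX. */
typedef struct { int alive; } ssl_ctx_t;

/* One per listener (e.g. the SIP TLS port); shared by all its sessions. */
typedef struct { ssl_ctx_t *ssl_ctx; } tls_config_t;

/* One per client connection; borrows, but does not own, the parent's context. */
typedef struct { tls_config_t *parent; } session_t;

static ssl_ctx_t *ctx_new(void) {
    ssl_ctx_t *c = calloc(1, sizeof *c);
    c->alive = 1;
    return c;
}
static void ctx_free(ssl_ctx_t *c) { free(c); }

/* Buggy destructor: tearing down ONE session frees the listener's shared context. */
static void session_destroy_buggy(session_t *s) {
    if (s->parent->ssl_ctx) {
        ctx_free(s->parent->ssl_ctx);
        s->parent->ssl_ctx = NULL;   /* nothing ever recreates it */
    }
    free(s);
}

/* Fixed destructor: the session owns nothing that belongs to its parent. */
static void session_destroy_fixed(session_t *s) { free(s); }

/* A new connection needs a live context; NULL means the handshake cannot start. */
static session_t *session_new(tls_config_t *cfg) {
    if (!cfg->ssl_ctx) return NULL;
    session_t *s = calloc(1, sizeof *s);
    s->parent = cfg;
    return s;
}

/* First client connects and disconnects; returns 1 if a second client can still connect. */
static int second_client_can_connect(void (*destroy)(session_t *)) {
    tls_config_t cfg = { ctx_new() };
    destroy(session_new(&cfg));                 /* first client goes away */
    session_t *second = session_new(&cfg);      /* second client tries the TLS port */
    int ok = second != NULL;
    if (second) session_destroy_fixed(second);
    if (cfg.ssl_ctx) ctx_free(cfg.ssl_ctx);     /* proper place to free: listener teardown */
    return ok;
}

int main(void) {
    printf("buggy: %d  fixed: %d\n", second_client_can_connect(session_destroy_buggy),
           second_client_can_connect(session_destroy_fixed));
    return 0;
}
```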
By: Mark Michelson (mmichelson) 2012-06-29 08:58:04.569-0500

I have attached ASTERISK-20074.diff to the issue. Please test and let us know if this fixes the problem.

By: Trevor Hemsley (themsley) 2012-06-29 09:29:40.307-0500

I've built and deployed with that patch on but unfortunately it appears my colleague has unplugged the offending aastra phone and gone home and 60 miles is a bit too far for me to reach to plug it back in again! The server is still up and running and accessible on port 5061 so it looks hopeful. Will report more fully on Monday when he's back in. Thanks!

By: Trevor Hemsley (themsley) 2012-06-29 13:45:19.970-0500

Yes, this does appear to fix the problem we had. Aastra now connected and even registers which is a first! We'll continue to test this but the TLS DoS seems to have gone, thanks.

By: Trevor Hemsley (themsley) 2012-07-03 10:12:46.688-0500

This appears to be fixed to me. Thanks