Summary: ASTERISK-23498: Asterisk PJSIP transport configuration fails on parsing of 'cipher' option, any valid option is reported as unsupported
Reporter: Anthony Messina (amessina)
Labels:
Date Opened: 2014-03-18 10:12:36
Date Closed: 2014-05-01 07:31:26
Versions: SVN 12.1.1
Frequency of
Environment: Fedora 20 x86_64
Attachments: ( 0) pjsip_tls_cipher_string.patch
Description: When using Asterisk 12.1.1 and PJSIP 2.2 (compiled as described in the Asterisk Wiki), I am unable to use the 'ciphers' parameter to set the OpenSSL ciphers for TLS connections. Regardless of what is entered for ciphers


I always get the error
ERROR[2579]: res_pjsip/config_transport.c:404 transport_tls_cipher_handler: Cipher '<whatever>' is unsupported

This issue is the same as reported here: http://forums.asterisk.org/viewtopic.php?f=1&t=89309 but I can confirm that I have compiled PJSIP with OpenSSL libs

checking for OpenSSL installations..
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for ERR_load_BIO_strings in -lcrypto... yes
checking for SSL_library_init in -lssl... yes
OpenSSL library found, SSL support enabled
Comments:

By: Rusty Newton (rnewton) 2014-03-19 13:44:56.088-0500

When testing I get the same. I also verified my OpenSSL is installed and it is detected during compilation. I'm pretty sure this is a regression, as several of us tested this. I know I had it working with before.

It would also be nice if we updated the help text for the {{cipher}} and {{method}} options, as they are not very explicit or explanatory.

newtonr-laptop*CLI> config show help res_pjsip transport cipher
cipher = [Custom] (Default: ) (Regex: false)

Preferred Cryptography Cipher (TLS ONLY)

Many options for acceptable ciphers see link for more: http://www.openss
newtonr-laptop*CLI> config show help res_pjsip transport method
method = [Custom] (Default: ) (Regex: false)

Method of SSL transport (TLS ONLY)


By: Alexander Traud (traud) 2014-04-27 10:31:40.539-0500

Because selecting the cipher-suites is required in my project, I had to get this feature working and looked into pjlib/src/pj/ssl_sock_ossl.c:create_ssl(). There, I do not see an easy way to add support for cipher-string lists like we were used to in chan_sip, because the PJ Project does not use cipher strings but IDs internally. Therefore, no solution from me but there are at least three workarounds:

1. do not specify cipher at all, and chan_pjsip uses the DEFAULT list of your OpenSSL, see # openssl ciphers -v

2. if you have to restrict the cipher-suites, do so via their ID (see RFC 5246), for example to use just AES128-SHA plus 3DES (see RFC 3261 chapter 26.2.1):
priv_key_file=/etc/asterisk/keys/asterisk.key ; not optional anymore
cipher = 0x002f
cipher = 0x000a
method=sslv23 ; when unspecified, was the default of chan_sip

3. if you need a meta-value within the cipher-string list (for example HIGH or SUITEB128) apply the attached patch (hack) to pjsip, and build it: https://wiki.asterisk.org/wiki/display/AST/Building+and+Installing+pjproject

Hope this helps anyone. I went for workaround 2.
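
Added example, not part of the comment above or of the Asterisk or pjproject code: workaround 2 needs numeric suite IDs, and `openssl ciphers -V '<cipher string>'` prints them next to the OpenSSL names, so this sketch turns that output into `cipher = 0x....` lines. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of `openssl ciphers -V` output (not captured from a real host).
SAMPLE = """\
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
          0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
     0x07,0x00,0xC0 - DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
"""

# "<hex bytes> - <OpenSSL suite name> ..." as printed by `openssl ciphers -V`
LINE = re.compile(r"^\s*((?:0x[0-9A-Fa-f]{2},?)+)\s+-\s+(\S+)")


def cipher_ids(openssl_output):
    """Return [(name, 16-bit ID)] for every two-byte suite, in the listed order."""
    suites = []
    for line in openssl_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # blank line or anything that is not a suite row
        octets = [int(b, 16) for b in m.group(1).split(",")]
        if len(octets) != 2:
            continue  # SSLv2 suites carry three bytes and have no 16-bit ID
        suites.append((m.group(2), (octets[0] << 8) | octets[1]))
    return suites


def transport_lines(openssl_output, allow=None):
    """Render transport `cipher = 0x....` lines, optionally limited to names in allow."""
    return [
        f"cipher = 0x{cid:04x} ; {name}"
        for name, cid in cipher_ids(openssl_output)
        if allow is None or name in allow
    ]


if __name__ == "__main__":
    # Reproduces the two suites chosen in workaround 2.
    print("\n".join(transport_lines(SAMPLE, allow={"AES128-SHA", "DES-CBC3-SHA"})))
```

To use it against a real build, pass in the text printed by `openssl ciphers -V` for the cipher string you would have used with chan_sip.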