Summary: ASTERISK-13845: TLS Client Hello handshake sent within SSLv2 header and not TLS header
Reporter: TheOldSaint (theoldsaint)
Labels:
Date Opened: 2009-03-26 15:10:03
Date Closed: 2009-04-29 16:14:30
Priority: Major
Regression?: No
Status: Closed/Complete
Components: Channels/chan_sip/TCP-TLS
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) fromAsterisk.bmp, (1) fromAvaya.bmp
Description:

This issue is found with Asterisk 1.6.1rc1 build. The network consists of a 3rd party gateway/SIP server (Avaya CM or Cisco UCM) on one end and Asterisk on the other. I have enabled TLS on each of the servers. The call scenario is as below:

- Avaya 9620 SIP phone is an Avaya CM end point
- Snom 300 SIP phone is an Asterisk end point

Avaya 9620 <-TLS-> Avaya CM <---TLS---> Asterisk 1.6.1rc1 <-TLS-> Snom 300

A call from Avaya to Asterisk goes fine with SIP over TLS end to end. The problem comes when calling from Asterisk to Avaya. In this case, Asterisk sends a Client Hello to establish a TLS connection with Avaya. This Client Hello contains an 'SSLv2 Record layer' in the TCP packet as opposed to a 'TLS Record Layer'. Within the 'SSLv2 Record layer' there is a 'Version' header of TLS 1.0. The ideal packet should have contained a 'TLS Record Layer' header with a 'Version' header of TLS 1.0. Because of this incompatibility, many industry standard SIP servers/Gateways reject the TLS handshake and the call cannot complete.

Attached is a screenshot of the SSL header from Avaya and that from Asterisk for the Client Hello.
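Added example, not code from the issue or from Asterisk: a small Python classifier that tells the two framings apart in a captured Client Hello, so the record layer a peer sent can be confirmed from bytes rather than from a screenshot. The two sample packets are constructed to match the shapes the report describes (SSLv2 record header carrying a TLS 1.0 version versus a TLS record header); the cipher suite, challenge and random values in them are illustrative assumptions.

```python
"""Tell an SSLv2-framed Client Hello from a TLS-framed one (added example)."""
import struct

VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def classify_client_hello(data: bytes) -> dict:
    """Return the record framing and advertised version of a Client Hello.

    SSLv2 record layer: 2-byte header with the high bit set, then msg_type
    0x01 (CLIENT-HELLO) and a 2-byte version.  TLS record layer: content type
    0x16, 2-byte record version, 2-byte length, then handshake type 0x01, a
    3-byte length and the 2-byte client_version.
    """
    if len(data) < 5:
        raise ValueError("truncated record")
    if data[0] & 0x80:  # SSLv2-compatible framing (RFC 5246, appendix E.2)
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        if data[2] != 0x01:
            raise ValueError("SSLv2 record is not a CLIENT-HELLO")
        version = (data[3], data[4])
        return {"framing": "sslv2-record", "record_length": rec_len,
                "hello_version": VERSION_NAMES.get(version, str(version))}
    if data[0] == 0x16:  # TLS record layer carrying a handshake message
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("TLS record does not carry a ClientHello")
        version = (data[9], data[10])
        return {"framing": "tls-record", "record_length": rec_len,
                "hello_version": VERSION_NAMES.get(version, str(version))}
    raise ValueError("not a Client Hello record")


# Constructed sample packets, not bytes taken from the attached screenshots.
# SSLv2-framed hello advertising TLS 1.0: the shape the report describes.
_V2_BODY = (bytes([0x01, 0x03, 0x01]) + struct.pack("!HHH", 3, 0, 16)
            + bytes([0x00, 0x00, 0x2F]) + bytes(16))  # one cipher spec, 16-byte challenge
SAMPLE_SSLV2_FRAMED = bytes([0x80 | (len(_V2_BODY) >> 8), len(_V2_BODY) & 0xFF]) + _V2_BODY

# TLS-framed TLS 1.0 hello: the shape the report says the peer expects.
_HS_BODY = (bytes([0x03, 0x01]) + bytes(32) + b"\x00"           # version, random, no session id
            + struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00")  # one suite, null compression
_HANDSHAKE = b"\x01" + len(_HS_BODY).to_bytes(3, "big") + _HS_BODY
SAMPLE_TLS_FRAMED = b"\x16\x03\x01" + struct.pack("!H", len(_HANDSHAKE)) + _HANDSHAKE

if __name__ == "__main__":
    for name, pkt in (("asterisk-style", SAMPLE_SSLV2_FRAMED), ("avaya-style", SAMPLE_TLS_FRAMED)):
        print(name, classify_client_hello(pkt))
```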
Comments:

By: Digium Subversion (svnbot) 2009-04-29 16:13:45

Repository: asterisk
Revision: 191177

U trunk/CHANGES
U trunk/configs/sip.conf.sample
U trunk/include/asterisk/tcptls.h
U trunk/main/tcptls.c

------------------------------------------------------------------------
r191177 | dvossel | 2009-04-29 16:13:44 -0500 (Wed, 29 Apr 2009) | 13 lines

SIP option to specify outbound TLS/SSL client protocol.

chan_sip allows for outbound TLS connections, but does not allow the user to specify what protocol to use (default was SSLv2, and still is if this new option is not specified). This patch lets the user pick the SSL/TLS client method for outbound connections in sip.

(closes issue ASTERISK-13847)
Reported by: TheOldSaint

(closes issue ASTERISK-13845)
Reported by: TheOldSaint

Review: http://reviewboard.digium.com/r/240/
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=191177

By: Digium Subversion (svnbot) 2009-04-29 16:14:29

Repository: asterisk
Revision: 191178

_U branches/1.6.2/

------------------------------------------------------------------------
r191178 | dvossel | 2009-04-29 16:14:29 -0500 (Wed, 29 Apr 2009) | 18 lines

Blocked revisions 191177 via svnmerge

........
r191177 | dvossel | 2009-04-29 16:13:43 -0500 (Wed, 29 Apr 2009) | 13 lines

SIP option to specify outbound TLS/SSL client protocol.

chan_sip allows for outbound TLS connections, but does not allow the user to specify what protocol to use (default was SSLv2, and still is if this new option is not specified). This patch lets the user pick the SSL/TLS client method for outbound connections in sip.

(closes issue ASTERISK-13847)
Reported by: TheOldSaint

(closes issue ASTERISK-13845)
Reported by: TheOldSaint

Review: http://reviewboard.digium.com/r/240/
........
------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=191178