ASTERISK-23498: Asterisk PJSIP transport configuration fails on parsing of 'cipher' option, any valid option is reported as unsupported

[Home]

Summary: ASTERISK-23498: Asterisk PJSIP transport configuration fails on parsing of 'cipher' option, any valid option is reported as unsupported

Reporter: Anthony Messina (amessina) Labels:

Date Opened: 2014-03-18 10:12:36 Date Closed: 2014-05-01 07:31:26

Priority: Major Regression? Yes

Status: Closed/Complete Components: Resources/res_pjsip

Versions: SVN 12.1.1 Frequency of
Occurrence Constant

Related
Issues:

Environment: Fedora 20 x86_64 Attachments: ( 0) pjsip_tls_cipher_string.patch

Description: When using Asterisk 12.1.1 and PJSIP 2.2 (compiled as described in the Asterisk Wiki), I am unable to use the 'ciphers' parameter to set the OpenSSL ciphers for TLS connections. Regardless of what is entered for ciphers

{code}
cipher=<whatever>
{code}

I always get the error
{code}
ERROR[2579]: res_pjsip/config_transport.c:404 transport_tls_cipher_handler: Cipher '<whatever>' is unsupported
{code}

This issue is the same as reported here: http://forums.asterisk.org/viewtopic.php?f=1&t=89309 but I can confirm that I have compiled PJSIP with OpenSSL libs

{code}
checking for OpenSSL installations..
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for ERR_load_BIO_strings in -lcrypto... yes
checking for SSL_library_init in -lssl... yes
OpenSSL library found, SSL support enabled
{code}

Comments: By: Rusty Newton (rnewton) 2014-03-19 13:44:56.088-0500

When testing I get the same. I also verified my OpenSSL is installed and it is detected during compilation. I'm pretty sure this is a regression, as several of us tested this. I know I had it working with before.

It would also be nice if we updated the help text for the {{cipher}} and {{method}} options, as they are not very explicit or explanatory.

{noformat}
newtonr-laptop*CLI> config show help res_pjsip transport cipher
[transport]
cipher = [Custom] (Default: ) (Regex: false)

Preferred Cryptography Cipher (TLS ONLY)

Many options for acceptable ciphers see link for more: http://www.openss
l.org/docs/apps/ciphers.html#CIPHER_STRINGS
{noformat}
{noformat}
newtonr-laptop*CLI> config show help res_pjsip transport method
[transport]
method = [Custom] (Default: ) (Regex: false)

Method of SSL transport (TLS ONLY)

default
unspecified
tlsv1
sslv2
sslv3
sslv23
{noformat}
By: Alexander Traud (traud) 2014-04-27 10:31:40.539-0500

Because selecting the cipher-suites is required in my project, I had to get this feature working and looked into pjlib/src/pj/ssl_sock_ossl.c:create_ssl(). There, I do not see an easy way to add support for cipher-string lists like we were used to in chan_sip, because the PJ Project does not use cipher strings but IDs internally. Therefore, no solution from me but there are at least three workarounds:

1. do not specify cipher at all, and chan_pjsip uses the DEFAULT list of your OpenSSL, see # openssl ciphers -v

2. if you have to restrict the cipher-suites, do so via their ID (see RFC 5246), for example to use just AES128-SHA plus 3DES (see RFC 3261 chapter 26.2.1):
[transport-tls]
type=transport
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key ; not optional anymore
cipher = 0x002f
cipher = 0x000a
method=sslv23 ; when unspecified, was the default of chan_sip
protocol=tls
bind=:

3. if you need a meta-value within the cipher-string list (for example HIGH or SUITEB128) apply the attached patch (hack) to pjsip, and build it: https://wiki.asterisk.org/wiki/display/AST/Building+and+Installing+pjproject

Hope this helps anyone. I went for workaround 2.