Summary: | ASTERISK-23498: Asterisk PJSIP transport configuration fails on parsing of 'cipher' option, any valid option is reported as unsupported | ||
Reporter: | Anthony Messina (amessina) | Labels: | |
Date Opened: | 2014-03-18 10:12:36 | Date Closed: | 2014-05-01 07:31:26 |
Priority: | Major | Regression? | Yes |
Status: | Closed/Complete | Components: | Resources/res_pjsip |
Versions: | SVN 12.1.1 | Frequency of Occurrence: | Constant |
Related Issues: | |||
Environment: | Fedora 20 x86_64 | Attachments: | ( 0) pjsip_tls_cipher_string.patch |
Description: | When using Asterisk 12.1.1 and PJSIP 2.2 (compiled as described in the Asterisk Wiki), I am unable to use the 'ciphers' parameter to set the OpenSSL ciphers for TLS connections. Regardless of what is entered for ciphers
{code}
cipher=<whatever>
{code}
I always get the error
{code}
ERROR[2579]: res_pjsip/config_transport.c:404 transport_tls_cipher_handler: Cipher '<whatever>' is unsupported
{code}
This issue is the same as reported here: http://forums.asterisk.org/viewtopic.php?f=1&t=89309 but I can confirm that I have compiled PJSIP with OpenSSL libs
{code}
checking for OpenSSL installations..
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for ERR_load_BIO_strings in -lcrypto... yes
checking for SSL_library_init in -lssl... yes
OpenSSL library found, SSL support enabled
{code} | ||
Comments: | By: Rusty Newton (rnewton) 2014-03-19 13:44:56.088-0500

When testing I get the same. I also verified my OpenSSL is installed and it is detected during compilation. I'm pretty sure this is a regression, as several of us tested this. I know I had it working before.

It would also be nice if we updated the help text for the {{cipher}} and {{method}} options, as they are not very explicit or explanatory.
{noformat}
newtonr-laptop*CLI> config show help res_pjsip transport cipher
[transport]
cipher = [Custom] (Default: ) (Regex: false)
Preferred Cryptography Cipher (TLS ONLY)
Many options for acceptable ciphers see link for more: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
{noformat}
{noformat}
newtonr-laptop*CLI> config show help res_pjsip transport method
[transport]
method = [Custom] (Default: ) (Regex: false)
Method of SSL transport (TLS ONLY)
default
unspecified
tlsv1
sslv2
sslv3
sslv23
{noformat}

By: Alexander Traud (traud) 2014-04-27 10:31:40.539-0500

Because selecting the cipher-suites is required in my project, I had to get this feature working and looked into pjlib/src/pj/ssl_sock_ossl.c:create_ssl(). There, I do not see an easy way to add support for cipher-string lists like we were used to in chan_sip, because the PJ Project does not use cipher strings but IDs internally. Therefore, no solution from me, but there are at least three workarounds:

1. do not specify cipher at all, and chan_pjsip uses the DEFAULT list of your OpenSSL, see # openssl ciphers -v

2. if you have to restrict the cipher-suites, do so via their ID (see RFC 5246), for example to use just AES128-SHA plus 3DES (see RFC 3261 chapter 26.2.1):
{noformat}
[transport-tls]
type=transport
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key ; not optional anymore
cipher = 0x002f
cipher = 0x000a
method=sslv23 ; when unspecified, was the default of chan_sip
protocol=tls
bind=:
{noformat}

3. if you need a meta-value within the cipher-string list (for example HIGH or SUITEB128) apply the attached patch (hack) to pjsip, and build it: https://wiki.asterisk.org/wiki/display/AST/Building+and+Installing+pjproject

Hope this helps anyone. I went for workaround 2. |
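Workaround 2 above needs the two-byte suite IDs rather than OpenSSL names. The following is an added helper, not code from this issue, from Asterisk or from pjproject: it reads the `openssl ciphers -V` (uppercase V) listing, whose lines start with the ID bytes, maps names to IDs, renders the `cipher = 0x....` lines in the form the comment shows, and resolves the IDs in an existing transport section back to names for review. The sample listing is constructed; the `openssl` binary is only assumed for the live-lookup function.

```python
import re
import subprocess

# Constructed sample of `openssl ciphers -V` output ("0xHH,0xHH - NAME ...").
# Embedded so the example runs offline; openssl_cipher_table() queries the real tool.
SAMPLE_CIPHERS_V = """\
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

LINE_RE = re.compile(r"^0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)")
CONF_RE = re.compile(r"^\s*cipher\s*=\s*0x([0-9A-Fa-f]{4})\s*$", re.MULTILINE)


def parse_cipher_table(text):
    """Map OpenSSL cipher names to their 16-bit TLS cipher-suite IDs (RFC 5246 appendix A.5)."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(3)] = int(m.group(1) + m.group(2), 16)
    return table


def openssl_cipher_table(cipher_string="ALL"):
    """Same mapping from the local OpenSSL build (assumes `openssl` is on PATH)."""
    out = subprocess.run(["openssl", "ciphers", "-V", cipher_string],
                         capture_output=True, text=True, check=True).stdout
    return parse_cipher_table(out)


def pjsip_cipher_lines(names, table):
    """Render one res_pjsip transport 'cipher' line per named suite; unknown names raise."""
    lines = []
    for name in names:
        if name not in table:
            raise KeyError(f"{name!r} is not in the OpenSSL cipher table")
        lines.append(f"cipher = 0x{table[name]:04x}")
    return lines


def audit_conf_ciphers(conf_text, table):
    """Resolve the hex IDs in a transport section to names (None if the local OpenSSL lacks them)."""
    by_id = {v: k for k, v in table.items()}
    return [(f"0x{int(h, 16):04x}", by_id.get(int(h, 16))) for h in CONF_RE.findall(conf_text)]
```

Running `audit_conf_ciphers` over a real pjsip.conf with `openssl_cipher_table()` tells you which configured IDs the installed OpenSSL can actually negotiate.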