List: asterisk-dev
Subject: Re: [asterisk-dev] SIP TLS handshake needs a timeout
From: Klaus Darilion <klaus.mailinglists () pernau ! at>
Date: 2009-09-29 21:27:53
Message-ID: 4AC27BD9.8010107 () pernau ! at
Olle E. Johansson wrote:
> 29 sep 2009 kl. 09.50 skrev Klaus Darilion:
>
> >
> > David Vossel schrieb:
> > > Hello!
> > >
> > > Here's the problem. Right now, if Asterisk attempts to initiate a
> > > SIP TLS client connection with another Asterisk box, but the
> > > receiving box only has TCP bound to the incoming connection's port, a
> > > TCP connection will be established between the two boxes, but the box
> > > initiating the connection will forever be stuck waiting for the
> > > receiving box to complete the TLS handshake. This is a huge problem
> > > because TLS connection setup is done while the monitor lock is held.
> > > This patch aims at fixing that issue,
> > > https://reviewboard.asterisk.org/r/380/, but does not resolve the
> > > fact that a TLS connection will never go away if the TLS handshake
> > > does not complete.
> > >
> > > I've looked over the openssl toolkit and have not been able to find a
> > > successful method of doing this. I've even attempted some rather
> > > unorthodox methods of scheduling the file descriptor's closure during
> > > the handshake after a period of time, and that did not work either.
> > > Note that this is not a timeout involving the setup of TCP socket, it
> > > occurs after that once the TLS client initiates the TLS handshake
> > > and gets no response.
> > >
> > > Perhaps I am overlooking some obvious solution here. Does anyone
> > > have any ideas?
> > sip-router tls module has several timeout values:
> >
> > send_timeout (int)
> > Sets the maximum interval of time after which sip-router will give up
> > trying to send a message over tls (time after a tls send will be
> > aborted
> > and the corresponding tls connection closed). The value is in seconds.
> >
> > handshake_timeout (int)
> > Sets the maximum interval of time after which sip-router will give up
> > trying to accept a tls connection or connect to a tls peer. The
> > value is
> > in seconds.
> >
> > connection_timeout (int)
> > Sets the amount of time after which an idle tls connection will be
> > closed. This is similar to tcp_connection_lifetime. The value is
> > expressed in seconds.
> >
> >
> > So, it should be doable. Maybe you get some ideas from his code:
> > http://git.sip-router.org/cgi-bin/gitweb.cgi?p=sip-router;a=tree;f=modules/tls;h=163532152dcbf9618212230a38d1f934d2bd2125;hb=HEAD
> >
>
> Due to licensing issues we can't copy source code from sip-router.org.
>
> Thanks for the information though!
>
> Any BSD licensed code that we can look at?
libcurl?
_______________________________________________
--Bandwidth and Colocation Provided by http://www.api-digital.com--
AstriCon 2009 - October 13 - 15 Phoenix, Arizona
Register Now: http://www.astricon.net
asterisk-dev mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-dev
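As an added example (not code from this thread, from Asterisk or from sip-router): the deadline-bounded client handshake David is asking for, written against Python's ssl module, which exposes the same OpenSSL states (SSL_ERROR_WANT_READ / SSL_ERROR_WANT_WRITE) that a C implementation would poll on after a non-blocking SSL_connect(). The silent peer is a constructed socketpair end that completes the TCP connection but never speaks TLS, i.e. the TCP-only listener described above.

```python
import select
import socket
import ssl
import time


def tls_handshake_with_timeout(sock, ctx, timeout, server_hostname=None):
    """Drive a TLS client handshake on a connected TCP socket, giving up
    after `timeout` seconds instead of blocking forever. Returns the SSL
    socket on success; closes it and raises TimeoutError otherwise.
    Same loop as OpenSSL: SSL_connect() on a non-blocking fd, then poll()
    on WANT_READ / WANT_WRITE until a deadline expires."""
    sock.setblocking(False)
    tls = ctx.wrap_socket(sock, server_hostname=server_hostname,
                          do_handshake_on_connect=False)
    deadline = time.monotonic() + timeout
    while True:
        try:
            tls.do_handshake()
            return tls
        except ssl.SSLWantReadError:
            rlist, wlist = [tls], []
        except ssl.SSLWantWriteError:
            rlist, wlist = [], [tls]
        remaining = deadline - time.monotonic()
        readable, writable = [], []
        if remaining > 0:
            readable, writable, _ = select.select(rlist, wlist, [], remaining)
        if not readable and not writable:
            tls.close()  # abort the half-open TLS session so it cannot leak
            raise TimeoutError("TLS handshake timed out")


def simulate_silent_peer(timeout=0.5):
    """Reproduce the thread's scenario: TCP connects, but the peer (a
    TCP-only listener) never answers the ClientHello. Returns (elapsed, timed_out)."""
    # Constructed stand-in for the TCP-only box: connected, never sends TLS.
    client, silent_peer = socket.socketpair()
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # no real peer certificate in this demo
    ctx.verify_mode = ssl.CERT_NONE
    start = time.monotonic()
    try:
        tls_handshake_with_timeout(client, ctx, timeout)
        timed_out = False
    except TimeoutError:
        timed_out = True
    finally:
        silent_peer.close()
    return time.monotonic() - start, timed_out
```

Without the deadline, the same `do_handshake()` on a blocking socket would sit in the read forever, which is the hang the thread describes while the monitor lock is held.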