TLS using PJSIP (Ast12)

Hi, I searched googled and searched this forum but I can’t find any references to running TLS using PJSIP in Ast12. I had TLS working in prior versions (1.8) so I know my certs are good. When I try to load TLS in the new version I get the following error in the log:

res_pjsip/config_transport.c: Cipher ‘ALL’ is unsupported

Going through the code, it seems like this is not implemented yet and will always return the above error regardless of the cipher chosen. (res/res_pjsip/config_transport.c lines (396 - 402). Am I coming to the right conclusion?

I built from svn source - v 12.1.0-rc1. My pjsip.conf transport setup:

[transport-local-tls] type=transport protocol=tls bind= cert_file=/etc/asterisk/keys/asterisk.crt priv_key_file=/etc/asterisk/keys/asterisk.key ca_list_file=/etc/asterisk/keys/ca.crt cipher=ALL method=tlsv1

Did your pjproject build find the OpenSSL libraries on your system during configuration?

A bug for this is filed here:

TLS works here. My trick: I did not specify a cipher parameter in my pjsip.conf at all. Without that parameter, pjsip uses the default cipher-suite list.

By the way: The same trick works for sip.conf (chan_sip). If you do not specify tlscipher at all, you get the DEFAULT cipher-suite list of your OpenSSL installation. Therefore, I never went for ALL especially because it includes cipher-suites without authentication (aNULL).[quote=“hoisinboi”]method=?[/quote]In my Asterisk 12 with chan_pjsip installation, I went for

because this disabled SSL 2.0 and enabled TLS v1.2 for me. That value calls the SSLv23_method() aka SSLv23_server_method() in OpenSSL. First, I got confused by the name of that method. However with method=sslv23, you do not specify any particular method. Nowadays, this disables SSL 2.0 and enables SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. One day, it might disable SSL 3.0. Depends on the default of your OpenSSL installation. The PJ Project went for unspecified = default = tlsv1 (see pjlib/src/pj/ssl_sock_ossl.c:create_ssl). I am not sure, why the PJ Project did that because they loose TLS 1.2 that way.

By the way: In sip.conf (chan_sip), as server, chan_sip uses SSLv23_server_method() always (see main/tcptls.c:__ssl_setup). As client, if you specify tlsclientmethod, you are limited to a single version (and you cannot select TLS 1.2). Only if you do not specify tlsclientmethod, chan_sip is using SSLv23_client_method() which enables TLS 1.2.

Does this help? Otherwise, I check my pjsip.conf again. As stated, works here, double-checked with

openssl s_client -connect -cipher AES128-SHA

and triple-checked thanks to Qualys SSL Labs. And, yes this is pjsip.