MayamaTakeshi / sip-lab

A node module that helps to write SIP functional tests

Check TLS support #36

Closed MayamaTakeshi closed 1 month ago

MayamaTakeshi commented 1 year ago

If I am not mistaken we can use TLS transport against SIP servers but we cannot create two TLS transports and make a call between them as we get:

09:37:56.749        ssl_sock_ossl.c  OpenSSL version : 30000020
09:37:56.799                    SSL  SSL_ERROR_SSL (Handshake): Level: 0 err: <337092801> <error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher> len: 0 peer: 127.0.0.1:52055
09:37:56.799           ssl0x6cbf860  Handshake failed in accepting 127.0.0.1:52055: Unknown error 2018481
09:37:56.849                    SSL  SSL_ERROR_SSL (Handshake): Level: 0 err: <336151568> <error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure> len: 0 peer: 127.0.0.1:6062
09:37:56.849          tlsc0x6cd2ea8  TLS connect() error: [code=1077248] peer: 127.0.0.1: Unknown error 1077248
09:37:56.849           tsx0x6cd10c8  Failed to send Request msg INVITE/cseq=18591 (tdta0x6c8b578)! err=1077248 (Unknown error 1077248)
09:37:56.849           tsx0x6cd10c8  State changed from Calling to Terminated, event=TRANSPORT_ERROR
09:37:56.849           dlg0x6b3b1f8  .Transaction tsx0x6cd10c8 state changed to Terminated

Googling, I found a hint that the 'no shared cipher' might be misleading:

https://community.asterisk.org/t/pjsip-tls-trouble/73813/4

So let's try to solve this and add a TLS sample.

MayamaTakeshi commented 4 months ago

Actually, I think the problem is that I need to set the ssl files. The client might not need such files but the server needs them. Let's check pjsua code following: https://docs.pjsip.org/en/latest/specific-guides/security/ssl.html#running-pjsua-as-tls-client

And if someone asks for support of mutual authentication we might need to provide different certs for each side:

The certificate is supposed to uniquely identify the peer. A shared KeyStore cannot accomplish that. It also violates private key privacy

https://stackoverflow.com/questions/44332008/can-i-use-the-same-self-signed-certificate-for-client-and-server-java-ssl

MayamaTakeshi commented 1 month ago

Let's do this before #51

MayamaTakeshi commented 1 month ago

Indeed, the issue was solved after setting the TLS cert/key files. I have created samples/tls.js. It shows that we can use the same TLS files at both sides of the call.
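An added example, not part of the original thread or of sip-lab's code: a small Node.js triage helper that parses the pjsip handshake lines quoted in the first comment, decodes the OpenSSL error words, and separates the error raised locally from the alert that was only received from the peer. The function names and the hint text are hypothetical; the bit layout is the legacy OpenSSL packing that the hex strings in this log follow.

```javascript
// Constructed input: four lines copied from the log quoted in this issue.
const SAMPLE_LOG = [
  "09:37:56.799                    SSL  SSL_ERROR_SSL (Handshake): Level: 0 err: <337092801> <error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher> len: 0 peer: 127.0.0.1:52055",
  "09:37:56.799           ssl0x6cbf860  Handshake failed in accepting 127.0.0.1:52055: Unknown error 2018481",
  "09:37:56.849                    SSL  SSL_ERROR_SSL (Handshake): Level: 0 err: <336151568> <error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure> len: 0 peer: 127.0.0.1:6062",
  "09:37:56.849          tlsc0x6cd2ea8  TLS connect() error: [code=1077248] peer: 127.0.0.1: Unknown error 1077248",
];

// pjsip prints the OpenSSL error word in decimal, followed by OpenSSL's own string form.
const ERR_RE = /err: <(\d+)> <error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^>]*)> len: \d+ peer: (\S+)/;

// Legacy OpenSSL packing, as seen in this log: lib (8 bits) | func (12 bits) | reason (12 bits).
function decodeErr(code) {
  return { lib: (code >>> 24) & 0xff, func: (code >>> 12) & 0xfff, reason: code & 0xfff };
}

// Returns one record per handshake error line; other log lines are skipped.
function parseHandshakeErrors(lines) {
  const out = [];
  for (const line of lines) {
    const m = ERR_RE.exec(line);
    if (!m) continue;
    const code = Number(m[1]);
    const d = decodeErr(code);
    out.push({
      time: line.slice(0, 12),
      code, hexMatches: code === parseInt(m[2], 16),
      ...d, funcName: m[4], text: m[5], peer: m[6],
      // OpenSSL reports alerts received from the peer as reason 1000 + alert number.
      alert: d.reason >= 1000 ? d.reason - 1000 : null,
    });
  }
  return out;
}

// The side whose error is not an alert detected the problem itself;
// the other side only received the resulting alert.
function triage(lines) {
  const errs = parseHandshakeErrors(lines);
  const origin = errs.find((e) => e.alert === null) || null;
  const echoed = errs.find((e) => e.alert !== null) || null;
  let hint = "no locally generated handshake error found";
  if (origin && origin.text === "no shared cipher") {
    // Hint text (hypothetical) reflects how this issue was resolved.
    hint = "accepting side rejected the ClientHello: check that the listening TLS transport has a certificate and private key configured";
  }
  return { origin, echoed, hint };
}

console.log(triage(SAMPLE_LOG));
```

On the sample lines, the locally raised error is the accept-side `no shared cipher` (reason 193), while the connect side only records the received handshake_failure alert (40), which points the investigation at the listening transport.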