search

RestComm / jain-sip

Disclaimer: This repository is a git-svn mirror of the project found at http://java.net/projects/jsip whose original repository is developed collaboratively by the Advanced Networking Technologies Division at the National Institute of Standards and Technology (NIST) - an agency of the United States Department of Commerce and by a community of individual and enterprise contributors. TeleStax, Inc. will perform some productization work, new features experimentation branches, etc for its TelScale jSIP product that doesn't concern the community from the main repository hence this git repository.
http://www.restcomm.com/
141 stars 151 forks source link

NioTLSMessageProcessor : Can't disable certificate validation #180

Open albertpv opened 6 years ago

albertpv commented 6 years ago

When jain-sip creates TLS Sockets using NIO it seems (or due my configuration) certificate validation is done even if tried to disable it on Sip Stack roperties

I set the following options in SIP Stack properties sipStackProps.setProperty("gov.nist.javax.sip.TLS_CLIENT_AUTH_TYPE", "DisabledAll"); sipStackProps.setProperty("gov.nist.javax.sip.MESSAGE_PROCESSOR_FACTORY", NioMessageProcessorFactory.class.getName());

However NioTlsMessageChannel seems to validate certificate even if the property TLS_CLIENT_AUTH_TYPE is setup to DisabledAll

If i disable using Nio MessageChannels (comemnt out line sipStackProps.setProperty("gov.nist.javax.sip.MESSAGE_PROCESSOR_FACTORY", NioMessageProcessorFactory.class.getName()); ) then the certificate validation is not done and everything works fine.

See error below: ioSelector-TLS-10.66.172.178/5080, fatal error: 46: General SSLEngine problem sun.security.validator.ValidatorException: No trusted certificate found %% Invalidated: [Session-2, TLS_RSA_WITH_AES_256_CBC_SHA] NioSelector-TLS-10.66.172.178/5080, SEND TLSv1 ALERT: fatal, description = certificate_unknown NioSelector-TLS-10.66.172.178/5080, WRITE: TLSv1 Alert, length = 2 NioSelector-TLS-10.66.172.178/5080, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem javax.net.ssl.SSLHandshakeException: General SSLEngine problem at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529) at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) at gov.nist.javax.sip.stack.SSLStateMachine.unwrap(SSLStateMachine.java:254) at gov.nist.javax.sip.stack.SSLStateMachine.unwrap(SSLStateMachine.java:198) at gov.nist.javax.sip.stack.NioTlsMessageChannel.addBytes(NioTlsMessageChannel.java:216) at gov.nist.javax.sip.stack.NioTcpMessageChannel.readChannel(NioTcpMessageChannel.java:117) at gov.nist.javax.sip.stack.NioTcpMessageProcessor$ProcessorTask.read(NioTcpMessageProcessor.java:151) at gov.nist.javax.sip.stack.NioTcpMessageProcessor$ProcessorTask.run(NioTcpMessageProcessor.java:336) at java.lang.Thread.run(Thread.java:748)

Would any other info be useful? (eg sipstack logs?)

albertpv commented 6 years ago

BTW where can i download latest jain-sip-ri artifact? NioTlsMessageChannel i am using has a different implementation compared to the one in this repo so maybe this one fixes the problem already (DisabledAll was not handled in implementation i am using)

gsaslis commented 6 years ago

@albertpv it seems this issue has something to do with a certificate that isn't available in your trusted certs. I'd check if that's something you can add there.

On the other hand, if you would like to disable certificate validation, would you like to contribute a PR that addresses this issue?