rntmfgkgk / csipsimple

Automatically exported from code.google.com/p/csipsimple

TLS support #136

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. connect to a proxy or sip server listening for incoming connection on port 5061

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?
0.00-12-09 / Froyo 2.2 on HTC desire

Please provide any additional information below.
Ability to set destination port for both proxy and server will allow to connect 
to any SIP service not listening to 5060 port (like 5061)

Original issue reported on code.google.com by pierre.w...@gmail.com on 10 Aug 2010 at 12:16

GoogleCodeExporter commented 9 years ago
Forgot to tell that these settings are in network > secure transport > and 
available when TLS is activated.
But you have probably already seen that ;)

Original comment by r3gis...@gmail.com on 5 Mar 2012 at 2:07

GoogleCodeExporter commented 9 years ago
r3gis - that is interesting then, that the SSL Context handling is not done 
through the standard Android platform APIs. We have some custom SSL Context 
providers for Gibberbot, our secure xmpp app, that we hoped to port, but as 
pjsip handles it at the native level then, it may not be the same approach.

Is the default Root CA keystore used then the internal one, in the Android BKS 
format? 

Regardless, great to understand that a custom CA file can be provided already.

Original comment by nathanfr...@gmail.com on 5 Mar 2012 at 2:53

GoogleCodeExporter commented 9 years ago
lee@rocking

I'm using freeswitch as well.  I can get two csipsimple endpoints to register 
and signal using TLS (sslv23) but can't get incoming calls on either of them 
from either of them.  Did you install client certs?  How did you get the two 
endpoints to communicate (receive incoming calls from each other)?

Thanks!

Original comment by maximk...@gmail.com on 11 Apr 2012 at 2:08

GoogleCodeExporter commented 9 years ago
r3gis - I have installed several nightly builds with the TLS and SRTP enabled. 
I am registered and am able to place outgoing calls. However, neither on WIFI nor 
on 3G am I receiving incoming calls. Any idea what could be the problem?

Original comment by simon.ob...@gmail.com on 28 Jun 2012 at 12:06

GoogleCodeExporter commented 9 years ago
@simon : can you collect and send me logs (with this issue number in mail core)? 
See the HowToCollectLogs wiki page for details on how to collect logs.
While logs are recording try to receive a call.

Maybe there is some interesting clue when the call is incoming in CSipSimple 
logs. I had some problems on an ICS 4.0 with TCP on one (only one carrier) 3G 
network (broken pipe). I'm investigating that, but it sounds like a bug in the 
ICS ROM I'm using. Maybe I'm wrong and it's something more global with recent 
changes of the pjsip library. So your logs could be valuable to determine the 
root cause of the problem.

Original comment by r3gis...@gmail.com on 28 Jun 2012 at 12:49

GoogleCodeExporter commented 9 years ago
I try to use TLS transport (in release and nightly build) but if I try to 
activate the account, csipsimple shows "Registering" for too long.
In the asterisk logs I don't see this client.

In logs:
12-02 15:55:18.991 20112 20253 D DynamicReceiver: Internal receive com.csipsimple.service.ACCOUNT_CHANGED
12-02 15:55:19.061 20112 20253 D DynamicReceiver: Enqueue set account registration
12-02 15:55:19.061 20112 20253 D PjSipAccount: Create proxy 0
12-02 15:55:19.100 20112 20253 D libpjsip: 15:55:19.106    pjsua_acc.c  Adding account: id= <sip:01@xxxxxxx>
12-02 15:55:19.100 20112 20253 D libpjsip: 15:55:19.106    pjsua_acc.c  .Account  <sip:01@xxxxxxxx> added with id 2
12-02 15:55:19.100 20112 20253 D libpjsip: 15:55:19.106    pjsua_acc.c  .Acc 2: setting registration..
12-02 15:55:19.108 20112 20253 E libpjsip: 15:55:19.109    pjsua_acc.c  ..Unable to generate suitable Contact header for registration: Unsupported transport (PJSIP_EUNSUPTRANSPORT) [status=171060]
12-02 15:55:19.108 20112 20253 E libpjsip: 15:55:19.109    pjsua_acc.c  ..Unable to create registration: Unsupported transport (PJSIP_EUNSUPTRANSPORT) [status=171060]
12-02 15:55:19.108 20112 20253 D DBProvider: Added status_text= status_code=-1 display_name=s01 expires=0 account_id=3 added_status=0 priority=100 active=true wizard=EXPERT reg_uri=sip:some-mail.com pjsua_id=2
12-02 15:55:19.108 20241 20241 D AccountChooserButton: Accounts status.onChange( false)
12-02 15:55:19.139 20112 20253 D libpjsip: 15:55:19.139    pjsua_acc.c  Acc 2: setting online status to 1..
12-02 15:55:19.155 20241 20241 D         : Accounts status.onChange( false)
12-02 15:55:19.163 20112 20112 D SIP SRV : Accounts status.onChange( false)
12-02 15:55:19.163 20112 20112 D SIP SRV : Update registration state
12-02 15:55:24.147 20510 20510 D dalvikvm: GC_EXPLICIT freed 258 objects / 15560 bytes in 82ms
12-02 15:55:29.553 20241 20241 D DnD view: Start dragging at 2 for 2 # 0
12-02 15:55:29.647 20241 20241 D AccEditListAd: Clicked on ...
12-02 15:55:29.741 20112 20253 D DynamicReceiver: Internal receive com.csipsimple.service.ACCOUNT_CHANGED
12-02 15:55:29.803 20112 20253 D DynamicReceiver: Enqueue set account registration
12-02 15:55:29.819 20112 20112 D SIP SRV : Accounts status.onChange( false)
12-02 15:55:29.819 20112 20112 D SIP SRV : Update registration state
12-02 15:55:29.827 20112 20253 D PjService: Account already added to stack, remove and re-load or delete
12-02 15:55:29.827 20112 20253 D PjService: Delete account !!
12-02 15:55:29.827 20112 20253 D libpjsip: 15:55:29.830    pjsua_acc.c  Deleting account 2..
12-02 15:55:29.827 20112 20253 D libpjsip: 15:55:29.830    pjsua_acc.c  .Account id 2 deleted

I used Android 2.2. Is this a bug in PJSIP?

Original comment by pakhom...@gmail.com on 2 Dec 2012 at 12:10

GoogleCodeExporter commented 9 years ago
Did you enable TLS transport in global settings too?
It's not yet made automatically by the app but to have a TLS account you need 2 
settings enabled:
1- is the global TLS transport that must be activated. It can be done in 
settings > network > secure transport. Here check the TLS transport. This will 
allow the SIP stack to use a TLS transport if necessary for one account.
2- is the account setting. Each account can define which transport it should 
use. This setting is at account level. To enable TLS for an account, transform 
the account to "expert" wizard (if that was not already the case) by long pressing 
the account row and choosing wizard. Then, select TLS in transport.
I advise you not to start from the "expert" wizard directly, as a mistake in this 
wizard can be made quickly. It's better to start from the basic wizard and afterwards 
long press > choose wizard to transform it into an expert one and just modify the 
transport option.

Original comment by r3gis...@gmail.com on 2 Dec 2012 at 2:14

GoogleCodeExporter commented 9 years ago
Thanks!
I didn't enable TLS in global setting.

Original comment by pakhom...@gmail.com on 2 Dec 2012 at 7:37

GoogleCodeExporter commented 9 years ago
Hi -- I notice in TLS Method selection, I can choose between major revs... i.e. 
TLSv1.
I assume this means TLS 1.0?
Is there a way to specify TLS 1.1 or TLS 1.2?  
Or will it support any of the TLS v1 variants depending on SIP Server?

Original comment by aunt.jom...@yahoo.com on 17 Dec 2012 at 6:51

GoogleCodeExporter commented 9 years ago
I noticed the certificate validation checkbox has been removed with the last 
release. Is this intentional?

Original comment by l...@rockingtiger.com on 24 Jan 2013 at 10:28

GoogleCodeExporter commented 9 years ago
@lee : no, it should still be there. Are you in ExpertSettingMode (see the 
related wiki page)?

Original comment by r3gis...@gmail.com on 25 Jan 2013 at 9:48

GoogleCodeExporter commented 9 years ago
@aunt : no. 
Basically settings you see here are settings from pjsip.
You can get more details here :
http://www.pjsip.org/docs/2.0-alpha2/pjsip/docs/html/structpjsip__tls__setting.htm
http://www.pjsip.org/docs/2.0-alpha2/pjsip/docs/html/group__PJSIP__TRANSPORT__TLS.htm#gaf7a54e10ef4a56549720976c1418e9a3
(I suspect a typo for TLSv1).

But it seems it doesn't support TLSv1.1 and v1.2. 
I'm also not sure the build we use as linking base includes v1.1 and v1.2 and 
even less sure that android openssl builds also include tlsv1.1 and tlsv1.2.
If both already support it, it's probably not too hard to patch pjsip to add the 
feature. Else, it means the need to add these methods to the builds too (and 
probably to hack to get it bundled inside csipsimple instead of relying on 
system crypto binaries).

Original comment by r3gis...@gmail.com on 25 Jan 2013 at 10:12

GoogleCodeExporter commented 9 years ago
I also cannot find TLS Certificate validation enable/disable box (on 
GooglePlaystore version of application). Furthermore, my account gets registered 
over TLS in both cases: when my CA certificate is imported to Android CA store, 
and when I delete it, so it seems that something is causing server certificate 
not to be validated by CA certificate at all.

Original comment by nen...@gmail.com on 7 May 2013 at 2:50

GoogleCodeExporter commented 9 years ago
@nen, you have to press the hardware menu button and select "Expert Mode" when 
in the Network settings. You'll see many more options.

As for TLS validation, I figured out a workaround documented on my team's 
issue tracker[1].

The standard SIP TLS implementations (pjsip, kamailio, etc) in C have an option 
for server certificate validation to a root CA using a single file encoded in 
PEM format and stored on the local filesystem. This file stores all common root 
CA certificates. Since CSipSimple uses a C library for this functionality, the 
shortest development path is to implement those C functions in Java with the 
default parameters. This means the Android system certificates are bypassed.

So, if you download this file[2] to your device's SD card and enter in the full 
path in the CSipSimple configuration for CA certificates, validation will work 
as expected. This file was created with the contents of a Debian package[3] 
named ca-certificates. It is a concatenated list of every file that package 
writes to /etc/ssl/certs/

Obviously, this does not scale. A possible solution would be to create a plugin 
APK (like the codec pack) for CSipSimple that performs this concatenation and 
sends the file to app local storage, though having the CA Certificates in r/w 
storage creates a new security issue. Perhaps this plugin could also manage a 
revocation list and perform some kind of periodic update from upstream.

Regards,
Lee

[1] https://dev.guardianproject.info/issues/1258
[2] https://ostel.co/ca_list.pem
[3] http://packages.debian.org/wheezy/ca-certificates

Original comment by l...@rockingtiger.com on 7 May 2013 at 5:51
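
The concatenation step described in the comment above, as an added example (not part of the original thread or of CSipSimple): it builds one PEM file from a certificate directory and drops duplicates, since /etc/ssl/certs on Debian holds each certificate several times (hash-named symlinks plus the already-concatenated ca-certificates.crt). The function names and the paths passed in are assumptions; the filtering is textual and does not parse the certificates.

```shell
#!/bin/sh
# Added example: build a single PEM CA bundle from a directory of certificates.
# Function names are hypothetical; all paths are supplied by the caller.

# count_certs FILE -> prints the number of PEM certificate blocks in FILE
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# build_ca_bundle SRC_DIR OUT_FILE -> writes OUT_FILE, prints the block count
# Keeps only text between BEGIN/END CERTIFICATE markers and drops exact
# duplicates, so symlinked or pre-concatenated copies are not repeated.
build_ca_bundle() {
    src_dir=$1
    out=$2
    [ -d "$src_dir" ] || { echo "no such directory: $src_dir" >&2; return 1; }
    tmp=$(mktemp) || return 1

    for f in "$src_dir"/*; do
        [ -f "$f" ] || continue   # -f follows symlinks and skips directories
        cat "$f"
        echo                      # guard against a missing final newline
    done | tr -d '\r' | awk '
        /^-----BEGIN CERTIFICATE-----/ { inblk = 1; blk = "" }
        inblk { blk = blk $0 "\n" }
        /^-----END CERTIFICATE-----/ {
            if (inblk && !(blk in seen)) { seen[blk] = 1; printf "%s", blk }
            inblk = 0
        }
    ' > "$tmp"

    n=$(count_certs "$tmp")
    if [ "$n" -eq 0 ]; then
        echo "no certificates found in $src_dir" >&2
        rm -f "$tmp"
        return 1
    fi

    # Make the result read-only: the thread notes that a CA file kept in
    # writable storage is itself a security issue.
    chmod 444 "$tmp" && mv -f "$tmp" "$out" || { rm -f "$tmp"; return 1; }
    echo "$n"
}
```

On a Debian host this would be called as `build_ca_bundle /etc/ssl/certs ca_list.pem`; the resulting file is what goes into the CA certificates path in the CSipSimple settings.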

GoogleCodeExporter commented 9 years ago
@lee: Thanks, it works the way you described it. The only thing needed was a nightly build 
of csipsimple :)

Original comment by nen...@gmail.com on 8 May 2013 at 3:17