krunal09 / csipsimple

Automatically exported from code.google.com/p/csipsimple

can't send sip MESSAGE directly to the client in TLS mode #935

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Use a build with TLS enabled, and configure TLS to listen on 5061 or another known port.
2. Try to send a SIP MESSAGE to the client directly, without using a SIP server, to the ip/port of csipsimple listening in TLS mode.

What is the expected output? What do you see instead?
The message should work as usual, opening a notification. It doesn't work, and looking in logcat with csipsimple in debug=5, it shows the error as:

libpjsip: Error calling SSL_accept(): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

This is a common error when you don't have any cipher matching between client and server, but that is not the case as I have a custom client with cipher list "ALL", and I use the same openssl version. This error is also common in the case when there is no certificate on the server side, and I think this is the case.

We should have a way to upload a certificate on the csipsimple client to let the SSL "listening server" socket used by pjsip have a valid certificate.

What version of the product are you using? On what operating system?
revision 830, latest pjsip_android self-compiled with tls enabled

Please provide any additional information below.
I'm working on Android 2.1 and 2.2, but I don't think this matters in any way.

Original issue reported on code.google.com by antanisa...@gmail.com on 7 May 2011 at 8:22
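
The diagnosis in the report above (a TLS listener with no certificate answers every ClientHello with "no shared cipher", whatever cipher list the client offers) can be reproduced offline. This is an added example, not code from csipsimple or pjsip: Python's OpenSSL-backed ssl module stands in for pjsip's TLS listener, and the handshake is capped at TLS 1.2 as an assumption so that the cipher-selection path named in the logged error is the one exercised.

```python
import ssl


def handshake_without_server_cert():
    """Handshake in memory against a TLS server context that has no
    certificate loaded; return (server_error_reason, client_error_reason)."""
    # Server: a listener context on which load_cert_chain() was never called.
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # assumption, see lead-in

    # Client: default cipher list, verification off, so that certificate
    # validation on the client cannot be what makes the handshake fail.
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_NONE
    client_ctx.maximum_version = ssl.TLSVersion.TLSv1_2

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(c_in, c_out)
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)

    def step(side):
        # Advance one side; return the OpenSSL reason string on a fatal error.
        try:
            side.do_handshake()
        except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
            return None
        except ssl.SSLError as exc:
            return exc.reason
        return None

    step(client)                  # client emits its ClientHello
    s_in.write(c_out.read())
    server_reason = step(server)  # no cert/key loaded, so no suite is usable
    c_in.write(s_out.read())      # the fatal alert the server sent back
    client_reason = step(client)
    return server_reason, client_reason


if __name__ == "__main__":
    print(handshake_without_server_cert())
```

The client only sees a generic handshake-failure alert, so the listener's own log is where the missing certificate shows up.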

GoogleCodeExporter commented 9 years ago
Ok you're absolutely right.
I previously removed these settings because I thought they were useless, but I forgot the direct-call use cases.

I guess these settings could be classed in 'Expert mode' settings.

I think there is maybe also something to ensure about the scheme. By default csipsimple always puts "sip:" before URIs. Maybe specifying "sips:" will be detected by the app and will do the trick, but I have to check that point too.

Original comment by r3gis...@gmail.com on 7 May 2011 at 9:52

GoogleCodeExporter commented 9 years ago
Not only direct calls, also incoming sips calls. FreeSWITCH in my office tries to establish an SSL connection to the phone on an incoming call, with the same result.

I tried building csipsimple with hardcoded paths to the CA, certificate and key. Incoming calls work fine :)

I think the path to the CA should be in common options; path to server cert, path to key, and key password in account options.

Also need an option to generate CA, cert and key from csipsimple (if possible).

Original comment by Alex.Gor...@gmail.com on 24 May 2011 at 8:54

GoogleCodeExporter commented 9 years ago
Attached a small fix for pjsip. If the account config for zrtp is set to 0, do not return PJSIP_ESESSIONINSECURE. Equivalent to:

if (acc->cfg.use_zrtp == 0) {
   acc->cfg.use_zrtp = PJMEDIA_NO_ZRTP;
}

Original comment by Alex.Gor...@gmail.com on 31 May 2011 at 10:35

GoogleCodeExporter commented 9 years ago
Interesting point.

However, after some searching in the code, the problem is not really here. In fact use_zrtp should never be 0. The Java code already does that correctly. But I noticed that the zrtp patch for pjsip does not set the default use_zrtp value to PJSUA_DEFAULT_USE_ZRTP. I think that this is actually the root of the problem (maybe other pieces of the zrtp patch also assume use_zrtp should be either 1 or 2, so better to fix the root of the problem :).

Thx a lot for pointing this out, I'll do the fix about the default value so that you can let me know if it fixes it as well as your fix ;)

Original comment by r3gis...@gmail.com on 31 May 2011 at 11:11

GoogleCodeExporter commented 9 years ago
Can you review r896 and let me know how it goes with this fix?

Original comment by r3gis...@gmail.com on 31 May 2011 at 11:17

GoogleCodeExporter commented 9 years ago
Didn't help. acc->cfg.use_zrtp still equals 0.

Original comment by Alex.Gor...@gmail.com on 31 May 2011 at 12:30

GoogleCodeExporter commented 9 years ago
I tried to add
PJ_LOG(4,(THIS_FILE, "ZRTP are enabled. ZRTP: %d", acc->cfg.use_zrtp));

after
acc->cfg.use_zrtp = PJSUA_DEFAULT_USE_ZRTP;

Cannot see the debug message in the log.

Original comment by Alex.Gor...@gmail.com on 31 May 2011 at 12:35

GoogleCodeExporter commented 9 years ago
Mmmh, weird.
How do you create the account?

Original comment by r3gis...@gmail.com on 31 May 2011 at 12:36

GoogleCodeExporter commented 9 years ago
Ahah, you are probably building without ZRTP enabled :)

Ok, my bad, the default value should be done even if ZRTP is not activated.

Original comment by r3gis...@gmail.com on 31 May 2011 at 12:40

GoogleCodeExporter commented 9 years ago
r897, should be better ;)

Original comment by r3gis...@gmail.com on 31 May 2011 at 12:41

GoogleCodeExporter commented 9 years ago
No. I removed the #if defined immediately after 'svn co' :) because in struct pjsua_acc_config (pjmedia.h) use_zrtp is defined without this.

Original comment by Alex.Gor...@gmail.com on 31 May 2011 at 1:00

GoogleCodeExporter commented 9 years ago
Hmmm. pjsua_acc_modify should be called from addAccount, but currentAccountStatus.isAddedToStack() returns false on my phones, and the condition:

if (currentAccountStatus.isAddedToStack() )

is not satisfied, and pjsua_acc_modify isn't called. I don't know whether this is a local misconfiguration or a bug in CSipSimple.

I use Android 2.3.4 and 2.3.3 on htc hero and acer liquid me s120.

Original comment by Alex.Gor...@gmail.com on 31 May 2011 at 1:49

GoogleCodeExporter commented 9 years ago
So, there are 2 bugs.

The 1st bug, in the pjsip library, is partially fixed in
https://code.google.com/p/csipsimple/source/detail?r=896

I say "partially", because
acc->cfg.use_zrtp = PJSUA_DEFAULT_USE_ZRTP;
should be changed to
acc->cfg.use_zrtp = cfg->use_zrtp;

The 2nd bug is in PJSipService.java

The condition "if (currentAccountStatus.isAddedToStack() )" always returns false, because it is called *before* pjsua.acc_add. Then isAddedToStack() always returns -1.

Original comment by Alex.Gor...@gmail.com on 31 May 2011 at 6:12

GoogleCodeExporter commented 9 years ago
Even if currentAccountStatus.isAddedToStack() returns true, pjsua.acc_modify(currentAccountStatus.getPjsuaId(), account.cfg) should return an error, because acc_modify is called before acc_add.

Original comment by Alex.Gor...@gmail.com on 31 May 2011 at 6:16

GoogleCodeExporter commented 9 years ago
In fact my fix was very wrong.
My bad, I thought I was adding that to the set default params of account params. Instead, because of the search feature of Eclipse, I was in a function that has nothing to do with that ;)

And actually the way it is done in Java space is good. It should modify the account only when already added. So most of the time, obviously, it will only add the account ;).

Original comment by r3gis...@gmail.com on 31 May 2011 at 8:41

GoogleCodeExporter commented 9 years ago
I'll stop committing things at lunch time ;) -- I do weird things ;)

r898 should be better (at least it's what I was aiming for at first).

Thx again for your feedback and investigations.

Original comment by r3gis...@gmail.com on 31 May 2011 at 8:50

GoogleCodeExporter commented 9 years ago
r898 works if PJSUA_DEFAULT_USE_ZRTP is set to PJMEDIA_NO_ZRTP in pjsua.h

If PJSUA_DEFAULT_USE_ZRTP is set to PJMEDIA_CREATE_ZRTP (pjsip defaults), incoming calls still don't work. I added some debug prints to the pjsip library, see the result below:

$ adb -s 352809040254607 logcat | grep -iE 'srtp|zrtp|_acc|return|Current account isn|set.*to'

D/libpjsip( 1811/ 1839):  13:56:31.337    pjsua_acc.c  pjsua_acc_config_dup()
D/libpjsip( 1811/ 1839):  13:56:31.337    pjsua_acc.c  cfg->use_zrtp = 2
D/libpjsip( 1811/ 1839):  13:56:31.337    pjsua_acc.c  pjsua_var.acc[id].cfg.use_zrtp = 2
D/libpjsip( 1811/ 1839):  13:56:31.337    pjsua_acc.c  Account <sip:10.192.156.10:5060> added with id 0

D/libpjsip( 1811/ 1839):  13:56:31.338    pjsua_acc.c  pjsua_acc_config_dup()
D/libpjsip( 1811/ 1839):  13:56:31.338    pjsua_acc.c  cfg->use_zrtp = 2
D/libpjsip( 1811/ 1839):  13:56:31.338    pjsua_acc.c  pjsua_var.acc[id].cfg.use_zrtp = 2
D/libpjsip( 1811/ 1839):  13:56:31.338    pjsua_acc.c  Account <sip:10.192.156.10:36469;transport=TCP> added with id 1

V/libpjsip( 1811/ 1839):  13:56:31.342    tls0x74b03c  TLS verification mode set to 0
D/libpjsip( 1811/ 1839):  13:56:31.347    pjsua_acc.c  pjsua_acc_config_dup()
D/libpjsip( 1811/ 1839):  13:56:31.347    pjsua_acc.c  cfg->use_zrtp = 2
D/libpjsip( 1811/ 1839):  13:56:31.347    pjsua_acc.c  pjsua_var.acc[id].cfg.use_zrtp = 2
D/libpjsip( 1811/ 1839):  13:56:31.347    pjsua_acc.c  Account <sip:10.192.156.10:47320;transport=TLS> added with id 2

D/Pj profile( 1811/ 1839): --> added zrtp 1

D/PjService( 1811/ 1839): Current account isn't added to stack
D/libpjsip( 1811/ 1839):  13:56:31.419    pjsua_acc.c  pjsua_acc_config_dup()
D/libpjsip( 1811/ 1839):  13:56:31.419    pjsua_acc.c  cfg->use_zrtp = 1
D/libpjsip( 1811/ 1839):  13:56:31.419    pjsua_acc.c  pjsua_var.acc[id].cfg.use_zrtp = 1
D/libpjsip( 1811/ 1839):  13:56:31.420    pjsua_acc.c  Account <sip:4565@immomsk.ru> added with id 3
D/libpjsip( 1811/ 1839):  13:56:31.420    pjsua_acc.c  Contact for acc 3 updated for SIP outbound: <sip:4565@10.192.156.10:47320;transport=TLS;ob>;+sip.ice;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-0000-0000-0000e922f243>"
I/libpjsip( 1811/ 1839):  13:56:31.430    pjsua_acc.c  Registration sent
D/libpjsip( 1811/ 2123):  13:56:31.726    pjsua_acc.c  SIP outbound status for acc 3 is not active
I/libpjsip( 1811/ 2123):  13:56:31.726    pjsua_acc.c  <sip:4565@immomsk.ru>: registration success, status=200 (OK), will re-register in 900 seconds

ZRTP settings for account 3 are applied. But on incoming call:

D/libpjsip( 2167/ 2184):  14:03:36.579    tls0x318c2c  TLS listener 10.192.156.10:51198: got incoming TCP connection from 10.192.168.70:51850, sock=63
D/libpjsip( 2167/ 2184):  14:03:36.580   tlss0x33a64c  TLS server transport created
V/libpjsip( 2167/ 2184):  14:03:36.580   tlss0x33a64c  Starting SSL_accept() negotiation
V/libpjsip( 2167/ 2184):  14:03:37.340   tlss0x33a64c  SSL_accept() negotiation completes successfully
V/libpjsip( 2167/ 2185):  14:03:37.642 sip_endpoint.c  Processing incoming message: Request msg INVITE/cseq=13125244 (rdata0x33a770)
D/libpjsip( 2167/ 2185):  14:03:37.642   pjsua_core.c  RX 1340 bytes Request msg INVITE/cseq=13125244 (rdata0x33a770) from tls 10.192.168.70:51850:
D/libpjsip( 2167/ 2185): INVITE sip:4565@10.192.156.10:51198;transport=TLS;ob SIP/2.0
D/libpjsip( 2167/ 2185): Via: SIP/2.0/TLS 10.192.168.70:5071;rport;branch=z9hG4bKtK6rSvmH52H0c
D/libpjsip( 2167/ 2185): Max-Forwards: 69
D/libpjsip( 2167/ 2185): From: "Ilyasova Lyudmila" <sip:246@10.192.168.70>;tag=Nmm93y21y2eca
D/libpjsip( 2167/ 2185): To: <sip:4565@10.192.156.10:51198;transport=TLS;ob>
D/libpjsip( 2167/ 2185): Call-ID: 42116824-06d9-122f-a69c-001a64642a14
D/libpjsip( 2167/ 2185): CSeq: 13125244 INVITE
D/libpjsip( 2167/ 2185): Contact: <sip:mod_sofia@10.192.168.70:5071;transport=tls>
D/libpjsip( 2167/ 2185): User-Agent: FreeSWITCH-mod_sofia/1.0.head-git-3de9b51 2011-04-08 14-53-59 +0200
D/libpjsip( 2167/ 2185): Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, UPDATE, INFO, REGISTER, REFER, NOTIFY, PUBLISH, SUBSCRIBE
D/libpjsip( 2167/ 2185): Supported: timer, precondition, path, replaces
D/libpjsip( 2167/ 2185): Allow-Events: talk, hold, presence, dialog, line-seize, call-info, sla, include-session-description, presence.winfo, message-summary, refer
D/libpjsip( 2167/ 2185): Content-Type: application/sdp
D/libpjsip( 2167/ 2185): Content-Disposition: session
D/libpjsip( 2167/ 2185): Content-Length: 345
D/libpjsip( 2167/ 2185): X-FS-Support: update_display
D/libpjsip( 2167/ 2185): Remote
D/libpjsip( 2167/ 2185):  14:03:37.643  pjsua_media.c  SRTP and ZRTP are enabled. ZRTP: 2
E/libpjsip( 2167/ 2185):  14:03:37.643   pjsua_call.c  Error initializing media channel: Require secure session/transport (PJSIP_ESESSIONINSECURE) [status=171142]
V/libpjsip( 2167/ 2185):  14:03:37.644       endpoint  Response msg 1685202976/INVITE/cseq=13125244 (tdta0x3694a8) created
V/libpjsip( 2167/ 2185):  14:03:37.644    tsx0x34a32c  Transaction created for Request msg INVITE/cseq=13125244 (rdata0x33a770)
V/libpjsip( 2167/ 2185):  14:03:37.644    tsx0x34a32c  Incoming Request msg INVITE/cseq=13125244 (rdata0x33a770) in state Null
V/libpjsip( 2167/ 2185):  14:03:37.645    tsx0x34a32c  State changed from Null to Trying, event=RX_MSG
V/libpjsip( 2167/ 2185):  14:03:37.645    tsx0x34a32c  Sending Response msg 1685202976/INVITE/cseq=13125244 (tdta0x3694a8) in state Trying
D/libpjsip( 2167/ 2185):  14:03:37.645   pjsua_core.c  TX 362 bytes Response msg 1685202976/INVITE/cseq=13125244 (tdta0x3694a8) to tls 10.192.168.70:51850:
D/libpjsip( 2167/ 2185): SIP/2.0 1685202976 Default status message
D/libpjsip( 2167/ 2185): Via: SIP/2.0/TLS 10.192.168.70:5071;rport=51850;received=10.192.168.70;branch=z9hG4bKtK6rSvmH52H0c
D/libpjsip( 2167/ 2185): Call-ID: 42116824-06d9-122f-a69c-001a64642a14
D/libpjsip( 2167/ 2185): From: "Ilyasova Lyudmila" <sip:246@10.192.168.70>;tag=Nmm93y21y2eca
D/libpjsip( 2167/ 2185): To: <sip:4565@10.192.156.10;ob>;tag=z9hG4bKtK6rSvmH52H0c
D/libpjsip( 2167/ 2185): CSeq: 13125244 INVITE
D/libpjsip( 2167/ 2185): Content-Length:  0

Original comment by Alex.Gor...@gmail.com on 1 Jun 2011 at 10:14

GoogleCodeExporter commented 9 years ago
I really don't understand the following things:
- why are accounts with id from 0 to 2 added?
- why have the zrtp settings for account 3 been changed from NO_ZRTP to CREATE_ZRTP?

Original comment by Alex.Gor...@gmail.com on 1 Jun 2011 at 10:20

GoogleCodeExporter commented 9 years ago
Now all works fine (r993). You may close this bug.

Original comment by Alex.Gor...@gmail.com on 4 Aug 2011 at 5:31

GoogleCodeExporter commented 9 years ago

Original comment by r3gis...@gmail.com on 10 Nov 2011 at 10:51