pjsip / pjproject

PJSIP project
http://www.pjsip.org
GNU General Public License v2.0

PJSIP uses IP address instead of hostname when creating TLS transport to the caller to send BYE #2706

Closed lauriva closed 1 year ago

lauriva commented 3 years ago

Describe the bug

PJSIP uses IP address instead of hostname when creating TLS transport to the caller to send BYE.

To Reproduce

Steps to reproduce the behavior:

  1. Start pjsua
     ./pjsua-x86_64-unknown-linux-gnu --use-tls --tls-ca-file=... --tls-cert-file=... --tls-privkey-file=... --tls-verify-server --contact="sip:sip.example.com:5063;transport=tls" --local-port=5062 --use-srtp=1
  2. Call to pjsua
  3. Answer the call in pjsua
  4. Hangup the call in pjsua
  5. PJSIP creates transport using IP address and thus certificate validation fails
     10:25:16.696 tlsc0x55d222827818 ....TLS transport 10.10.10.231:32837 is connecting to 10.10.10.131:5081...

Expected behavior

Transport is created and certificate is validated using hostname
11:20:19.813 tlsc0x55c17d93aee8 ....TLS transport 10.10.10.231:37387 is connecting to origin.example.com:5081...

Desktop/Smartphone (please complete the following information):

Additional context

Works with PJSIP 2.10

Logs/Screenshots

Call trace from pjsua

10:24:04.011           pjsua_core.c  .RX 2395 bytes Request msg INVITE/cseq=35545930 (rdata0x7f8b90045f28) from TLS 10.10.10.131:49769:
INVITE sip:7777@sip.example.com:5063;transport=tls SIP/2.0
Via: SIP/2.0/TLS 10.10.10.131:5081;rport;branch=z9hG4bKQ0F05jDcvQmgp
Max-Forwards: 69
From: "FreeSWITCH" <sip:fs@origin.example.com>;tag=B54eyBvvr1ZmK
To: <sip:7777@sip.example.com:5063>
Call-ID: b6209832-2815-123a-aab5-26faa99b4e3d
CSeq: 35545930 INVITE
Contact: <sip:gw+sip.example.com@origin.example.com:5081;transport=tls;gw=sip.example.com>
User-Agent: FreeSWITCH-mod_sofia/1.10.5-release+git~20200818T185121Z~25569c1631~64bit
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
Supported: timer, path, replaces
Allow-Events: talk, hold, conference, refer
Content-Type: application/sdp
Content-Disposition: session
Content-Length: 1467
X-FS-Support: update_display,send_info
Remote-Party-ID: "FreeSWITCH" <sip:0000000000@origin.example.com>;party=calling;screen=yes;privacy=off

v=0
o=FreeSWITCH 1620169329 1620169330 IN IP4 10.10.10.131
s=FreeSWITCH
c=IN IP4 10.10.10.131
t=0 0
m=audio 30114 RTP/SAVP 102 8 0 103 101
a=rtpmap:102 opus/48000/2
a=fmtp:102 useinbandfec=1; maxaveragebitrate=30000; maxplaybackrate=48000; ptime=20; minptime=10; maxptime=40; stereo=1
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:103 telephone-event/48000
a=fmtp:103 0-16
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=crypto:1 AEAD_AES_256_GCM_8 inline:/orP8YekD3fTer5i1Q/PwMWSrFMh7LEEZkdhRDRFuLXNBcqxkGF6gG/k+TE=
a=crypto:2 AEAD_AES_256_GCM inline:1pvdwHuleV/dOE3ZOQbiDMJ7Sr6ttB62OmehnckzBEaIILC39OLbv977n28=
a=crypto:3 AEAD_AES_128_GCM_8 inline:72gyYRfQ7n4CnWzN/o8s4nyWNTOHBywvKXJGJw==
a=crypto:4 AEAD_AES_128_GCM inline:rynRcrD0PuXpHsMW+EkPjpruhoB1/RL2Ztey+g==
a=crypto:5 AES_256_CM_HMAC_SHA1_80 inline:q1Nt9X9uVSKjg5XlJhEt3aBjaOoASkwSnZgoIRmoWHN584lH6nKy9JfJ+13hzA==
a=crypto:6 AES_192_CM_HMAC_SHA1_80 inline:1gH7BEC3EcyypVaXev1UYm16IkJQiCilZSukcQl9uxdL4+N/qs0=
a=crypto:7 AES_CM_128_HMAC_SHA1_80 inline:WQrhPNZqdKUeEzDNW1PRTWZmzACnGuT0MgHk1p8a
a=crypto:8 AES_256_CM_HMAC_SHA1_32 inline:Kh5MVq15Wvlw8LFIe5u0RTuE4+8L1co7uU35+Do+Nw/mNYuhGzyKcx6f7LQ5ow==
a=crypto:9 AES_192_CM_HMAC_SHA1_32 inline:bMMYeizO0iCQZufjnUSRXnd+AgJ3gM3eXsz94N1+FTi/z6RmaQA=
a=crypto:10 AES_CM_128_HMAC_SHA1_32 inline:UkE/M7JAvdg39LOdCEovlCRH1b65b14MZt3bvXIw
a=crypto:11 AES_CM_128_NULL_AUTH inline:r3N5UuakY6jBjhwGVm8ywpFt1KH6X8LshriHpOj/
a=ptime:20

--end msg--
10:24:04.011           pjsua_call.c  .Incoming Request msg INVITE/cseq=35545930 (rdata0x7f8b90045f28)
10:24:04.035     tlsc0x7f8b900533b8  ..TLS client transport created
10:24:04.035     tlsc0x7f8b900533b8  ..TLS transport 10.10.10.231:59309 is connecting to origin.example.com:5081...
10:24:04.035          pjsua_media.c  ..Call 0: initializing media..
10:24:04.082          pjsua_media.c  ...RTP socket reachable at 10.10.10.231:4000
10:24:04.082          pjsua_media.c  ...RTCP socket reachable at 10.10.10.231:4001
10:24:04.082          pjsua_media.c  ...Media index 0 selected for audio call 0
10:24:04.082     srtp0x7f8b9005c390  ..SRTP uses keying method SDES
10:24:04.082           pjsua_core.c  .....TX 328 bytes Response msg 100/INVITE/cseq=35545930 (tdta0x7f8b900676b8) to TLS 10.10.10.131:49769:
SIP/2.0 100 Trying
Via: SIP/2.0/TLS 10.10.10.131:5081;rport=49769;received=10.10.10.131;branch=z9hG4bKQ0F05jDcvQmgp
Call-ID: b6209832-2815-123a-aab5-26faa99b4e3d
From: "FreeSWITCH" <sip:fs@origin.example.com>;tag=B54eyBvvr1ZmK
To: <sip:7777@sip.example.com>
CSeq: 35545930 INVITE
Content-Length:  0

--end msg--
10:24:04.082            pjsua_aud.c  ..Conf connect: 2 --> 0
10:24:04.082            pjsua_aud.c  ...Set sound device: capture=-1, playback=-2
10:24:04.082            pjsua_app.c  ....Turning sound device -1 -2 ON
10:24:04.082            pjsua_aud.c  ....Opening sound device (speaker + mic) PCM@16000/1/20ms
10:24:04.086       ec0x7f8b90078360  .....Echo suppressor created, clock_rate=16000, channel=1, samples per frame=320, tail length=200 ms, latency=100 ms
10:24:04.086           conference.c  ...Port 2 (ring) transmitting to port 0 (default)
10:24:04.086            pjsua_app.c  ..Incoming call for account 2!
Media count: 1 audio & 0 video
From: "FreeSWITCH" <sip:fs@origin.example.com>
To: <sip:7777@sip.example.com>
Press a to answer or h to reject call
10:24:04.086      ssl0x7f8b90052370 !CA certificates loaded from '...'
10:24:04.086      ssl0x7f8b90052370  Certificate chain loaded from '...'
10:24:04.086      ssl0x7f8b90052370  Private key loaded from '...'
10:24:04.089            pjsua_app.c !SIP TLS transport is connected to origin.example.com:5081
10:24:04.089            pjsua_app.c  TLS cipher used: 0x00C030/ECDHE-RSA-AES256-GCM-SHA384
10:24:04.089            pjsua_app.c  TLS cert info of origin.example.com:5081:
...

10:24:04.089            pjsua_app.c  TLS cert verification result of origin.example.com:5081 : OK
10:24:04.089     tlsc0x7f8b900533b8  TLS transport 10.10.10.231:59309 is connected to origin.example.com:5081
10:24:06.150       ec0x7f8b90078360  Buffer size adjusted from 2340 to 1861 (eff_cnt=1440)
10:24:06.210       ec0x7f8b90078360  Buffer size adjusted from 1861 to 1383 (eff_cnt=1440)
10:24:14.983           pjsua_core.c  .RX 588 bytes Request msg OPTIONS/cseq=35545102 (rdata0x7f8b90045f28) from TLS 10.10.10.131:49769:
OPTIONS sip:sip.example.com:5063;transport=tls SIP/2.0
Via: SIP/2.0/TLS 10.10.10.131:5081;rport;branch=z9hG4bKr98r7DyFS0a3H
Max-Forwards: 70
From: <sip:origin.example.com>;tag=cey7Z6c0Nap7e
To: <sip:origin.example.com>
Call-ID: bcaac4b7-2815-123a-aab5-26faa99b4e3d
CSeq: 35545102 OPTIONS
User-Agent: FreeSWITCH-mod_sofia/1.10.5-release+git~20200818T185121Z~25569c1631~64bit
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
Supported: timer, path, replaces
Allow-Events: talk, hold, conference, refer
Content-Length: 0

--end msg--
10:24:14.983           pjsua_core.c  .TX 752 bytes Response msg 200/OPTIONS/cseq=35545102 (tdta0x7f8b90081528) to TLS 10.10.10.131:49769:
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.10.10.131:5081;rport=49769;received=10.10.10.131;branch=z9hG4bKr98r7DyFS0a3H
Call-ID: bcaac4b7-2815-123a-aab5-26faa99b4e3d
From: <sip:origin.example.com>;tag=cey7Z6c0Nap7e
To: <sip:origin.example.com>;tag=z9hG4bKr98r7DyFS0a3H
CSeq: 35545102 OPTIONS
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Accept: application/sdp, application/pidf+xml, application/xpidf+xml, application/simple-message-summary, message/sipfrag;version=2.0, application/im-iscomposing+xml, text/plain
Supported: replaces, 100rel, timer, norefersub, trickle-ice
Allow-Events: presence, message-summary, refer
User-Agent: PJSUA v2.11 Linux-5.4.0.72/x86_64/glibc-2.31
Content-Length:  0

--end msg--
a
Answer with code (100-699) (empty to cancel): 
10:24:17.062             tcptp:5062  TCP listener 10.10.10.231:5062: got incoming TCP connection from 10.10.10.131:34849, sock=26
10:24:17.062     tcps0x7f8b900814a8  TCP server transport created
10:24:17.062            pjsua_app.c  SIP TCP transport is connected to 10.10.10.131:34849
200
10:24:18.123           pjsua_call.c !Answering call 0: code=200
10:24:18.123      inv0x7f8b9003bbd8  ..SDP negotiation done: Success
10:24:18.123          pjsua_media.c  ...Call 0: updating media..
10:24:18.123          pjsua_media.c  .....Media stream call00:0 is destroyed
10:24:18.123     srtp0x7f8b9005c390  ....SRTP started, keying=SDES, crypto=AEAD_AES_256_GCM_8
10:24:18.123            pjsua_aud.c  ....Audio channel update..
10:24:18.123     strm0x55d22280ed58  .....Encoder stream started
10:24:18.123     strm0x55d22280ed58  .....Decoder stream started
10:24:18.123          pjsua_media.c  ....Audio updated, stream #0: opus (sendrecv)
10:24:18.123            pjsua_app.c  ...Call 0 media 0 [type=audio], status is Active
10:24:18.123            pjsua_aud.c  ...Conf disconnect: 2 -x- 0
10:24:18.123           conference.c  ....Port 2 (ring) stop transmitting to port 0 (default)
10:24:18.123            pjsua_aud.c  ...Conf connect: 3 --> 0
10:24:18.123           conference.c  ....Port 3 (sip:fs@origin.example.com) transmitting to port 0 (default)
10:24:18.123            pjsua_aud.c  ...Conf connect: 0 --> 3
10:24:18.123           conference.c  ....Port 0 (default) transmitting to port 3 (sip:fs@origin.example.com)
10:24:18.123           pjsua_core.c  ....TX 1048 bytes Response msg 200/INVITE/cseq=35545930 (tdta0x55d22280aaf8) to TLS 10.10.10.131:49769:
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.10.10.131:5081;rport=49769;received=10.10.10.131;branch=z9hG4bKQ0F05jDcvQmgp
Call-ID: b6209832-2815-123a-aab5-26faa99b4e3d
From: "FreeSWITCH" <sip:fs@origin.example.com>;tag=B54eyBvvr1ZmK
To: <sip:7777@sip.example.com>;tag=aee2b27c-e6e7-4f8f-82ab-fa9d9ae9929d
CSeq: 35545930 INVITE
Contact: <sip:10.10.10.231:5063;transport=TLS>
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Supported: replaces, 100rel, timer, norefersub
Content-Type: application/sdp
Content-Length:   454

v=0
o=- 3829188244 3829188245 IN IP4 10.10.10.231
s=pjmedia
b=AS:117
t=0 0
a=X-nat:0
m=audio 4000 RTP/SAVP 102 103
c=IN IP4 10.10.10.231
b=TIAS:96000
a=rtcp:4001 IN IP4 10.10.10.231
a=sendrecv
a=ssrc:222042927 cname:4fed7fbb183b8ce4
a=crypto:1 AEAD_AES_256_GCM_8 inline:/soxCkmVYmuvMaqA+isCTNDNeEPSQTft4Sp+obgtVoNfgOpaC0eMBuObpMI=
a=rtpmap:102 opus/48000/2
a=fmtp:102 useinbandfec=1
a=rtpmap:103 telephone-event/48000
a=fmtp:103 0-16

--end msg--
10:24:18.123            pjsua_app.c  .......Call 0 state changed to CONNECTING
10:24:18.125           pjsua_core.c  .RX 474 bytes Request msg ACK/cseq=35545930 (rdata0x7f8b90045f28) from TLS 10.10.10.131:49769:
ACK sip:10.10.10.231:5063;transport=TLS SIP/2.0
Via: SIP/2.0/TLS 10.10.10.131:5081;rport;branch=z9hG4bKSj2H98eKp90ND
Max-Forwards: 70
From: "FreeSWITCH" <sip:fs@origin.example.com>;tag=B54eyBvvr1ZmK
To: <sip:7777@sip.example.com:5063>;tag=aee2b27c-e6e7-4f8f-82ab-fa9d9ae9929d
Call-ID: b6209832-2815-123a-aab5-26faa99b4e3d
CSeq: 35545930 ACK
Contact: <sip:gw+sip.example.com@origin.example.com:5081;transport=tls;gw=sip.example.com>
Content-Length: 0

--end msg--
10:24:18.125            pjsua_app.c  ...Call 0 state changed to CONFIRMED
10:24:18.130     strm0x55d22280ed58 !Resetting jitter buffer in stream playback start
10:24:18.170           Master/sound  Underflow, buf_cnt=0, will generate 1 frame
10:24:22.990           sound_port.c  EC suspended because of inactivity
10:24:37.089     tlsc0x7f8b900533b8 !TLS transport destroyed normally
10:24:40.009           pjsua_core.c  .RX 588 bytes Request msg OPTIONS/cseq=35545103 (rdata0x7f8b90045f28) from TLS 10.10.10.131:49769:
OPTIONS sip:sip.example.com:5063;transport=tls SIP/2.0
Via: SIP/2.0/TLS 10.10.10.131:5081;rport;branch=z9hG4bKtUUaB4ZpKjQ8r
Max-Forwards: 70
From: <sip:origin.example.com>;tag=DQQ011X3jKcta
To: <sip:origin.example.com>
Call-ID: cb9574fb-2815-123a-aab5-26faa99b4e3d
CSeq: 35545103 OPTIONS
User-Agent: FreeSWITCH-mod_sofia/1.10.5-release+git~20200818T185121Z~25569c1631~64bit
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
Supported: timer, path, replaces
Allow-Events: talk, hold, conference, refer
Content-Length: 0

--end msg--
10:24:40.009           pjsua_core.c  .TX 752 bytes Response msg 200/OPTIONS/cseq=35545103 (tdta0x7f8b9004ec48) to TLS 10.10.10.131:49769:
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.10.10.131:5081;rport=49769;received=10.10.10.131;branch=z9hG4bKtUUaB4ZpKjQ8r
Call-ID: cb9574fb-2815-123a-aab5-26faa99b4e3d
From: <sip:origin.example.com>;tag=DQQ011X3jKcta
To: <sip:origin.example.com>;tag=z9hG4bKtUUaB4ZpKjQ8r
CSeq: 35545103 OPTIONS
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Accept: application/sdp, application/pidf+xml, application/xpidf+xml, application/simple-message-summary, message/sipfrag;version=2.0, application/im-iscomposing+xml, text/plain
Supported: replaces, 100rel, timer, norefersub, trickle-ice
Allow-Events: presence, message-summary, refer
User-Agent: PJSUA v2.11 Linux-5.4.0.72/x86_64/glibc-2.31
Content-Length:  0

--end msg--
10:25:04.034           pjsua_core.c  .RX 588 bytes Request msg OPTIONS/cseq=35545104 (rdata0x7f8b90045f28) from TLS 10.10.10.131:49769:
OPTIONS sip:sip.example.com:5063;transport=tls SIP/2.0
Via: SIP/2.0/TLS 10.10.10.131:5081;rport;branch=z9hG4bKU4m3cZgtgUDUm
Max-Forwards: 70
From: <sip:origin.example.com>;tag=e0gS3ve7Fv2cp
To: <sip:origin.example.com>
Call-ID: d9e76337-2815-123a-aab5-26faa99b4e3d
CSeq: 35545104 OPTIONS
User-Agent: FreeSWITCH-mod_sofia/1.10.5-release+git~20200818T185121Z~25569c1631~64bit
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
Supported: timer, path, replaces
Allow-Events: talk, hold, conference, refer
Content-Length: 0

--end msg--
10:25:04.034           pjsua_core.c  .TX 752 bytes Response msg 200/OPTIONS/cseq=35545104 (tdta0x7f8b9004ec48) to TLS 10.10.10.131:49769:
SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.10.10.131:5081;rport=49769;received=10.10.10.131;branch=z9hG4bKU4m3cZgtgUDUm
Call-ID: d9e76337-2815-123a-aab5-26faa99b4e3d
From: <sip:origin.example.com>;tag=e0gS3ve7Fv2cp
To: <sip:origin.example.com>;tag=z9hG4bKU4m3cZgtgUDUm
CSeq: 35545104 OPTIONS
Allow: PRACK, INVITE, ACK, BYE, CANCEL, UPDATE, INFO, SUBSCRIBE, NOTIFY, REFER, MESSAGE, OPTIONS
Accept: application/sdp, application/pidf+xml, application/xpidf+xml, application/simple-message-summary, message/sipfrag;version=2.0, application/im-iscomposing+xml, text/plain
Supported: replaces, 100rel, timer, norefersub, trickle-ice
Allow-Events: presence, message-summary, refer
User-Agent: PJSUA v2.11 Linux-5.4.0.72/x86_64/glibc-2.31
Content-Length:  0

--end msg--

>>> h
10:25:16.695           pjsua_call.c !Call 0 hanging up: code=0..
10:25:16.695          pjsua_media.c  .Call 0: deinitializing media..
10:25:16.695     pjsua_app_common.c  ...
  [CONFIRMED] To: "FreeSWITCH" <sip:fs@origin.example.com>;tag=B54eyBvvr1ZmK
    Call time: 00h:00m:58s, 1st res in 14112 ms, conn in 14114ms
    #0 audio opus @48kHz, sendrecv, peer=-
       EC stat: Echo suppressor learning in progress at t=016.880s, tail=210 ms,
          factor min/avg=0.000/-2147483.-648
       SRTP status: Active Crypto-suite: AEAD_AES_256_GCM_8
       RX pt=102, last update:00h:00m:00.000s ago
          total 0pkt 0B (0B +IP hdr) @avg=0bps/0bps
          pkt loss=0 (0.0%), discrd=0 (0.0%), dup=0 (0.0%), reord=0 (0.0%)
                (msec)    min     avg     max     last    dev
          loss period:   0.000   0.000   0.000   0.000   0.000
          jitter     :   0.000   0.000   0.000   0.000   0.000
       TX pt=102, ptime=20, last update:00h:00m:00.669s ago
          total 2.9Kpkt 199.6KB (316.8KB +IP hdr) @avg=27.2Kbps/43.2Kbps
          pkt loss=1 (0.0%), dup=0 (0.0%), reorder=0 (0.0%)
                (msec)    min     avg     max     last    dev 
          loss period:  40.000  40.000  40.000  40.000   0.000
          jitter     :   0.000   0.000   0.000   0.000   0.000
       RTT msec      :  15.045  15.297  15.502  15.319   0.066
10:25:16.695          pjsua_media.c  ...Media stream call00:0 is destroyed
10:25:16.695            pjsua_app.c  .Call 0 is DISCONNECTED [reason=200 (OK)]
10:25:16.696     tlsc0x55d222827818  ....TLS client transport created
10:25:16.696     tlsc0x55d222827818  ....TLS transport 10.10.10.231:32837 is connecting to 10.10.10.131:5081...
10:25:16.696           pjsua_core.c  ....TX 508 bytes Request msg BYE/cseq=22833 (tdta0x55d22280edd8) to TLS 10.10.10.131:5081:
BYE sip:gw+sip.example.com@origin.example.com:5081;transport=tls;gw=sip.example.com SIP/2.0
Via: SIP/2.0/TLS 10.10.10.231:59309;rport;branch=z9hG4bKPj75e422c9-a0eb-4ac5-bdd1-349c48d99c74;alias
Max-Forwards: 70
From: <sip:7777@sip.example.com>;tag=aee2b27c-e6e7-4f8f-82ab-fa9d9ae9929d
To: "FreeSWITCH" <sip:fs@origin.example.com>;tag=B54eyBvvr1ZmK
Call-ID: b6209832-2815-123a-aab5-26faa99b4e3d
CSeq: 22833 BYE
User-Agent: PJSUA v2.11 Linux-5.4.0.72/x86_64/glibc-2.31
Content-Length:  0

--end msg--
10:25:16.706      ssl0x55d22280c030 !CA certificates loaded from '...'
10:25:16.706      ssl0x55d22280c030  Certificate chain loaded from '...'
10:25:16.706      ssl0x55d22280c030  Private key loaded from '...'
10:25:16.709        sip_transport.c  Transport tlsc0x55d222827818 shutting down, force=0
10:25:16.709            pjsua_app.c  SIP TLS transport is disconnected from 10.10.10.131:5081: SSL certificate verification error (PJSIP_TLS_ECERTVERIF) [status=171173]
10:25:16.709            pjsua_app.c  TLS cipher used: 0x00C030/ECDHE-RSA-AES256-GCM-SHA384
10:25:16.709            pjsua_app.c  TLS cert info of 10.10.10.131:5081:
...

10:25:16.709            pjsua_app.c  TLS cert verification result of 10.10.10.131:5081 : The server identity does not match to any identities specified in the certificate
10:25:16.709            pjsua_acc.c  Disconnected notification for transport tlsc0x55d222827818
10:25:16.709        sip_transport.c  .Transport tlsc0x55d222827818 shutting down, force=0
10:25:16.709     tlsc0x55d222827818  TLS connect() error: [code=171173] peer: 10.10.10.131: SSL certificate verification error (PJSIP_TLS_ECERTVERIF)
10:25:16.709      tsx0x55d22280fde8  Failed to send Request msg BYE/cseq=22833 (tdta0x55d22280edd8)! err=171173 (SSL certificate verification error (PJSIP_TLS_ECERTVERIF))
10:25:16.709     tlsc0x55d222827818  TLS transport destroyed with reason 171173: SSL certificate verification error (PJSIP_TLS_ECERTVERIF)
10:25:17.696            pjsua_aud.c  Closing sound device after idle for 1 second(s)
10:25:17.696            pjsua_app.c  .Turning sound device -1 -2 OFF
10:25:17.696            pjsua_aud.c  .Closing default sound playback device and default sound capture device
10:25:29.060           pjsua_core.c  .RX 588 bytes Request msg OPTIONS/cseq=35545105 (rdata0x7f8b90045f28) from TLS 10.10.10.131:49769:

lauriva commented 2 years ago

This issue also affects latest release 2.12.1. The first affected commit is 67e46c1ac4.

With some more investigation I found out that create_uas_dialog() stores remote IP address and port from transport (incoming connection) to dialog's initial destination, and thus TLS certificate validation fails when new connection is needed towards the caller. I think that in this scenario caller's contact should be used when creating new connection for the request.

pekkaar commented 2 years ago

Can this be the reason for FreePBX 16.0.21.18 / Asterisk 18.14.0 PJSIP errors such as:

ERROR[6320]: res_pjsip/pjsip_transport_events.c:160 verify_log_result: Transport 'xxxx-tls' to remote '1.2.3.4' - The server identity does not match to any identities specified in the certificate

And also why the BYEs attempting to be sent from FreePBX on TLS trunks are actually never received (as they are not sent)?
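
A log triage for the pattern reported in this thread, as an added example that is not part of the original issue or of pjproject: it scans a pjsua trace for TLS client transports that dialled an IP literal, marks those that ended in PJSIP_TLS_ECERTVERIF, and recovers the hostname from the request URI sent to the same address. The function names are hypothetical and the regular expressions assume the pjsua 2.11 log layout shown in the trace above; the sample lines are copied from that trace.

```python
import ipaddress
import re

# Sample input: lines copied from the pjsua trace posted in this issue.
SAMPLE_LOG = """\
10:24:04.035     tlsc0x7f8b900533b8  ..TLS transport 10.10.10.231:59309 is connecting to origin.example.com:5081...
10:24:04.089     tlsc0x7f8b900533b8  TLS transport 10.10.10.231:59309 is connected to origin.example.com:5081
10:25:16.696     tlsc0x55d222827818  ....TLS transport 10.10.10.231:32837 is connecting to 10.10.10.131:5081...
10:25:16.696           pjsua_core.c  ....TX 508 bytes Request msg BYE/cseq=22833 (tdta0x55d22280edd8) to TLS 10.10.10.131:5081:
BYE sip:gw+sip.example.com@origin.example.com:5081;transport=tls;gw=sip.example.com SIP/2.0
10:25:16.709     tlsc0x55d222827818  TLS connect() error: [code=171173] peer: 10.10.10.131: SSL certificate verification error (PJSIP_TLS_ECERTVERIF)
"""

# Patterns are an assumption based on the log layout visible in the trace.
CONNECT = re.compile(r"(tlsc0x[0-9a-f]+)\s+[.!]*TLS transport \S+ is connecting to (\S+):(\d+)\.\.\.")
CERT_ERR = re.compile(r"(tlsc0x[0-9a-f]+)\s+[.!]*TLS connect\(\) error:.*PJSIP_TLS_ECERTVERIF")
TX_REQ = re.compile(r"TX \d+ bytes Request msg \S+ \(\S+\) to TLS (\S+):(\d+):$")
REQ_URI = re.compile(r"^[A-Z]+ sips?:(?:[^@\s;]+@)?(\[[^\]]+\]|[^:;\s]+)")


def is_ip_literal(host):
    """True for IPv4/IPv6 literals (brackets allowed), False for DNS names."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def find_ip_targeted_tls(log_text):
    """Return one finding per TLS client transport that dialled an IP literal."""
    lines = log_text.splitlines()
    findings = {}      # transport object name -> finding
    uri_host_for = {}  # (ip, port) -> hostname from a request URI sent there
    for i, line in enumerate(lines):
        m = CONNECT.search(line)
        if m and is_ip_literal(m.group(2)):
            findings[m.group(1)] = {"transport": m.group(1), "target": m.group(2),
                                    "port": int(m.group(3)), "cert_error": False,
                                    "uri_host": None}
        m = TX_REQ.search(line)
        if m and i + 1 < len(lines):
            uri = REQ_URI.match(lines[i + 1])  # request line follows the TX header
            if uri and not is_ip_literal(uri.group(1)):
                uri_host_for[(m.group(1), int(m.group(2)))] = uri.group(1)
        m = CERT_ERR.search(line)
        if m and m.group(1) in findings:
            findings[m.group(1)]["cert_error"] = True
    for f in findings.values():
        f["uri_host"] = uri_host_for.get((f["target"], f["port"]))
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_ip_targeted_tls(SAMPLE_LOG):
        print(finding)
```

A finding with `cert_error` set and a non-empty `uri_host` is the case from this report: the request names a host, but the transport was verified against the address.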