PJSIP does not use TLS if Record-Route in 200 OK contains "sips:" scheme

Hi, according to RFC 3261 and RFC 5630, if the UAC receives a 200 OK
response (for an INVITE) with a Record-Route as follows:

  Record-Route: <sips:IP_PROXY:PORT>

or:

  Record-Route: <sips:IP_PROXY:PORT;transport=tcp>

the UAC should send the ACK (and every new in-dialog request) using
TLS. This is because when constructing the ACK (or a BYE,
re-INVITE...) the request would contain a topmost Route header as the
above Record-Route, with a "sips" schema. According to RFC 3261 and
RFC 5630, that means that the connection must be done using TLS.

But PJSIP fails on this and just connects to the proxy using TLS if
the Record-Route contains a ";transport=tls" URI param.

Please note that ;transport=tls is deprecated since RFC 3261, and RFC
5630 explains it in section 3.1.4:

-------------------------------------------------------
  3.1.4.  Usage of the transport=tls URI Parameter and the TLS Via Parameter

   [RFC3261], Section 26.2.2 deprecated the "transport=tls" URI
   transport parameter in SIPS or SIP URIs:

      Note that in the SIPS URI scheme, transport is independent of TLS,
      and thus "sips:alice@atlanta.com;transport=TCP" and
      "sips:alice@atlanta.com;transport=sctp" are both valid (although
      note that UDP is not a valid transport for SIPS).  The use of
      "transport=tls" has consequently been deprecated, partly because
      it was specific to a single hop of the request.  This is a change
      since RFC 2543.

   The "tls" parameter has not been eliminated from the ABNF in
   [RFC3261], Section 25, since the parameter needs to remain in the
   ABNF for backward compatibility in order for parsers to be able to
   process the parameter correctly.  The transport=tls parameter has
   never been defined in an RFC, but only in some of the Internet drafts
   between [RFC2543] and [RFC3261].
-------------------------------------------------------


Also, please check the mail thread I've started in sip-implementors in
which the same is said:

  https://lists.cs.columbia.edu/pipermail/sip-implementors/2011-July/027407.html


So, it's clear that PJSIP should use TLS if the topmost Route header
of the locally generated request (i.e. ACK for 200) contains a "sips:"
schema. Then the topmost Route URI transport could be "tcp" or could
not exist (if it's "tls" then it's a bit ugly and deprecated, so also
use TLS as well).

This is, a topmost Route with sips schema requires sending the request
to the first hop using TLS, always.


Is it possible to fix this issue in PJSIP please?

Thanks a lot.


-- 
Iñaki Baz Castillo
<ibc at aliax.net>
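
An added example, not part of the original message and not PJSIP code: the first-hop rule the post argues for, written as a small C function. The names `hop_transport` and `first_hop_transport` are hypothetical, only UDP, TCP and TLS are modelled, and the 192.0.2.10 address is a constructed sample.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; none of this is PJSIP API. */
typedef enum { HOP_INVALID = -1, HOP_UDP, HOP_TCP, HOP_TLS } hop_transport;

/* Case-insensitive check that s starts with prefix. */
static int has_prefix(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Value of the ";transport=" URI parameter, or NULL when absent. */
static const char *transport_param(const char *uri)
{
    const char *p = uri;
    while ((p = strchr(p, ';')) != NULL) {
        if (has_prefix(++p, "transport="))
            return p + strlen("transport=");
    }
    return NULL;
}

/* First-hop transport required by the topmost Route URI. */
hop_transport first_hop_transport(const char *route)
{
    const char *uri = (*route == '<') ? route + 1 : route;
    const char *tp = transport_param(uri);
    if (has_prefix(uri, "sips:"))  /* TLS always; UDP is not valid for SIPS */
        return (tp && has_prefix(tp, "udp")) ? HOP_INVALID : HOP_TLS;
    if (!has_prefix(uri, "sip:"))
        return HOP_INVALID;
    if (tp && has_prefix(tp, "tls"))  /* deprecated parameter, still honoured */
        return HOP_TLS;
    if (tp && has_prefix(tp, "tcp"))
        return HOP_TCP;
    return HOP_UDP;  /* assumption: plain sip: with no hint goes over UDP */
}

int main(void)
{
    /* Constructed sample: the second Record-Route form from the post. */
    printf("%d\n", first_hop_transport("<sips:192.0.2.10:5061;transport=tcp>"));
    return 0;
}
```

A client that returns `HOP_TCP` for a `sips:` Route carrying `;transport=tcp` would send the ACK and later in-dialog requests in cleartext, which is the behaviour reported above.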


