Bug#897412: asterisk res_pjsip supported ciphersuites limited to 100

Ondřej Holas ondrej.holas at post.cz
Wed May 2 09:34:25 BST 2018 

Package: asterisk-modules
Version: 1:13.20.0~dfsg-1

In res_pjsip, the maximum number of supported SSL/TLS ciphersuites is
limited to 100:

=== begin excerpt from
asterisk-13.20.0~dfsg/res/res_pjsip/config_transport.c ===
...
static pj_ssl_cipher cipher_name_to_id(const char *name)
{
        pj_ssl_cipher ciphers[100];
        pj_ssl_cipher id = 0;
        unsigned int cipher_num = PJ_ARRAY_SIZE(ciphers);
...
=== end excerpt from asterisk-13.20.0~dfsg/res/res_pjsip/config_transport.c
===

When used with libpj2 2.7.2 and OpenSSL 1.1.0, the total number of supported
ciphersuites exceeds this hardcoded maximum, resulting in refusing some
supported ciphersuites:

=== begin excerpt from /var/log/asterisk/full ===
[2018-05-01 13:26:03.316] ERROR[27025] res_pjsip/config_transport.c: Cipher
'AES256-SHA' is unsupported
[2018-05-01 13:26:03.317] ERROR[27025] res_pjsip/config_transport.c: Cipher
'AES128-SHA' is unsupported
[2018-05-01 13:26:03.317] ERROR[27025] config_options.c: Error parsing
cipher=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECD
SA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-ECDS
A-AES128-SHA,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-R
SA-AES256-SHA384,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES1
28-SHA,AES256-GCM-SHA384,AES128-GCM-SHA256,AES256-SHA256,AES128-SHA256,AES25
6-SHA,AES128-SHA at line 18 of
[2018-05-01 13:26:03.317] ERROR[27025] res_sorcery_config.c: Could not
create an object of type 'transport' with id 'transport-tls-ipv4' from
configuration file 'pjsip.conf'
[2018-05-01 13:26:03.318] ERROR[27025] res_pjsip/config_transport.c: Cipher
'AES256-SHA' is unsupported
[2018-05-01 13:26:03.318] ERROR[27025] res_pjsip/config_transport.c: Cipher
'AES128-SHA' is unsupported
[2018-05-01 13:26:03.318] ERROR[27025] config_options.c: Error parsing
cipher=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECD
SA-AES256-SHA384,ECDHE-ECDSA-AES128-SHA256,ECDHE-ECDSA-AES256-SHA,ECDHE-ECDS
A-AES128-SHA,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-R
SA-AES256-SHA384,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES1
28-SHA,AES256-GCM-SHA384,AES128-GCM-SHA256,AES256-SHA256,AES128-SHA256,AES25
6-SHA,AES128-SHA at line 51 of
[2018-05-01 13:26:03.319] ERROR[27025] res_sorcery_config.c: Could not
create an object of type 'transport' with id 'transport-tls-ipv6' from
configuration file 'pjsip.conf'
=== end excerpt from /var/log/asterisk/full ===

Since libpj2 harvests supported ciphersuites from OpenSSL by cipherspec
'ALL:COMPLEMENTOFALL', both ciphersuites from log above, marked by res_pjsip
as unsupported, are ordered to later places:

=== begin ciphersuite harvest ===
$ openssl ciphers -v 'ALL:COMPLEMENTOFALL' | cat -n | grep -P "[\t
]AES(128|256)-SHA[\t ]"
   103  AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)
Mac=SHA1
   120  AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)
Mac=SHA1
=== end ciphersuite harvest ===

Also, the command "pjsip list ciphers" shows only 100 ciphersuites known to
res_pjsip:

=== begin pjsip list ciphers ===
# rasterisk -x "pjsip list ciphers" | cut -f 2 -d "'" | sed -r "s/, /\n/g" |
cat -n | tail -1
   100  ECDHE-PSK-CAMELLIA256-SHA384
=== end pjsip list ciphers ===

Proposed solution is to align hardcoded maximum number of ciphersuites in
function cipher_name_to_id() [res/res_pjsip/config_transport.c] with pjlib2
(currently 256, better to use pjlib2's macro PJ_SSL_SOCK_MAX_CIPHERS).

Best regards,

Ondrej Holas

More information about the Pkg-voip-maintainers mailing list