Changes between Initial Version and Version 1 of Ticket #1735

Aug 21, 2014 5:36:49 AM (10 years ago)


  • Ticket #1735 – Description

    initial v1  
    11The standard says that a SIPS dialog should be secure end to end. However some proxies or UASes disobey this requirement and give back plain SIP URI in the Record-Route or Contact header. We should terminate such call. 
     3This ticket will implement !Contact/Record-Route header checks in incoming initial/subsequent INVITE/UPDATE request or 2xx response to INVITE/UPDATE. Contact URI should use "{{{sips}}}" scheme and Record-Route URI should use either "{{{sips}}}" scheme or "{{{transport=tls}}}" param. As UAC, if it receives 200/OK response to initial/subsequent INVITE/UPDATE with insecure !Contact/Record-Route, it will terminate the session. As UAS, if it receives initial/subsequent INVITE/UPDATE request with insecure !Contact/Route headers, it will send response with SIP status code 480 and Warning header: 381 "SIPS required". 
     5This feature can be disabled by setting {{{pjsip_cfg()->endpt.disable_secure_dlg_check}}} to {{{PJ_TRUE}}} (default is {{{PJ_FALSE}}}). 
     7Here are some texts from the standard: 
     8 * All hops must use TLS (should we check if all Record-Route URIs use "sips" scheme or "transport=tls" param? Currently we'll just check the top Record-Route header) 
     9   - 
     10     {{{ 
     11This document specifies that SIPS means that the SIP resource 
     12designated by the target SIPS URI is to be contacted securely, using 
     13TLS on each hop between the UAC and the remote UAS (as opposed to 
     14only to the proxy responsible for the target domain of the Request- 
     16     }}} 
     17 * Contact header must use "sips" scheme: 
     18   - in request 
     20     {{{ 
     21As mandated by [RFC3261], Section, in a request, "if the 
     22Request-URI or top Route header field value contains a SIPS URI, the 
     23Contact header field MUST contain a SIPS URI as well". 
     24     }}} 
     25   - in target refresh 
     27     {{{ 
     28When a target refresh occurs within a dialog (e.g., re-INVITE 
     29request, UPDATE request), the UAC MUST include a Contact header field 
     30with a SIPS URI if the original request used a SIPS Request-URI. 
     31     }}} 
     32   - in response 
     34     {{{ 
     35If the request that initiated the dialog contained a SIPS URI in 
     36the Request-URI or in the top Record-Route header field value, if 
     37there was any, or the Contact header field if there was no Record- 
     38Route header field, the Contact header field in the response MUST 
     39be a SIPS URI. 
     40     }}}