Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#957 closed enhancement (fixed)

SSL/secure socket abstraction and SIP TLS transport rewrite

Reported by: nanang Owned by: bennylp
Priority: normal Milestone: release-1.5
Component: common Version: trunk
Keywords: Cc:
Backport to 1.x milestone: Backported:

Description (last modified by bennylp)

Objective:

To create a portable SSL/secure socket abstraction in PJLIB and to rewrite the SIP TLS transport in PJSIP.

Specifications:

  1. General:
    • supports client and server socket operations (note: Symbian's CSecureSocket only supports client sockets)
  2. I/O:
    • asynchronous I/O API similar to PJLIB's Active Socket API
    • timeout setting for SSL negotiation
    • buffer size control
  3. Options:
    • select SSL version to use (SSLv23, TLSv1, etc)
    • select ciphersuite to use
    • verify server's certificate (note: not available on Symbian)
    • server require client certificate (note: not available on Symbian)
    • verify client's certificate (note: not available on Symbian)
    • TLS server name extension to support connecting to multihosted TLS server (note: only available on recent OpenSSL versoins)
  4. Certificate management (note: not available on Symbian):
    • specify which certificate to use
    • load the certificate, either from file(s) or OS's certificate store.
    • retrieve certificate infos.

Backends:

  1. OpenSSL
  2. CSecureSocket on Symbian

Change History (24)

comment:1 Changed 10 years ago by nanang

In r2913, initial version of TLS transport for Symbian, includes:

  • Secure socket, generic abstraction and Symbian implementation (using CSecureSocket).
  • Initial rewrite of SIP TLS transport.
  • Updated symbian_ua.mmp to support SIP transport TLS (experimental).

comment:2 Changed 10 years ago by nanang

  • Component changed from pjsip to common
  • Summary changed from TLS transport on Symbian to Implement SSL socket abstraction and rewrite SIP TLS transport.

comment:3 Changed 10 years ago by nanang

In r2950:

  • Added SSL socket abstraction with OpenSSL backend (source only, i.e: hasn't been integrated to build settings).
  • Updated cipher data type and added cipher constants (Symbian SSL socket has also been updated).
  • Updated SIP TLS transport to allow setting certificate/credential (via file).

comment:4 Changed 10 years ago by bennylp

  • Description modified (diff)
  • Summary changed from Implement SSL socket abstraction and rewrite SIP TLS transport. to SSL/secure socket abstraction and SIP TLS transport rewrite

comment:5 Changed 10 years ago by bennylp

  • Description modified (diff)

comment:6 Changed 10 years ago by bennylp

  • Description modified (diff)

comment:7 Changed 10 years ago by bennylp

  • Description modified (diff)

comment:8 Changed 10 years ago by nanang

In r2970:

  • Added features in secure socket: handshake timeout timer, certificate info, renegotiation API.
  • Added unit test for secure socket, along with testing purpose certificate & private key.
  • Updated build configs for secure socket.

comment:9 Changed 10 years ago by nanang

In r2971:

  • Fixed SSL socket unit test issues (mostly on Linux platform): let OS manage the binding port (specify port to 0), use pj_sockaddr_get_len() instead of sizeof() for sockaddr size, DOS eol format for certificate and private key files.
  • Temporary fix for SSL_CTX_use_certificate_chain_file() false error alarm (after previous OpenSSL handshake error), by clearing OpenSSL thread error queue in reset_ssl_sock_state().

comment:10 Changed 10 years ago by nanang

In r2972:

  • Removed DTLS proto in SSL socket with OpenSSL backend as it hasn't been really supported.

comment:11 Changed 10 years ago by nanang

In r2973:

  • Updated PJSIP_HAS_TLS_TRANSPORT default value to refer to PJ_HAS_SSL_SOCK.

comment:12 Changed 10 years ago by nanang

In r2981:

  • Added SSL socket performance test.
  • Added incompatible SSL proto test.

comment:13 Changed 10 years ago by nanang

In r2986:

  • Applied workaround solution for getting local address problem with getsockname on win IOCP by using parent local address instead.
  • Fixed SSL socket not to return PJ_FALSE in active socket accept callback, to keep accepting connections.
  • Applied workaround solution for OpenSSL error mapping, as OpenSSL error codes are big numbers that won't fit pj_status_t.
  • Minor updates, e.g: using pj_perror(), removing some logs, OpenSSL error print callback.
  • Minor updates on SSL unit test, e.g: start_read() before start sending, additional ioqueue poll to cleanup sockets, add timeout feature to https client test.

comment:14 Changed 10 years ago by nanang

In r2989:

  • Workaround fix for SSL socket specific related to ticket #985.

comment:15 Changed 10 years ago by nanang

In r2990:

  • Updated Symbian PJLIB test build setting to enable SSL sock test.
  • Fixed ciphers enumeration in Symbian SSL sock.
  • Fixed OpenSSL SSL sock to avoid initializing OpenSSL multiple times.
  • Fixed SSL unit test to avoid divide-by-zero in setting random seed.

comment:16 Changed 10 years ago by nanang

  • Resolution set to fixed
  • Status changed from new to closed

comment:17 Changed 10 years ago by bennylp

In r2994:

  • updated pj_perror() with the new PJ_PERROR() API

comment:18 Changed 10 years ago by bennylp

In r2998:

  • added QoS options on PJLIB/PJLIB SSL/TLS socket/transport
  • added demo in Symbian ua.cpp

comment:19 Changed 10 years ago by bennylp

  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopened because of error in connecting to untrusted server in one of the handset

comment:20 Changed 10 years ago by bennylp

In r2999:

  • added missing servername setup in symbian_ua. Without this, TLS connection will fail with KErrAborted/Interrupted on some devices (it may succeed on some FP1 devices but not others)

comment:21 Changed 10 years ago by nanang

  • Resolution set to fixed
  • Status changed from reopened to closed

In r3000:

  • Fixed 0.0.0.0:0 address returned by SIP TLS client transport, which also caused 0.0.0.0:0 address in SIP via header.

comment:22 Changed 10 years ago by bennylp

In r3008:

  • exclude sip_transport_tls_ossl.c from VS6 (Release) build

comment:23 Changed 10 years ago by nanang

In r3018:

  • Updated SSL sock performance test to avoid false connected state problem caused by server listen backlog excess (problem examined on mac platform).

comment:24 Changed 10 years ago by nanang

In r3020:

  • Fixed compile error of incompatible param type (or bad type conversion) on Symbian 5th ed (and perhaps also on some GCC versions).
  • Fixed on_connect_complete() to reset SSL sock state before callback when connection fails (OpenSSL impl).
  • Fixed saving remote address before start connecting, so it won't miss remote address info when socket connection establishes immediately (OpenSSL impl).
Note: See TracTickets for help on using tickets.