
[bug]: pjsip reload does not reload tls certificates

Open kobaz opened this issue 1 year ago • 6 comments

Severity

Minor

Versions

20.9.2

Components/Modules

res_pjsip

Operating Environment

Debian Bullseye

Frequency of Occurrence

Constant

Issue Description

Steps:

  1. Set up pjsip.conf with a tls transport:

     type                       = transport
     protocol                   = tls
     allow_reload               = no
     cert_file                  = /etc/asterisk/keys/asterisk.crt
     priv_key_file              = /etc/asterisk/keys/asterisk.key

  2. Start Asterisk
  3. Observe TLS Certificate: openssl s_client --connect localhost:5061
  4. Modify cert_file/priv_key_file names with a new certificate:

     cert_file                  = /etc/asterisk/keys/asterisk_new.crt
     priv_key_file              = /etc/asterisk/keys/asterisk_new.key

  5. module reload res_pjsip.so
  6. Observe TLS Certificate: openssl s_client --connect localhost:5061 --- Certificate not changed

Relevant log output

[2024-08-23 18:55:07.820-0400] NOTICE[9269]: Transport 'transport-tcp-tls' is not fully reloadable, not reloading: protocol, bind, TLS (everything but certificate and private key if filename is unchanged), TCP, ToS, or CoS options.

Asterisk Issue Guidelines

  • [X] Yes, I have read the Asterisk Issue Guidelines

kobaz avatar Aug 23 '24 22:08 kobaz

Confirm please: You DID change the filenames and not just the contents of the files?

That NOTICE could be a bit clearer though.

gtjoseph avatar Aug 23 '24 23:08 gtjoseph

Yes, I did change the filenames too. Let me update my report.

kobaz avatar Aug 23 '24 23:08 kobaz

To have it reload without requiring allow_reload the filenames MUST be the same; PJSIP doesn't support changing the filenames. I just tested changing the underlying files (using the same names) and issuing "module reload res_pjsip.so" and the TLS server used the new certificate and key.

jcolp avatar Aug 23 '24 23:08 jcolp

Got it. Yeah, the NOTICE is really not clear about this. Knowing this limitation, re-reading the NOTICE makes more sense.

It would be nice to be able to change the filename. I'll stick up a PR for this.

kobaz avatar Aug 23 '24 23:08 kobaz

You'd need to submit a PR to pjproject unfortunately. When the transport is created, we pass the filenames directly to them and they store them. If you have allow_reload = true and reload, then we basically pass all the new values to pjproject to create a new transport instance and the old one eventually disappears when the last transaction that references it ends. If you have allow_reload = false and reload, then we call pjsip_tls_transport_restart() to restart the current transport without tearing the old one down and re-creating it but it doesn't allow changing parameters. Changing the filenames won't do anything because pjproject will continue to use the ones we gave it when we created (or re-created) the transport. If you do change the file names and reload when allow_reload = false, we'll print an error because pjproject won't use them.

gtjoseph avatar Aug 24 '24 21:08 gtjoseph
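Because a reload with allow_reload = no can leave the transport serving the old certificate (the filename rule explained above), the useful check after rotating a key is to compare the fingerprint the transport actually presents with the fingerprint of the file named in cert_file. The script below is an added example, not Asterisk or pjproject code; the host, port and file paths are assumptions taken from the report, and the sample PEM is constructed for a self-test only.

```python
"""Check that the certificate a PJSIP TLS transport serves matches the
cert_file in pjsip.conf. Added example, not Asterisk project code; host,
port and paths are assumptions. Run before and after
'module reload res_pjsip.so' to confirm the rotation took effect."""
import base64
import hashlib
import socket
import ssl

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def fingerprint_der(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, in the form openssl prints it."""
    hexd = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def fingerprint_pem(pem_text: str) -> str:
    """Fingerprint of the first certificate in PEM text (a chain file is fine)."""
    start = pem_text.index(BEGIN)
    end = pem_text.index(END, start) + len(END)
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem_text[start:end]))

def fingerprint_pem_file(path: str) -> str:
    with open(path, "r", encoding="ascii") as fh:
        return fingerprint_pem(fh.read())

def fingerprint_served(host: str, port: int, timeout: float = 5.0) -> str:
    """Fingerprint of the leaf certificate host:port presents. Verification is
    disabled on purpose: we want to see what is served, not whether a CA trusts it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return fingerprint_der(tls.getpeercert(binary_form=True))

def reload_took_effect(host: str, port: int, cert_file: str) -> bool:
    """True when the transport serves the certificate named in pjsip.conf."""
    return fingerprint_served(host, port) == fingerprint_pem_file(cert_file)

# Constructed sample (not a real certificate): only the PEM framing is exercised.
SAMPLE_DER = b"constructed-der-bytes-for-self-test"
SAMPLE_PEM = f"{BEGIN}\n{base64.encodebytes(SAMPLE_DER).decode()}{END}\n"

if __name__ == "__main__":
    assert fingerprint_pem(SAMPLE_PEM) == fingerprint_der(SAMPLE_DER)
    ok = reload_took_effect("localhost", 5061, "/etc/asterisk/keys/asterisk_new.crt")
    print("served cert matches cert_file" if ok else "MISMATCH: old certificate still served")
```

A mismatch after "module reload res_pjsip.so" means the transport is still bound to the files it was created with, which is exactly the case the NOTICE in the log output is warning about.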

@kobaz Do you want to at least submit a PR to make that message a bit more clear? Otherwise, can I close this issue?

gtjoseph avatar Aug 28 '24 17:08 gtjoseph

This issue has been marked stale because it has been open 7 days with no feedback. Please provide feedback within 7 days or this issue will be closed.

asteriskteam avatar Sep 05 '24 02:09 asteriskteam

This issue has been closed because it has been open 14 days with no feedback.

asteriskteam avatar Sep 12 '24 02:09 asteriskteam