<div dir="ltr"><div>Hi, the problem with the SIPS URI scheme is not only about the Contact header but also Record-Route and other headers.<br><br></div>One option is to use TOPOS.<br><br><div><div>You can find more information here:<br></div><div><ul><li>PJSIP Ticket #1735: Check Contact/Record-Route header in a secure dialog.</li><li><a class="external-link" href="https://issues.asterisk.org/jira/browse/ASTERISK-24646" rel="nofollow">https://issues.asterisk.org/jira/browse/ASTERISK-24646</a></li></ul><p><a href="https://tools.ietf.org/html/rfc5630#section-3.2" class="external-link" rel="nofollow">https://tools.ietf.org/html/rfc5630#section-3.2</a></p>
<pre>3.2.  Detection of Hop-by-Hop Security

   The presence of a SIPS Request-URI does not necessarily indicate that
   the request was sent securely on each hop.  So how does a UAS know if
   SIPS was used for the entire request path to secure the request end-
   to-end?  Effectively, the UAS cannot know for sure.  However,
   [RFC3261], Section 26.4.4, recommends how a UAS can make some checks
   to validate the security.  Additionally, the History-Info header
   field [RFC4244] could be inspected for detecting retargeting from SIP
   and SIPS.  Retargeting from SIP to SIPS by a proxy is an issue
   because it can leave the receiver of the request with the impression
   that the request was delivered securely on each hop, while in fact,
   it was not.</pre><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 11, 2018 at 5:58 AM, Arik Halperin <span dir="ltr"><<a href="mailto:arik@mobilinq.io" target="_blank">arik@mobilinq.io</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">



<div style="word-wrap:break-word;line-break:after-white-space">
<div>Daniel Hello,</div>
<div><br>
</div>
<div>Pasted below: the 200 OK and the following ACK (recorded at the client side via Wireshark configured with the private key).</div>
<div><br>
</div>
<div><br>
</div>
<div>BR,</div>
<div>Arik</div>
<div><br>
</div>
<div><br>
</div>
<div>Session Initiation Protocol (200)</div>
<div>    Status-Line: SIP/2.0 200 OK</div>
<div>    Message Header</div>
<div>        Via: SIP/2.0/TLS 192.168.2.2:48182;received=82.<wbr>80.164.63;rport=33898;branch=<wbr>z9hG4bKPjVppvYKQb4X5lJrYpod1wU<wbr>N.j3KVLrEiT;alias</div>
<div>        Record-Route: <sips:10.168.10.227:5099;r2=<wbr>on;lr=on;ftag=<wbr>ZmXcXh6ReoLbMco46J0fCpKOHkUR1s<wbr>WF;nat=yes></div>
<div>        Record-Route: <sips:<a href="http://70.36.25.65:443">70.36.25.65:443</a>;<wbr>transport=tls;r2=on;lr=on;<wbr>ftag=<wbr>ZmXcXh6ReoLbMco46J0fCpKOHkUR1s<wbr>WF;nat=yes></div>
<div>        From: "number" <sips:<a href="mailto:17813000000@XXXXXX.com" target="_blank">17813000000@XXXXXX.com</a>>;<wbr>tag=<wbr>ZmXcXh6ReoLbMco46J0fCpKOHkUR1s<wbr>WF</div>
<div>        To: <sips:<a href="mailto:1111111@XXXXXX.com" target="_blank">1111111@XXXXXX.com</a>>;tag=<wbr>7t2StmvUeNpQD</div>
<div>        Call-ID: yekcL-<wbr>0b2PhpgdQo52l921tjX1Z8wErH</div>
<div>        CSeq: 10885 INVITE</div><span class="">
<div>        Contact: <<a>sip:1111111@10.168.10.200:<wbr>5080;transport=tls</a>></div>
<div>        User-Agent: FreeSWITCH-mod_sofia/1.6.20+<wbr>git~20180123T214909Z~<wbr>987c9b9a2a~64bit</div>
<div>        Accept: application/sdp</div>
<div>        Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY</div>
<div>        Require: timer</div>
</span><div>        Supported: timer, path, replaces</div>
<div>        Allow-Events: talk, hold, conference, refer</div>
<div>        Session-Expires: 1800;refresher=uac</div>
<div>        Content-Type: application/sdp</div>
<div>        Content-Disposition: session</div>
<div>        Content-Length: 1056</div>
<div>        Remote-Party-ID: "1111111" <<a>sip:1111111@XXXXXX.com</a>>;<wbr>party=calling;privacy=off;<wbr>screen=no</div>
<div>    Message Body</div>
<div>        Session Description Protocol</div>
<div>            Session Description Protocol Version (v): 0</div>
<div>            Owner/Creator, Session Id (o): FreeSWITCH 1528683321 1528683322 IN IP4 70.36.25.66</div>
<div>            Session Name (s): FreeSWITCH</div>
<div>            Connection Information (c): IN IP4 70.36.25.66</div>
<div>            Time Description, active time (t): 0 0</div>
<div>            Session Attribute (a): msid-semantic: WMS V60mDk4CUtzxt4H5xDQPB48KjzMcYE<wbr>1K</div>
<div>            Media Description, name and address (m): audio 37680 RTP/SAVP 107 96</div>
<div>            Media Attribute (a): ice-ufrag:b6TC1SdbiQd6k5GL</div>
<div>            Media Attribute (a): ice-pwd:<wbr>NtGGa3jbPjvwRLASIklz2oAa</div>
<div>            Media Attribute (a): candidate:5807878115 1 udp 659136 10.168.10.200 38056 typ host generation 0</div>
<div>            Media Attribute (a): candidate:5807878115 2 udp 659135 10.168.10.200 38057 typ host generation 0</div>
<div>            Media Attribute (a): ssrc:3542382753 cname:ASW42RxMaWauQHpe</div>
<div>            Media Attribute (a): ssrc:3542382753 msid:<wbr>V60mDk4CUtzxt4H5xDQPB48KjzMcYE<wbr>1K a0</div>
<div>            Media Attribute (a): ssrc:3542382753 mslabel:<wbr>V60mDk4CUtzxt4H5xDQPB48KjzMcYE<wbr>1K</div>
<div>            Media Attribute (a): ssrc:3542382753 label:<wbr>V60mDk4CUtzxt4H5xDQPB48KjzMcYE<wbr>1Ka0</div>
<div>            Media Attribute (a): rtpmap:107 opus/48000/2</div>
<div>            Media Attribute (a): rtpmap:96 telephone-event/8000</div>
<div>            Media Attribute (a): fmtp:107 useinbandfec=1; minptime=10; maxptime=40</div>
<div>            Media Attribute (a): fmtp:96 0-16</div>
<div>            Media Attribute (a): sendrecv</div>
<div>            Media Attribute (a): rtcp:37681</div>
<div>            Media Attribute (a): crypto:1 AES_CM_128_HMAC_SHA1_80 inline:/KCNveJuRh5lQ+<wbr>g3YWnyb2QwQhl0GgdmxtKAJ5G3</div>
<div>            Media Attribute (a): ptime:20</div>
<div>            Media Attribute (a): candidate:K6gXQsPK0KD4MsGa 1 UDP 2130706431 70.36.25.66 37680 typ host</div>
<div>            Media Attribute (a): candidate:K6gXQsPK0KD4MsGa 2 UDP 2130706430 70.36.25.66 37681 typ host</div>
<div>            Media Attribute (a): end-of-candidates</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>   1201 272.987349     192.168.2.2           70.36.25.65           SIP      695    Request: ACK
<a>sip:1111111@10.168.10.200:<wbr>5080;transport=tls</a> |     1201</div>
<div><br>
</div>
<div>Frame 1201: 695 bytes on wire (5560 bits), 695 bytes captured (5560 bits) on interface 0</div>
<div>Ethernet II, Src: Htc_50:62:7b (ac:37:43:50:62:7b), Dst: 9a:01:a7:d9:66:64 (9a:01:a7:d9:66:64)</div>
<div>Internet Protocol Version 4, Src: 192.168.2.2, Dst: 70.36.25.65</div>
<div>Transmission Control Protocol, Src Port: 48182, Dst Port: 443, Seq: 8791, Ack: 10303, Len: 629</div>
<div>Secure Sockets Layer</div>
<div>Session Initiation Protocol (ACK)</div>
<div>    Request-Line: ACK <a>
sip:1111111@10.168.10.200:<wbr>5080;transport=tls</a> SIP/2.0</div>
<div>    Message Header</div>
<div>        Via: SIP/2.0/TLS 192.168.2.2:48182;rport;<wbr>branch=<wbr>z9hG4bKPjFpv1IqHt9ON8nS6zOYuUZ<wbr>5HxhNTDTBq7;alias</div>
<div>        Max-Forwards: 70</div>
<div>        From: "number" <sips:<a href="mailto:17813000000@XXXXXXXX.com" target="_blank">17813000000@XXXXXXXX.com</a><wbr>>;tag=<wbr>ZmXcXh6ReoLbMco46J0fCpKOHkUR1s<wbr>WF</div>
<div>        To: sips:<a href="mailto:1111111@XXXXXXX.com" target="_blank">1111111@XXXXXXX.com</a>;tag=<wbr>7t2StmvUeNpQD</div>
<div>        Call-ID: yekcL-<wbr>0b2PhpgdQo52l921tjX1Z8wErH</div>
<div>        CSeq: 10885 ACK</div>
<div>        Route: <sips:<a href="http://70.36.25.65:443">70.36.25.65:443</a>;<wbr>transport=tls;lr;r2=on;ftag=<wbr>ZmXcXh6ReoLbMco46J0fCpKOHkUR1s<wbr>WF;nat=yes></div>
<div>        Route: <sips:10.168.10.227:5099;lr;<wbr>r2=on;ftag=<wbr>ZmXcXh6ReoLbMco46J0fCpKOHkUR1s<wbr>WF;nat=yes></div>
<div>        Content-Length:  0</div><div><div class="h5">
<div><br>
</div>
<div><br>
<blockquote type="cite">
<div>On 11 Jun 2018, at 13:32, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" target="_blank">miconda@gmail.com</a>> wrote:</div>
<br class="m_-3060299537539607422Apple-interchange-newline">
<div>
<div text="#000000" bgcolor="#FFFFFF">
<p>Hello,</p>
<p>can you paste here the 200 OK for the INVITE sent out by Kamailio and the ACK received by Kamailio?</p>
<p>Cheers,<br>
Daniel<br>
</p>
<br>
<div class="m_-3060299537539607422moz-cite-prefix">On 11.06.18 09:51, Arik Halperin wrote:<br>
</div>
<blockquote type="cite">
Daniel, Thank you! 
<div><br>
</div>
<div>You are right about this.
<div><br>
</div>
<div>I configured PJSIP not to check whether the contact contains SIPS. </div>
<div><br>
</div>
<div>This solved the problem on one of my setups where I have one NIC that has a public IP.</div>
<div><br>
</div>
<div>However, on the original setup, Kamailio has one public IP and one private IP. In that setup, the ACK to the 200 OK is not forwarded over the private IP to the FreeSWITCH. This only happens with TLS; when I work with TCP it works well. I believe it is somehow connected to the record route, and I’m looking into PJSIP to try to find the answer, but is there anything I could do in Kamailio? </div>
<div><br>
</div>
<div>I have the same problems with other SIP clients (Bria, for example).</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Arik Halperin<br>
<div><br>
<blockquote type="cite">
<div>On 11 Jun 2018, at 9:43, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" target="_blank">miconda@gmail.com</a>> wrote:</div>
<br class="m_-3060299537539607422Apple-interchange-newline">
<div>
<div text="#000000" bgcolor="#FFFFFF">
<p>Hello,</p>
<p>Kamailio is not involved in the issue reported here. Practically, pjsip expects the sips: scheme in the Contact URI, which was set by FreeSWITCH in the 200 OK. Maybe there is an option that you have to turn on for FreeSWITCH to use the sips: scheme.</p>
<p>Otherwise, you can try to replace sip with sips in the kamailio config, and do the reverse the other way.</p>
<p>Cheers,<br>
Daniel<br>
</p>
<br>
<div class="m_-3060299537539607422moz-cite-prefix">On 05.06.18 06:56, Arik Halperin wrote:<br>
</div>
<blockquote type="cite">
Hello,
<div><br>
</div>
<div>I’m using TLS</div>
<div><br>
</div>
<div>After receiving the 200 OK from Kamailio:</div>
<div><br>
</div>
<div>
<div>
<div>r2voip.clear2voipdialer I/(NativeSdk_2_0) 1528174138320 PJSIP: (NativeSdk_2_0) 1528174138320 PJSIP:2018-05 07:48:58.319   pjsua_core.c RX 2203 bytes Response msg 200/INVITE/cseq=8107 (rdata0x7a2c56fb38) from TLS <a href="http://70.36.25.65:443" target="_blank">70.36.25.65:443</a>:</div>
<div>                                                                                                               SIP/2.0 200 OK</div>
<div>                                                                                                               Via: SIP/2.0/TLS 10.134.232.109:44097;received=<wbr>109.253.173.146;rport=31373;<wbr>branch=<wbr>z9hG4bKPj4MV5llP9SW5ufk-OcFB-<wbr>Qh78PmIQFrRk;alias</div>
<div>                                                                                                               Record-Route: <sips:10.168.10.227:5099;r2=<wbr>on;lr=on;ftag=<wbr>mgMLDFMLmCZGzcpASoODG8XgeFJVtc<wbr>RO;nat=yes></div>
<div>                                                                                                               Record-Route: <sips:<a href="http://70.36.25.65:443">70.36.25.65:443</a>;<wbr>transport=tls;r2=on;lr=on;<wbr>ftag=<wbr>mgMLDFMLmCZGzcpASoODG8XgeFJVtc<wbr>RO;nat=yes></div>
<div>                                                                                                               From: "number" <sips:<a href="mailto:972523391991@kamprod.telemessage.com" target="_blank">972523391991@XXXXXXX.com</a><wbr>>;tag=<wbr>mgMLDFMLmCZGzcpASoODG8XgeFJVtc<wbr>RO</div>
<div>                                                                                                               To: <sips:<a href="mailto:1111111@kamprod.telemessage.com" target="_blank">1111111@XXXXXX.com</a>>;tag=<wbr>64H63g861ajHj</div>
<div>                                                                                                               Call-ID: Sq4jR85o3Caz2XTXo-<wbr>71FKAdbJ1x9vz2</div>
<div>                                                                                                               CSeq: 8107 INVITE</div>
<div>                                                                                                               Contact: <<a>sip:1111111@10.168.10.200:<wbr>5080;transport=tls</a>></div>
<div>                                                                                                               User-Agent: FreeSWITCH-mod_sofia/1.6.20+<wbr>git~20180123T214909Z~<wbr>987c9b9a2a~64bit</div>
<div>                                                                                                               Accept: application/sdp</div>
<div>                                                                                                               Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY</div>
<div>                                                                                                               Require: timer</div>
<div>                                                                                                               Supported: ti</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div><b>PJSIP responds with:</b></div>
<div><b><br>
</b></div>
<div><b>Secure dialog requires SIPS scheme in Contact and Record-Route headers, ending the session</b></div>
</div>
<div><b><br>
</b></div>
<div>What is the reason for this? How can I fix this issue?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Arik Halperin</div>
<br>
<pre>______________________________<wbr>_________________
Kamailio (SER) - Users Mailing List
<a class="m_-3060299537539607422moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a>
<a class="m_-3060299537539607422moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" target="_blank">https://lists.kamailio.org/<wbr>cgi-bin/mailman/listinfo/sr-<wbr>users</a>
</pre>
</blockquote>
<br>
<pre class="m_-3060299537539607422moz-signature" cols="72">-- 
Daniel-Constantin Mierla -- <a class="m_-3060299537539607422moz-txt-link-abbreviated" href="http://www.asipto.com/" target="_blank">www.asipto.com</a>
<a class="m_-3060299537539607422moz-txt-link-abbreviated" href="http://www.twitter.com/miconda" target="_blank">www.twitter.com/miconda</a> -- <a class="m_-3060299537539607422moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda" target="_blank">www.linkedin.com/in/miconda</a>
Kamailio World Conference -- <a class="m_-3060299537539607422moz-txt-link-abbreviated" href="http://www.kamailioworld.com/" target="_blank">www.kamailioworld.com</a></pre>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
<br>
<pre class="m_-3060299537539607422moz-signature" cols="72">-- 
Daniel-Constantin Mierla -- <a class="m_-3060299537539607422moz-txt-link-abbreviated" href="http://www.asipto.com/" target="_blank">www.asipto.com</a>
<a class="m_-3060299537539607422moz-txt-link-abbreviated" href="http://www.twitter.com/miconda" target="_blank">www.twitter.com/miconda</a> -- <a class="m_-3060299537539607422moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda" target="_blank">www.linkedin.com/in/miconda</a>
Kamailio World Conference -- <a class="m_-3060299537539607422moz-txt-link-abbreviated" href="http://www.kamailioworld.com/" target="_blank">www.kamailioworld.com</a></pre>
</div>
</div>
</blockquote>
</div>
<br>
</div></div></div>

<br></blockquote></div><br></div>
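<p>As an added illustration of the check discussed in this thread (this is example code written for this page, not PJSIP's, Kamailio's or FreeSWITCH's own implementation): a small parser that applies the rule behind PJSIP's "Secure dialog requires SIPS scheme in Contact and Record-Route headers" to a SIP message, plus the Via-transport hop check a UAS is allowed to make per RFC 3261 section 26.4.4. The sample 200 OK is constructed to mirror the one quoted above, with placeholder addresses, tags and Call-ID; the header names, the compact forms and the sips: rule are from the RFCs, and <code>rewrite_contact_to_sips()</code> is the proxy-side workaround Daniel suggests, included so its effect on the check is visible.</p>

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the 200 OK quoted in this thread (placeholder
# addresses and tags; it is not the original capture). The Contact URI carries
# sip: with transport=tls, which is exactly what PJSIP rejected.
OK_WITH_SIP_CONTACT = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:48182;received=198.51.100.7;rport=33898;branch=z9hG4bKPjEXAMPLE;alias\r\n"
    "Record-Route: <sips:10.0.0.227:5099;r2=on;lr=on;ftag=TAG1;nat=yes>\r\n"
    "Record-Route: <sips:203.0.113.5:443;transport=tls;r2=on;lr=on;ftag=TAG1;nat=yes>\r\n"
    "From: \"number\" <sips:17813000000@example.com>;tag=TAG1\r\n"
    "To: <sips:1111111@example.com>;tag=TAG2\r\n"
    "Call-ID: constructed-call-id@example.com\r\n"
    "CSeq: 10885 INVITE\r\n"
    "Contact: <sip:1111111@10.0.0.200:5080;transport=tls>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Compact header names (RFC 3261 section 7.3.3) relevant to the checks below.
COMPACT = {"v": "via", "m": "contact", "f": "from", "t": "to", "i": "call-id"}


def parse_headers(msg: str) -> List[Tuple[str, str]]:
    """(lowercase name, value) pairs of the header section; folded
    continuation lines are joined onto the previous header."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:          # skip Status-/Request-Line
        if line[:1] in (" ", "\t") and headers:  # folded line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.append((COMPACT.get(name, name), value.strip()))
    return headers


def split_comma_list(value: str) -> List[str]:
    """Split a header value on commas that are outside quotes and <...>."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "<":
            depth += 1
        elif not quoted and ch == ">":
            depth -= 1
        if ch == "," and depth == 0 and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur).strip())
    return parts


def extract_uris(value: str) -> List[str]:
    """URI of each address in a Contact/Record-Route/Route value: the part
    inside <...>, or for a bare addr-spec everything before the first ';'."""
    uris = []
    for addr in split_comma_list(value):
        m = re.search(r"<([^>]*)>", addr)
        uris.append(m.group(1) if m else addr.split(";", 1)[0].strip())
    return uris


def check_secure_dialog(msg: str) -> List[str]:
    """Reasons a UA should refuse to treat this message as part of a secure
    (SIPS) dialog: any Contact/Record-Route/Route URI that is not sips:, and
    any Via hop whose transport is not TLS. An empty list means 'no evidence
    against', not proof that every hop was secured (RFC 5630 section 3.2)."""
    problems: List[str] = []
    for name, value in parse_headers(msg):
        if name in ("contact", "record-route", "route"):
            for uri in extract_uris(value):
                if uri.split(":", 1)[0].lower() != "sips":
                    problems.append(f"{name}: {uri} is not a sips: URI")
        elif name == "via":
            for hop in split_comma_list(value):
                sent_protocol = hop.split(";", 1)[0].strip()  # SIP/2.0/TLS host:port
                transport = sent_protocol.split("/")[-1].split()[0].upper()
                if transport != "TLS":
                    problems.append(f"via: {sent_protocol} is not a TLS hop")
    return problems


def rewrite_contact_to_sips(msg: str) -> str:
    """Proxy-side workaround mentioned in the thread: present a sips: Contact
    to the UA. This is the SIP-to-SIPS retargeting RFC 5630 3.2 warns about:
    the UA then passes check_secure_dialog() even if the hop behind the proxy
    is not secured, so it is only honest when that hop really is TLS."""
    head, sep, body = msg.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        name = line.partition(":")[0].strip().lower()
        if COMPACT.get(name, name) == "contact":
            line = re.sub(r"\bsip:", "sips:", line, flags=re.IGNORECASE)
        out.append(line)
    return "\r\n".join(out) + sep + body
```

<p>Run <code>check_secure_dialog(OK_WITH_SIP_CONTACT)</code> and the only finding is the sip: Contact, matching the PJSIP error in the thread; after <code>rewrite_contact_to_sips()</code> the same message passes, which shows why the RFC text above treats a proxy rewriting the scheme as a problem rather than a fix: the client's check proves nothing about the Kamailio-to-FreeSWITCH leg.</p>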