<div dir="auto">Hi,<div dir="auto"><br></div><div dir="auto">The certificate is okay on Kamailio side (it's an valid one) and the remote side is also mine (self generated ca).</div><div dir="auto"><br></div><div dir="auto">For testing I found that setup better :) and remote side use tlsv1 in freeswitch. </div><div dir="auto"><br></div><div dir="auto"><span style="font-family:sans-serif">Tested both SIP server with an sipclient, works. </span><br></div><div dir="auto"><span style="font-family:sans-serif"><br></span></div><div dir="auto">Tcpdump on both ends shows me that traffic is send / received due the OPTION pings. </div><div dir="auto"><br></div><div dir="auto">And the debug stuff don't show me the right hint at this moment. </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Shaheryarkh <<a href="mailto:shaheryarkh@gmail.com">shaheryarkh@gmail.com</a>> schrieb am Mo., 17. Juni 2019, 22:02:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div id="m_-599496830438670829edo-message"><div></div>Many things can go wrong with tls setup, for example,</div><div id="m_-599496830438670829edo-message"><br></div><div id="m_-599496830438670829edo-message">1. TLS server is listening on different port then you are trying to connect to. Seems you are try to connect to defauly sip port for tls connection to destination where as it is usually 5061 port used for sip tls.</div><div id="m_-599496830438670829edo-message"><br></div><div id="m_-599496830438670829edo-message">2. Your kamailio and remote sbc do not agree on TLS protocol. Check if remote accept TLSv1.0 commections and do not force old / obsolete SSLv23.</div><div id="m_-599496830438670829edo-message"><br></div><div id="m_-599496830438670829edo-message">3. Remote only allows verifiable certificates but you seem to be using self-signed certificates.</div><div id="m_-599496830438670829edo-message"><br></div><div id="m_-599496830438670829edo-message">If all of this does not work then run kamailio with debug logging enabled and see what errors kamailio prints out about connection. You can post those error logs here for further discussion.</div><div id="m_-599496830438670829edo-message"><br></div><div id="m_-599496830438670829edo-message">Hope this helps.</div><div id="m_-599496830438670829edo-message"><br></div><div id="m_-599496830438670829edo-message">Thank you.</div><div id="m_-599496830438670829edo-meta"></div><div id="m_-599496830438670829edo-original"><div><br><br><blockquote type="cite" style="margin:1ex 0 0 0;border-left:1px #ccc solid;padding-left:0.5ex"><div>On Jun 17, 2019 at 7:10 PM, <<a href="mailto:khorsmann@gmail.com" target="_blank" rel="noreferrer">Karsten Horsmann</a>> wrote:<br><br></div><div><div dir="ltr"><div>Hi all,</div><div><br></div><div>i try to configure an SBC OS config [1] based kamailio 5.2.3 [2] with dispatcher and rtpengine.</div><div>I used transport=tcp to see the plain traffic and then switched to TLS (with tls.cfg, valid certificate and stuff).</div><div><br></div><div>After starting up, the Target is marked as "down".</div><div>Due the encryption its hard to debug that. <br></div><div>Any hints? Did i made an mistake in the configuration?</div><div><br></div><div>TLS calls from the target to my kamailio proxy works. So its "half broken" :) at the moment.</div><div><br></div><div>[1]</div><div><a href="https://github.com/voiceboys/sbcOS/blob/master/SbcOS/configs/voice/kamailio/kamailio.cfg" target="_blank" rel="noreferrer">https://github.com/voiceboys/sbcOS/blob/master/SbcOS/configs/voice/kamailio/kamailio.cfg</a> <br></div><div><br></div><div>[2]</div><div>kamailio -v</div><div>version: kamailio 5.2.3 (x86_64/linux) c36229<br>flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES<br>ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144 MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB<br>poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.<br>id: c36229<br>compiled on 11:28:11 May 22 2019 with gcc 4.8.5<br></div><br><br>-- %< --------------------- kamctl dispatcher dump<br> "SET": {<br> "ID": 1004,<br> "TARGETS": [{<br> "DEST": {<br> "URI": "sip:<a href="http://sip101.example.de" target="_blank" rel="noreferrer">sip101.example.de</a>;transport=tls",<br> "FLAGS": "TP",<br> "PRIORITY": 0,<br> "ATTRS": {<br> "BODY": "access=212.xx.xx.xx:5061;socket=tls:212.xx.xx.xx:5061;weight=100;ping_from=sip:<a href="http://mykamailio.example.de" target="_blank" rel="noreferrer">mykamailio.example.de</a>",<br> "DUID": "",<br> "MAXLOAD": 0,<br> "WEIGHT": 100,<br> "RWEIGHT": 0,<br> "SOCKET": "tls:212.xx.xx.xx:5061"<br> },<br> "LATENCY": {<br> "AVG": 30000,<br> "STD": 0,<br> "EST": 30000,<br> "MAX": 30000,<br> "TIMEOUT": 1<br> }<br> }<br> }]<br> }<br> },<br>-- %< --------------------- kamctl dispatcher dump <br><div> <br> WARNING: <script>: Destination down: OPTIONS ru=<a href="http://sip101.example.de" target="_blank" rel="noreferrer">sip101.example.de</a>;transport=tls du=<null><div><br></div><div><br></div><div>-- %< --------------------- tls.cfg</div><div>[server:default]<br>method = TLSv1<br>verify_certificate = no<br>require_certificate = no<br>private_key = /etc/pki/tls/private/mykamailio.example.de.pem<br>certificate = /etc/pki/tls/private/mykamailio.example.de.pem<br>server_name = <a href="http://mykamailio.example.de" target="_blank" rel="noreferrer">mykamailio.example.de</a><br><br>[server:212.xx.xx.xx:5061]<br>method = TLSv1+<br>verify_certificate = no<br>require_certificate = no<br><br>private_key = /etc/pki/tls/private/mykamailio.example.de.pem<br>certificate = /etc/pki/tls/private/mykamailio.example.de.pem<br>server_name = <a href="http://mykamailio.example.de" target="_blank" rel="noreferrer">mykamailio.example.de</a><br><br># This is the default client domain, settings<br># in this domain will be used for all outgoing<br># TLS connections that do not match any other<br># client domain in this configuration file.<br># We require that servers present valid certificate.<br>#<br><br>[client:
212.xx.xx.xx:5061]<br>method = TLSv1+<br>verify_certificate = no<br>require_certificate = no<br><br>private_key = /etc/pki/tls/private/mykamailio.example.de.pem<br>certificate = /etc/pki/tls/private/mykamailio.example.de.pem<br>server_name = <a href="http://mykamailio.example.de" target="_blank" rel="noreferrer">mykamailio.example.de</a><br><br>[client:default]<br>verify_certificate = no<br>require_certificate = no<br></div><div><br></div><div>-- %< --------------------- tls.cfg <br></div><div><br></div><div>Cheers Karsten<br clear="all"><div><br></div>-- <br><div dir="ltr" class="m_-599496830438670829gmail_signature" data-smartmail="gmail_signature">Mit freundlichen Grüßen<br>*Karsten Horsmann*<br></div></div></div></div>
_______________________________________________
Kamailio (SER) - Users Mailing List
<a href="mailto:sr-users@lists.kamailio.org" target="_blank" rel="noreferrer">sr-users@lists.kamailio.org</a>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" target="_blank" rel="noreferrer">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</div></blockquote></div></div></div>_______________________________________________<br>
Kamailio (SER) - Users Mailing List<br>
<a href="mailto:sr-users@lists.kamailio.org" target="_blank" rel="noreferrer">sr-users@lists.kamailio.org</a><br>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</blockquote></div>