<div dir="ltr"><div>Hi Leo</div><div>I don't know for sure. I know that TLS can work over more protocols than just TCP (SCTP, for example), so sips/tcp makes more sense than sip/tls.</div><div>Implementations differ; I tend to implement what "just works".</div><div><br></div><div><a href="https://datatracker.ietf.org/doc/html/rfc3261#section-26.2.2">https://datatracker.ietf.org/doc/html/rfc3261#section-26.2.2</a></div><div> <i>The use of "transport=tls" has consequently been deprecated...</i></div><div><i><br></i></div><div>James<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 20 Oct 2022 at 20:42, beer Ll <<a href="mailto:llcfhllml@gmail.com">llcfhllml@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi James</div><div><br></div><div>Thanks , You confirm my idea .<br></div><div><br></div><div>I will write to the UAC developers and check this problem asking to fix it.</div><div><br></div><div>Is safer use sip-tls or sips-tcp ?<br></div><div><br></div><div>Best Regards</div><div>Leo<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Oct 19, 2022 at 2:07 PM James Browne <<a href="mailto:james@frideo.com" target="_blank">james@frideo.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">You make calls using SIP over TLS and it's OK.<br>You make calls using SIPS and it's not OK.<br><br>The 200-OK Contact is this<br>- Contact: <sip:<a href="http://172.16.0.2:5060" target="_blank">172.16.0.2:5060</a>><br><br>The RURI in the ACK is this.<br>- sips:172.16.0.2:5060;transport=tcp SIP/2.0<br><br>The client should be using _exactly_ the same URI in the ACK as was in the Contact in the 200-OK response. The client is getting it wrong (<a href="https://datatracker.ietf.org/doc/html/rfc3261#section-12.2.1.1" target="_blank">https://datatracker.ietf.org/doc/html/rfc3261#section-12.2.1.1</a>).<br><br>With the ACK, the Routeset is this.<br>- ACK sips:172.16.0.2:5060;transport=tcp SIP/2.0<br>- Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F><br>- Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F><br><br>This is asking kamailio to send the ACK to 172.16.0.2 over TLS on port 5060 (from the RURI), but use a UDP socket to do it (the second Route header field). This can't work. The client should be fixed.<br><div>(Else you may try getting asterisk to use sips, but maybe that's not going to be easy.)</div><div><br></div><div>James<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 13 Oct 2022 at 06:30, beer Ll <<a href="mailto:llcfhllml@gmail.com" target="_blank">llcfhllml@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi everyone, <div>I'm using Kamailio as TLS gateway/filter for an internal Asterisk server<br></div><div><br></div><div>the network schema is : <br></div><div><br></div><div>UAC (tls) --- INTERNET --- (tls) KAMAILIO (sip udp) --- LAN --- (sip udp) ASTERISK</div><div> </div><div>with kamailio in multi-homed mode <br></div><div><br></div><div>WAN network interface for sip tls <br></div><div>LAN network interface for sip udp to asterisk server <br></div><div><br></div><div><div><br></div><div>UAC address 80.0.0.1</div><div>KAMAILIO Wan address 80.0.0.2</div><div><br></div><div>KAMAILIO Lan address 172.16.0.2</div><div>ASTERISK Lan address 172.16.0.3</div><div><br><br></div></div><div><br></div><div>SIP-TLS call example<br></div><div>If the UAC use tls(sip) all works good <br></div><br><div><img src="cid:ii_l95lfjd11" alt="sip-ok-small.jpeg" width="558" height="363"><br></div><div><br></div><div>SIPS call example<br></div><div>If the same UAC use his default settings tls(sips) , there are problems with ACK and BYE packet</div><div><br></div><div><img src="cid:ii_l95ln33g2" alt="sip-ko-small.jpeg" width="558" height="367"><br></div><div>the SIP OK SDP packet from kamailio to UAC is <br></div><div><br></div><div>2022/10/10 09:28:47.854721 <a href="http://80.0.0.2:5061" target="_blank">80.0.0.2:5061</a> -> <a href="http://80.0.0.1:49992" target="_blank">80.0.0.1:49992</a><br>SIP/2.0 200 OK<br>Via: SIP/2.0/TLS 192.168.0.1:49992;rport=49992;received=80.0.0.1;branch=z9hG4bKM01j360VrBdH5VSV<br>Record-Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F><br>Record-Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F><br>Call-ID: 1EC2AB679C1EA1BAB60FD03B09F878020B12D3E7<br>From: <<a href="mailto:sips%3A200@pbx.voip.com" target="_blank">sips:200@pbx.voip.com</a>>;tag=F798336AA08EF9FCFA89D3BDFE0C8C8F<br>To: <sips:*<a href="mailto:43@pbx.voip.com" target="_blank">43@pbx.voip.com</a>>;tag=961d0e22-a4f0-453c-9870-6a41578afc96<br>CSeq: 2 INVITE<br>Contact: <sip:<a href="http://172.16.0.2:5060" target="_blank">172.16.0.2:5060</a>><br>P-Asserted-Identity: "xxxxxxxxx" <sips:*<a href="mailto:43@pbx.voip.com" target="_blank">43@pbx.voip.com</a>><br>Content-Type: application/sdp<br><br></div><div><br></div><div>and the UAC send the ACK and BYE from a different tcp port and to: sips:172.16.0.2:5060;transport=tcp <br></div><div><br></div><div><br></div><div>2022/10/10 09:28:48.495365 <a href="http://80.0.0.1:49996" target="_blank">80.0.0.1:49996</a> -> <a href="http://80.0.0.2:5061" target="_blank">80.0.0.2:5061</a><br>ACK sips:172.16.0.2:5060;transport=tcp SIP/2.0<br>Via: SIP/2.0/TLS 192.168.0.1:49996;branch=z9hG4bKppftdQze20lnwT41;rport<br>Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F><br>Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F><br>Max-Forwards: 70<br>To: <sips:*<a href="mailto:43@pbx.voip.com" target="_blank">43@pbx.voip.com</a>>;tag=961d0e22-a4f0-453c-9870-6a41578afc96<br>From: <<a href="mailto:sips%3A200@pbx.voip.com" target="_blank">sips:200@pbx.voip.com</a>>;tag=F798336AA08EF9FCFA89D3BDFE0C8C8F<br>Call-ID: 1EC2AB679C1EA1BAB60FD03B09F878020B12D3E7<br>CSeq: 2 ACK<br></div><div><br></div><div><br></div><div>kamailio error log</div><div>WARNING: <core> [core/forward.c:229]: get_send_socket2(): protocol/port mismatch (forced udp:<a href="http://172.16.0.2:5060" target="_blank">172.16.0.2:5060</a>, to tls:<a href="http://172.16.0.3:5060" target="_blank">172.16.0.3:5060</a>)<br></div><div><br></div><div><br></div><div><br></div><div><br></div><div>
How can I solve this ?<br></div><div><br></div><div>Best Regards</div><div><br></div><div>Leo<br></div><div><br></div></div>
__________________________________________________________<br>
Kamailio - Users Mailing List - Non Commercial Discussions<br>
<a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br>
Important: keep the mailing list in the recipients, do not reply only to the sender!<br>
Edit mailing list options or unsubscribe:<br>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</blockquote></div>
__________________________________________________________<br>
Kamailio - Users Mailing List - Non Commercial Discussions<br>
<a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br>
Important: keep the mailing list in the recipients, do not reply only to the sender!<br>
Edit mailing list options or unsubscribe:<br>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</blockquote></div>
__________________________________________________________<br>
Kamailio - Users Mailing List - Non Commercial Discussions<br>
<a href="mailto:sr-users@lists.kamailio.org" target="_blank">sr-users@lists.kamailio.org</a><br>
Important: keep the mailing list in the recipients, do not reply only to the sender!<br>
Edit mailing list options or unsubscribe:<br>
<a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
</blockquote></div>