Hi All,
I am currently trying to set up SER to act as a proxy from a device
which only sends UDP SIP to a host which only accepts TCP SIP. I have
sort of got this working with the following config:
t_relay_to_tcp("10.0.1.108", "5060");
The problem is, the host which only accepts TCP issues a redirect as
part of the SIP handshaking, so I need to be able to dynamically select
the port to relay to. I currently have the following set up for a few
ports which the host seems to use, but the list of ports it could use is
rather large, and I'd like to get it working properly with dynamic
values e.g. the following is how I'm doing it at the minute:
if (uri=~"^sip:(.+@)?(10\.0\.1\.108):1480(.*)$") {
log (1, "port is 1480\n");
t_relay_to_tcp("10.0.1.108", "1480");
} else {
log (1, "port is 5060\n");
t_relay_to_tcp("10.0.1.108", "5060");
}
Whereas I'd like something like (with Perl style regexes):
if (uri=~"^sip:(.+@)?10\.0\.1\.108:([0-9]+).*$") {
log (1, "port is $2\n");
t_relay_to_tcp("10.0.1.108", "$2");
} else {
log (1, "port is 5060\n");
t_relay_to_tcp("10.0.1.108", "5060");
}
So I need to get the value as part of the regular expression in the URI
pattern matching, then use this as a value in the t_relay_to_tcp(). I've
searched the documentation but I can't seem to find an obvious way to do
this.
I've tried using the t_relay() method which doesn't seem to work for me.
I need to use the t_relay_to_tcp() method.
Thanks for your help.
Jamie.
Hi,
thanks to the patch from Andreas Granig, OpenSER now has support for
configurable TOS (Type Of Service) via configuration script.
I did some small enhancements like the possibility to use both numbers
and names for the TOS definition (names are easier to remember). The names
are exactly as the defines in libc.
For how to use it, please refer to:
http://www.openser.org/dokuwiki/doku.php?id=openser_core_cookbook#tos
regards,
bogdan
Hello open(ser) asterisk users
Here is what I expect to do:
Asterisk: registrar with public IP, port=5050
open(ser): outbound proxy with public IP, port=5060
Asterisk doesn't support IM and presence, so I want to
use SER because it's a good proxy.
I want user agents behind NAT to send registration to
Asterisk because it's an IPBX :-)
Look at this diagram: when a user agent behind NAT sends
REGISTER to SER,
the Contact field in the SIP header has a private address,
which is forwarded to Asterisk for registration.
When user agents are registered in Asterisk, the AOR is
sip:user@private ip, so Asterisk queries
"sip:user@private" behind NAT (not possible).
How could a session between two user agents behind NAT
keep in the path
|register | | register | agent1
asterisk| |ser/nat box | |
| 200 OK | | 200 OK | agent2
One box
---------------------------
| ---------------- |
| | asterisk pbx | |
| ---------------- |
| || |
| ---------- ----------
| | SER |====|NAT box |==== private network
| ---------- ----------
---------------------------
Send me your questions if you don't understand what I
expect to do.
Harry
Hi all!
There are several scenarios where TLS will be used to interconnect SIP
proxies. (open)ser's TLS implementation should be generic enough to
handle all the useful scenarios. Thus, to better understand the
requirements, first I present some examples where (open)ser+TLS will be
useful. (I do not propose which of the following interconnect models are
good or bad. However, openser should be capable of handling all of them,
ideally in a mixed mode).
Enterprise scenario:
A company uses TLS to interconnect its SIP proxies via the public
Internet. The proxies import the company's self-signed CA-cert as a trusted
CA. The proxies trust other proxies as soon as their cert is validated
using the root CA.
This is already possible using openser 1.0.0 (= or ser+experimental TLS)
Federation scenario:
Some ITSPs form a federation. The federation-CA signs the certs of the
ITSPs. Here, the validation is like in the enterprise scenario.
(open)ser validates against the federation's CA-cert. This works with
openser 1.0.0 as long as the ITSP is only in one federation, or uses
different egress/ingress points for each federation. If the ITSP is
member of two federations and uses one egress/ingress proxy, it has to
decide which certificate it should present to the peer. The originating
proxy could choose the proper client certificate for example by using a
table like (or having the certificate as blob directly in the DB):
dst_domain        certificate
sip.atlanta.com   /etc/openser/federationAcert.pem
sip.biloxy.com    /etc/openser/federationBcert.pem
sip.chicago.com   /etc/openser/federationAcert.pem
Presenting the proper server certificate is more difficult. The server
does not know if the incoming TLS request belongs to a member of fedA,
fedB or someone else. Thus, presenting the wrong certificate will lead
to the clients rejecting the certificate due to failed validation. One
solution would be sending the "trusted_ca_keys" (TLS extension) in
Client Hello. Unfortunately this is not supported in openssl (and
gnutls). Any workaround for this?
Anyway, in this scenario it is important to have the certificate
parameters (Subject, Issuer) available in the routing logic to make
routing decisions based on the TLS authentication and adding them to the
CDRs (e.g. via AVPs and extra accounting).
Bilateral scenario:
An ITSP has bilateral trust relationships. Each ITSP has its own CA
which signs the certs of this ITSP. If another ITSP wants to trust this
ITSP it only has to import the other's CA-cert. This works already with
openser 1.0.0, but exporting the cert parameters for extra accounting
will be useful.
Hosted SIP scenario:
An ITSP hosts multiple SIP domains for its customers. If the server has
to offer a certificate which includes the proper SIP domain, the
server_name extension is needed to indicate the requested domain in the
client_hello request. Then the server will present the proper
certificate and domain validation (Subject domain == SIP domain) in the
client will succeed. This will work fine with initial (out-of-dialog)
requests as they usually will include the SIP domain in the request URI.
There will be problems for responses and in-dialog requests as usually
the Record-Route and Via headers only include IP addresses. Thus, the
SIP proxy either has to insert the SIP domain into Via and Record-Route,
or the domain validation should only be done for in-dialog requests.
This leads to the problem of domain validation. The TLS connection will
be set up after all the routing logic, somewhere inside t_relay. Thus,
if we want domain validation, it will be inside t_relay. Maybe we can
use a certain flag to indicate if domain-validation should be done (on a
per-transaction basis). This might cause problems if there is already a
TLS connection to the requested destination, but without domain
validation or validation against a different domain (virtual domain
hosting). How to solve this?
I can't propose a solution to all scenarios. But I think I showed that
the certificate selection and validation should be very flexible, e.g.
by choosing the proper client certificate for each transaction and
different routing in the server depending on the presented client
certificate and the certificate signer (e.g. based on a whitelist).
Further we have to take care to add certificates and CA-certs during
runtime, e.g. using a FIFO command "tls_reload". This should also drop
all existing TLS connections. Having a maximum connection time after
which we force re-validation will also be useful.
Also (open)ser should allow importing CRLs (certificate revocation lists)
(shouldn't be a problem with openssl) or the use of OCSP (Online
Certificate Status Protocol).
Now I'm ready for some discussions :-)
regards
klaus
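
The per-transaction certificate selection and the connection-reuse problem raised in the message above, as an added sketch that is not part of the original post or of (open)ser's code. It assumes a connection may only be reused when peer address, presented client certificate and validated domain all match; the class names, the default certificate path and the `max_age` parameter are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Table from the message: destination domain -> client certificate to present.
CLIENT_CERTS = {
    "sip.atlanta.com": "/etc/openser/federationAcert.pem",
    "sip.biloxy.com": "/etc/openser/federationBcert.pem",
    "sip.chicago.com": "/etc/openser/federationAcert.pem",
}
DEFAULT_CERT = "/etc/openser/default-cert.pem"  # hypothetical fallback path


def select_client_cert(dst_domain: str) -> str:
    """Pick the client certificate for a destination (case-insensitive)."""
    return CLIENT_CERTS.get(dst_domain.lower().rstrip("."), DEFAULT_CERT)


@dataclass(frozen=True)
class ConnKey:
    peer: Tuple[str, int]          # IP and port the connection goes to
    client_cert: str               # certificate presented on this connection
    validated_for: Optional[str]   # domain checked against the peer cert, or None


class TlsConnPool:
    """Toy pool: a connection is reused only if all three key parts match."""

    def __init__(self, max_age: float):
        self.max_age = max_age     # seconds before re-validation is forced
        self.opened = 0
        self._conns = {}           # ConnKey -> (connection id, time opened)

    def get(self, peer, dst_domain, validate_domain, now):
        domain = dst_domain.lower().rstrip(".")
        key = ConnKey(peer, select_client_cert(domain),
                      domain if validate_domain else None)
        entry = self._conns.get(key)
        if entry is None or now - entry[1] > self.max_age:
            # Stand-in for a real handshake plus certificate/domain validation.
            self.opened += 1
            entry = (self.opened, now)
            self._conns[key] = entry
        return entry[0]

    def reload(self) -> int:
        """Model of a tls_reload-style command: drop every connection."""
        dropped = len(self._conns)
        self._conns.clear()
        return dropped
```

Keying on the peer address alone would hand a transaction for one hosted domain a connection that was validated for another, which is the reuse problem the message describes.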
Hi,
Is the use of a STUN server or any other solution of this type (another
daemon) still mandatory to solve the NAT problem, since I have correctly set up
a media proxy and the netHelper module in my configuration file? If it's
not the case, which type of configuration is out of scope if my server is
in this configuration?
For example, for this network configuration, is a STUN server with a
compatible UA mandatory?
UA1 --- [openSER+MediaProxy+FW with NAT] --- [ Internet ] --- [ FW/NAT ] --- UA2
If it is the case, which module(s) must be used with openSER and which STUN
server (open source/free) can be used?
I already tested that this network configuration is working without any STUN
server:
UA1 --- [openSER+MediaProxy+FW with NAT] --- [Internet] --- [FW] --- UA2 (softphone on PC with direct access to the Internet)
Thanks,
Christophe
Friends,
I want to use multiple instances of SER with a load balancer to ensure
scalability and redundancy.
Does any load balancer exist that has been proven to work well with SER?
Thanks
ramin
> And in your special case it's really hard to actually understand what your
> problem is and what you want. This is partially due to your English skills
> (please do not take this as an insult, I'm not a native English speaker
> myself, but it's just a fact: I can't understand most of your sentences). The
> other problem (at least with the last help request I've read from you) is
> that there wasn't enough information in it to actually understand what your
> problem was and what you want.
OK, I post a new mail; I try my best in English.
Harry
Hi,
I just have a simple question: can I set up multi-user conference calls
with SER? And if yes, which softphone can I use to do that?
Thank you for your help.
Matthieu
--- Marc Haisenko <marc(a)darkdust.net> wrote:
> On Tuesday 22 November 2005 12:47, harry gaillac wrote:
> > Dear open(ser) users,
> >
> > I posted many mails in the past in order to find some
> > help to solve a problem.
> > Some people can't answer, however I don't think ALL
> > people on these lists cannot give me a way.
> >
> > I do hope some people will answer unless those people
> > have blacklisted me!
> >
> > Regards
> > Harry
>
> You get what you pay for. Since you paid nothing, everything you get is a
> present. So if someone answers you, be thankful. But no one is required to
> answer your support requests!
What do you mean, "you paid nothing"?
I've never thought people have to answer, but when you
can help, why not do it!
> What I've seen on the list is that most of your support requests were
> answered. So I find it quite rude and impolite of you to complain if you
> don't get an immediate answer or one that solves all your problems!
An immediate answer!
What's a non-"immediate answer", the next year maybe!
I do hope you're still kidding; I posted many mails
without replies.
I'm tired of the kind of people like you who waste their
time giving advice.
You're not the moderator, so if you can help don't
pollute the list.
Harry
Hi guys,
Okay, so with Daniel's help we have a running config using dbtext. Are
there any good cookbooks on how to administer a box using this type of
setup? Using openserctl keeps complaining about missing mysql and I
apparently don't know how to add a ha1 hashed password to the database;
it won't really do much with the cleartext one I have set.
Best regards,
Florian