How can I set the destination URI for an INVITE to be a
websocket-secure destination? Is it possible?
Summary
I've a proxy with tcp_connection_match=1, but websocket URIs always
have transport=ws (never transport=wss) in them, so relaying a call to
a WSS connection always fails.
I tested running kamailio 6.0.0-dev2 compiled from a commit made this
week. This proxy server uses nathelper rather than outbound module.
Detail
We know that "transport=ws" is used for both WS and WSS. I've a proxy
server that receives an INVITE for a WSS destination, and this proxy
supports both WS and WSS.
This proxy server must have core parameter tcp_connection_match=1 set,
and this leads the t_relay() to fail.
When an INVITE comes, these are the steps.
- The URI is something like
sip:user@anonymous.invalid;alias=198.51.100.10~52833~6;transport=ws.
- First handle_ruri_alias() removes the alias (which has ~6 in it, for
wss) and sets the $du to something like
sip:198.51.100.10:52833;transport=ws.
- Then loose_route_preloaded() processes the Route header fields and
forces the outbound socket to the TLS websocket one.
- Then t_relay() fails to relay the INVITE and responds with 477 or 500.
If, however, there's a non-TLS websocket connection open to the proxy,
the INVITE would be erroneously relayed over that (using the wrong
kamailio-side TCP port).
I can go deeper with testing if required. I wonder whether this is a bug.
James
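
The alias handling described in the steps above, as an added example that is not part of the original post and is not Kamailio code. It parses the ip~port~proto alias, rebuilds the destination URI, and shows that WS and WSS collapse to the same transport=ws, so a check against cleartext fallback has to use the alias protocol. The function names and the protocol ids other than 6 are assumptions.

```python
# Added example, not Kamailio source. The page only confirms 6 = WSS; the other
# ids are assumed from Kamailio's protocol numbering.
PROTO_NAMES = {1: "udp", 2: "tcp", 3: "tls", 4: "sctp", 5: "ws", 6: "wss"}
# SIP URIs have no "wss" transport value: WS and WSS are both written transport=ws.
URI_TRANSPORT = {"udp": "udp", "tcp": "tcp", "tls": "tls",
                 "sctp": "sctp", "ws": "ws", "wss": "ws"}
SECURE = {"tls", "wss"}


def parse_alias(uri):
    """Return (uri_without_alias, ip, port, proto_name); the last three are
    None when the URI carries no alias parameter."""
    head, *params = uri.split(";")
    kept, alias = [], None
    for param in params:
        name, _, value = param.partition("=")
        if name.lower() == "alias" and alias is None:
            alias = value
        else:
            kept.append(param)
    if alias is None:
        return uri, None, None, None
    parts = alias.split("~")
    if len(parts) != 3 or not parts[1].isdigit() or not parts[2].isdigit():
        raise ValueError("malformed alias: " + alias)
    ip, port, proto = parts[0], int(parts[1]), int(parts[2])
    if proto not in PROTO_NAMES or not 0 < port < 65536:
        raise ValueError("alias out of range: " + alias)
    return ";".join([head] + kept), ip, port, PROTO_NAMES[proto]


def destination_uri(ip, port, proto_name):
    """Build the destination URI; this is where the WS/WSS distinction is lost."""
    return f"sip:{ip}:{port};transport={URI_TRANSPORT[proto_name]}"


def is_downgrade(alias_proto, connection_proto):
    """True when the alias named a TLS-protected transport but the connection
    chosen for sending is a cleartext one."""
    return alias_proto in SECURE and connection_proto not in SECURE


if __name__ == "__main__":
    # URI taken from the post above.
    ruri = "sip:user@anonymous.invalid;alias=198.51.100.10~52833~6;transport=ws"
    stripped, ip, port, proto = parse_alias(ruri)
    print(stripped, destination_uri(ip, port, proto), proto)
    print("downgrade if sent over plain ws:", is_downgrade(proto, "ws"))
```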

Hi,
I just tried to send a number of SIP REGISTERs to Kamailio (release 5.8.2). It is reported that there is some memory leakage in shared memory after the expiry of all the registration sessions. After drilling down into the code, function save_pending(...) is called (in ims_registrar_pcscf/save.c). Inside that function, it seems that "sec_verify_params" is not deallocated when the function completes.
Findings:
- sec_verify_params uses the result from function cscf_get_security_verify(...)
- Function cscf_get_security_verify(...) returns the result of function parse_sec_agree(...)
- Function parse_sec_agree(...) returns "params" where "shm_malloc(...)" is called
It seems that the memory pointed to by 'sec_verify_params' is not further referenced by others. Should shm_free(...) be called when leaving function save_pending(...) in order to free the unused memory of 'sec_verify_params'?
Please advise.
Thank you.
Regards,
Hong

Hello!
I need to disable topos for one specific SIP trunk (in-out), it looks like
it’s enough to use event_route with IP address filtering.
But for some reason, the incoming INVITE from the peer still gets processed
by topos and I also don’t see a mention of [msg-incoming] in the logs, only
this:
WARNING: <script>: [msg-outgoing] OPTIONS/you/1.1.1.1
Code snippet:
loadmodule "topos.so"
modparam("topos", "db_url", DBURL)
modparam("topos", "contact_mode", 1)
modparam("topos", "header_mode", 1)
modparam("topos", "methods_noinitial", "OPTIONS,SUBSCRIBE,PUBLISH")
modparam("topos", "dialog_expire", 7210)
modparam("topos", "rr_update", 1)
modparam("topos", "event_mode", 5)
/*
  1 - execute event_route[topos:msg-outgoing]
  2 - execute event_route[topos:msg-sending]
  4 - execute event_route[topos:msg-incoming]
  8 - execute event_route[topos:msg-receiving]
*/
request_route {
    ....
}
event_route[topos:msg-outgoing] {
    if ( $sndto(ip) == "1.1.1.1" ) {
        xlog("L_WARN","[msg-outgoing] $rm/$rU/$sndto(ip) \n");
        drop;
    }
}
event_route[topos:msg-incoming] {
    if ( $si == "1.1.1.1" ) {
        xlog("L_WARN","[msg-incoming] $rm/$rU/$si \n");
        drop;
    }
}
# kamailio -v
version: kamailio 5.7.1 (x86_64/linux) 1cf389-dirty
--
BR,
Denys Pozniak

Hello,
We have compiled openssl 3.0.9 from source because it's FIPS validated, and
want to use it with Kamailio. The server also has the Ubuntu openssl 3.0.2
package installed.
Does anyone know how we can tell Kamailio to use the openssl library in
/opt/openssl/lib64, and how we can verify that it really is using it?
Thanking you in advance,
--
David Cunningham, Voisonics Limited
http://voisonics.com/
USA: +1 213 221 1092
New Zealand: +64 (0)28 2558 3782

Hello,
I am considering releasing Kamailio v5.8.3 (out of branch 5.8) sometime
next week, most likely on Wednesday, Sep 4, 2024. If anyone is aware of
issues not yet on the bug tracker, report them there asap in order to
have a better chance to be fixed.
Cheers,
Daniel
--
Daniel-Constantin Mierla (@ asipto.com)
twitter.com/miconda -- linkedin.com/in/miconda
Kamailio Consultancy, Training and Development Services -- asipto.com

Hi Kamailians,
we have the intention to archive the app_mono module in a few[0]. Most likely at the end of next week. If you use app_mono and you don't want to see it fade away, now is the time to raise your voice.
Cheers,
Victor
[0] https://github.com/kamailio/kamailio/pull/3964

Hi All,
I am trying to replay a request to the destination via Kamailio, and I am using t_relay_to_tcp for that, but in that case Kamailio is adding its own address as the top VIA header. Is there a way I can instruct Kamailio not to add local via header?

Hello all, context first, we have a REST API that performs queries to
external devices in the network (diameter to DRA's, REST to different
servers) and based on n conditions returns the content for a Contact header
to be used in a SIP 302.
Now we're consuming this API with http_client (synchronously) and as
there's no way to speed up the API (pipeline executions, delays on external
api's etc etc) we're hitting a limit where all children become busy waiting
for the API to answer.
So I decided to move to http_async_client and started working on it on the
lab with this first and base concept to test.
request_route {
    #for testing purposes only
    if(is_method("ACK")){
        exit;
    }
    $http_req(all) = $null;
    $http_req(suspend) = 1;
    $http_req(timeout) = 500;
    $http_req(method) = "POST";
    $http_req(hdr) = "Content-Type: application/json";
    jansson_set("string", "event", "sip-routing", "$var(cre_query)");
    xlog("L_INFO","API ASYNC ROUTING REQUEST: $var(cre_query)\n");
    $http_req(body) = $var(cre_query);
    t_newtran();
    http_async_query("http://192.168.86.128:8000/", "CRE_RESPONSE");
}
http://192.168.86.128:8000/ receives the POST, randomly creates a delay
between 0.5 and 1 second and responds (simulating the real api with an
excess delay to probe the concept)
Then
route[CRE_RESPONSE] {
    if ($http_ok && $http_rs == 200) {
        xlog("L_INFO","CRE RESPONSE: $http_rb\n");
        # for testing purpose, Contact content will be replaced from the received api response
        append_to_reply("Contact: <sip:1234@google.com>\r\n");
        send_reply(302,"Moved Temporarily");
        exit;
    }
    send_reply(500, "Internal error");
    exit;
}
INVITE is received and processed, API is called, after API response, 302 is
replied and then an ACK (ignored by now).
Situation is that the 302 is retransmitted
37 1519.846253067 192.168.86.34 → 192.168.86.128 SIP/SDP 585 Request: INVITE sip:service@192.168.86.128:5060 |
38 1519.848100380 192.168.86.128 → 192.168.86.34 SIP 318 Status: 100 Trying |
39 1520.094997642 192.168.86.128 → 192.168.86.34 SIP 407 Status: 302 Moved Temporarily |
40 1520.102323728 192.168.86.34 → 192.168.86.128 SIP 453 Request: ACK sip:service@192.168.86.128:5060 |
41 1520.591300933 192.168.86.128 → 192.168.86.34 SIP 407 Status: 302 Moved Temporarily |
42 1521.591061065 192.168.86.128 → 192.168.86.34 SIP 407 Status: 302 Moved Temporarily |
43 1523.591227956 192.168.86.128 → 192.168.86.34 SIP 407 Status: 302 Moved Temporarily |
18(24) DEBUG: tm [t_reply.c:1703]: t_retransmit_reply(): reply retransmitted. buf=0x7f6d79745dc0: SIP/2.0 3..., shmem=0x7f6d75187fd8: SIP/2.0 3
18(24) DEBUG: tm [t_reply.c:1703]: t_retransmit_reply(): reply retransmitted. buf=0x7f6d79745dc0: SIP/2.0 3..., shmem=0x7f6d75187fd8: SIP/2.0 3
18(24) DEBUG: tm [t_reply.c:1703]: t_retransmit_reply(): reply retransmitted. buf=0x7f6d79745dc0: SIP/2.0 3..., shmem=0x7f6d75187fd8: SIP/2.0 3
18(24) DEBUG: tm [timer.c:634]: wait_handler(): finished transaction: 0x7f6d75184cc8 (p:0x7f6d74f600c8/n:0x7f6d74f600c8)
18(24) DEBUG: tm [h_table.c:132]: free_cell_helper(): freeing transaction 0x7f6d75184cc8 from timer.c:643
Any help to avoid the retransmission and make the transaction just finish
right after the 302 will be appreciated.
regards

Hello,
I wanted to know if this can be accomplished, or if I'm doing something wrong.
What I'm hoping to accomplish is to have kamailio periodically send OPTIONS packets to endpoints that are connected over UDP only.
As of right now, I currently have the following configured under usrloc:
modparam("usrloc", "timer_interval", 5)
modparam("usrloc", "timer_procs", 2)
modparam("usrloc", "use_domain", MULTIDOMAIN)
modparam("usrloc", "db_url", DBURL)
modparam("usrloc", "db_mode", 0)
modparam("usrloc", "ka_mode", 1)
modparam("usrloc", "ka_method", "OPTIONS")
modparam("usrloc", "ka_from", "sip:ping@sip-domain.com")
modparam("usrloc", "ka_domain", "sip-domain.com")
modparam("usrloc", "ka_timeout", 125)
modparam("usrloc", "ka_interval", 60)
With these parameters, all endpoints will be sent OPTIONS packets periodically as expected. When setting "ka_mode" to "4", as expected, endpoints registered with UDP only receive OPTIONS packets; which is what I wanted.
The issue that I'm having with these parameters is that endpoints registered with anything other than UDP are triggering a contact-expired event after a little over 2 minutes. I have the registrar set to 3600 as an expiry; I'm assuming the contact is expiring due to the "ka_timeout" value.
--------------------------
Is there a way to only have keep-alive packets and timeouts apply to endpoints registered on UDP?
Thank you.

Hi all!
I need to integrate a REST Service with Kamailio. Integration is easy, not
a problem, but my concern is that the REST Service has a JWT token
authentication required for each request, common to many (if not all) REST
Services.
So, it is required to POST for authentication (username and password) and
once I get authentication done, and receive a JWT token, I will need to use
this token in all other requests to the REST Service. The token is valid
for 24h.
My question is:
- how to save the token for use during 24h, on all calls/sessions, without
the need to authenticate on every call?
- how to detect the token has expired and re-authenticate?
I looked for some modules, but could not find any that suited me.
I am thinking of executing a Python script for this, but concerned about
latency and PDD....
Any thoughts? Any suggestions? Any known best-practice?
Atenciosamente / Kind Regards / Cordialement / Un saludo,
*Sérgio Charrua*
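
The token reuse and expiry detection asked about in the post above, as an added example that is not part of the original post. It caches the JWT, reads its `exp` claim to refresh shortly before expiry, and re-authenticates once when a request comes back 401. The `login` and `request` callables, the 60-second margin and the sample token are assumptions.

```python
import base64
import json
import time


def make_sample_jwt(exp):
    """Constructed, unsigned sample token for this demo only."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"


class TokenCache:
    """Holds one JWT and re-authenticates only when it is missing, about to expire,
    or rejected. `login` is a hypothetical callable that performs the POST with
    username and password and returns the token string."""

    def __init__(self, login, skew=60, clock=time.time):
        self._login, self._skew, self._clock = login, skew, clock
        self._token, self._exp = None, 0.0

    @staticmethod
    def expiry_of(token):
        """Read 'exp' from the payload. The signature is not checked: the value is
        used only to schedule the refresh, the server remains the authority."""
        try:
            part = token.split(".")[1]
            payload = base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
            return float(json.loads(payload)["exp"])
        except (IndexError, KeyError, TypeError, ValueError):
            return None

    def _refresh(self):
        self._token = self._login()
        exp = self.expiry_of(self._token)
        # No readable exp claim: fall back to the 24h lifetime stated in the post.
        self._exp = exp if exp is not None else self._clock() + 24 * 3600

    def get(self):
        if self._token is None or self._clock() >= self._exp - self._skew:
            self._refresh()
        return self._token

    def call(self, request):
        """request(token) -> (status, body). A 401 means the server no longer
        accepts the token (revoked, clock drift): log in again and retry once."""
        status, body = request(self.get())
        if status == 401:
            self._refresh()
            status, body = request(self._token)
        return status, body
```

The cache lives in one process; with several worker processes each would hold its own copy unless the token is kept in storage they share.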