Hello,
the fix was done from the perspective that websocket is required to be
over secure transport if not on localhost (iirc), so first the lookup
was done for wss.
On the other hand, even if there are two connections, one ws and one
wss, the tuple (local-ip/port, remote-ip/port) should be different for
the two connections. I haven't gone deep in the code due to lack of
time, but if it is still something to look at, this is one direction.
Actually my commit came based on the hint (referenced commit there) from
the comment:
-
Hi Daniel, Henning
I tested the commit 60165196ad3144597c24eb9f7bb7fb0cd56f8c25 (which is
the one after your fix
https://github.com/kamailio/kamailio/commit/aa794581ecf105b5313d2f5b8bcfe51…).
Although this gets my particular test INVITE working over TLS, it's
not ideal because it can allow a WSS INVITE to be relayed over TCP and
also allow a WS INVITE to be relayed over TLS (I'm not a C coder, but
that's what I suspected when I read the commit, so I tested it). It
seems as if the alias part ~5 or ~6 (for WS or WSS) is not fully
respected.
It's this scenario (the security problem of a TLS message being sent
in the clear) for which PR 3810 (which Henning mentioned earlier) was
made. That was important because an SBC might make multiple TCP/TLS
connections on behalf of sub-customers and then a conflict can arise
if/when a port get reused/shared.
However, now I see these points.
- This change affects only websocket, so doesn't completely undo the
good of that PR.
- A full/complete fix, I expect, might be much more complicated,
because it would involve changing how $du works internally and involve
nathelper as well as core.
- Perhaps I'll deprecate the non-TLS websocket listener in my proxy
server and then this won't matter any more. I expect that this will
result in everything (Via transport parameter, Record-Route port, etc)
working perfectly.
Thanks for your quick fix on this. I think it's going to unblock a
kamailio upgrade for me.
James
On Thu, 5 Sept 2024 at 08:59, James Browne <james(a)frideo.com> wrote:
> Thanks, Henning.
> Yes it looks like the same issue.
> I see that Daniel pushed a commit an hour ago for this, so I'm going
> to test it right now if I can and see what I can find.
>
> James
>
> On Thu, 5 Sept 2024 at 06:19, Henning Westerholt <hw(a)gilawa.com> wrote:
>> Hello James,
>>
>> Thanks for sending the logs. I just briefly looked to the log files, at least the
port 443 "wrong" scenario looks similar from the error message to the issue
described here from somebody else:
>>
https://github.com/kamailio/kamailio/issues/3969
>>
>> Cheers,
>>
>> Henning
>>
>>> -----Original Message-----
>>> From: James Browne via sr-users <sr-users(a)lists.kamailio.org>
>>> Sent: Mittwoch, 4. September 2024 12:23
>>> To: miconda(a)gmail.com
>>> Cc: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>rg>;
James
>>> Browne <james(a)frideo.com>
>>> Subject: [SR-Users] Re: Setting $du to websocket-secure
>>>
>>> Thanks, Daniel
>>> Here are attached the logs with timestamps. I made two tests, involving
>>> INVITEs that differed only in the Call-ID and CSeq.
>>> In each case, the logs include the time of the websocket connection being
>>> made. There was no other traffic on the server during the test.
>>>
>>> ###############
>>> INVITE
>>> sip:moon@bobbywomack.invalid;alias=11.15.32.1~33333~6;transport=ws
>>> SIP/2.0
>>> Via: SIP/2.0/UDP 192.168.25.4:5060;rport;branch=z9hG4bK-d8754z-
>>> cc2c63344f5218d
>>> Route: <sip:10.25.17.11;lr;r2=on>
>>> Route: <sip:198.18.55.66:443;transport=ws;lr;r2=on>
>>> From: <sip:+353877900000@someclient>;tag=1a56f142c2ed4d2f
>>> To: <sip:+35315220000@sip.frideo.eu>
>>> ###############
>>>
>>> In log "port-80.txt", there was a websocket connection open to
non-TLS port
>>> 80, and the INVITE was relayed over it.
>>> In log "port-443.txt", there was a websocket connection open to TLS
port 443,
>>> and the INVITE wasn't relayed.
>>>
>>> The kamailio.cfg was effectively this.
>>> #############################################
>>> tcp_connection_match=1
>>> request_route {
>>> route(INITIAL_INVITE_OUTGOING);
>>> }
>>> route[INITIAL_INVITE_OUTGOING] {
>>> loose_route_preloaded();
>>> handle_ruri_alias();
>>> xlog("L_NOTICE", "[$ci] P1052 About to relay WS call to
$dd:$dp from $fs
>>> ($$du is $du)\n");
>>> if (!t_relay_to("0x02")) {
>>> xlog("L_WARN", "[$ci] P1052 Failed relaying WS call to
$dd:$dp\n");
>>> t_reply("503", "Relaying over WS to next hop
failed");
>>> }
>>> exit;
>>> }
>>> #############################################
>>>
>>> James
>>>
>>> On Tue, 3 Sept 2024 at 15:53, Daniel-Constantin Mierla
>>> <miconda(a)gmail.com> wrote:
>>>> Hello,
>>>>
>>>> can you run with debug=3 in kamailio.cfg and attach all the debug
>>>> messages printed by Kamailio in such case? It will help to figure out
>>>> where it fails first to find properly the connection.
>>>>
>>>> Cheers,
>>>> Daniel
>>>>
>>>> On 03.09.24 15:24, James Browne wrote:
>>>>> Thanks for your continued answers, Daniel.
>>>>>
>>>>> I have an edge proxy in front of the registrar. The edge proxy calls
>>>>> add_contact_alias() whenever a REGISTER is received over websocket
>>>>> (before relaying the REGISTER to the registrar).
>>>>>
>>>>> 2) Today I tested swapping the order of the loose_route() and
>>>>> handle_ruri_alias() functions, but the result was the same. Always
>>>>> if the RURI (after handle_ruri_alias() is called) has transport=ws
>>>>> in it, then kamailio won't deliver it over a TLS websocket
>>>>> connection (when tcp_connection_match is set).
>>>>>
>>>>> 1) So how can I set the $du to specify what websocket-over-tls
>>>>> (rather than websocket-over-tcp-without tls) should be used? The
>>>>> handle_ruri_alias() function does not achieve this when I test it.
>>>>> Remember that "transport=ws" is used for both WS and WSS.
>>>>>
>>>>> James
>>>>>
>>>>> On Mon, 2 Sept 2024 at 16:00, Daniel-Constantin Mierla
>>>>> <miconda(a)gmail.com> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I didn't have the time to go in details over this discussion,
but
>>>>>> if I got it right quickly, then:
>>>>>>
>>>>>> 1) you can set $du to any SIP URI, where the transport parameter
>>>>>> can be whatever you want
>>>>>>
>>>>>> 2) handle_ruri_alias() should be done after and loose-route
processing.
>>>>>> The Route headers are about intermediary hops, not the end
points,
>>>>>> and therefore they have to be consumed first. The ruri-alias
should
>>>>>> be about endpoint, so handling it has to be done by the last SIP
>>>>>> proxy before the endpoint, where there is no other intermediary
SIP hop
>>> (proxy).
>>>>>> Cheers,
>>>>>> Daniel
>>>>>>
>>>>>> On 02.09.24 16:50, James Browne via sr-users wrote:
>>>>>>> Thanks, Daniel
>>>>>>> The problem is specifically about sending traffic to
websocket
>>>>>>> clients that have already established connections to my
kamailio proxy.
>>>>>>>
>>>>>>> Thanks, Henning
>>>>>>> You're right. That PR caused this problem, but it
didn't really
>>>>>>> _create_ a bug but highlighted one that was already there.
>>>>>>> Before that PR, kamailio would relay traffic destined for a
>>>>>>> websocket client via a WSS connection, but it was working
only due
>>>>>>> to two bugs that would cancel each other out. As far as I
can
>>>>>>> tell, this is how it worked.
>>>>>>> - Kamailio would see the transport=ws and decide it would
relay
>>>>>>> the message over a TCP Websocket connection to the
customer's TCP
>>> port.
>>>>>>> - Kamailio would see a TLS connection open using that
>>>>>>> customer-side TCP port and relay what it was treating as a
non-TLS
>>>>>>> message through a TLS connection.
>>>>>>> Of course, after that PR fixed the second bug, the first came
to light.
>>>>>>>
>>>>>>> Anyway, is there a way to set the $du to a TLS-websocket URI?
If
>>>>>>> not, then this looks like a bug to me and I think I should
log a
>>>>>>> bug report. I've tested this thoroughly already and have
a good
>>>>>>> feel for it.
>>>>>>>
>>>>>>> (Full disclosure: I was involved with that PR 3810 that
Henning
>>>>>>> mentioned.)
>>>>>>>
>>>>>>> James
>>>>>>>
>>>>>>> On Fri, 30 Aug 2024 at 09:08, Henning Westerholt
<hw(a)gilawa.com>
>>> wrote:
>>>>>>>> Hello James,
>>>>>>>>
>>>>>>>> It sounds a bit like a similar issue that was fixed some
time ago
>>>>>>>> for overlapping TCP and TLS sockets:
>>>>>>>>
https://github.com/kamailio/kamailio/pull/3810
>>>>>>>>
>>>>>>>> Cheers,
>>>>>>>>
>>>>>>>> Henning
>>>>>>>>
>>>>>>>> --
>>>>>>>> Henning Westerholt -
https://skalatan.de/blog/ Kamailio
services
>>>>>>>> -
https://gilawa.com
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: James Browne via sr-users
<sr-users(a)lists.kamailio.org>
>>>>>>>>> Sent: Donnerstag, 29. August 2024 13:35
>>>>>>>>> To: Kamailio (SER) - Users Mailing List
>>>>>>>>> <sr-users(a)lists.kamailio.org>
>>>>>>>>> Cc: James Browne <james(a)frideo.com>
>>>>>>>>> Subject: [SR-Users] Setting $du to websocket-secure
>>>>>>>>>
>>>>>>>>> How can I set the destination URI for an INVITE to be
a
>>>>>>>>> websocket-secure destination? Is it possible?
>>>>>>>>>
>>>>>>>>> Summary
>>>>>>>>> I've a proxy with tcp_connection_match=1, but
websocket URIs
>>>>>>>>> always have transport=ws (never transport=wss) in
them, so
>>>>>>>>> relaying a call to a WSS connection always fails.
>>>>>>>>> I tested running kamailio 6.0.0-dev2 compiled from a
commit made
>>> this week.
>>>>>>>>> This proxy server uses nathelper rather than outbound
module.
>>>>>>>>>
>>>>>>>>> Detail
>>>>>>>>> We know that "transport=ws" is used for
both WS and WSS. I've a
>>>>>>>>> proxy server that receives an INVITE for a WSS
destination, and
>>>>>>>>> this proxy supports both WS and WSS.
>>>>>>>>> This proxy server must have core parameter
>>>>>>>>> tcp_connection_match=1 set, and this leads the
t_relay() to fail.
>>>>>>>>> When an INVITE comes, these are the steps.
>>>>>>>>> - The URI is something like
>>>>>>>>>
>>> sip:user@anonymous.invalid;alias=198.51.100.10~52833~6;transport=ws.
>>>>>>>>> - First handle_ruri_alias() removes the alias (which
has ~6 in
>>>>>>>>> it, for
>>>>>>>>> wss) and sets the $du to something like
>>>>>>>>> sip:198.51.100.10:52833;transport=ws.
>>>>>>>>> - Then loose_route_preloaded() processes the Route
header fields
>>>>>>>>> and forces the outbound socket to the TLS websocket
one.
>>>>>>>>> - Then t_relay() fails to relay the INVITE and
responds with 477 or 500.
>>>>>>>>>
>>>>>>>>> If, however, there's a non-TLS websocket
connection open to the
>>>>>>>>> proxy, the INVITE would be erroneously relayed over
that (using
>>>>>>>>> the wrong kamailio-side TCP port).
>>>>>>>>> I can go deeper with testing if required. I wonder
whether this is a bug.
>>>>>>>>>
>>>>>>>>> James
>>>>>>>>>
__________________________________________________________
>>>>>>>>> Kamailio - Users Mailing List - Non Commercial
Discussions To
>>>>>>>>> unsubscribe send an email to
sr-users-leave(a)lists.kamailio.org
>>>>>>>>> Important: keep the mailing list in the recipients,
do not reply
>>>>>>>>> only to the sender!
>>>>>>>>> Edit mailing list options or unsubscribe:
>>>>>>> __________________________________________________________
>>>>>>> Kamailio - Users Mailing List - Non Commercial Discussions
To
>>>>>>> unsubscribe send an email to
sr-users-leave(a)lists.kamailio.org
>>>>>>> Important: keep the mailing list in the recipients, do not
reply only to the
>>> sender!
>>>>>>> Edit mailing list options or unsubscribe:
>>>>>> --
>>>>>> Daniel-Constantin Mierla (@
asipto.com)
twitter.com/miconda --
>>>>>>
linkedin.com/in/miconda Kamailio Consultancy, Training and
>>>>>> Development Services --
asipto.com Kamailio Advanced Training,
>>>>>> October 8-10, 2024 --
asipto.com
>>>>>>
>>>> --
>>>> Daniel-Constantin Mierla (@
asipto.com)
twitter.com/miconda --
>>>>
linkedin.com/in/miconda Kamailio Consultancy, Training and Development
>>>> Services --
asipto.com Kamailio Advanced Training, October 8-10, 2024
>>>> --
asipto.com
>>>>