11 Jan
2008
11 Jan
'08
10:09 a.m.
Hi Fengbin!
Cc'ed to the openser list ...
fengbin schrieb:
Hi,Klaus,
How to use NULL cipher? Only setting in Openser is ok? I mean do I need
to set NULL cipher at client site?
Usually the NULL cipher is not enabled (for security reasons). You have
to enable it on both sides, the server and the client. But if you use
the following approach you do not need it.
And where to put xlog("L_ERR","message
buffer: $mb"); anywhere in
openser.cfg ?
Put it just in the beginning of the route block.
regards
klaus
THX
BR
On 1/11/08, *Klaus Darilion* <klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>> wrote:
The capture file is not helpful, as it is encrypted. You could use NULL
cipher to have plaintext inside the TLS connection to inspect the
incoming SIP message, or add xlog("L_ERR","message buffer: $mb");
to see
the whole incoming SIP request.
regards
klaus
fengbin schrieb:
searching:
lookup...
flags=8000000
created
------------------------------------------------------------------------
Hi,Klaus
Thank you for your reply.
The enclosed is the config file ,the pcap between client and
server and
the log on the openser 's console.
Could you please take a look at them for me?
THX
BR
On 1/10/08, *Klaus Darilion* <klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>
<mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at> >> wrote:
Can you show us the REGISTER request? (both, port 5060 and
port 5061).
Further show use your openser config
regards
klaus
fengbin schrieb:
>
> Hi,all
> I met a strange problem while I am testing TLS connection
between
> minisip and openser.
> The following is my openser.cfg (part of that)
>
> .........
> fork=no
> log_stderror=yes
>
> # Uncomment this to prevent the blacklisting of
temporary not
> available destinations
> #disable_dns_blacklist=yes
>
> # # Uncomment this to prevent the IPv6 lookup after v4
dns
lookup
> failures
> #dns_try_ipv6=no
>
> # uncomment the following lines for TLS support
> disable_tls = 0
> listen = tls: 10.11.57.197:5060
<http://10.11.57.197:5060>
<http://10.11.57.197:5060>
<http://10.11.57.197:5060>
calist.pem"
tls_verify_client = 1
tls_method = TLSv1
tls_certificate = "/usr/local/etc/openser//tls/user/user-
cert.pem"
tls_private_key =
"/usr/local/etc/openser//tls/user/user- privkey.pem"
> tls_ca_list = "/usr/local/etc/openser//tls/user/user- >
tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
> ......
>
> When I set "tls:10.11.57.197:5061
<http://10.11.57.197:5061> <http://10.11.57.197:5061> <
http://10.11.57.197:5061>" the
> registration never succeed. But if I set it to 5060 the
registration
> over TLS is OK.
> I compared the log of two scenarioes and found the TLS
session
both are
> OK,but the difference is that:
> when the port is 5061 there is an error of forwarding. but the
> forwarding is because openser think it's not the
destination of
> the registration request. See bellow:
>
> Jan 10 16:46:56 [9199] DBG:rr:after_loose: No next URI
found
> Jan 10 16:46:56 [9199]
DBG:core:grep_sock_info:
checking if
> host==us: 12==12 && [
10.11.57.197
<http://10.11.57.197> <http://10.11.57.197>
<http://10.11.57.197
<http://10.11.57.197>>] ==
> [10.11.57.197 <http://10.11.57.197>
<http://10.11.57.197> <http://10.11.57.197>]
> Jan 10 16:46:56 [9199]
DBG:core:grep_sock_info:
checking if port
5061
matches port 5060
Jan 10 16:46:56 [9199] DBG:core:check_self: host != me
Jan 10 16:46:56 [9199] DBG:core:parse_headers:
flags=ffffffffffffffff
Jan 10 16:46:56 [9199] DBG:tm:t_newtran: T on
entrance=0xffffffff
Jan 10 16:46:56 [9199]
DBG:core:parse_headers:
flags=ffffffffffffffff
> Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=78
> Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: start > hash=58073, isACK=0
> Jan 10 16:46:56 [9199] DBG:tm:matching_3261: RFC3261
transaction
matching failed
Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: no
transaction found
> Jan 10 16:46:56 [9199] DBG:core:mk_proxy: doing DNS > Jan 10 16:46:56 [9199]
ERROR:tm:update_uac_dst: failed
to fwd
to af
> 2, proto 1 (no corresponding listening socket)
> Jan 10 16:46:56 [9199] ERROR:tm:t_forward_nonack:
failure to
add
> branches
>
>
>
> With comparition to that when the port is set to 5060 the
trace is
:
>
> Jan 10 17:07:59 [9410] DBG:rr:find_next_route: No next
Route
HF found
> Jan 10 17:07:59 [9410] DBG:rr:after_loose: No next URI
found
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if
> host==us: 12==12 && [
10.11.57.197
<http://10.11.57.197> <http://10.11.57.197>
<http://10.11.57.197>] ==
> [ 10.11.57.197 <http://10.11.57.197>
<http://10.11.57.197> <http://10.11.57.197>]
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if port
> > 5060 matches port 5060
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if
> host==us: 12==12 &&
[10.11.57.197
<http://10.11.57.197> <http://10.11.57.197>
<http://10.11.57.197>] ==
> [10.11.57.197 <http://10.11.57.197> <
http://10.11.57.197> <http://10.11.57.197>]
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if port
5060
matches port 5060
Jan 10 17:07:59 [9410] DBG:core:parse_headers:
flags=ffffffffffffffff
> Jan 10 17:07:59 [9410] DBG:core:parse_headers: Jan
10 17:07:59 [9410] DBG:core:parse_headers:
flags=ffffffffffffffff
> Jan 10 17:07:59 [9410] DBG:registrar:build_contact: Contact
5061,why did
HF: Contact:
<sip:888@10.11.57.192:5061;transport=TLS>;expires=1000
>
>
>
> And there is no fwd needed then.So the error didnt occur.
>
> Its a little bit strange that when I set the port to openser
check the port 5060?????
Can anyone help me to figure it out?
THX
BR
--
Fengbin
>
> _______________________________________________
> Users mailing list
> Users(a)lists.openser.org <mailto:Users@lists.openser.org>
<mailto:Users@lists.openser.org <mailto:Users@lists.openser.org>>
--
Fengbin