Hi,
this is the phone->proxy case (traced on Proxy 192.168.0.89).
I also traced the successful case (Phoner Lite Register - phone->proxy):
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
New TCP connection #1: 192.168.0.176(1723) <-> 192.168.0.89(5061)
1 1  0.5784 (0.5784)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        Unknown value 0x39
        Unknown value 0x38
        Unknown value 0x35
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0x33
        Unknown value 0x32
        Unknown value 0x2f
        TLS_RSA_WITH_IDEA_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        compression methods
                  NULL
1 2  0.5811 (0.0027)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[0]=
        cipherSuite         Unknown value 0x35
        compressionMethod                   NULL
1 3  0.5811 (0.0000)  S>C  Handshake
      Certificate
1 4  0.5811 (0.0000)  S>C  Handshake
      ServerHelloDone
1 5  0.5830 (0.0019)  C>S  Handshake
      ClientKeyExchange
1 6  0.5830 (0.0000)  C>S  ChangeCipherSpec
1 7  0.5830 (0.0000)  C>S  Handshake
1 8  0.5870 (0.0040)  S>C  ChangeCipherSpec
1 9  0.5870 (0.0000)  S>C  Handshake
1 10 0.5908 (0.0037)  C>S  application_data
1 11 0.6204 (0.0296)  S>C  application_data
1 12 0.6241 (0.0037)  C>S  application_data
1 13 0.6848 (0.0606)  S>C  application_data
1 14 0.6884 (0.0035)  C>S  application_data
1 15 0.6890 (0.0006)  S>C  application_data
1 16 0.6934 (0.0043)  C>S  application_data
1 17 0.6947 (0.0013)  S>C  application_data
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at]
Sent: Monday, 25 January 2010 09:59
To: Andreas Rehbein
Cc: sr-users@lists.sip-router.org
Subject: Re: AW: AW: AW: AW: AW: [SR-Users] TLS problems
Is this proxy->phone or phone->proxy?
klaus
Andreas Rehbein wrote:
Hi Klaus,
these are the ssldump results:
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
New TCP connection #1: 192.168.0.222(1619) <-> 192.168.0.89(5061)
1 1  0.2578 (0.2578)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_NULL_MD5
        TLS_RSA_WITH_NULL_SHA
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
        TLS_DH_anon_WITH_RC4_128_MD5
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_DH_anon_WITH_DES_CBC_SHA
        compression methods
                  NULL
1    0.4212 (0.1633)  S>C  TCP FIN
1    0.4225 (0.0013)  C>S  TCP FIN
Seems like snom doesn't offer compression methods...
regards Andreas
-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at]
Sent: Friday, 22 January 2010 16:07
To: Andreas Rehbein
Cc: sr-users@lists.sip-router.org
Subject: Re: AW: AW: AW: AW: [SR-Users] TLS problems
I managed to have SNOM 320 registering at kamailio-3.0 via TLS. But I do not have any crashes (openssl 0.9.8g-15+lenny6).
Andreas, when does the crash happen exactly: during TLS handshake or afterwards (you can for example use "ssldump port 5061" to debug the TLS connection)?
regards klaus
Andreas Rehbein wrote:
Hi Klaus,
until now (OpenSER 1.3.x without client verification) it was not necessary to import certs into snom. To force the snom to send messages via TLS, you need to insert something like "192.168.0.89:5061;transport=tls" in the outbound proxy field (but I'm sure you already knew).
regards Andreas
-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at]
Sent: Friday, 22 January 2010 13:17
To: Andreas Rehbein
Cc: sr-users@lists.sip-router.org
Subject: Re: AW: AW: AW: [SR-Users] TLS problems
Andreas Rehbein wrote:
Hello Klaus,
Linux: Red Hat Enterprise Linux 5; Kernel: 2.6.18-92.1.10.el5 OpenSSL: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Hi Andreas!
I fail to configure SNOM to accept the certificate. I imported the CA cert as trusted certificates, but TLS handshake is not successful. Is there something else I need to take care of?
I'm quite sure my certificates are OK as it works with eyebeam and QjSimple.
regards Klaus
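
An added example, not part of the original thread and not code from ssldump or Kamailio: a small Python parser for ssldump text output like the two traces above. It reports, per connection, the suites the client offered, the suite the server chose, and whether a ServerHello was seen, and it names the AES suite IDs that the ssldump build in the thread printed as "Unknown value". The sample input is constructed from the thread's traces (suite lists shortened, second connection renumbered to #2); all function and variable names are this example's own.

```python
import re

# Suite IDs the ssldump build in the thread printed as "Unknown value".
# Names are the AES cipher suites defined for TLS in RFC 3268.
AES = {0x2F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x32: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
       0x33: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 0x35: "TLS_RSA_WITH_AES_256_CBC_SHA",
       0x38: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", 0x39: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}
SUITE = r"TLS_\w+|Unknown value 0x[0-9a-fA-F]+"

def name(token):
    """Resolve 'Unknown value 0xNN' to a suite name when the ID is known."""
    if token.startswith("Unknown value"):
        return AES.get(int(token.split()[-1], 16), token)
    return token

def summarize(dump):
    """Return one summary dict per TCP connection in ssldump text output."""
    results = []
    for chunk in dump.split("New TCP connection #")[1:]:
        peers = re.match(r"\d+: (\S+)\(\d+\) <-> (\S+)\(\d+\)", chunk)
        hello = re.search(r"cipher suites(.*?)compression methods", chunk, re.S)
        chosen = re.search(r"cipherSuite\s+(" + SUITE + ")", chunk)
        if "ServerHello" not in chunk:
            state = "no ServerHello"  # server never answered the ClientHello
        else:
            state = "completed" if "application_data" in chunk else "incomplete"
        results.append({
            "client": peers.group(1), "server": peers.group(2),
            "offered": [name(t) for t in re.findall(SUITE, hello.group(1))] if hello else [],
            "chosen": name(chosen.group(1)) if chosen else None,
            "state": state,
        })
    return results

# Constructed sample in the same flattened form as the traces in the thread;
# whitespace and line breaks do not matter to the parser.
SAMPLE = (
    "New TCP connection #1: 192.168.0.222(1619) <-> 192.168.0.89(5061) "
    "1 1 0.2578 (0.2578) C>S Handshake ClientHello Version 3.1 cipher suites "
    "TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_NULL_SHA TLS_DH_anon_WITH_RC4_128_MD5 "
    "compression methods NULL 1 0.4212 (0.1633) S>C TCP FIN "
    "New TCP connection #2: 192.168.0.176(1723) <-> 192.168.0.89(5061) "
    "2 1 0.5784 (0.5784) C>S Handshake ClientHello Version 3.1 cipher suites "
    "Unknown value 0x39 Unknown value 0x35 TLS_RSA_WITH_RC4_128_MD5 "
    "compression methods NULL 2 2 0.5811 (0.0027) S>C Handshake ServerHello "
    "cipherSuite Unknown value 0x35 2 10 0.5908 (0.0037) C>S application_data"
)
```

Calling summarize() on the saved output of "ssldump port 5061" gives the same per-connection view for a live capture.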