11 Jan
2008
11 Jan
'08
10:09 a.m.
Hi Fengbin!
Cc'ed to the openser list ...
fengbin schrieb:
Hi,Klaus,
How to use NULL cipher? Only setting in Openser is ok? I mean do I need
to set NULL cipher at client site?
Usually the NULL cipher is not enabled (for security reasons). You have
to enable it on both sides, the server and the client. But if you use
the following approach you do not need it.
And where to put xlog("L_ERR","message
buffer: $mb"); anywhere in
openser.cfg ?
Put it just in the beginning of the route block.
regards
klaus
THX
BR
On 1/11/08, *Klaus Darilion* <klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>> wrote:
The capture file is not helpful, as it is encrypted. You could use NULL
cipher to have plaintext inside the TLS connection to inspect the
incoming SIP message, or add xlog("L_ERR","message buffer: $mb");
to see
the whole incoming SIP request.
regards
klaus
fengbin schrieb:
searching:
lookup...
flags=8000000
created
------------------------------------------------------------------------
Hi,Klaus
Thank you for your reply.
The enclosed is the config file ,the pcap between client and
server and
the log on the openser 's console.
Could you please take a look at them for me?
THX
BR
On 1/10/08, *Klaus Darilion* <klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>
<mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at> >> wrote:
Can you show us the REGISTER request? (both, port 5060 and
port 5061).
Further show use your openser config
regards
klaus
fengbin schrieb:
>
> Hi,all
> I met a strange problem while I am testing TLS connection
between
> minisip and openser.
> The following is my openser.cfg (part of that)
>
> .........
> fork=no
> log_stderror=yes
>
> # Uncomment this to prevent the blacklisting of
temporary not
> available destinations
> #disable_dns_blacklist=yes
>
> # # Uncomment this to prevent the IPv6 lookup after v4
dns
lookup
> failures
> #dns_try_ipv6=no
>
> # uncomment the following lines for TLS support
> disable_tls = 0
> listen = tls: 10.11.57.197:5060
<http://10.11.57.197:5060>
<http://10.11.57.197:5060>
<http://10.11.57.197:5060>
calist.pem"
tls_verify_client = 1
tls_method = TLSv1
tls_certificate = "/usr/local/etc/openser//tls/user/user-
cert.pem"
tls_private_key =
"/usr/local/etc/openser//tls/user/user- privkey.pem"
> tls_ca_list = "/usr/local/etc/openser//tls/user/user- >
tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
> ......
>
> When I set "tls:10.11.57.197:5061
<http://10.11.57.197:5061> <http://10.11.57.197:5061> <
http://10.11.57.197:5061>" the
> registration never succeed. But if I set it to 5060 the
registration
> over TLS is OK.
> I compared the log of two scenarioes and found the TLS
session
both are
> OK,but the difference is that:
> when the port is 5061 there is an error of forwarding. but the
> forwarding is because openser think it's not the
destination of
> the registration request. See bellow:
>
> Jan 10 16:46:56 [9199] DBG:rr:after_loose: No next URI
found
> Jan 10 16:46:56 [9199]
DBG:core:grep_sock_info:
checking if
> host==us: 12==12 && [
10.11.57.197
<http://10.11.57.197> <http://10.11.57.197>
<http://10.11.57.197
<http://10.11.57.197>>] ==
> [10.11.57.197 <http://10.11.57.197>
<http://10.11.57.197> <http://10.11.57.197>]
> Jan 10 16:46:56 [9199]
DBG:core:grep_sock_info:
checking if port
5061
matches port 5060
Jan 10 16:46:56 [9199] DBG:core:check_self: host != me
Jan 10 16:46:56 [9199] DBG:core:parse_headers:
flags=ffffffffffffffff
Jan 10 16:46:56 [9199] DBG:tm:t_newtran: T on
entrance=0xffffffff
Jan 10 16:46:56 [9199]
DBG:core:parse_headers:
flags=ffffffffffffffff
> Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=78
> Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: start > hash=58073, isACK=0
> Jan 10 16:46:56 [9199] DBG:tm:matching_3261: RFC3261
transaction
matching failed
Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: no
transaction found
> Jan 10 16:46:56 [9199] DBG:core:mk_proxy: doing DNS > Jan 10 16:46:56 [9199]
ERROR:tm:update_uac_dst: failed
to fwd
to af
> 2, proto 1 (no corresponding listening socket)
> Jan 10 16:46:56 [9199] ERROR:tm:t_forward_nonack:
failure to
add
> branches
>
>
>
> With comparition to that when the port is set to 5060 the
trace is
:
>
> Jan 10 17:07:59 [9410] DBG:rr:find_next_route: No next
Route
HF found
> Jan 10 17:07:59 [9410] DBG:rr:after_loose: No next URI
found
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if
> host==us: 12==12 && [
10.11.57.197
<http://10.11.57.197> <http://10.11.57.197>
<http://10.11.57.197>] ==
> [ 10.11.57.197 <http://10.11.57.197>
<http://10.11.57.197> <http://10.11.57.197>]
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if port
> > 5060 matches port 5060
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if
> host==us: 12==12 &&
[10.11.57.197
<http://10.11.57.197> <http://10.11.57.197>
<http://10.11.57.197>] ==
> [10.11.57.197 <http://10.11.57.197> <
http://10.11.57.197> <http://10.11.57.197>]
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if port
5060
matches port 5060
Jan 10 17:07:59 [9410] DBG:core:parse_headers:
flags=ffffffffffffffff
> Jan 10 17:07:59 [9410] DBG:core:parse_headers: Jan
10 17:07:59 [9410] DBG:core:parse_headers:
flags=ffffffffffffffff
> Jan 10 17:07:59 [9410] DBG:registrar:build_contact: Contact
5061,why did
HF: Contact:
<sip:888@10.11.57.192:5061;transport=TLS>;expires=1000
>
>
>
> And there is no fwd needed then.So the error didnt occur.
>
> Its a little bit strange that when I set the port to openser
check the port 5060?????
Can anyone help me to figure it out?
THX
BR
--
Fengbin
>
> _______________________________________________
> Users mailing list
> Users(a)lists.openser.org <mailto:Users@lists.openser.org>
<mailto:Users@lists.openser.org <mailto:Users@lists.openser.org>>
--
Fengbin 
11 Jan
11 Jan
10:20 a.m.
New subject: [OpenSER-Users] TLS problem.
Dear,Klaus,
There is an error of " <xlog> not found" while I put that phrase
On 1/11/08, Klaus Darilion <klaus.mailinglists(a)pernau.at> wrote:
Hi Fengbin!
Cc'ed to the openser list ...
fengbin schrieb:
tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
the
lookup...
--
Fengbin
Hi,Klaus,
How to use NULL cipher? Only setting in Openser is ok? I mean do I need
to set NULL cipher at client site?
Usually the NULL cipher is not enabled (for security reasons). You have
to enable it on both sides, the server and the client. But if you use
the following approach you do not need it.
And where to put
xlog("L_ERR","message buffer: $mb"); anywhere in
openser.cfg ?
Put it just in the beginning of the route block.
regards
klaus
THX
BR
On 1/11/08, *Klaus Darilion* <klaus.mailinglists(a)pernau.at
<mailto: klaus.mailinglists(a)pernau.at>> wrote:
The capture file is not helpful, as it is encrypted. You could use
NULL
cipher to have plaintext inside the TLS
connection to inspect the
incoming SIP message, or add xlog("L_ERR","message buffer: $mb");
to
see
the whole incoming SIP request.
regards
klaus
fengbin schrieb:
"/usr/local/etc/openser//tls/user/user-
Hi,Klaus
Thank you for your reply.
The enclosed is the config file ,the pcap between client and
server and
the log on the openser 's console.
Could you please take a look at them for me?
THX
BR
On 1/10/08, *Klaus Darilion* < klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>
<mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at> >> wrote:
Can you show us the REGISTER request? (both, port 5060 and
port 5061).
Further show use your openser config
regards
klaus
fengbin schrieb:
>
> Hi,all
> I met a strange problem while I am testing TLS connection
between
> minisip and openser.
> The following is my openser.cfg (part of that)
>
> .........
> fork=no
> log_stderror=yes
>
> # Uncomment this to prevent the blacklisting of
temporary not
> available destinations
> #disable_dns_blacklist=yes
>
> # # Uncomment this to prevent the IPv6 lookup after v4
dns
lookup
> failures
> #dns_try_ipv6=no
>
> # uncomment the following lines for TLS support
> disable_tls = 0
> listen = tls: 10.11.57.197:5060
<http://10.11.57.197:5060>
<http://10.11.57.197:5060>
> < http://10.11.57.197:5060>
> >
> >
> > tls_verify_client = 1
> > tls_method = TLSv1
> > tls_certificate =
cert.pem"
calist.pem"
> > tls_private_key =
"/usr/local/etc/openser//tls/user/user- privkey.pem"
> tls_ca_list = "/usr/local/etc/openser//tls/user/user- >
......
>
> When I set "tls: 10.11.57.197:5061
<http://10.11.57.197:5061> <http://10.11.57.197:5061> <
http://10.11.57.197:5061>" the
> registration never succeed. But if I set it to 5060 the
registration
> over TLS is OK.
> I compared the log of two scenarioes and found the TLS
session
> both are
> > OK,but the difference is that:
> > when the port is 5061 there is an error of forwarding. but >
forwarding is because openser think it's not the
destination of
> > the registration request. See bellow:
> >
> > Jan 10 16:46:56 [9199] DBG:rr:after_loose: No next URI found
flags=78
> Jan 10 16:46:56 [9199]
DBG:core:grep_sock_info:
checking if
> host==us: 12==12 && [
10.11.57.197
<http://10.11.57.197> <http://10.11.57.197>
<http://10.11.57.197 <
http://10.11.57.197>>] ==
> [10.11.57.197 <http://10.11.57.197>
<
http://10.11.57.197> <http://10.11.57.197>]
> Jan 10 16:46:56 [9199]
DBG:core:grep_sock_info:
checking if port
> > 5061 matches port 5060
> > Jan 10 16:46:56 [9199] DBG:core:check_self: host != me
> > Jan 10 16:46:56 [9199] DBG:core:parse_headers:
> flags=ffffffffffffffff
> > Jan 10 16:46:56 [9199] DBG:tm:t_newtran: T on
> entrance=0xffffffff
> > Jan 10 16:46:56 [9199] DBG:core:parse_headers:
> flags=ffffffffffffffff
> > Jan 10 16:46:56 [9199] DBG:core:parse_headers: >
Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: start
searching:
> hash=58073, isACK=0
> Jan 10 16:46:56 [9199] DBG:tm:matching_3261: RFC3261
transaction
matching failed
Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: no
transaction found
> Jan 10 16:46:56 [9199] DBG:core:mk_proxy: doing DNS > Jan 10 16:46:56 [9199]
ERROR:tm:update_uac_dst: failed
to fwd
to af
> 2, proto 1 (no corresponding listening socket)
> Jan 10 16:46:56 [9199] ERROR:tm:t_forward_nonack:
failure to
add
> branches
>
>
>
> With comparition to that when the port is set to 5060 the
trace is
:
>
> Jan 10 17:07:59 [9410] DBG:rr:find_next_route: No next
Route
> HF found
> > Jan 10 17:07:59 [9410] DBG:rr:after_loose: No next URI found
flags=8000000
created
------------------------------------------------------------------------
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if
> host==us: 12==12 && [
10.11.57.197
<http://10.11.57.197> <http://10.11.57.197>
<http://10.11.57.197>] ==
> [ 10.11.57.197 <http://10.11.57.197>
<http://10.11.57.197> < http://10.11.57.197>]
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if port
> > 5060 matches port 5060
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if
> host==us: 12==12 &&
[10.11.57.197
< http://10.11.57.197> <http://10.11.57.197>
<http://10.11.57.197>] ==
> [ 10.11.57.197 <http://10.11.57.197> <
http://10.11.57.197> <http://10.11.57.197 >]
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if port
5060
matches port 5060
Jan 10 17:07:59 [9410] DBG:core:parse_headers:
flags=ffffffffffffffff
> Jan 10 17:07:59 [9410] DBG:core:parse_headers: Jan
10 17:07:59 [9410] DBG:core:parse_headers:
flags=ffffffffffffffff
> Jan 10 17:07:59 [9410] DBG:registrar:build_contact: Contact
5061,why did
HF: Contact:
<sip:888@10.11.57.192:5061;transport=TLS>;expires=1000
>
>
>
> And there is no fwd needed then.So the error didnt occur.
>
> Its a little bit strange that when I set the port to openser
check the port 5060?????
Can anyone help me to figure it out?
THX
BR
--
Fengbin
>
> _______________________________________________
> Users mailing list
> Users(a)lists.openser.org <mailto:Users@lists.openser.org>
<mailto:Users@lists.openser.org <mailto: Users(a)lists.openser.org>>
--
Fengbin
11:29 a.m.
New subject: [OpenSER-Users] TLS problem.
you have to load the xlog module
fengbin schrieb:
Dear,Klaus,
There is an error of " <xlog> not found" while I put that phrase
On 1/11/08, *Klaus Darilion* <klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>> wrote:
Hi Fengbin!
Cc'ed to the openser list ...
fengbin schrieb:
forwarding. but
the
next
URI
host !=
me
<http://10.11.57.197/>
flags=8000000
created
> Contact
> > HF: Contact:
> <sip:888@10.11.57.192:5061;transport=TLS>;expires=1000
> >
> >
> >
> > And there is no fwd needed then.So the error didnt occur.
------------------------------------------------------------------------
Hi,Klaus,
How to use NULL cipher? Only setting in Openser is ok? I mean do
I need
to set NULL cipher at client site?
Usually the NULL cipher is not enabled (for security reasons). You have
to enable it on both sides, the server and the client. But if you use
the following approach you do not need it.
And where to put
xlog("L_ERR","message buffer: $mb"); anywhere in
openser.cfg ?
Put it just in the beginning of the route block.
regards
klaus
THX
BR
On 1/11/08, *Klaus Darilion* < klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>
<mailto: klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>>> wrote:
The capture file is not helpful, as it is encrypted. You
could use NULL
cipher to have plaintext inside the TLS
connection to inspect the
incoming SIP message, or add xlog("L_ERR","message buffer:
$mb"); to see
the whole incoming SIP request.
regards
klaus
fengbin schrieb:
klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>
Hi,Klaus
Thank you for your reply.
The enclosed is the config file ,the pcap between client and
server and
> the log on the openser 's console.
> Could you please take a look at them for me?
>
> THX
> BR
>
>
> On 1/10/08, *Klaus Darilion* < <mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at>>
> <mailto:
klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>
<mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at>> >> wrote:
>
> Can you show us the REGISTER request? (both, port 5060
and
port 5061).
>
> Further show use your openser config
>
> regards
> klaus
>
> fengbin schrieb:
> >
> > Hi,all
> > I met a strange problem while I am testing TLS
connection
between
after
v4
> minisip and openser.
> The following is my openser.cfg (part of that)
>
> .........
> fork=no
> log_stderror=yes
>
> # Uncomment this to prevent the blacklisting of
temporary not
> > available destinations
> > #disable_dns_blacklist=yes
> >
> > # # Uncomment this to prevent the IPv6 lookup dns lookup
> > failures
> > #dns_try_ipv6=no
> >
> > # uncomment the following lines for TLS support
> > disable_tls = 0
> > listen = tls: 10.11.57.197:5060
<http://10.11.57.197:5060/>
< http://10.11.57.197:5060
<http://10.11.57.197:5060/>>
<http://10.11.57.197:5060
<http://10.11.57.197:5060/>>
> < http://10.11.57.197:5060
<http://10.11.57.197:5060/>>
> > >
> > >
> > > tls_verify_client = 1
> > > tls_method = TLSv1
> > > tls_certificate =
"/usr/local/etc/openser//tls/user/user-
> cert.pem"
> > tls_private_key =
> "/usr/local/etc/openser//tls/user/user- privkey.pem"
> > tls_ca_list =
"/usr/local/etc/openser//tls/user/user-
calist.pem"
> >
tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
> > ......
> >
> > When I set "tls: 10.11.57.197:5061
<http://10.11.57.197:5061/>
< http://10.11.57.197:5061
<http://10.11.57.197:5061/>>
<http://10.11.57.197:5061
<http://10.11.57.197:5061/>> <
http://10.11.57.197:5061 <http://10.11.57.197:5061/>>" the
> registration never succeed. But if I set it to 5060 the
registration
> over TLS is OK.
> I compared the log of two scenarioes and found the TLS
session
> both are
> > OK,but the difference is that:
> > when the port is 5061 there is an error of >
forwarding is because openser think it's not the
destination of
> > the registration request. See bellow:
> >
> > Jan 10 16:46:56 [9199] DBG:rr:after_loose: No found
<http://10.11.57.197/>
> Jan 10 16:46:56 [9199]
DBG:core:grep_sock_info:
checking if
> > host==us: 12==12 && [ 10.11.57.197 <http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>>
> <http://10.11.57.197
<http://10.11.57.197/> <
http://10.11.57.197
<http://10.11.57.197/>>>] ==
> > [10.11.57.197
<http://10.11.57.197/> <
http://10.11.57.197
<http://10.11.57.197/>>
< http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>>]
>
Jan 10 16:46:56 [9199] DBG:core:grep_sock_info:
checking if port
> > 5061 matches port 5060
> > Jan 10 16:46:56 [9199] DBG:core:check_self: > > Jan 10 16:46:56 [9199]
DBG:core:parse_headers:
> flags=ffffffffffffffff
> > Jan 10 16:46:56 [9199] DBG:tm:t_newtran: T on
> entrance=0xffffffff
> > Jan 10 16:46:56 [9199] DBG:core:parse_headers:
> flags=ffffffffffffffff
> > Jan 10 16:46:56 [9199] DBG:core:parse_headers:
flags=78
> > Jan 10 16:46:56 [9199]
DBG:tm:t_lookup_request:
start
searching:
> > hash=58073, isACK=0
> > Jan 10 16:46:56 [9199] DBG:tm:matching_3261:
RFC3261
transaction
lookup...
> > Jan 10 16:46:56 [9199] ERROR:tm:update_uac_dst:
failed
matching failed
Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: no
transaction found
> Jan 10 16:46:56 [9199] DBG:core:mk_proxy: doing DNS to fwd
5060 the
to af
> 2, proto 1 (no corresponding listening socket)
> Jan 10 16:46:56 [9199] ERROR:tm:t_forward_nonack:
failure to
add
> > branches
> >
> >
> >
> > With comparition to that when the port is set to trace is :
> >
> > Jan 10 17:07:59 [9410] DBG:rr:find_next_route:
No
next
Route
> HF found
> > Jan 10 17:07:59 [9410] DBG:rr:after_loose: No
next
URI
found
<http://10.11.57.197/>
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if
> > host==us: 12==12 && [ 10.11.57.197 <http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>>
> <http://10.11.57.197
<http://10.11.57.197/>>] ==
> > [ 10.11.57.197 <http://10.11.57.197/> <
http://10.11.57.197 <http://10.11.57.197/>>
<http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>>]
>
Jan 10 17:07:59 [9410] DBG:core:grep_sock_info:
checking if port
> > 5060 matches port 5060
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if
> > host==us: 12==12 && [10.11.57.197 < http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>>
> <http://10.11.57.197
<http://10.11.57.197/>>] ==
> > [ 10.11.57.197 <http://10.11.57.197/> <
http://10.11.57.197 <http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>>]
>
Jan 10 17:07:59 [9410] DBG:core:grep_sock_info:
checking if port
5060
matches port 5060
Jan 10 17:07:59 [9410] DBG:core:parse_headers:
flags=ffffffffffffffff
> Jan 10 17:07:59 [9410] DBG:core:parse_headers: Jan
10 17:07:59 [9410] DBG:core:parse_headers:
flags=ffffffffffffffff
> Jan 10 17:07:59 [9410] DBG:registrar:build_contact:
>
> Its a little bit strange that when I set the port to
5061,why did
openser
check the port 5060?????
Can anyone help me to figure it out?
THX
BR
--
Fengbin
> >
> > _______________________________________________
> > Users mailing list
> > Users(a)lists.openser.org
<mailto:Users@lists.openser.org> <mailto:Users@lists.openser.org
<mailto:Users@lists.openser.org>>
<mailto: Users(a)lists.openser.org
<mailto:Users@lists.openser.org> <mailto: Users(a)lists.openser.org
<mailto:Users@lists.openser.org>>>
--
Fengbin
--
Fengbin
11:39 a.m.
New subject: [OpenSER-Users] TLS problem.
Hi,Klaus
The following is the output of openser.....
It seems that minsip send a correct REGISTER.....
Jan 11 17:37:20 [11282] DBG:core:tls_update_fd: New fd is 10
Jan 11 17:37:20 [11282] DBG:core:tls_update_fd: New fd is 10
Jan 11 17:37:20 [11282] DBG:core:_tls_read: 377 bytes read
Jan 11 17:37:20 [11282] DBG:core:tcp_read_req: content-length= 0
Jan 11 17:37:20 [11282] DBG:core:parse_msg: SIP Request:
Jan 11 17:37:20 [11282] DBG:core:parse_msg: method: <REGISTER>
Jan 11 17:37:20 [11282] DBG:core:parse_msg: uri: <sip:10.11.57.197>
Jan 11 17:37:20 [11282] DBG:core:parse_msg: version: <SIP/2.0>
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=2
Jan 11 17:37:20 [11282] DBG:core:parse_to: end of header reached, state=10
Jan 11 17:37:20 [11282] DBG:core:parse_to: display={}, ruri={
sip:888@10.11.57.197}
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: <To> [24]; uri=[
sip:888@10.11.57.197]
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: to body [<
sip:888@10.11.57.197>
]
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: cseq <CSeq>: <901>
<REGISTER>
Jan 11 17:37:20 [11282] DBG:core:parse_via_param: found param type 235,
<rport> = <n/a>; state=6
Jan 11 17:37:20 [11282] DBG:core:parse_via_param: found param type 232,
<branch> = <z9hG4bK26500>; state=16
Jan 11 17:37:20 [11282] DBG:core:parse_via: end of header reached, state=5
Jan 11 17:37:20 [11282] DBG:core:parse_headers: via found, flags=2
Jan 11 17:37:20 [11282] DBG:core:parse_headers: this is the first via
Jan 11 17:37:20 [11282] DBG:core:receive_msg: After parse_msg...
Jan 11 17:37:20 [11282] DBG:core:receive_msg: preparing to run routing
scripts...
message buffer: REGISTER sip:10.11.57.197 SIP/2.0
Route: <sip:10.11.57.197:5061;transport=TLS;lr>
From: <sip:888@10.11.57.197>
To: <sip:888@10.11.57.197>
Call-ID: 6334(a)10.11.57.192
CSeq: 901 REGISTER
Max-Forwards: 70
Contact: <sip:888@10.11.57.192:5061;transport=TLS>;expires=1000
User-Agent: Minisip
Via: SIP/2.0/TLS 10.11.57.192:5061;rport;branch=z9hG4bK26500
Content-Length: 0
Jan 11 17:37:20 [11282] DBG:maxfwd:is_maxfwd_present: value = 70
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=200
Jan 11 17:37:20 [11282] DBG:rr:is_preloaded: is_preloaded: Yes
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if host==us:
12==12 && [10.11.57.197] == [10.11.57.197]
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if port 5061
matches port 5061
Jan 11 17:37:20 [11282] DBG:rr:after_loose: Topmost route URI: 'sip:
10.11.57.197:5061;transport=TLS;lr' is me
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=200
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: content_length=0
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: found end of header
Jan 11 17:37:20 [11282] DBG:rr:find_next_route: No next Route HF found
Jan 11 17:37:20 [11282] DBG:rr:after_loose: No next URI found
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if host==us:
12==12 && [10.11.57.197] == [10.11.57.197]
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if port 5061
matches port 5060
Jan 11 17:37:20 [11282] DBG:core:check_self: host != me
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 17:37:20 [11282] DBG:tm:t_newtran: T on entrance=0xffffffff
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=78
Jan 11 17:37:20 [11282] DBG:tm:t_lookup_request: start searching:
hash=58073, isACK=0
Jan 11 17:37:20 [11282] DBG:tm:matching_3261: RFC3261 transaction matching
failed
Jan 11 17:37:20 [11282] DBG:tm:t_lookup_request: no transaction found
Jan 11 17:37:20 [11282] DBG:core:mk_proxy: doing DNS lookup...
Jan 11 17:37:20 [11282] ERROR:tm:update_uac_dst: failed to fwd to af 2,
proto 1 (no corresponding listening socket)
Jan 11 17:37:20 [11282] ERROR:tm:t_forward_nonack: failure to add branches
Jan 11 17:37:20 [11282] DBG:tm:t_relay_to: t_forward_nonack returned error
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 17:37:20 [11282] DBG:core:check_via_address: params 10.11.57.192,
10.11.57.192, 0
Jan 11 17:37:20 [11282] DBG:core:_shm_resize: resize(0) called
Jan 11 17:37:20 [11282] DBG:tm:cleanup_uac_timers: RETR/FR timers reset
Jan 11 17:37:20 [11282] DBG:tm:insert_timer_unsafe: [2]: 0xb5d06518 (20)
Jan 11 17:37:20 [11282] DBG:core:tcp_send: tcp connection found
(0xb5ce24f8), acquiring fd
Jan 11 17:37:20 [11282] DBG:core:tcp_send: c= 0xb5ce24f8, n=8
Jan 11 17:37:20 [11286] DBG:core:handle_ser_child: read response= b5ce24f8,
1, fd -1 from 2 (11282)
Jan 11 17:37:20 [11282] DBG:core:tcp_send: after receive_fd: c= 0xb5ce24f8
n=4 fd=11
Jan 11 17:37:20 [11282] DBG:core:tcp_send: sending...
Jan 11 17:37:20 [11282] DBG:core:tls_update_fd: New fd is 11
Jan 11 17:37:20 [11282] DBG:core:tls_write: write was successful (325 bytes)
Jan 11 17:37:20 [11282] DBG:core:tcp_send: after write: c= 0xb5ce24f8 n=325
fd=11
Jan 11 17:37:20 [11282] DBG:core:tcp_send: buf=
SIP/2.0 500 Server error occurred (7/TM)
From: <sip:888@10.11.57.197>
To: <sip:888@10.11.57.197>;tag=6de70244a9439b1a95183831634130e2-feb6
Call-ID: 6334(a)10.11.57.192
CSeq: 901 REGISTER
Via: SIP/2.0/TLS 10.11.57.192:5061;rport=1613;branch=z9hG4bK26500
Server: OpenSER (1.3.0-pre1-tls (i386/linux))
Content-Length: 0
On 1/11/08, Klaus Darilion <klaus.mailinglists(a)pernau.at> wrote:
you have to load the xlog module
fengbin schrieb:
and
"/usr/local/etc/openser//tls/user/user-
the
next
URI
host !=
me
no
ERROR:tm:t_forward_nonack:
<http://10.11.57.197/>
DBG:registrar:build_contact:
to
------------------------------------------------------------------------
http://lists.openser.org/cgi-bin/mailman/listinfo/users
--
Fengbin
--
Fengbin
Dear,Klaus,
There is an error of " <xlog> not found" while I put that phrase
On 1/11/08, *Klaus Darilion* <klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>> wrote:
Hi Fengbin!
Cc'ed to the openser list ...
fengbin schrieb:
have
Hi,Klaus,
How to use NULL cipher? Only setting in Openser is ok? I mean do
I need
to set NULL cipher at client site?
Usually the NULL cipher is not enabled (for security reasons). You to enable it on both sides, the server and
the client. But if you
use
the following approach you do not need it.
the
And where to put
xlog("L_ERR","message buffer: $mb"); anywhere in
openser.cfg ?
Put it just in the beginning of the route block.
regards
klaus
THX
BR
On 1/11/08, *Klaus Darilion* < klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>
<mailto: klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>>> wrote:
The capture file is not helpful, as it is encrypted. You
could use NULL
> cipher to have plaintext inside the TLS connection to inspect
incoming SIP message, or add xlog("L_ERR","message buffer:
$mb"); to see
> the whole incoming SIP request.
>
> regards
> klaus
>
> fengbin schrieb:
> > Hi,Klaus
> > Thank you for your reply.
> > The enclosed is the config file ,the pcap between client
server and
> the log on the openser 's console.
> Could you please take a look at them for me?
>
> THX
> BR
>
>
> On 1/10/08, *Klaus Darilion* <
klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>
<mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at>>
> <mailto:
klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>
<mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at>> >> wrote:
>
> Can you show us the REGISTER request? (both, port 5060
and
port 5061).
>
> Further show use your openser config
>
> regards
> klaus
>
> fengbin schrieb:
> >
> > Hi,all
> > I met a strange problem while I am testing TLS
connection
between
after
v4
> minisip and openser.
> The following is my openser.cfg (part of that)
>
> .........
> fork=no
> log_stderror=yes
>
> # Uncomment this to prevent the blacklisting of
temporary not
> > available destinations
> > #disable_dns_blacklist=yes
> >
> > # # Uncomment this to prevent the IPv6 lookup dns lookup
> > failures
> > #dns_try_ipv6=no
> >
> > # uncomment the following lines for TLS support
> > disable_tls = 0
> > listen = tls: 10.11.57.197:5060
<http://10.11.57.197:5060/>
< http://10.11.57.197:5060
<http://10.11.57.197:5060/>>
<http://10.11.57.197:5060
<http://10.11.57.197:5060/>>
<
http://10.11.57.197:5060 <http://10.11.57.197:5060/
> >
> >
> > tls_verify_client = 1
> > tls_method = TLSv1
> > tls_certificate = > cert.pem"
> > tls_private_key =
> "/usr/local/etc/openser//tls/user/user- privkey.pem"
> > tls_ca_list =
"/usr/local/etc/openser//tls/user/user-
calist.pem"
> >
tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
> > ......
> >
> > When I set "tls: 10.11.57.197:5061
<http://10.11.57.197:5061/>
< http://10.11.57.197:5061
<http://10.11.57.197:5061/>>
<http://10.11.57.197:5061
<http://10.11.57.197:5061/>> <
> > http://10.11.57.197:5061
<http://10.11.57.197:5061/>>" > > > registration never
succeed. But if I set it to 5060
the
> registration
> > > over TLS is OK.
> > > I compared the log of two scenarioes and found the
TLS
session
> both are
> > OK,but the difference is that:
> > when the port is 5061 there is an error of
forwarding. but
the
>
forwarding is because openser think it's not the
destination of
> > the registration request. See bellow:
> >
> > Jan 10 16:46:56 [9199] DBG:rr:after_loose: No found
<http://10.11.57.197/>
> Jan 10 16:46:56 [9199]
DBG:core:grep_sock_info:
checking if
> > host==us: 12==12 && [ 10.11.57.197 <http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>>
> <http://10.11.57.197
<http://10.11.57.197/> <
http://10.11.57.197
<http://10.11.57.197/>>>] ==
> > [10.11.57.197
<http://10.11.57.197/> <
http://10.11.57.197
<http://10.11.57.197/>>
< http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>>]
>
Jan 10 16:46:56 [9199] DBG:core:grep_sock_info:
checking if port
> > 5061 matches port 5060
> > Jan 10 16:46:56 [9199] DBG:core:check_self: > > Jan 10 16:46:56 [9199]
DBG:core:parse_headers:
> flags=ffffffffffffffff
> > Jan 10 16:46:56 [9199] DBG:tm:t_newtran: T on
> entrance=0xffffffff
> > Jan 10 16:46:56 [9199] DBG:core:parse_headers:
> flags=ffffffffffffffff
> > Jan 10 16:46:56 [9199] DBG:core:parse_headers:
flags=78
> > Jan 10 16:46:56 [9199]
DBG:tm:t_lookup_request:
start
searching:
> > hash=58073, isACK=0
> > Jan 10 16:46:56 [9199] DBG:tm:matching_3261:
RFC3261
> transaction
> > > matching failed
> > > Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: > > transaction found
> > > Jan 10 16:46:56 [9199] DBG:core:mk_proxy: doing
DNS
lookup...
> > Jan 10 16:46:56 [9199] ERROR:tm:update_uac_dst:
failed
> to fwd
> > to af
> > > 2, proto 1 (no corresponding listening socket)
> > > Jan 10 16:46:56 [9199]
failure to add
> > branches
> >
> >
> >
> > With comparition to that when the port is set to
5060 the
trace is :
> >
> > Jan 10 17:07:59 [9410] DBG:rr:find_next_route:
No
next
Route
> HF found
> > Jan 10 17:07:59 [9410] DBG:rr:after_loose: No
next
URI
found
<http://10.11.57.197/>
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if
> > host==us: 12==12 && [ 10.11.57.197 <http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>>
> <http://10.11.57.197
<http://10.11.57.197/>>] ==
> > [ 10.11.57.197 <http://10.11.57.197/> <
http://10.11.57.197 <http://10.11.57.197/>>
<http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>>]
>
Jan 10 17:07:59 [9410] DBG:core:grep_sock_info:
checking if port
> > 5060 matches port 5060
> Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
checking if
> > host==us: 12==12 && [10.11.57.197 < http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>>
> <http://10.11.57.197
<http://10.11.57.197/>>] ==
> > [ 10.11.57.197 <http://10.11.57.197/> <
http://10.11.57.197 <http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>>]
> > > Jan 10 17:07:59 [9410] DBG:core:grep_sock_info:
> checking if port
> > > 5060 matches port 5060
> > > Jan 10 17:07:59 [9410] DBG:core:parse_headers:
> > flags=ffffffffffffffff
> > > Jan 10 17:07:59 [9410] DBG:core:parse_headers:
> flags=8000000
> > > Jan 10 17:07:59 [9410] DBG:core:parse_headers:
> > flags=ffffffffffffffff
> > > Jan 10 17:07:59 [9410]
created
> Contact
> > HF: Contact:
> <sip:888@10.11.57.192:5061;transport=TLS>;expires=1000
> >
> >
> >
> > And there is no fwd needed then.So the error didnt
occur.
> > >
> > > Its a little bit strange that when I set the port
5061,why did
> openser check the port 5060?????
> Can anyone help me to figure it out?
> THX
> BR
>
>
>
>
>
>
>
>
>
>
>
>
> --
> Fengbin
>
>
>
> >
> > _______________________________________________
> > Users mailing list
> > Users(a)lists.openser.org
<mailto:Users@lists.openser.org> <mailto:Users@lists.openser.org
<mailto:Users@lists.openser.org>>
<mailto: Users(a)lists.openser.org
<mailto:Users@lists.openser.org> <mailto: Users(a)lists.openser.org
<mailto:Users@lists.openser.org>>>
> > >
--
Fengbin
--
Fengbin
12:18 p.m.
New subject: [OpenSER-Users] TLS problem.
Maybe this is caused by only listening to TLS socket, but not UDP/TCP.
Workaround 1: try adding: alias=10.11.57.197 to the config
Workaround 2: try what happens if you listen to other ports to:
listen = udp:10.11.57.197:5060
listen = tcp:10.11.57.197:5060
listen = tls:10.11.57.197:5061
regards
klaus
fengbin schrieb:
Hi,Klaus
The following is the output of openser.....
It seems that minsip send a correct REGISTER.....
Jan 11 17:37:20 [11282] DBG:core:tls_update_fd: New fd is 10
Jan 11 17:37:20 [11282] DBG:core:tls_update_fd: New fd is 10
Jan 11 17:37:20 [11282] DBG:core:_tls_read: 377 bytes read
Jan 11 17:37:20 [11282] DBG:core:tcp_read_req: content-length= 0
Jan 11 17:37:20 [11282] DBG:core:parse_msg: SIP Request:
Jan 11 17:37:20 [11282] DBG:core:parse_msg: method: <REGISTER>
Jan 11 17:37:20 [11282] DBG:core:parse_msg: uri: <sip:
10.11.57.197 <http://10.11.57.197>>
Jan 11 17:37:20 [11282] DBG:core:parse_msg: version: <SIP/2.0>
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=2
Jan 11 17:37:20 [11282] DBG:core:parse_to: end of header reached,
state=10
Jan 11 17:37:20 [11282] DBG:core:parse_to: display={},
ruri={sip:888@10.11.57.197 <mailto:sip:888@10.11.57.197>}
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: <To> [24]; uri=[
sip:888@10.11.57.197 <mailto:sip:888@10.11.57.197>]
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: to body
[<sip:888@10.11.57.197 <mailto:sip:888@10.11.57.197>>
]
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: cseq <CSeq>: <901>
<REGISTER>
Jan 11 17:37:20 [11282] DBG:core:parse_via_param: found param type
235, <rport> = <n/a>; state=6
Jan 11 17:37:20 [11282] DBG:core:parse_via_param: found param type
232, <branch> = <z9hG4bK26500>; state=16
Jan 11 17:37:20 [11282] DBG:core:parse_via: end of header reached,
state=5
Jan 11 17:37:20 [11282] DBG:core:parse_headers: via found, flags=2
Jan 11 17:37:20 [11282] DBG:core:parse_headers: this is the first via
Jan 11 17:37:20 [11282] DBG:core:receive_msg: After parse_msg...
Jan 11 17:37:20 [11282] DBG:core:receive_msg: preparing to run
routing scripts...
message buffer: REGISTER sip:10.11.57.197 <http://10.11.57.197> SIP/2.0
Route: <sip:10.11.57.197:5061
<http://10.11.57.197:5061>;transport=TLS;lr>
From: <sip:888@10.11.57.197 <mailto:sip:888@10.11.57.197>>
To: < sip:888@10.11.57.197 <mailto:sip:888@10.11.57.197>>
Call-ID: 6334(a)10.11.57.192 <mailto:6334@10.11.57.192>
CSeq: 901 REGISTER
Max-Forwards: 70
Contact: <sip:888@10.11.57.192:5061;transport=TLS>;expires=1000
User-Agent: Minisip
Via: SIP/2.0/TLS 10.11.57.192:5061
<http://10.11.57.192:5061>;rport;branch=z9hG4bK26500
Content-Length: 0
Jan 11 17:37:20 [11282] DBG:maxfwd:is_maxfwd_present: value = 70
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=200
Jan 11 17:37:20 [11282] DBG:rr:is_preloaded: is_preloaded: Yes
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if
host==us: 12==12 && [ 10.11.57.197 <http://10.11.57.197>] ==
[10.11.57.197 <http://10.11.57.197>]
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if port
5061 matches port 5061
Jan 11 17:37:20 [11282] DBG:rr:after_loose: Topmost route URI: 'sip:
10.11.57.197:5061 <http://10.11.57.197:5061>;transport=TLS;lr' is me
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=200
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: content_length=0
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: found end of header
Jan 11 17:37:20 [11282] DBG:rr:find_next_route: No next Route HF found
Jan 11 17:37:20 [11282] DBG:rr:after_loose: No next URI found
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if
host==us: 12==12 && [ 10.11.57.197 <http://10.11.57.197>] ==
[10.11.57.197 <http://10.11.57.197>]
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if port
5061 matches port 5060
Jan 11 17:37:20 [11282] DBG:core:check_self: host != me
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 17:37:20 [11282] DBG:tm:t_newtran: T on entrance=0xffffffff
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=78
Jan 11 17:37:20 [11282] DBG:tm:t_lookup_request: start searching:
hash=58073, isACK=0
Jan 11 17:37:20 [11282] DBG:tm:matching_3261: RFC3261 transaction
matching failed
Jan 11 17:37:20 [11282] DBG:tm:t_lookup_request: no transaction found
Jan 11 17:37:20 [11282] DBG:core:mk_proxy: doing DNS lookup...
Jan 11 17:37:20 [11282] ERROR:tm:update_uac_dst: failed to fwd to af
2, proto 1 (no corresponding listening socket)
Jan 11 17:37:20 [11282] ERROR:tm:t_forward_nonack: failure to add
branches
Jan 11 17:37:20 [11282] DBG:tm:t_relay_to: t_forward_nonack returned
error
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 17:37:20 [11282] DBG:core:check_via_address: params
10.11.57.192 <http://10.11.57.192>, 10.11.57.192
<http://10.11.57.192>, 0
Jan 11 17:37:20 [11282] DBG:core:_shm_resize: resize(0) called
Jan 11 17:37:20 [11282] DBG:tm:cleanup_uac_timers: RETR/FR timers reset
Jan 11 17:37:20 [11282] DBG:tm:insert_timer_unsafe: [2]: 0xb5d06518 (20)
Jan 11 17:37:20 [11282] DBG:core:tcp_send: tcp connection found
(0xb5ce24f8), acquiring fd
Jan 11 17:37:20 [11282] DBG:core:tcp_send: c= 0xb5ce24f8, n=8
Jan 11 17:37:20 [11286] DBG:core:handle_ser_child: read response=
b5ce24f8, 1, fd -1 from 2 (11282)
Jan 11 17:37:20 [11282] DBG:core:tcp_send: after receive_fd: c=
0xb5ce24f8 n=4 fd=11
Jan 11 17:37:20 [11282] DBG:core:tcp_send: sending...
Jan 11 17:37:20 [11282] DBG:core:tls_update_fd: New fd is 11
Jan 11 17:37:20 [11282] DBG:core:tls_write: write was successful
(325 bytes)
Jan 11 17:37:20 [11282] DBG:core:tcp_send: after write: c=
0xb5ce24f8 n=325 fd=11
Jan 11 17:37:20 [11282] DBG:core:tcp_send: buf=
SIP/2.0 500 Server error occurred (7/TM)
From: <sip:888@10.11.57.197 <mailto:sip:888@10.11.57.197>>
To: < sip:888@10.11.57.197
<mailto:sip:888@10.11.57.197>>;tag=6de70244a9439b1a95183831634130e2-feb6
Call-ID: 6334(a)10.11.57.192 <mailto:6334@10.11.57.192>
CSeq: 901 REGISTER
Via: SIP/2.0/TLS 10.11.57.192:5061
<http://10.11.57.192:5061>;rport=1613;branch=z9hG4bK26500
Server: OpenSER (1.3.0-pre1-tls (i386/linux))
Content-Length: 0
On 1/11/08, *Klaus Darilion* <klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>> wrote:
you have to load the xlog module
fengbin schrieb:
klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>
inspect
the
client
and
<mailto:klaus.mailinglists@pernau.at>
<mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at>>
>
privkey.pem"
<http://10.11.57.197:5061>
DBG:rr:after_loose:
No
DBG:core:parse_headers:
<http://10.11.57.197/>>]
------------------------------------------------------------------------
--
Fengbin
--
Fengbin
Dear,Klaus,
There is an error of " <xlog> not found" while I put that phrase
On 1/11/08, *Klaus Darilion* <klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>
<mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at>>> wrote:
Hi Fengbin!
Cc'ed to the openser list ...
fengbin schrieb:
> Hi,Klaus,
>
> How to use NULL cipher? Only setting in Openser is ok? I
mean do
I need
reasons). You have
to set NULL cipher at client site?
Usually the NULL cipher is not enabled (for security to enable it on both sides, the server and
the client. But if
you use
the following approach you do not need it.
> And where to put xlog("L_ERR","message buffer: $mb");
anywhere in
openser.cfg ?
Put it just in the beginning of the route block.
regards
klaus
> THX
> BR
>
>
> On 1/11/08, *Klaus Darilion* < <mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at>>
> <mailto:
klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>
<mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at>>>> wrote:
The capture file is not helpful, as it is encrypted. You
could use NULL
> cipher to have plaintext inside the TLS connection to
incoming SIP message, or add xlog("L_ERR","message buffer:
$mb"); to see
> the whole incoming SIP request.
>
> regards
> klaus
>
> fengbin schrieb:
> > Hi,Klaus
> > Thank you for your reply.
> > The enclosed is the config file ,the pcap between
server and
> the log on the openser 's console.
> Could you please take a look at them for me?
>
> THX
> BR
>
>
> On 1/10/08, *Klaus Darilion* <
klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at>
<mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at> >>
> > <mailto:
klaus.mailinglists(a)pernau.at
<mailto:klaus.mailinglists@pernau.at>
<mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at>>
>
<mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at>
<mailto:klaus.mailinglists@pernau.at
<mailto:klaus.mailinglists@pernau.at> >> >> wrote:
> >
> > Can you show us the REGISTER request? (both,
port
5060
and
blacklisting
of
port 5061).
>
> Further show use your openser config
>
> regards
> klaus
>
> fengbin schrieb:
> >
> > Hi,all
> > I met a strange problem while I am testing TLS
connection
> between
> > > minisip and openser.
> > > The following is my openser.cfg (part of that)
> > >
> > > .........
> > > fork=no
> > > log_stderror=yes
> > >
> > > # Uncomment this to prevent the > temporary not
> > > available destinations
> > > #disable_dns_blacklist=yes
> > >
> > > # # Uncomment this to prevent the IPv6
lookup
after v4
> dns lookup
> > > failures
> > > #dns_try_ipv6=no
> > >
> > > # uncomment the following lines for TLS
support
> > > disable_tls =
0
> > > listen = tls: 10.11.57.197:5060
<http://10.11.57.197:5060>
< http://10.11.57.197:5060/>
http://10.11.57.197:5060/>>
< http://10.11.57.197:5060
<http://10.11.57.197:5060/>>
< http://10.11.57.197:5060
<http://10.11.57.197:5060/>>
> > < http://10.11.57.197:5060 < >
>
> >
> > tls_verify_client = 1
> > tls_method = TLSv1
> > tls_certificate =
"/usr/local/etc/openser//tls/user/user-
> > cert.pem"
> > > tls_private_key =
> > "/usr/local/etc/openser//tls/user/user- >
> tls_ca_list =
"/usr/local/etc/openser//tls/user/user-
calist.pem"
> >
tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
> > > ......
> > >
> > > When I set "tls: 10.11.57.197:5061 <http://10.11.57.197:5061/>
<http://10.11.57.197:5061/
<http://10.11.57.197:5061/>>>" the
< http://10.11.57.197:5061
<http://10.11.57.197:5061/>>
<http://10.11.57.197:5061
<http://10.11.57.197:5061/>> <
> > http://10.11.57.197:5061 > > > registration never
succeed. But if I set it
to 5060 the
> registration
> > > over TLS is OK.
> > > I compared the log of two scenarioes and
found
the TLS
session
> both are
> > OK,but the difference is that:
> > when the port is 5061 there is an error of
forwarding. but
the
> > > forwarding is because openser think it's not the
> destination of
> > > the registration request. See bellow:
> > >
> > > Jan 10 16:46:56 [9199] next URI
> found
> > > Jan 10 16:46:56 [9199]
DBG:core:grep_sock_info:
> checking if
> > > host==us: 12==12 && [ 10.11.57.197
<http://10.11.57.197>
<http://10.11.57.197/
<http://10.11.57.197/>>
<http://10.11.57.197/> <
<http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197> <http://10.11.57.197/>>
> <http://10.11.57.197
<http://10.11.57.197/ > <
http://10.11.57.197
<http://10.11.57.197/>>>] ==
> > > [ 10.11.57.197 <http://10.11.57.197> http://10.11.57.197
<http://10.11.57.197/>>
DBG:core:grep_sock_info:
< http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197 <
http://10.11.57.197/>>]
> > > Jan 10 16:46:56 [9199]
checking if port
> > 5061 matches port 5060
> > Jan 10 16:46:56 [9199] DBG:core:check_self:
host !=
me
> > > Jan 10 16:46:56 [9199] > > flags=ffffffffffffffff
> > > Jan 10 16:46:56 [9199] DBG:tm:t_newtran:
T
on
> > entrance=0xffffffff
> > > Jan 10 16:46:56 [9199]
DBG:core:parse_headers:
> > flags=ffffffffffffffff
> > > Jan 10 16:46:56 [9199]
DBG:core:parse_headers:
flags=78
> > > Jan 10 16:46:56 [9199]
DBG:tm:t_lookup_request:
start
DBG:tm:t_lookup_request: no
searching:
> > hash=58073, isACK=0
> > Jan 10 16:46:56 [9199] DBG:tm:matching_3261:
RFC3261
> transaction
> > > matching failed
> > > Jan 10 16:46:56 [9199] > > transaction found
> > > Jan 10 16:46:56 [9199]
DBG:core:mk_proxy:
doing DNS
> lookup...
> > > Jan 10 16:46:56 [9199]
ERROR:tm:update_uac_dst:
failed
> to fwd
> > to af
> > > 2, proto 1 (no corresponding listening
socket)
> > > Jan 10 16:46:56
[9199]
ERROR:tm:t_forward_nonack:
> failure to add
> > > branches
> > >
> > >
> > >
> > > With comparition to that when the port is
set
to
5060 the
> trace is :
> > >
> > > Jan 10 17:07:59 [9410]
DBG:rr:find_next_route:
No next
> Route
> > HF found
> > > Jan 10 17:07:59 [9410]
DBG:rr:after_loose:
No
next URI
> found
> > > Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
> checking if
> > > host==us: 12==12 && [ 10.11.57.197
<http://10.11.57.197>
<http://10.11.57.197/
<http://10.11.57.197/>>
<http://10.11.57.197/> <
<http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197> <http://10.11.57.197/>>
> > <http://10.11.57.197 <http://10.11.57.197/ >>] ==
> > > [ 10.11.57.197 <http://10.11.57.197> http://10.11.57.197
<http://10.11.57.197> <http://10.11.57.197/>>
DBG:core:grep_sock_info:
<http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197/>>]
> > > Jan 10 17:07:59 [9410] > checking if port
> > > 5060 matches port 5060
> > > Jan 10 17:07:59 [9410]
DBG:core:grep_sock_info:
> checking if
> > > host==us: 12==12 && [10.11.57.197
<http://10.11.57.197>
<http://10.11.57.197/>
<http://10.11.57.197/> <
< http://10.11.57.197
<http://10.11.57.197/>> <
http://10.11.57.197 <
http://10.11.57.197/>>
> > <http://10.11.57.197 <http://10.11.57.197/>>] ==
> > > [ 10.11.57.197 <http://10.11.57.197> http://10.11.57.197 <http://10.11.57.197/
<http://10.11.57.197/>>> <
http://10.11.57.197 <http://10.11.57.197/>> <
http://10.11.57.197
<http://10.11.57.197> > > > Jan 10 17:07:59
[9410]
DBG:core:grep_sock_info:
> checking if port
> > > 5060 matches port 5060
> > > Jan 10 17:07:59 [9410]
DBG:core:parse_headers:
> > > flags=ffffffffffffffff
> > > Jan 10 17:07:59
[9410]
DBG:core:parse_headers:
> > flags=8000000
> > > Jan 10 17:07:59
[9410]
DBG:core:parse_headers:
> > > flags=ffffffffffffffff
> > > Jan 10 17:07:59
[9410]
DBG:registrar:build_contact:
> created
> > Contact
> > > HF: Contact:
> >
<sip:888@10.11.57.192:5061;transport=TLS>;expires=1000
> > >
> > >
> > >
> > > And there is no fwd needed then.So the error
didnt
occur.
> > >
> > > Its a little bit strange that when I set the
port to
5061,why did
> openser check the port 5060?????
> Can anyone help me to figure it out?
> THX
> BR
>
>
>
>
>
>
>
>
>
>
>
>
> --
> Fengbin
>
>
>
> > >
> > > _______________________________________________
> > > Users mailing list
> > > Users(a)lists.openser.org
<mailto:Users@lists.openser.org>
<mailto:Users@lists.openser.org
<mailto:Users@lists.openser.org>> <mailto:Users@lists.openser.org
<mailto:Users@lists.openser.org>
<mailto:Users@lists.openser.org
<mailto:Users@lists.openser.org>>>
> <mailto: Users(a)lists.openser.org
<mailto:Users@lists.openser.org>
<mailto: Users(a)lists.openser.org
<mailto:Users@lists.openser.org>> <mailto: Users(a)lists.openser.org
<mailto:Users@lists.openser.org>
<mailto:Users@lists.openser.org
<mailto:Users@lists.openser.org>>>>
> > >
http://lists.openser.org/cgi-bin/mailman/listinfo/users
--
Fengbin
--
Fengbin
14 Jan
14 Jan
5:03 a.m.
New subject: [OpenSER-Users] TLS problem.
Dear Klaus,
Its working when I set alias=10.11.57.197!
Thank you very much.
BR
-fengbin
On 1/11/08, Klaus Darilion <klaus.mailinglists(a)pernau.at> wrote:
Maybe this is caused by only listening to TLS socket, but not UDP/TCP.
Workaround 1: try adding: alias=10.11.57.197 to the config
Workaround 2: try what happens if you listen to other ports to:
listen = udp:10.11.57.197:5060
listen = tcp:10.11.57.197:5060
listen = tls:10.11.57.197:5061
regards
klaus
6187
days inactive
6190
days old
5 comments
2 participants
participants (2)
-
fengbin -
Klaus Darilion