Hi Fengbin!

Cc'ed to the openser list ...

fengbin wrote:
> Hi, Klaus,
>
> How to use NULL cipher? Only setting in Openser is ok? I mean do I need
> to set NULL cipher at client site?

Usually the NULL cipher is not enabled (for security reasons). You have to enable it on both sides, the server and the client. But if you use the following approach you do not need it.

> And where to put xlog("L_ERR","message buffer: $mb"); anywhere in
> openser.cfg ?

Put it just in the beginning of the route block.

regards
klaus

> THX
> BR
>
> On 1/11/08, Klaus Darilion <klaus.mailinglists@pernau.at> wrote:
> > The capture file is not helpful, as it is encrypted. You could use NULL
> > cipher to have plaintext inside the TLS connection to inspect the
> > incoming SIP message, or add xlog("L_ERR","message buffer: $mb"); to see
> > the whole incoming SIP request.
> >
> > regards
> > klaus
> >
> > fengbin wrote:
> > > Hi, Klaus
> > > Thank you for your reply.
> > > The enclosed is the config file, the pcap between client and server and
> > > the log on the openser's console.
> > > Could you please take a look at them for me?
> > >
> > > THX
> > > BR
> > >
> > > On 1/10/08, Klaus Darilion <klaus.mailinglists@pernau.at> wrote:
> > > > Can you show us the REGISTER request? (both, port 5060 and port 5061).
> > > >
> > > > Further show us your openser config
> > > >
> > > > regards
> > > > klaus
> > > >
> > > > fengbin wrote:
> > > > > Hi, all
> > > > > I met a strange problem while I am testing TLS connection between
> > > > > minisip and openser.
> > > > > The following is my openser.cfg (part of that)
> > > > >
> > > > > .........
> > > > > fork=no
> > > > > log_stderror=yes
> > > > >
> > > > > # Uncomment this to prevent the blacklisting of temporary not available destinations
> > > > > #disable_dns_blacklist=yes
> > > > >
> > > > > # # Uncomment this to prevent the IPv6 lookup after v4 dns lookup failures
> > > > > #dns_try_ipv6=no
> > > > >
> > > > > # uncomment the following lines for TLS support
> > > > > disable_tls = 0
> > > > > listen = tls:10.11.57.197:5060
> > > > >
> > > > > tls_verify_client = 1
> > > > > tls_method = TLSv1
> > > > > tls_certificate = "/usr/local/etc/openser//tls/user/user-cert.pem"
> > > > > tls_private_key = "/usr/local/etc/openser//tls/user/user-privkey.pem"
> > > > > tls_ca_list = "/usr/local/etc/openser//tls/user/user-calist.pem"
> > > > > tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
> > > > > ......
> > > > >
> > > > > When I set "tls:10.11.57.197:5061" the registration never succeeds.
> > > > > But if I set it to 5060 the registration over TLS is OK.
> > > > > I compared the log of two scenarios and found the TLS session both are
> > > > > OK, but the difference is that:
> > > > > when the port is 5061 there is an error of forwarding. but the
> > > > > forwarding is because openser thinks it's not the destination of
> > > > > the registration request. See below:
> > > > >
> > > > > Jan 10 16:46:56 [9199] DBG:rr:after_loose: No next URI found
> > > > > Jan 10 16:46:56 [9199] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
> > > > > Jan 10 16:46:56 [9199] DBG:core:grep_sock_info: checking if port 5061 matches port 5060
> > > > > Jan 10 16:46:56 [9199] DBG:core:check_self: host != me
> > > > > Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=ffffffffffffffff
> > > > > Jan 10 16:46:56 [9199] DBG:tm:t_newtran: T on entrance=0xffffffff
> > > > > Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=ffffffffffffffff
> > > > > Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=78
> > > > > Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: start searching: hash=58073, isACK=0
> > > > > Jan 10 16:46:56 [9199] DBG:tm:matching_3261: RFC3261 transaction matching failed
> > > > > Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: no transaction found
> > > > > Jan 10 16:46:56 [9199] DBG:core:mk_proxy: doing DNS lookup...
> > > > > Jan 10 16:46:56 [9199] ERROR:tm:update_uac_dst: failed to fwd to af 2, proto 1 (no corresponding listening socket)
> > > > > Jan 10 16:46:56 [9199] ERROR:tm:t_forward_nonack: failure to add branches
> > > > >
> > > > > With comparison to that when the port is set to 5060 the trace is :
> > > > >
> > > > > Jan 10 17:07:59 [9410] DBG:rr:find_next_route: No next Route HF found
> > > > > Jan 10 17:07:59 [9410] DBG:rr:after_loose: No next URI found
> > > > > Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
> > > > > Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if port 5060 matches port 5060
> > > > > Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
> > > > > Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if port 5060 matches port 5060
> > > > > Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=ffffffffffffffff
> > > > > Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=8000000
> > > > > Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=ffffffffffffffff
> > > > > Jan 10 17:07:59 [9410] DBG:registrar:build_contact: created Contact HF: Contact: <sip:888@10.11.57.192:5061;transport=TLS>;expires=1000
> > > > >
> > > > > And there is no fwd needed then. So the error didn't occur.
> > > > >
> > > > > It's a little bit strange that when I set the port to 5061, why did
> > > > > openser check the port 5060?????
> > > > > Can anyone help me to figure it out?
> > > > > THX
> > > > > BR
> > > > >
> > > > > --
> > > > > Fengbin
> > > > >
> > > > > _______________________________________________
> > > > > Users mailing list
> > > > > Users@lists.openser.org
> > > > > http://lists.openser.org/cgi-bin/mailman/listinfo/users
> > >
> > > --
> > > Fengbin
>
> --
> Fengbin
Dear Klaus,
There is an error of "<xlog> not found" while I put that phrase
-- Fengbin
you have to load the xlog module
fengbin wrote:
> Dear Klaus,
> There is an error of "<xlog> not found" while I put that phrase
Hi, Klaus
The following is the output of openser..... It seems that minisip sends a correct REGISTER.....

Jan 11 17:37:20 [11282] DBG:core:tls_update_fd: New fd is 10
Jan 11 17:37:20 [11282] DBG:core:tls_update_fd: New fd is 10
Jan 11 17:37:20 [11282] DBG:core:_tls_read: 377 bytes read
Jan 11 17:37:20 [11282] DBG:core:tcp_read_req: content-length= 0
Jan 11 17:37:20 [11282] DBG:core:parse_msg: SIP Request:
Jan 11 17:37:20 [11282] DBG:core:parse_msg: method: <REGISTER>
Jan 11 17:37:20 [11282] DBG:core:parse_msg: uri: <sip:10.11.57.197>
Jan 11 17:37:20 [11282] DBG:core:parse_msg: version: <SIP/2.0>
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=2
Jan 11 17:37:20 [11282] DBG:core:parse_to: end of header reached, state=10
Jan 11 17:37:20 [11282] DBG:core:parse_to: display={}, ruri={sip:888@10.11.57.197}
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: <To> [24]; uri=[sip:888@10.11.57.197]
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: to body [<sip:888@10.11.57.197> ]
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: cseq <CSeq>: <901> <REGISTER>
Jan 11 17:37:20 [11282] DBG:core:parse_via_param: found param type 235, <rport> = <n/a>; state=6
Jan 11 17:37:20 [11282] DBG:core:parse_via_param: found param type 232, <branch> = <z9hG4bK26500>; state=16
Jan 11 17:37:20 [11282] DBG:core:parse_via: end of header reached, state=5
Jan 11 17:37:20 [11282] DBG:core:parse_headers: via found, flags=2
Jan 11 17:37:20 [11282] DBG:core:parse_headers: this is the first via
Jan 11 17:37:20 [11282] DBG:core:receive_msg: After parse_msg...
Jan 11 17:37:20 [11282] DBG:core:receive_msg: preparing to run routing scripts...
message buffer: REGISTER sip:10.11.57.197 SIP/2.0
Route: sip:10.11.57.197:5061;transport=TLS;lr
From: sip:888@10.11.57.197
To: sip:888@10.11.57.197
Call-ID: 6334@10.11.57.192
CSeq: 901 REGISTER
Max-Forwards: 70
Contact: sip:888@10.11.57.192:5061;transport=TLS;expires=1000
User-Agent: Minisip
Via: SIP/2.0/TLS 10.11.57.192:5061;rport;branch=z9hG4bK26500
Content-Length: 0

Jan 11 17:37:20 [11282] DBG:maxfwd:is_maxfwd_present: value = 70
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=200
Jan 11 17:37:20 [11282] DBG:rr:is_preloaded: is_preloaded: Yes
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if port 5061 matches port 5061
Jan 11 17:37:20 [11282] DBG:rr:after_loose: Topmost route URI: 'sip:10.11.57.197:5061;transport=TLS;lr' is me
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=200
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: content_length=0
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: found end of header
Jan 11 17:37:20 [11282] DBG:rr:find_next_route: No next Route HF found
Jan 11 17:37:20 [11282] DBG:rr:after_loose: No next URI found
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if port 5061 matches port 5060
Jan 11 17:37:20 [11282] DBG:core:check_self: host != me
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 17:37:20 [11282] DBG:tm:t_newtran: T on entrance=0xffffffff
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=78
Jan 11 17:37:20 [11282] DBG:tm:t_lookup_request: start searching: hash=58073, isACK=0
Jan 11 17:37:20 [11282] DBG:tm:matching_3261: RFC3261 transaction matching failed
Jan 11 17:37:20 [11282] DBG:tm:t_lookup_request: no transaction found
Jan 11 17:37:20 [11282] DBG:core:mk_proxy: doing DNS lookup...
Jan 11 17:37:20 [11282] ERROR:tm:update_uac_dst: failed to fwd to af 2, proto 1 (no corresponding listening socket)
Jan 11 17:37:20 [11282] ERROR:tm:t_forward_nonack: failure to add branches
Jan 11 17:37:20 [11282] DBG:tm:t_relay_to: t_forward_nonack returned error
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 17:37:20 [11282] DBG:core:check_via_address: params 10.11.57.192, 10.11.57.192, 0
Jan 11 17:37:20 [11282] DBG:core:_shm_resize: resize(0) called
Jan 11 17:37:20 [11282] DBG:tm:cleanup_uac_timers: RETR/FR timers reset
Jan 11 17:37:20 [11282] DBG:tm:insert_timer_unsafe: [2]: 0xb5d06518 (20)
Jan 11 17:37:20 [11282] DBG:core:tcp_send: tcp connection found (0xb5ce24f8), acquiring fd
Jan 11 17:37:20 [11282] DBG:core:tcp_send: c= 0xb5ce24f8, n=8
Jan 11 17:37:20 [11286] DBG:core:handle_ser_child: read response= b5ce24f8, 1, fd -1 from 2 (11282)
Jan 11 17:37:20 [11282] DBG:core:tcp_send: after receive_fd: c= 0xb5ce24f8 n=4 fd=11
Jan 11 17:37:20 [11282] DBG:core:tcp_send: sending...
Jan 11 17:37:20 [11282] DBG:core:tls_update_fd: New fd is 11
Jan 11 17:37:20 [11282] DBG:core:tls_write: write was successful (325 bytes)
Jan 11 17:37:20 [11282] DBG:core:tcp_send: after write: c= 0xb5ce24f8 n=325 fd=11
Jan 11 17:37:20 [11282] DBG:core:tcp_send: buf=
SIP/2.0 500 Server error occurred (7/TM)
From: sip:888@10.11.57.197
To: sip:888@10.11.57.197;tag=6de70244a9439b1a95183831634130e2-feb6
Call-ID: 6334@10.11.57.192
CSeq: 901 REGISTER
Via: SIP/2.0/TLS 10.11.57.192:5061;rport=1613;branch=z9hG4bK26500
Server: OpenSER (1.3.0-pre1-tls (i386/linux))
Content-Length: 0
-- Fengbin
Maybe this is caused by only listening to TLS socket, but not UDP/TCP.
Workaround 1: try adding: alias=10.11.57.197 to the config
Workaround 2: try what happens if you listen to other ports too:
listen = udp:10.11.57.197:5060
listen = tcp:10.11.57.197:5060
listen = tls:10.11.57.197:5061
regards klaus
fengbin wrote:
Hi, Klaus
The following is the output of openser.....
It seems that minisip sends a correct REGISTER.....

Jan 11 17:37:20 [11282] DBG:core:tls_update_fd: New fd is 10
Jan 11 17:37:20 [11282] DBG:core:tls_update_fd: New fd is 10
Jan 11 17:37:20 [11282] DBG:core:_tls_read: 377 bytes read
Jan 11 17:37:20 [11282] DBG:core:tcp_read_req: content-length= 0
Jan 11 17:37:20 [11282] DBG:core:parse_msg: SIP Request:
Jan 11 17:37:20 [11282] DBG:core:parse_msg: method: <REGISTER>
Jan 11 17:37:20 [11282] DBG:core:parse_msg: uri: <sip:10.11.57.197>
Jan 11 17:37:20 [11282] DBG:core:parse_msg: version: <SIP/2.0>
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=2
Jan 11 17:37:20 [11282] DBG:core:parse_to: end of header reached, state=10
Jan 11 17:37:20 [11282] DBG:core:parse_to: display={}, ruri={sip:888@10.11.57.197}
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: <To> [24]; uri=[sip:888@10.11.57.197]
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: to body [<sip:888@10.11.57.197> ]
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: cseq <CSeq>: <901> <REGISTER>
Jan 11 17:37:20 [11282] DBG:core:parse_via_param: found param type 235, <rport> = <n/a>; state=6
Jan 11 17:37:20 [11282] DBG:core:parse_via_param: found param type 232, <branch> = <z9hG4bK26500>; state=16
Jan 11 17:37:20 [11282] DBG:core:parse_via: end of header reached, state=5
Jan 11 17:37:20 [11282] DBG:core:parse_headers: via found, flags=2
Jan 11 17:37:20 [11282] DBG:core:parse_headers: this is the first via
Jan 11 17:37:20 [11282] DBG:core:receive_msg: After parse_msg...
Jan 11 17:37:20 [11282] DBG:core:receive_msg: preparing to run routing scripts...
message buffer: REGISTER sip:10.11.57.197 SIP/2.0
Route: <sip:10.11.57.197:5061;transport=TLS;lr>
From: <sip:888@10.11.57.197>
To: <sip:888@10.11.57.197>
Call-ID: 6334@10.11.57.192
CSeq: 901 REGISTER
Max-Forwards: 70
Contact: <sip:888@10.11.57.192:5061;transport=TLS>;expires=1000
User-Agent: Minisip
Via: SIP/2.0/TLS 10.11.57.192:5061;rport;branch=z9hG4bK26500
Content-Length: 0

Jan 11 17:37:20 [11282] DBG:maxfwd:is_maxfwd_present: value = 70
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=200
Jan 11 17:37:20 [11282] DBG:rr:is_preloaded: is_preloaded: Yes
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if port 5061 matches port 5061
Jan 11 17:37:20 [11282] DBG:rr:after_loose: Topmost route URI: 'sip:10.11.57.197:5061;transport=TLS;lr' is me
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=200
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: content_length=0
Jan 11 17:37:20 [11282] DBG:core:get_hdr_field: found end of header
Jan 11 17:37:20 [11282] DBG:rr:find_next_route: No next Route HF found
Jan 11 17:37:20 [11282] DBG:rr:after_loose: No next URI found
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if port 5061 matches port 5060
Jan 11 17:37:20 [11282] DBG:core:check_self: host != me
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 17:37:20 [11282] DBG:tm:t_newtran: T on entrance=0xffffffff
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=78
Jan 11 17:37:20 [11282] DBG:tm:t_lookup_request: start searching: hash=58073, isACK=0
Jan 11 17:37:20 [11282] DBG:tm:matching_3261: RFC3261 transaction matching failed
Jan 11 17:37:20 [11282] DBG:tm:t_lookup_request: no transaction found
Jan 11 17:37:20 [11282] DBG:core:mk_proxy: doing DNS lookup...
Jan 11 17:37:20 [11282] ERROR:tm:update_uac_dst: failed to fwd to af 2, proto 1 (no corresponding listening socket)
Jan 11 17:37:20 [11282] ERROR:tm:t_forward_nonack: failure to add branches
Jan 11 17:37:20 [11282] DBG:tm:t_relay_to: t_forward_nonack returned error
Jan 11 17:37:20 [11282] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 17:37:20 [11282] DBG:core:check_via_address: params 10.11.57.192, 10.11.57.192, 0
Jan 11 17:37:20 [11282] DBG:core:_shm_resize: resize(0) called
Jan 11 17:37:20 [11282] DBG:tm:cleanup_uac_timers: RETR/FR timers reset
Jan 11 17:37:20 [11282] DBG:tm:insert_timer_unsafe: [2]: 0xb5d06518 (20)
Jan 11 17:37:20 [11282] DBG:core:tcp_send: tcp connection found (0xb5ce24f8), acquiring fd
Jan 11 17:37:20 [11282] DBG:core:tcp_send: c= 0xb5ce24f8, n=8
Jan 11 17:37:20 [11286] DBG:core:handle_ser_child: read response= b5ce24f8, 1, fd -1 from 2 (11282)
Jan 11 17:37:20 [11282] DBG:core:tcp_send: after receive_fd: c= 0xb5ce24f8 n=4 fd=11
Jan 11 17:37:20 [11282] DBG:core:tcp_send: sending...
Jan 11 17:37:20 [11282] DBG:core:tls_update_fd: New fd is 11
Jan 11 17:37:20 [11282] DBG:core:tls_write: write was successful (325 bytes)
Jan 11 17:37:20 [11282] DBG:core:tcp_send: after write: c= 0xb5ce24f8 n=325 fd=11
Jan 11 17:37:20 [11282] DBG:core:tcp_send: buf=
SIP/2.0 500 Server error occurred (7/TM)
From: <sip:888@10.11.57.197>
To: <sip:888@10.11.57.197>;tag=6de70244a9439b1a95183831634130e2-feb6
Call-ID: 6334@10.11.57.192
CSeq: 901 REGISTER
Via: SIP/2.0/TLS 10.11.57.192:5061;rport=1613;branch=z9hG4bK26500
Server: OpenSER (1.3.0-pre1-tls (i386/linux))
Content-Length: 0
On 1/11/08, Klaus Darilion <klaus.mailinglists@pernau.at> wrote:
you have to load the xlog module

fengbin wrote:
> Dear Klaus,
>
> There is an error of "<xlog> not found" while I put that phrase
-- Fengbin
Dear Klaus,
It's working when I set alias=10.11.57.197!
Thank you very much.
BR
-fengbin
On 1/11/08, Klaus Darilion klaus.mailinglists@pernau.at wrote:
Maybe this is caused by only listening to TLS socket, but not UDP/TCP.
Workaround 1: try adding: alias=10.11.57.197 to the config
Workaround 2: try what happens if you listen to other ports too:
listen = udp:10.11.57.197:5060
listen = tcp:10.11.57.197:5060
listen = tls:10.11.57.197:5061
regards klaus
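
The failure pattern in the traces above (a grep_sock_info port comparison that does not match, a check_self "host != me" verdict, then a relay attempt that finds no listening socket) can be picked out of an OpenSER debug log mechanically. The script below is an added example, not part of the original messages or of OpenSER; the function name and field names are hypothetical, and reading the first number of the comparison as the listening socket's port and the second as the port assumed for the URI is an inference from the two traces in this thread.

```python
import re

# Lines copied from the 5061 trace in this thread, auto-link debris removed.
SAMPLE_LOG = """\
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if port 5061 matches port 5061
Jan 11 17:37:20 [11282] DBG:rr:after_loose: Topmost route URI: 'sip:10.11.57.197:5061;transport=TLS;lr' is me
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
Jan 11 17:37:20 [11282] DBG:core:grep_sock_info: checking if port 5061 matches port 5060
Jan 11 17:37:20 [11282] DBG:core:check_self: host != me
Jan 11 17:37:20 [11282] ERROR:tm:update_uac_dst: failed to fwd to af 2, proto 1 (no corresponding listening socket)
Jan 11 17:37:20 [11282] ERROR:tm:t_forward_nonack: failure to add branches
"""

# Record layout: "Mon DD HH:MM:SS [pid] LEVEL:module:function: message"
LINE = re.compile(
    r"^\w{3} +\d+ (?P<time>[\d:]{8}) \[(?P<pid>\d+)\] "
    r"\w+:\w+:(?P<fn>\w+): (?P<msg>.*)$"
)
PORTS = re.compile(r"checking if port (\d+) matches port (\d+)")


def find_self_check_failures(log_text):
    """Return one finding per 'host != me' verdict in an OpenSER debug log.

    Each finding carries the port pair from the grep_sock_info comparison
    that preceded the verdict, and whether the relay attempt that followed
    failed because no matching listening socket exists.
    """
    findings = []
    last_ports = {}  # pid -> (socket_port, uri_port); order inferred from the thread
    pending = {}     # pid -> finding still waiting for a possible relay error
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # SIP message dumps and blank lines are not log records
        pid, fn, msg = m["pid"], m["fn"], m["msg"]
        if fn == "grep_sock_info":
            ports = PORTS.search(msg)
            if ports:
                last_ports[pid] = (int(ports[1]), int(ports[2]))
        elif fn == "check_self" and msg == "host != me":
            socket_port, uri_port = last_ports.get(pid, (None, None))
            finding = {"pid": pid, "time": m["time"], "socket_port": socket_port,
                       "uri_port": uri_port, "relay_failed": False}
            findings.append(finding)
            pending[pid] = finding
        elif fn == "update_uac_dst" and "no corresponding listening socket" in msg:
            if pid in pending:
                pending.pop(pid)["relay_failed"] = True
    return findings


if __name__ == "__main__":
    for f in find_self_check_failures(SAMPLE_LOG):
        print(f"{f['time']} pid {f['pid']}: socket port {f['socket_port']} vs "
              f"URI port {f['uri_port']}, relay failed: {f['relay_failed']}")
```

A finding with `relay_failed` set means a request addressed to the server itself was treated as foreign and answered with an error, which is the case both workarounds in the thread address.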