12 Feb
2014
12 Feb
'14
10:11 p.m.
Kamailio running in Fedora 19 box. The client (Jitsi) can only connect
over TCP.
If connecting over UDP, the clients connect, but cannot send/receive
messages.
Cannot connect over TLS at all. Ultimately I will need to run with TLS
over 5065 port or higher.
Tried using different listen directives, different port directive, but
kamailio either does not start, or only listening on one TCP port.
I've set up two SRV records, one for _sip on port 5065 and another for
_sips on port 5066. Both pointing to the Fedora box.
In Jitsi I have to specify port # and when I set it to 5065 over TCP it
works, but 5066 over TLS never connects.
What am I doing wrong?
Thank you.
13 Feb
13 Feb
10:24 a.m.
On Wed, Feb 12, 2014 at 8:11 PM, <info(a)vintageelectronics.ca> wrote:
Kamailio running in Fedora 19 box. The client (Jitsi)
can only connect
over TCP.
If connecting over UDP, the clients connect, but cannot send/receive
messages.
Cannot connect over TLS at all. Ultimately I will need to run with TLS
over 5065 port or higher.
Tried using different listen directives, different port directive, but
kamailio either does not start, or only listening on one TCP port.
Post your listen directives and we'll take a look. Should be something like
this:
listen=tls:192.0.2.1:5061
You'll also need a tls.cfg. Have you defined one?
enable_tls=yes
modparam("tls", "config", "/etc/kamailio/tls.cfg")
Sounds like you may have some crazy firewall issues going on, which might be
causing your issues. You might try Sipsak from the local host.
http://developer.berlios.de/projects/sipsak/
Corey
6:35 p.m.
Corey:
listen=tls:127.0.0.1:5066
port=5066
tls.cfg is the same as installed from rpm. I did not change anything in
it. Only defined WITH_TLS.
Thanks!
On 02/13/2014 10:24 AM, Corey Edwards wrote:
On Wed, Feb 12, 2014 at 8:11 PM,
<info(a)vintageelectronics.ca
<mailto:info@vintageelectronics.ca>> wrote:
Kamailio running in Fedora 19 box. The client (Jitsi) can only
connect over TCP.
If connecting over UDP, the clients connect, but cannot
send/receive messages.
Cannot connect over TLS at all. Ultimately I will need to run with
TLS over 5065 port or higher.
Tried using different listen directives, different port directive,
but kamailio either does not start, or only listening on one TCP port.
Post your listen directives and we'll take a look. Should be something
like this:
listen=tls:192.0.2.1:5061 <http://192.0.2.1:5061>
You'll also need a tls.cfg. Have you defined one?
enable_tls=yes
modparam("tls", "config", "/etc/kamailio/tls.cfg")
Sounds like you may have some crazy firewall issues going on, which
might be
causing your issues. You might try Sipsak from the local host.
http://developer.berlios.de/projects/sipsak/
Corey
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
14 Feb
14 Feb
10:21 a.m.
On Thu, Feb 13, 2014 at 4:35 PM, <info(a)vintageelectronics.ca> wrote:
Corey:
listen=tls:127.0.0.1:5066
Make sure in your config that 127.0.0.1 is replaced by your real IP address,
or 0.0.0.0, otherwise it will only listen on the local host and won't be
open over the network.
port=5066
This is unnecessary.
tls.cfg is the same as installed from rpm. I did not
change anything in
it. Only defined WITH_TLS.
Make sure you have a valid key and certificate file.
Have you tried starting up with debug=4? The debug messages are usually
pretty good at pointing toward the problem.
Corey
9:35 p.m.
Testing in the same box for now with the goal to at least get it working
within one machine.
Do you mean that TLS will not work with the cert/key shipped with kamailio?
I am starting with debug=6 and log to stderr and getting neither output
to /var/log/messages nor to console.
Thank you
On 02/14/2014 10:21 AM, Corey Edwards wrote:
On Thu, Feb 13, 2014 at 4:35 PM,
<info(a)vintageelectronics.ca
<mailto:info@vintageelectronics.ca>> wrote:
Corey:
listen=tls:127.0.0.1:5066 <http://127.0.0.1:5066>
Make sure in your config that 127.0.0.1 is replaced by your real IP
address,
or 0.0.0.0, otherwise it will only listen on the local host and won't be
open over the network.
port=5066
This is unnecessary.
tls.cfg is the same as installed from rpm. I did not change
anything in it. Only defined WITH_TLS.
Make sure you have a valid key and certificate file.
Have you tried starting up with debug=4? The debug messages are usually
pretty good at pointing toward the problem.
Corey
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
15 Feb
15 Feb
7:34 p.m.
On Fri, Feb 14, 2014 at 7:35 PM, <info(a)vintageelectronics.ca> wrote:
Testing in the same box for now with the goal to at
least get it working
within one machine.
Do you mean that TLS will not work with the cert/key shipped with kamailio?
I've never tried. A default key would not be very secure, but if you have a
valid certificate and key it should work.
I am starting with debug=6 and log to stderr and
getting neither output to
/var/log/messages nor to console.
You should see a lot of messages from the tls module, such as
INFO: tls [tls_init.c:549]: init_tls_h(): tls: _init_tls_h: compiled
with openssl version "OpenSSL 1.0.1e 11 Feb 2013" off, compression: on
If you are not getting these, I would wonder if the TLS module is being
loaded at all. Are you getting any startup messages from Kamailio?
Corey
9:22 p.m.
I was going by this tutorial - it said that default certs should
suffice:
http://kb.asipto.com/kamailio:skype-like-service-in-less-than-one-hour
On 02/15/2014 07:34 PM, Corey Edwards wrote:
On Fri, Feb 14, 2014 at 7:35 PM, <info(a)vintageelectronics.ca
<mailto:info@vintageelectronics.ca>> wrote:
Testing in the same box for now with the goal to at least get it
working within one machine.
Do you mean that TLS will not work with the cert/key shipped with
kamailio?
I've never tried. A default key would not be very secure, but if you
have a valid certificate and key it should work.
I am starting with debug=6 and log to stderr and getting neither
output to /var/log/messages nor to console.
You should see a lot of messages from the tls module, such as
INFO: tls [tls_init.c:549]: init_tls_h(): tls: _init_tls_h: compiled
with openssl version "OpenSSL 1.0.1e 11 Feb 2013" off, compression: on
If you are not getting these, I would wonder if the TLS module is
being loaded at all. Are you getting any startup messages from Kamailio?
Corey
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
16 Feb
16 Feb
3:03 a.m.
On 16 Feb 2014, at 03:22, info(a)vintageelectronics.ca wrote:
I was going by this tutorial - it said that default
certs should suffice:
http://kb.asipto.com/kamailio:skype-like-service-in-less-than-one-hour
On 02/15/2014 07:34 PM, Corey Edwards wrote:
>
> On Fri, Feb 14, 2014 at 7:35 PM, <info(a)vintageelectronics.ca> wrote:
> Testing in the same box for now with the goal to at least get it working within one
machine.
> Do you mean that TLS will not work with the cert/key shipped with kamailio?
>
> I've never tried. A default key would not be very secure, but if you have a valid
certificate and key it should work.
>
The default certificates are self-signed. A client may not recognize these as trustworthy,
policy may claim that only certificates signed by a well-known CA that the client has root
certificates for is trusted, so the TLS connection will not be completed.
If the client sets up a TLS connection anyway, that's fine. There will be encryption,
but no authentication. The client should not show any lock in this case or in any way
indicate a "secure" connection to the server. The connection should not be
trusted for exchange of media encryption keys or any other confidential data.
/O
--
* Olle E. Johansson - oej(a)edvina.net
* Kamailio & SIP Masterclass Miami FL, Oxford UK and Malaga, Spain this spring!
* http://edvina.net/training/
28 Feb
28 Feb
7:07 p.m.
That's fine as long as it is possible to connect via TLS and exchange
voice/text.
The linked tutorial, as I understand, was written by Kamailio developer
and it should be trustworthy.
Is there anything else that I could miss? It sounded so easy in that
tutorial, but on practice nothing but TCP works.
On 02/16/2014 03:03 AM, Olle E. Johansson wrote:
On 16 Feb 2014, at 03:22, info(a)vintageelectronics.ca
<mailto:info@vintageelectronics.ca> wrote:
I was going by this tutorial - it said that
default certs should
suffice:
http://kb.asipto.com/kamailio:skype-like-service-in-less-than-one-hour
On 02/15/2014 07:34 PM, Corey Edwards wrote:
>
> On Fri, Feb 14, 2014 at 7:35 PM, <info(a)vintageelectronics.ca
> <mailto:info@vintageelectronics.ca>> wrote:
>
> Testing in the same box for now with the goal to at least get it
> working within one machine.
> Do you mean that TLS will not work with the cert/key shipped
> with kamailio?
>
>
> I've never tried. A default key would not be very secure, but if you
> have a valid certificate and key it should work.
The default certificates are self-signed. A client may not recognize
these as trustworthy, policy may claim that only certificates signed
by a well-known CA that the client has root certificates for is
trusted, so the TLS connection will not be completed.
If the client sets up a TLS connection anyway, that's fine. There will
be encryption, but no authentication. The client should not show any
lock in this case or in any way indicate a "secure" connection to the
server. The connection should not be trusted for exchange of media
encryption keys or any other confidential data.
/O
--
* Olle E. Johansson - oej(a)edvina.net <mailto:oej@edvina.net>
* Kamailio & SIP Masterclass Miami FL, Oxford UK and Malaga, Spain
this spring!
* http://edvina.net/training/
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
3953
days inactive
3969
days old
8 comments
3 participants
participants (3)
-
Corey Edwards -
info@vintageelectronics.ca -
Olle E. Johansson