Kamailio is running on a Fedora 19 box. The client (Jitsi) can only connect over TCP. If connecting over UDP, the clients connect, but cannot send/receive messages. Cannot connect over TLS at all. Ultimately I will need to run with TLS over port 5065 or higher.
Tried using different listen directives and a different port directive, but Kamailio either does not start or only listens on one TCP port.
I've set up two SRV records, one for _sip on port 5065 and another for _sips on port 5066, both pointing to the Fedora box.
In Jitsi I have to specify port # and when I set it to 5065 over TCP it works, but 5066 over TLS never connects.
What am I doing wrong?
Thank you.
On Wed, Feb 12, 2014 at 8:11 PM, info@vintageelectronics.ca wrote:
> Kamailio is running on a Fedora 19 box. The client (Jitsi) can only connect over TCP. If connecting over UDP, the clients connect, but cannot send/receive messages. Cannot connect over TLS at all. Ultimately I will need to run with TLS over port 5065 or higher.
> Tried using different listen directives and a different port directive, but Kamailio either does not start or only listens on one TCP port.
Post your listen directives and we'll take a look. Should be something like this:
listen=tls:192.0.2.1:5061
You'll also need a tls.cfg. Have you defined one?
enable_tls=yes
modparam("tls", "config", "/etc/kamailio/tls.cfg")
Sounds like you may have some crazy firewall issues going on, which might be causing your issues. You might try Sipsak from the local host.
http://developer.berlios.de/projects/sipsak/
Corey
Corey:
listen=tls:127.0.0.1:5066
port=5066
tls.cfg is the same as installed from rpm. I did not change anything in it. Only defined WITH_TLS.
Thanks!
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
On Thu, Feb 13, 2014 at 4:35 PM, info@vintageelectronics.ca wrote:
> Corey:
> listen=tls:127.0.0.1:5066
Make sure in your config that 127.0.0.1 is replaced by your real IP address, or 0.0.0.0, otherwise it will only listen on the local host and won't be open over the network.
> port=5066
This is unnecessary.
> tls.cfg is the same as installed from rpm. I did not change anything in it. Only defined WITH_TLS.
Make sure you have a valid key and certificate file.
Have you tried starting up with debug=4? The debug messages are usually pretty good at pointing toward the problem.
Corey
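Added example, not part of the original thread and not Kamailio project code: a small Python check for the listener pitfalls raised in the replies above (a TLS socket bound to loopback only, a TLS listener without enable_tls or a tls.cfg modparam, an unnecessary port= line). The function name, the finding strings and both config fragments are constructed for illustration.

```python
import ipaddress
import re

# Constructed fragments built from the directives quoted in the thread.
SAMPLE_CFG = """
debug=4
listen=tcp:192.0.2.1:5065
listen=tls:127.0.0.1:5066
port=5066
"""
FIXED_CFG = """
enable_tls=yes
listen=tcp:192.0.2.1:5065
listen=tls:192.0.2.1:5066
loadmodule "tls.so"
modparam("tls", "config", "/etc/kamailio/tls.cfg")
"""

# listen=[proto:]addr[:port]; IPv4 addresses and names only, no [IPv6] forms.
LISTEN_RE = re.compile(
    r'^listen\s*=\s*(?:(udp|tcp|tls|sctp):)?([^:\s]+)(?::(\d+))?\s*$', re.I)

def lint_tls_listeners(cfg_text):
    """Findings for the thread's TLS pitfalls (text scan; #!ifdef not evaluated)."""
    lines = [s for s in (l.strip() for l in cfg_text.splitlines())
             if s and not s.startswith('#')]
    listeners = [m.groups() for m in map(LISTEN_RE.match, lines) if m]
    tls = [(a, p) for proto, a, p in listeners if (proto or '').lower() == 'tls']
    findings = []
    if not tls:
        return ['no listen=tls: socket defined']
    for addr, port in tls:
        try:
            if ipaddress.ip_address(addr).is_loopback:
                findings.append(f'tls listener {addr}:{port} is loopback-only')
        except ValueError:
            pass  # host or interface name: reachability cannot be judged here
    if not any(re.match(r'enable_tls\s*=\s*yes\b', l) for l in lines):
        findings.append('listen=tls: present but enable_tls=yes is missing')
    if not any(re.match(r'modparam\(\s*"tls"\s*,\s*"config"', l) for l in lines):
        findings.append('tls module has no "config" modparam for tls.cfg')
    if all(p for _, _, p in listeners) and any(re.match(r'port\s*=', l) for l in lines):
        findings.append('port= is unnecessary: every listen= carries a port')
    return findings

if __name__ == '__main__':
    for name, cfg in (('sample', SAMPLE_CFG), ('fixed', FIXED_CFG)):
        print(name, lint_tls_listeners(cfg) or 'no findings')
```

A clean result only means the directives are present in the file; whether the listener actually comes up still has to be read from the startup log.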
Testing in the same box for now with the goal to at least get it working within one machine. Do you mean that TLS will not work with the cert/key shipped with kamailio? I am starting with debug=6 and log to stderr and getting neither output to /var/log/messages nor to console.
Thank you
On Fri, Feb 14, 2014 at 7:35 PM, info@vintageelectronics.ca wrote:
> Testing in the same box for now with the goal to at least get it working within one machine. Do you mean that TLS will not work with the cert/key shipped with kamailio?
I've never tried. A default key would not be very secure, but if you have a valid certificate and key it should work.
> I am starting with debug=6 and log to stderr and getting neither output to /var/log/messages nor to console.
You should see a lot of messages from the tls module, such as
INFO: tls [tls_init.c:549]: init_tls_h(): tls: _init_tls_h: compiled with openssl version "OpenSSL 1.0.1e 11 Feb 2013" off, compression: on
If you are not getting these, I would wonder if the TLS module is being loaded at all. Are you getting any startup messages from Kamailio?
Corey
I was going by this tutorial - it said that default certs should suffice: http://kb.asipto.com/kamailio:skype-like-service-in-less-than-one-hour
On 16 Feb 2014, at 03:22, info@vintageelectronics.ca wrote:
> I was going by this tutorial - it said that default certs should suffice: http://kb.asipto.com/kamailio:skype-like-service-in-less-than-one-hour
> On 02/15/2014 07:34 PM, Corey Edwards wrote:
>> On Fri, Feb 14, 2014 at 7:35 PM, info@vintageelectronics.ca wrote:
>>> Testing in the same box for now with the goal to at least get it working within one machine. Do you mean that TLS will not work with the cert/key shipped with kamailio?
>> I've never tried. A default key would not be very secure, but if you have a valid certificate and key it should work.
The default certificates are self-signed. A client may not recognize these as trustworthy; policy may claim that only certificates signed by a well-known CA that the client has root certificates for are trusted, so the TLS connection will not be completed.
If the client sets up a TLS connection anyway, that's fine. There will be encryption, but no authentication. The client should not show any lock in this case or in any way indicate a "secure" connection to the server. The connection should not be trusted for exchange of media encryption keys or any other confidential data.
/O
--
* Olle E. Johansson - oej@edvina.net
* Kamailio & SIP Masterclass Miami FL, Oxford UK and Malaga, Spain this spring!
* http://edvina.net/training/
That's fine as long as it is possible to connect via TLS and exchange voice/text. The linked tutorial, as I understand, was written by a Kamailio developer and it should be trustworthy. Is there anything else that I could miss? It sounded so easy in that tutorial, but in practice nothing but TCP works.