Hello. I'm trying to use TLS with openser. I've made the steps from the tutorial: http://openser.org/docs/tls.html. I have "tls_verify = 1" and "tls_require_certificate = 1". I have a phone without TLS support, but it registers in openser. I think this shouldn't happen. Does anybody have ideas?
Second question: I used netstat to verify if somebody is listening on 5060 and 5061, but if I put ip_openser:5061 in the phone, I have an icmp message with "destination unreachable". What's happening?
Thanks
Hi,
see inline ...
On 1/10/06, David david.castro@adianta.net wrote:
Hello. I'm trying to use TLS with openser. I've made the steps from the tutorial: http://openser.org/docs/tls.html. I have "tls_verify = 1" and "tls_require_certificate = 1". I have a phone without TLS support, but it registers in openser. I think this shouldn't happen. Does anybody have ideas?
a few ;) your phone does support udp (and probably tcp) ... and your ser is mostly sure listening to udp (and almost tcp for sure), as well as tls (if you have configured it properly to do so). So ... the phone uses either of them ... that is why you can register.
Second question: I used netstat to verify if somebody is listening on 5060 and 5061, but if I put ip_openser:5061 in the phone, I have an icmp message with "destination unreachable". What's happening?
probably the phone tries to use udp on port 5061 (to connect to ip_openser) ... but in that ip, openser is not listening on port 5061 ...
Cesc
Thanks for answering. I think you're right. I'm using the snom 320 and other phones without tls. The snom's manual says that it supports tls as a client. I don't know how to ask a tls session to ser, because if I put port=5061 in snom, I don't have an answer, perhaps the petition is udp. Ideas?
Do you know how to forbid non-tls connections?
I guess you have to configure NAPTR and SRV records for your SIP domain (RFC3263). Then, the SNOM should behave according to the preferences in DNS.
regards klaus
David wrote:
Thanks for answering. I think you're right. I'm using the snom 320 and other phones without tls. The snom's manual says that it supports tls as a client. I don't know how to ask a tls session to ser, because if I put port=5061 in snom, I don't have an answer, perhaps the petition is udp. Ideas?
Do you know how to forbid non-tls connections?
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Exactly, NAPTR and SRV is the way to force TLS on the snom.
Snom only can act as a client, so also be careful with SER's 2 minute timeout for all TCP/TLS connections.
Cesc
On 1/10/06, Klaus Darilion klaus.mailinglists@pernau.at wrote:
I guess you have to configure NAPTR and SRV records for your SIP domain (RFC3263). Then, the SNOM should behave according to the preferences in DNS.
regards klaus
David wrote:
Thanks for answering. I think you're right. I'm using the snom 320 and other phones without tls. The snom's manual says that it supports tls as a client. I don't know how to ask a tls session to ser, because if I put port=5061 in snom, I don't have an answer, perhaps the petition is udp. Ideas?
Do you know how to forbid non-tls connections?
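Added example, not part of the thread: a sketch of the RFC 3263 NAPTR/SRV selection the replies refer to, showing how the published records decide which transport a phone ends up using. The domain example.org, the record values and the function name `select_target` are constructed for illustration.

```python
# Constructed sample records for a hypothetical domain example.org.
# NAPTR tuples: (order, preference, flags, service, replacement)
NAPTR_TLS_ONLY = [(10, 50, "s", "SIPS+D2T", "_sips._tcp.example.org.")]
NAPTR_MIXED = NAPTR_TLS_ONLY + [(30, 50, "s", "SIP+D2U", "_sip._udp.example.org.")]

# SRV records keyed by owner name: (priority, weight, port, target)
SRV = {
    "_sips._tcp.example.org.": [(10, 0, 5061, "sip.example.org.")],
    "_sip._udp.example.org.": [(10, 0, 5060, "sip.example.org.")],
}

# RFC 3263 NAPTR service values and the transport each one stands for
SERVICE_TRANSPORT = {"SIP+D2U": "udp", "SIP+D2T": "tcp", "SIPS+D2T": "tls"}


def select_target(naptr, srv, client_transports):
    """Return the (transport, host, port) a client would pick, or None."""
    # RFC 3263 section 4.1: discard services whose transport the client does
    # not support, then follow the domain's ordering (order, then preference).
    usable = sorted(
        rec for rec in naptr
        if SERVICE_TRANSPORT.get(rec[3].upper()) in client_transports
    )
    for _order, _pref, flags, service, replacement in usable:
        if flags.lower() != "s":  # only NAPTR records that point at SRV
            continue
        # Lowest SRV priority first; weight-based balancing is ignored here.
        records = sorted(srv.get(replacement, []))
        if records:
            _prio, _weight, port, target = records[0]
            return SERVICE_TRANSPORT[service.upper()], target.rstrip("."), port
    return None  # no published service matches what the client can speak


if __name__ == "__main__":
    print(select_target(NAPTR_TLS_ONLY, SRV, {"udp", "tcp", "tls"}))
    print(select_target(NAPTR_TLS_ONLY, SRV, {"udp"}))
    print(select_target(NAPTR_MIXED, SRV, {"udp"}))
```

These records only steer clients that perform the lookup for a domain name; a phone configured with a literal IP address and port skips NAPTR and SRV entirely, so the proxy's own listener configuration still decides which transports are accepted.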