Hi all,
We're hitting an issue while integrating secure websockets in our existing SIP infrastructure using Kamailio.
When the registration comes in, it causes an entry in our AOR table, with ";transport=ws" appended. When we want to send a message to this client (using t_relay), Kamailio seems to take 'ws' as being *unsecure* websockets. In turn, this makes Kamailio try to send out the message using a TCP listener - while it should have picked the TLS listener.
There are some remarks in the sources about ws vs. wss, so I'm struggling to figure out where things go wrong. I've also created GitHub issue #3340 with more details.
Any help would be appreciated. If this turns out to be a Kamailio bug, I'm happy to provide a patch.
Hi Nathan,
I use secure websocket and it works without an issue. Can you provide a bit more information? Kamailio version and a bit of your config would help the list to figure out why it's not working for you.
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
Hello,
Indeed Kamailio takes “ws” as normal web socket, and “wss” as secure websockets. Compare e.g. to the pseudo-variables docs.
Maybe your Kamailio should insert the location entries with “;transport=wss”?
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com/
Just curious, in most solutions using web sockets we reuse the existing client socket for outbound SIP messages and Kamailio never opens a web socket connection outbound, as most clients are just clients, not web servers. That’s probably why this was never a problem for anyone.
Is there even code in Kamailio to open an outbound web socket?
/O
Thanks for all the pointers.
@Henning, it seems Kamailio will always use 'transport=ws' because the RFC for SIP URIs does not allow for wss (see: https://github.com/kamailio/kamailio/blob/master/src/core/ip_addr.c#L690)
@Olle We also re-use the existing client sockets, no need for outbound connections.
Actually, my initial problem description wasn't completely correct. Our Kamailio *does* correctly forward the SIP messages to the client, which receives them well. The problem lies in the `Record-Route` header that Kamailio adds. In that header, Kamailio inserts the wrong IP/port combination, as it's using a TCP socket where it should use the TLS socket.
I think the underlying problem is here: https://github.com/kamailio/kamailio/blob/master/src/core/forward.c#L293. This method will receive `proto = PROTO_WS` as described by the transport in the SIP URI, but doesn't know it's really a wss connection.
Hi Nathan,
You are right about the ip_addr code, that it adds only ws for both ws and wss transport.
Cheers,
Henning
On 30.01.23 08:45, Olle E. Johansson wrote:
> Just curious, in most solutions using web sockets we reuse the existing client socket for outbound SIP messages and Kamailio never opens a web socket connection outbound, as most clients are just clients, not web servers. That’s probably why this was never a problem for anyone.
Indeed the websocket URI is useless for opening connections; the connection has to exist and be matched based on peer IP/port, which should be discovered if proper request/reply handling (similar to NAT traversal, with contact alias) is done.
> Is there even code in Kamailio to open an outbound web socket?
Not for SIP traffic, in this case Kamailio can be only a server.
But there is a websocket client module for interacting with external apps, which can be also used by rtpengine module to connect to rtpengine app.
Cheers, Daniel
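The following is an added illustration, not part of any message in this thread and not Kamailio source code: a simplified model of the listener selection problem described above (a contact stored with `;transport=ws` for a client that is really on a TLS listener) next to selection by the existing connection's peer IP/port. All type names, function names, addresses and ports are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model with hypothetical names; not Kamailio source code. */
enum proto { P_UDP, P_TCP, P_TLS, P_WS, P_WSS };
struct listener { enum proto proto; const char *ip; int port; };
struct conn { const char *peer_ip; int peer_port; const struct listener *local; };
/* Constructed sample: TCP and TLS listeners, one wss client on the TLS one. */
static const struct listener listeners[] = { { P_TCP, "192.0.2.10", 8080 }, { P_TLS, "192.0.2.10", 8443 } };
static const struct conn conns[] = { { "198.51.100.7", 50123, &listeners[1] } };

/* Parse ;transport= (lower-case values only); a wss client's contact says "ws". */
enum proto proto_from_uri(const char *uri)
{
    const char *p = strstr(uri, ";transport=");
    if (p == NULL) return P_UDP;
    p += strlen(";transport=");
    size_t n = strcspn(p, ";?>");
    if (n == 3 && strncmp(p, "wss", 3) == 0) return P_WSS;
    if (n == 2 && strncmp(p, "ws", 2) == 0) return P_WS;
    if (n == 3 && strncmp(p, "tls", 3) == 0) return P_TLS;
    if (n == 3 && strncmp(p, "tcp", 3) == 0) return P_TCP;
    return P_UDP;
}

/* Selection from the URI protocol alone: ws maps to TCP, wss to TLS. */
const struct listener *pick_by_proto(enum proto pr)
{
    enum proto want = pr == P_WS ? P_TCP : pr == P_WSS ? P_TLS : pr;
    for (size_t i = 0; i < sizeof listeners / sizeof *listeners; i++)
        if (listeners[i].proto == want) return &listeners[i];
    return NULL;
}

/* Selection from the live connection, matched on peer IP and port. */
const struct listener *pick_by_conn(const char *ip, int port)
{
    for (size_t i = 0; i < sizeof conns / sizeof *conns; i++)
        if (conns[i].peer_port == port && strcmp(conns[i].peer_ip, ip) == 0)
            return conns[i].local;
    return NULL;
}

int main(void)
{
    const struct listener *a = pick_by_proto(proto_from_uri("sip:alice@198.51.100.7:50123;transport=ws"));
    printf("by URI: %d, by connection: %d\n", a->port, pick_by_conn("198.51.100.7", 50123)->port);
    return 0;
}
```

In this model the URI-based choice yields the plain TCP listener's port, which is the address that would end up advertised for a client that is actually connected over TLS.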
I think this may be related. https://github.com/kamailio/kamailio/issues/2850
Try disabling socket reuse.