[Users] Allow only TLS connections

Christoph Fürstaller christoph.fuerstaller at kurtkrenn.com
Thu Apr 13 11:32:43 CEST 2006



Hi,

The contact and socket in the location table are only TLS. No entry for UDP.

And I don't have any entries in the alias table.

chris...

Daniel-Constantin Mierla wrote:
> Hello,
> 
> maybe the clients register non-TLS contacts, take a look in the location
> table. Also, in aliases, you may have some addresses that point to
> external domains.
> 
> Cheers,
> Daniel
> 
> 
> On 04/13/06 12:05, Christoph Fürstaller wrote:
> 
> Hi Daniel,
> 
> Daniel-Constantin Mierla wrote:
>  
> 
>>>> Hello,
>>>>
>>>> On 04/13/06 11:52, Christoph Fürstaller wrote:
>>>>
>>>> Hi,
>>>>
>>>> I tried that out. I check if proto is TLS:
>>>> if (proto != TLS) {
>>>>     sl_send_reply("403", "Forbidden");
>>>>     exit;
>>>> };
>>>>
>>>> But I get this error:
>>>>  3(28893) ERROR:tm:add_uac: can't fwd to af 2, proto 1  (no
>>>> corresponding listening socket)
>>>>  3(28893) ERROR:tm:t_forward_nonack: failure to add branches
>>>>  3(28893) ERROR:tm:t_relay_to:  t_forward_nonack returned error
>>>>
>>>> What does it mean? What am I doing wrong?
>>>> My SER is only listening on TLS port 5061. Do I still have to open UDP
>>>> 5060?
>>>>  
>>>>    
>>>>
>>>>> it seems that you try to forward on UDP.
>>>>>       
> 
> I figured that out too. But I don't know which part forwards something
> on UDP? I attached my conf. Can you give it a quick look?
> 
>  
> 
>>>>> You can configure openser to
>>>>> listen on UDP as well, and drop messages coming on UDP, if you want to
>>>>> accept only TLS. (as you have in above snippet). If all peers you
>>>>> connect to support TLS, then you can force sending over TLS all the
>>>>> time.
>>>>>       Cheers,
>>>>> Daniel
>>>>>       
> 
> 
> chris...
>  
> 
>>>> Cesc wrote:
>>>>  
>>>>
>>>>    
>>>>
>>>>>>> http://openser.org/dokuwiki/doku.php?id=openser_core_cookbook&DokuWiki=6c17b007ea61fa37b86b391ce1b2a80f#tcp
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 4/11/06, Thorsten.Haupt at t-systems.com
>>>>>>> <Thorsten.Haupt at t-systems.com> wrote:
>>>>>>>
>>>>>>>   
>>>>>>>          
>>>>>>>
>>>>>>>> I searched for this function, but I didn't find it :-(
>>>>>>>> Does anyone know the correct code, not only pseudo-code?
>>>>>>>>
>>>>>>>> Torsten
>>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: Cesc [mailto:cesc.santa at gmail.com]
>>>>>>>> Sent: Tuesday, 11 April 2006 14:03
>>>>>>>> To: Haupt, Thorsten
>>>>>>>> Cc: users at openser.org
>>>>>>>> Subject: Re: [Users] Allow only TLS connections
>>>>>>>>
>>>>>>>> I think in openser there is a function to check what transport the
>>>>>>>> message came in ... you can do something like:
>>>>>>>> if ( transport != TLS ) {
>>>>>>>>          send error to UA
>>>>>>>>          break;
>>>>>>>> }
>>>>>>>>
>>>>>>>> Cesc
>>>>>>>>
>>>>>>>> On 4/11/06, Thorsten.Haupt at t-systems.com
>>>>>>>> <Thorsten.Haupt at t-systems.com> wrote:
>>>>>>>>
>>>>>>>>     
>>>>>>>>            
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I use OpenSER in a testing environment for VoIP security. My clients
>>>>>>>>> connect via TLS. If I deactivate UDP/5060 on the server, it doesn't
>>>>>>>>> work correctly.
>>>>>>>>> Some clients can't connect and others can't establish calls. I read in
>>>>>>>>> another thread that UDP is mandatory for SIP and that the server
>>>>>>>>> needs it.
>>>>>>>>>
>>>>>>>>> But how can I prevent users from connecting via UDP and force them to
>>>>>>>>> use TLS? I tried a firewall, blocking UDP and TCP on port 5060. But is
>>>>>>>>> this the correct way? Are there any parameters server-side to force
>>>>>>>>> users to connect via TLS?
>>>>>>>>>
>>>>>>>>> Thanks for response.
>>>>>>>>> Torsten
>>>>>>>>> _______________________________________________
>>>>>>>>> Users mailing list
>>>>>>>>> Users at openser.org
>>>>>>>>> http://openser.org/cgi-bin/mailman/listinfo/users
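
The check suggested in the thread (looking for non-TLS contacts in the location and aliases tables), as an added example that is not part of the original messages. It applies the RFC 3261 rule that a `sip:` URI without a `transport` parameter defaults to UDP; the rows, addresses and function names are constructed for illustration.

```python
# Added example: flag stored targets that a TLS-only proxy would try to reach
# over another transport. All rows below are constructed sample data.

def next_hop_transport(uri):
    """Transport implied by a SIP URI, ignoring DNS NAPTR/SRV lookups."""
    uri = uri.strip().strip("<>")
    scheme, sep, rest = uri.partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in ("sip", "sips"):
        raise ValueError("not a SIP URI: %r" % uri)
    # Drop userinfo first (the user part may legally contain ';' or '?'),
    # then drop URI headers, leaving host[:port] and the URI parameters.
    hostpart = rest.rpartition("@")[2].split("?", 1)[0]
    params = {}
    for item in hostpart.split(";")[1:]:
        key, _, value = item.partition("=")
        params[key.lower()] = value.lower()
    if scheme == "sips":
        return "tls"                       # sips requires TLS to the next hop
    return params.get("transport", "udp")  # RFC 3261 default for sip: is UDP


def non_tls_targets(rows):
    """Return (aor, uri, transport) for every row not routed over TLS."""
    flagged = []
    for aor, uri in rows:
        transport = next_hop_transport(uri)
        if transport != "tls":
            flagged.append((aor, uri, transport))
    return flagged


# Constructed rows standing in for location/aliases table content.
SAMPLE_ROWS = [
    ("alice@example.org", "sip:alice@192.0.2.10:5061;transport=tls"),
    ("bob@example.org",   "sip:bob@192.0.2.11:5060"),
    ("carol@example.org", "sips:carol@192.0.2.12"),
    ("dave@example.org",  "<sip:dave@192.0.2.13;transport=TCP>"),
    ("sales@example.org", "sip:sales@gw.example.net"),
]

if __name__ == "__main__":
    for aor, uri, transport in non_tls_targets(SAMPLE_ROWS):
        print("%-20s %-40s -> %s" % (aor, uri, transport))
```

The same default applies to a Request-URI that is relayed unchanged, so a target with no `transport` parameter can trigger a UDP forward attempt even when every registered contact is TLS.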



