[Users] Allow only TLS connections
Daniel-Constantin Mierla
daniel at voice-system.ro
Thu Apr 13 11:52:54 CEST 2006
Hello,
could you send a network trace (ngrep)? Another case where the request is
forwarded in your script is for messages outside of your domain
(not matching uri==myself).
Cheers,
Daniel
On 04/13/06 12:32, Christoph Fürstaller wrote:
> Hi,
>
> The contact and socket in the location table is only TLS. No entry for UDP.
>
> And I don't have any entries in alias table.
>
> chris...
>
> Daniel-Constantin Mierla wrote:
>
>> Hello,
>>
>> maybe the clients register non-TLS contacts, take a look in the location
>> table. Also, in aliases, you may have some addresses that point to
>> external domains.
>>
>> Cheers,
>> Daniel
>>
>>
>> On 04/13/06 12:05, Christoph Fürstaller wrote:
>>
>> Hi Daniel,
>>
>> Daniel-Constantin Mierla wrote:
>>
>>
>>
>>>>> Hello,
>>>>>
>>>>> On 04/13/06 11:52, Christoph Fürstaller wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I tried that out. I check if proto is TLS:
>>>>> if (proto != TLS) {
>>>>>     sl_send_reply("403", "Forbidden");
>>>>>     exit;
>>>>> };
>>>>>
>>>>> But I get this error:
>>>>> 3(28893) ERROR:tm:add_uac: can't fwd to af 2, proto 1 (no
>>>>> corresponding listening socket)
>>>>> 3(28893) ERROR:tm:t_forward_nonack: failure to add branches
>>>>> 3(28893) ERROR:tm:t_relay_to: t_forward_nonack returned error
>>>>>
>>>>> What does it mean? What am I doing wrong?
>>>>> My SER is only listening on tls port 5061. Do I still have to open udp
>>>>> 5060?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>> it seems that you try to forward on UDP.
>>>>>>
>>>>>>
>> I figured that out too. But I don't know which part forwards something
>> on UDP? I attached my conf. Can you give it a quick look?
>>
>>
>>
>>
>>>>>> You can configure openser to
>>>>>> listen on UDP as well, and drop messages coming on UDP, if you want to
>>>>>> accept only TLS (as you have in the above snippet). If all peers you
>>>>>> connect to support TLS, then you can force sending over TLS all the
>>>>>> time.
>>>>>> Cheers,
>>>>>> Daniel
>>>>>>
>>>>>>
>> chris...
>>
>>
>>
>>>>> Cesc wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>>> http://openser.org/dokuwiki/doku.php?id=openser_core_cookbook&DokuWiki=6c17b007ea61fa37b86b391ce1b2a80f#tcp
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 4/11/06, Thorsten.Haupt at t-systems.com
>>>>>>>> <Thorsten.Haupt at t-systems.com> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>> I searched for this function, but I didn't find it :-(
>>>>>>>>> Does anyone know the correct code, not only pseudo-code?
>>>>>>>>>
>>>>>>>>> Torsten
>>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Cesc [mailto:cesc.santa at gmail.com]
>>>>>>>>> Sent: Tuesday, 11 April 2006 14:03
>>>>>>>>> To: Haupt, Thorsten
>>>>>>>>> Cc: users at openser.org
>>>>>>>>> Subject: Re: [Users] Allow only TLS connections
>>>>>>>>>
>>>>>>>>> I think in openser there is a function to check what transport the
>>>>>>>>> message came in ... you can do something like:
>>>>>>>>> if ( transport != TLS ) {
>>>>>>>>> send error to UA
>>>>>>>>> break;
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>> Cesc
>>>>>>>>>
>>>>>>>>> On 4/11/06, Thorsten.Haupt at t-systems.com
>>>>>>>>> <Thorsten.Haupt at t-systems.com> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I use OpenSER in a testing environment for VoIP security. My clients
>>>>>>>>>> connect via TLS. If I deactivate UDP/5060 on the server, it doesn't
>>>>>>>>>> work correctly.
>>>>>>>>>> Some clients can't connect and others can't establish calls. I read in
>>>>>>>>>> another thread that UDP is mandatory for SIP and that the server
>>>>>>>>>> needs it.
>>>>>>>>>>
>>>>>>>>>> But how can I prevent users from connecting via UDP and force them to
>>>>>>>>>> use TLS? I tried a firewall, blocking UDP and TCP on port 5060. But is
>>>>>>>>>> this the correct way? Are there any parameters server-side to force
>>>>>>>>>> users to connect via TLS?
>>>>>>>>>>
>>>>>>>>>> Thanks for response.
>>>>>>>>>> Torsten
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Users mailing list
>>>>>>>>>> Users at openser.org
>>>>>>>>>> http://openser.org/cgi-bin/mailman/listinfo/users
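The "no corresponding listening socket" error in this thread appears when a destination URI selects a transport the proxy has no socket for. As an added example (not part of the original messages and not OpenSER code), the Python below applies the URI-level transport rule from RFC 3261/3263 to a list of contacts and reports which ones a TLS-only proxy could not reach. The function names and sample URIs are constructed for illustration, and DNS NAPTR/SRV resolution is deliberately ignored.

```python
# Added example: which transport does a SIP URI select, and does the proxy
# have a listening socket for it? Names and sample data are hypothetical.

def uri_transport(uri: str) -> str:
    """Return the transport a SIP/SIPS URI selects without any DNS lookup."""
    uri = uri.strip().strip("<>")
    scheme, sep, rest = uri.partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in ("sip", "sips"):
        raise ValueError(f"not a SIP URI: {uri!r}")
    # Drop userinfo first (the user part may itself contain ';' or '?'),
    # then drop URI headers, leaving hostport plus URI parameters.
    hostpart = rest.rsplit("@", 1)[-1].split("?", 1)[0]
    params = {}
    for item in hostpart.split(";")[1:]:
        name, _, value = item.partition("=")
        params[name.strip().lower()] = value.strip().lower()
    transport = params.get("transport")
    if scheme == "sips" or transport == "tls":
        return "tls"
    if transport:
        return transport
    return "udp"  # a bare sip: URI defaults to UDP


def unreachable(contacts, listening):
    """Return (uri, transport) pairs for which no listening socket exists."""
    return [(u, uri_transport(u)) for u in contacts
            if uri_transport(u) not in listening]


# Constructed sample: contacts as they might appear in a location table,
# plus one request URI outside the local domain.
SAMPLE_CONTACTS = [
    "sip:alice@192.0.2.10:5061;transport=tls",
    "sips:bob@192.0.2.11",
    "sip:carol@192.0.2.12:5060",
    "sip:dave;day=tue@example.net;transport=TCP?subject=x",
    "sip:erin@example.org",
]

if __name__ == "__main__":
    for uri, transport in unreachable(SAMPLE_CONTACTS, {"tls"}):
        print(f"no {transport} socket for {uri}")
```

Running the same check over the contacts actually stored in the location table, and over request URIs for foreign domains, shows which branches would be sent on UDP.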