[Users] Allow only TLS connections

Daniel-Constantin Mierla daniel at voice-system.ro
Thu Apr 13 11:55:53 CEST 2006



On 04/13/06 12:52, Daniel-Constantin Mierla wrote:
> Hello,
>
> could you send a network trace (ngrep)?
Actually, ssldump to sniff TLS connections.

Cheers,
Daniel

> Another case when the request is forwarded in your script, is for the 
> messages outside of your domain (not matching uri==myself).
>
> Cheers,
> Daniel
>
>
> On 04/13/06 12:32, Christoph Fürstaller wrote:
>>
>> Hi,
>>
>> The contact and socket in the location table is only TLS. No entry 
>> for UDP.
>>
>> And I don't have any entries in alias table.
>>
>> chris...
>>
>> Daniel-Constantin Mierla wrote:
>>
>>> Hello,
>>>
>>> maybe the clients register non-TLS contacts, take a look in the 
>>> location
>>> table. Also, in aliases, you may have some addresses that point to
>>> external domains.
>>>
>>> Cheers,
>>> Daniel
>>>
>>>
>>> On 04/13/06 12:05, Christoph Fürstaller wrote:
>>>
>>> Hi Daniel,
>>>
>>> Daniel-Constantin Mierla wrote:
>>>
>>>>>> Hello,
>>>>>>
>>>>>> On 04/13/06 11:52, Christoph Fürstaller wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I tried that out. I check if proto is TLS:
>>>>>> if (proto != TLS) {
>>>>>>     sl_send_reply("403", "Forbidden");
>>>>>>     exit;
>>>>>> };
>>>>>>
>>>>>> But I get this error:
>>>>>>  3(28893) ERROR:tm:add_uac: can't fwd to af 2, proto 1  (no
>>>>>> corresponding listening socket)
>>>>>>  3(28893) ERROR:tm:t_forward_nonack: failure to add branches
>>>>>>  3(28893) ERROR:tm:t_relay_to:  t_forward_nonack returned error
>>>>>>
>>>>>> What does it mean? What I'm doing wrong?
>>>>>> My SER is only listening on tls port 5061. Do I still have to 
>>>>>> open udp
>>>>>> 5060 ?
>>>>>>
>>>>>>> it seems that you try to forward on UDP.
>>> I figured that out too. But I don't know which part forwards something
>>> on UDP. I attached my conf. Can you give it a quick look?
>>>
>>>
>>>>>>> You can configure openser to
>>>>>>> listen on UDP as well, and drop messages coming on UDP, if you 
>>>>>>> want to
>>>>>>> accept only TLS. (as you have in above snippet). If all peers you
>>>>>>> connect to support TLS, then you can force sending over TLS all the
>>>>>>> time.
>>>>>>> Cheers,
>>>>>>> Daniel
>>> chris...
>>>
>>>>>> Cesc wrote:
>>>>>>
>>>>>>>>> http://openser.org/dokuwiki/doku.php?id=openser_core_cookbook&DokuWiki=6c17b007ea61fa37b86b391ce1b2a80f#tcp 
>>>>>>>>>
>>>>>>>>> On 4/11/06, Thorsten.Haupt at t-systems.com
>>>>>>>>> <Thorsten.Haupt at t-systems.com> wrote:
>>>>>>>>>
>>>>>>>>>> I searched for this function, but I didn't find it :-(
>>>>>>>>>> Does anyone know the correct code, not only pseudo-code?
>>>>>>>>>>
>>>>>>>>>> Torsten
>>>>>>>>>>
>>>>>>>>>> -----Original Message-----
>>>>>>>>>> From: Cesc [mailto:cesc.santa at gmail.com]
>>>>>>>>>> Sent: Tuesday, 11 April 2006 14:03
>>>>>>>>>> To: Haupt, Thorsten
>>>>>>>>>> Cc: users at openser.org
>>>>>>>>>> Subject: Re: [Users] Allow only TLS connections
>>>>>>>>>>
>>>>>>>>>> I think in openser there is a function to check what 
>>>>>>>>>> transport the
>>>>>>>>>> message came in ... you can do something like:
>>>>>>>>>> if ( transport != TLS ) {
>>>>>>>>>>          send error to UA
>>>>>>>>>>          break;
>>>>>>>>>> }
>>>>>>>>>>
>>>>>>>>>> Cesc
>>>>>>>>>>
>>>>>>>>>> On 4/11/06, Thorsten.Haupt at t-systems.com
>>>>>>>>>> <Thorsten.Haupt at t-systems.com> wrote:
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> Hello,
>>>>>>>>>>>
>>>>>>>>>>> I use OpenSER in a testing environment for VoIP security. My
>>>>>>>>>>> clients
>>>>>>>>>>> connect via TLS. If I deactivate UDP/5060 on the server, it
>>>>>>>>>>> doesn't
>>>>>>>>>>> work correctly.
>>>>>>>>>>> Some Clients can't connect and others can't establish calls. I
>>>>>>>>>>> read in
>>>>>>>>>>> another thread that UDP is mandatory for SIP and that the
>>>>>>>>>>> server
>>>>>>>>>>> needs it.
>>>>>>>>>>>
>>>>>>>>>>> But how can I prevent users from connecting via UDP and force
>>>>>>>>>>> them to
>>>>>>>>>>> use TLS? I tried a firewall, blocking UDP and TCP on port 5060.
>>>>>>>>>>> But is
>>>>>>>>>>> this the correct way? Are there any parameters server-side 
>>>>>>>>>>> to force
>>>>>>>>>>> users to connect via TLS?
>>>>>>>>>>>
>>>>>>>>>>> Thanks for response.
>>>>>>>>>>> Torsten
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Users mailing list
>>>>>>>>>>> Users at openser.org
>>>>>>>>>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>>>>>>>>>
>>>>>>>>>>>
>>
>
>

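Added diagnostic for the two points Daniel raises above (it is not code from the thread or from OpenSER): it decodes the tm error pasted earlier using SER/OpenSER's internal transport numbering (0 none, 1 UDP, 2 TCP, 3 TLS, 4 SCTP; af 2 is AF_INET, i.e. IPv4), and it flags rows of the usrloc location table whose contact would be reached over something other than TLS. The log sample reuses the three lines from the thread (re-joined where the mail wrapped them); the location rows are constructed.

```python
import re
import socket

# Transport numbering used internally by SER/OpenSER: 0 none, 1 udp, 2 tcp, 3 tls, 4 sctp.
PROTO_NAMES = {0: "none", 1: "udp", 2: "tcp", 3: "tls", 4: "sctp"}
AF_NAMES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

# Error line emitted by tm when no listening socket matches the chosen destination.
ADD_UAC_RE = re.compile(r"ERROR:tm:add_uac: can't fwd to af (\d+), proto (\d+)")

# Sample input: the three error lines quoted in the thread (first one re-joined).
SAMPLE_LOG = """\
 3(28893) ERROR:tm:add_uac: can't fwd to af 2, proto 1  (no corresponding listening socket)
 3(28893) ERROR:tm:t_forward_nonack: failure to add branches
 3(28893) ERROR:tm:t_relay_to:  t_forward_nonack returned error
"""

# Constructed sample rows from the usrloc 'location' table: (contact, socket).
SAMPLE_LOCATION = [
    ("sip:alice@192.0.2.20:5061;transport=tls", "tls:192.0.2.10:5061"),
    ("sip:bob@192.0.2.21:5060", "udp:192.0.2.10:5060"),    # registered over UDP
    ("sip:carol@192.0.2.22:5060;transport=tcp", "tcp:192.0.2.10:5060"),
    ("sip:dave@192.0.2.23:5061", "tls:192.0.2.10:5061"),   # TLS socket, no transport=tls
]

def decode_fwd_errors(log_text):
    """Turn each add_uac error into (address family, transport), so the
    'af 2, proto 1' from the thread reads as ('IPv4', 'udp')."""
    found = []
    for m in ADD_UAC_RE.finditer(log_text):
        af, proto = int(m.group(1)), int(m.group(2))
        found.append((AF_NAMES.get(af, "af=%d" % af), PROTO_NAMES.get(proto, "proto=%d" % proto)))
    return found

def contact_transport(contact):
    """Transport a request to this contact would use: the transport= URI
    parameter if present, otherwise the SIP default, UDP."""
    m = re.search(r";transport=([A-Za-z]+)", contact)
    return m.group(1).lower() if m else "udp"

def non_tls_contacts(records):
    """Contacts that a lookup("location") would forward over something other
    than TLS, either by URI transport or because the stored socket is not tls."""
    return [c for c, sock in records
            if contact_transport(c) != "tls" or not sock.startswith("tls:")]
```

Run `non_tls_contacts` over an export of the location table to see which registrations would trigger the add_uac error once UDP listening is disabled.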