[Users] Allow only TLS connections

Christoph Fürstaller christoph.fuerstaller at kurtkrenn.com
Thu Apr 13 12:04:30 CEST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Here is the ssl-dump. ngrep doesn't show anything useful. Connection
between the server and the telephone is only on port 5061 and via tls.
There are no udp connections.
have you found anything in the config what would explain why udp is
required?

chris...

Daniel-Constantin Mierla wrote:
> 
> 
> On 04/13/06 12:52, Daniel-Constantin Mierla wrote:
> 
>> Hello,
>>
>> could you send a network trace (ngrep)?
> 
> actually, ssldump to sniff tls connections.
> 
> Cheers,
> Daniel
> 
>> Another case when the request is forwarded in your script, is for the
>> messages outside of your domain (not matching uri==myself).
>>
>> Cheers,
>> Daniel
>>
>>
>> On 04/13/06 12:32, Christoph Fürstaller wrote:
>>
> Hi,
> 
> The contact and socket in the location table is only TLS. No entry
> for UDP.
> 
> And I don't have any entries in alias table.
> 
> chris...
> 
> Daniel-Constantin Mierla wrote:
>  
> 
>>>>> Hello,
>>>>>
>>>>> maybe the clients register non-TLS contacts, take a look in the
>>>>> location
>>>>> table. Also, in aliases, you may have some addresses that point to
>>>>> external domains.
>>>>>
>>>>> Cheers,
>>>>> Daniel
>>>>>
>>>>>
>>>>> On 04/13/06 12:05, Christoph Fürstaller wrote:
>>>>>
>>>>> Hi Daniel,
>>>>>
>>>>> Daniel-Constantin Mierla wrote:
>>>>>  
>>>>>
>>>>>   
>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> On 04/13/06 11:52, Christoph Fürstaller wrote:
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I tried that out. I check if proto is TLS:
>>>>>>>> if (proto != TLS) {
>>>>>>>>     sl_send_reply("403", "Forbidden");
>>>>>>>>     exit;
>>>>>>>> };
>>>>>>>>
>>>>>>>> But I get this error:
>>>>>>>>  3(28893) ERROR:tm:add_uac: can't fwd to af 2, proto 1  (no
>>>>>>>> corresponding listening socket)
>>>>>>>>  3(28893) ERROR:tm:t_forward_nonack: failure to add branches
>>>>>>>>  3(28893) ERROR:tm:t_relay_to:  t_forward_nonack returned error
>>>>>>>>
>>>>>>>> What does it mean? What I'm doing wrong?
>>>>>>>> My SER is only listening on tls port 5061. Do I still have to
>>>>>>>> open udp
>>>>>>>> 5060 ?
>>>>>>>>  
>>>>>>>>           
>>>>>>>>
>>>>>>>>> it seems that you try to forward on UDP.
>>>>>>>>>                   
>>>>>
>>>>> I figured that out too. But I don't know which part forwardes something
>>>>> on UDP? I attached my conf. Can you give it a quick look?
>>>>>
>>>>>  
>>>>>
>>>>>   
>>>>>
>>>>>>>>> You can configure openser to
>>>>>>>>> listen on UDP as well, and drop messages coming on UDP, if you
>>>>>>>>> want to
>>>>>>>>> accept only TLS. (as you have in above snippet). If all peers you
>>>>>>>>> connect to support TLS, then you can forse sending over TLS all the
>>>>>>>>> time.
>>>>>>>>>       Cheers,
>>>>>>>>> Daniel
>>>>>>>>>                   
>>>>>
>>>>> chris...
>>>>>  
>>>>>
>>>>>   
>>>>>
>>>>>>>> Cesc wrote:
>>>>>>>>  
>>>>>>>>
>>>>>>>>           
>>>>>>>>
>>>>>>>>>>> http://openser.org/dokuwiki/doku.php?id=openser_core_cookbook&DokuWiki=6c17b007ea61fa37b86b391ce1b2a80f#tcp
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 4/11/06, Thorsten.Haupt at t-systems.com
>>>>>>>>>>> <Thorsten.Haupt at t-systems.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>                         
>>>>>>>>>>>
>>>>>>>>>>>> I searched for this function, but I didn't found it :-(
>>>>>>>>>>>> Knows anyone the correct code, not only pseudo-code?
>>>>>>>>>>>>
>>>>>>>>>>>> Torsten
>>>>>>>>>>>>
>>>>>>>>>>>> -----Ursprüngliche Nachricht-----
>>>>>>>>>>>> Von: Cesc [mailto:cesc.santa at gmail.com]
>>>>>>>>>>>> Gesendet: Dienstag, 11. April 2006 14:03
>>>>>>>>>>>> An: Haupt, Thorsten
>>>>>>>>>>>> Cc: users at openser.org
>>>>>>>>>>>> Betreff: Re: [Users] Allow only TLS connections
>>>>>>>>>>>>
>>>>>>>>>>>> I think in openser there is a function to check what
>>>>>>>>>>>> transport the
>>>>>>>>>>>> message came in ... you can do something like:
>>>>>>>>>>>> if ( transport != TLS ) {
>>>>>>>>>>>>          send error to UA
>>>>>>>>>>>>          break;
>>>>>>>>>>>> }
>>>>>>>>>>>>
>>>>>>>>>>>> Cesc
>>>>>>>>>>>>
>>>>>>>>>>>> On 4/11/06, Thorsten.Haupt at t-systems.com
>>>>>>>>>>>> <Thorsten.Haupt at t-systems.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>                               
>>>>>>>>>>>>
>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I use OpenSER in a testing environment for VoIP security. My
>>>>>>>>>>>>> clients
>>>>>>>>>>>>> connect via TLS. If I deactivate UDP/5060 on the server, it
>>>>>>>>>>>>> doesn't
>>>>>>>>>>>>> work correct.
>>>>>>>>>>>>> Some Clients can't connect and others can't establish calls. I
>>>>>>>>>>>>> read in
>>>>>>>>>>>>> another thread, that UDP is mandatory for SIP and that the
>>>>>>>>>>>>> server
>>>>>>>>>>>>> need it.
>>>>>>>>>>>>>
>>>>>>>>>>>>> But how can I prevent users from connecting via UDP and force
>>>>>>>>>>>>> them to
>>>>>>>>>>>>> use TLS? I tried a firewall, blocking UDP and TCP on port 5060.
>>>>>>>>>>>>> But is
>>>>>>>>>>>>> this the correct way? Are there any parameters server-side
>>>>>>>>>>>>> to force
>>>>>>>>>>>>> users to connect via TLS?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks for response.
>>>>>>>>>>>>> Torsten
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> Users mailing list
>>>>>>>>>>>>> Users at openser.org
>>>>>>>>>>>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>                                           
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Users mailing list
>>>>>>>>>>>> Users at openser.org
>>>>>>>>>>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>>>>>>>>>>
>>>>>>>>>>>>                                     
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Users mailing list
>>>>>>>>>>> Users at openser.org
>>>>>>>>>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>>>>>>>>>                               
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at openser.org
>>>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>>>  
>>>>>     
> 
>>>
_______________________________________________
Users mailing list
Users at openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
>>>

>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at openser.org
>> http://openser.org/cgi-bin/mailman/listinfo/users
>>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEPiIuR0exH8dhr/YRAjmJAKCUvF0mB57NgxmaeQiIc2ZqgNzkkgCgrvNJ
IGUA6tHQVBqkaiTg7nXGx0s=
=lgtf
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ssl-dump
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20060413/89fc00f0/attachment.asc>


More information about the sr-users mailing list