[Users] Allow only TLS connections

Christoph Fürstaller christoph.fuerstaller at kurtkrenn.com
Thu Apr 13 12:14:03 CEST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Daniel-Constantin Mierla wrote:
> I got an idea, set
> 
> alias="your domain"
I set alias="192.168.20.156" (the IP of my server) and it works now : )
> 
> in the config file. I guess the client does not set any port and
> protocol in the R-URI and since OpenSER listens only on 5061,
> "uri==myself" does not match.
> 
> Try this, and let me know if it works.
So, it works. Thank you.

chris...
> 
> Cheers,
> Daniel
> 
> 
> On 04/13/06 12:55, Daniel-Constantin Mierla wrote:
> 
>>
>>
>> On 04/13/06 12:52, Daniel-Constantin Mierla wrote:
>>
>>> Hello,
>>>
>>> could you send a network trace (ngrep)?
>>
>> actually, use ssldump to sniff TLS connections.
>>
>> Cheers,
>> Daniel
>>
>>> Another case where the request is forwarded in your script is for
>>> messages outside of your domain (not matching uri==myself).
>>>
>>> Cheers,
>>> Daniel
>>>
>>>
>>> On 04/13/06 12:32, Christoph Fürstaller wrote:
>>>
> Hi,
> 
> The contact and socket in the location table are TLS only. No entry
> for UDP.
> 
> And I don't have any entries in alias table.
> 
> chris...
> 
> Daniel-Constantin Mierla wrote:
> 
>>>>>> Hello,
>>>>>>
>>>>>> maybe the clients register non-TLS contacts, take a look in the
>>>>>> location
>>>>>> table. Also, in aliases, you may have some addresses that point to
>>>>>> external domains.
>>>>>>
>>>>>> Cheers,
>>>>>> Daniel
>>>>>>
>>>>>>
>>>>>> On 04/13/06 12:05, Christoph Fürstaller wrote:
>>>>>>
>>>>>> Hi Daniel,
>>>>>>
>>>>>> Daniel-Constantin Mierla wrote:
>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> On 04/13/06 11:52, Christoph Fürstaller wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I tried that out. I check if proto is TLS:
>>>>>>>>> if (proto != TLS) {
>>>>>>>>>     sl_send_reply("403", "Forbidden");
>>>>>>>>>     exit;
>>>>>>>>> };
>>>>>>>>>
>>>>>>>>> But I get this error:
>>>>>>>>>  3(28893) ERROR:tm:add_uac: can't fwd to af 2, proto 1  (no
>>>>>>>>> corresponding listening socket)
>>>>>>>>>  3(28893) ERROR:tm:t_forward_nonack: failure to add branches
>>>>>>>>>  3(28893) ERROR:tm:t_relay_to:  t_forward_nonack returned error
>>>>>>>>>
>>>>>>>>> What does it mean? What am I doing wrong?
>>>>>>>>> My SER is only listening on TLS port 5061. Do I still have to
>>>>>>>>> open UDP 5060?
>>>>>>>>>
>>>>>>>>>> it seems that you are trying to forward over UDP.
>>>>>>
>>>>>> I figured that out too. But I don't know which part forwards
>>>>>> something on UDP. I attached my conf. Can you give it a quick look?
>>>>>>
>>>>>>
>>>>>>>>>> You can configure OpenSER to
>>>>>>>>>> listen on UDP as well, and drop messages coming in on UDP, if you
>>>>>>>>>> want to accept only TLS (as you have in the above snippet). If all
>>>>>>>>>> peers you connect to support TLS, then you can force sending over
>>>>>>>>>> TLS all the time.
>>>>>>>>>> Cheers,
>>>>>>>>>> Daniel
>>>>>>
>>>>>> chris...
>>>>>>
>>>>>>>>> Cesc wrote:
>>>>>>>>>
>>>>>>>>>>>> http://openser.org/dokuwiki/doku.php?id=openser_core_cookbook&DokuWiki=6c17b007ea61fa37b86b391ce1b2a80f#tcp
>>>>>>>>>>>>
>>>>>>>>>>>> On 4/11/06, Thorsten.Haupt at t-systems.com
>>>>>>>>>>>> <Thorsten.Haupt at t-systems.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I searched for this function, but I didn't find it :-(
>>>>>>>>>>>>> Does anyone know the correct code, not only pseudo-code?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Torsten
>>>>>>>>>>>>>
>>>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>>>> From: Cesc [mailto:cesc.santa at gmail.com]
>>>>>>>>>>>>> Sent: Tuesday, 11 April 2006 14:03
>>>>>>>>>>>>> To: Haupt, Thorsten
>>>>>>>>>>>>> Cc: users at openser.org
>>>>>>>>>>>>> Subject: Re: [Users] Allow only TLS connections
>>>>>>>>>>>>>
>>>>>>>>>>>>> I think in openser there is a function to check what
>>>>>>>>>>>>> transport the
>>>>>>>>>>>>> message came in ... you can do something like:
>>>>>>>>>>>>> if ( transport != TLS ) {
>>>>>>>>>>>>>          send error to UA
>>>>>>>>>>>>>          break;
>>>>>>>>>>>>> }
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cesc
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 4/11/06, Thorsten.Haupt at t-systems.com
>>>>>>>>>>>>> <Thorsten.Haupt at t-systems.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I use OpenSER in a testing environment for VoIP security. My
>>>>>>>>>>>>>> clients connect via TLS. If I deactivate UDP/5060 on the
>>>>>>>>>>>>>> server, it doesn't work correctly.
>>>>>>>>>>>>>> Some clients can't connect and others can't establish calls. I
>>>>>>>>>>>>>> read in another thread that UDP is mandatory for SIP and that
>>>>>>>>>>>>>> the server needs it.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> But how can I prevent users from connecting via UDP and force
>>>>>>>>>>>>>> them to
>>>>>>>>>>>>>> use TLS? I tried a firewall, blocking UDP and TCP on port
>>>>>>>>>>>>>> 5060.
>>>>>>>>>>>>>> But is
>>>>>>>>>>>>>> this the correct way? Are there any parameters server-side
>>>>>>>>>>>>>> to force
>>>>>>>>>>>>>> users to connect via TLS?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks for response.
>>>>>>>>>>>>>> Torsten
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> Users mailing list
>>>>>>>>>>>>>> Users at openser.org
>>>>>>>>>>>>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>>>>>>>>>>>>
>>>>>>
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEPiRqR0exH8dhr/YRAuh4AJ4nPUj4+ijgva4KHi5jylY4OyMmHwCgxIqJ
GI8Jb+T3GnZ1zTedjnQPd7s=
=/0Jw
-----END PGP SIGNATURE-----
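The thread above settles on three things: listen on TLS only, reject anything that still arrives on another transport, and set alias= so that requests addressed to the bare server IP match uri==myself instead of being relayed outbound over UDP. The following is an added, condensed OpenSER 1.x configuration written for this page to show those three pieces together; it is not the conf Christoph attached and not an example shipped by the project. The address 192.168.20.156 and port 5061 are the ones from the thread. Everything else is an assumption: the module and certificate paths, the exact spelling of the tls_* core parameters, the t_relay_to_tls() function for the foreign-domain branch, and the peer domain and address (example.net, 192.0.2.10); check each against the core cookbook and the tm README of the version in use.

```cfg
# Added example (not from the thread): OpenSER 1.x accepting SIP over TLS only.

debug=3
fork=yes
log_stderror=no
children=4

# The only listening socket: TLS on the server IP from the thread.
# Because no udp:...:5060 socket exists, anything the script tries to
# send over UDP fails with the tm error seen in the thread:
# "can't fwd to af 2, proto 1 (no corresponding listening socket)".
listen=tls:192.168.20.156:5061

# Daniel's fix. A R-URI like sip:1234@192.168.20.156 carries no port and
# no transport; without this alias it does not match uri==myself, is
# treated as a foreign request and relayed outbound, which defaults to UDP.
alias="192.168.20.156"

# TLS material. Paths are assumed; the parameter names are those of the
# OpenSER 1.x core TLS support, verify them against your version's cookbook.
tls_certificate="/etc/openser/tls/server-cert.pem"
tls_private_key="/etc/openser/tls/server-key.pem"
tls_ca_list="/etc/openser/tls/ca-list.pem"
tls_verify=1                 # verify client certificates against ca_list
tls_require_certificate=1    # and refuse clients that present none

# Module paths assumed.
loadmodule "/usr/lib/openser/modules/sl.so"
loadmodule "/usr/lib/openser/modules/tm.so"
loadmodule "/usr/lib/openser/modules/maxfwd.so"
loadmodule "/usr/lib/openser/modules/usrloc.so"
loadmodule "/usr/lib/openser/modules/registrar.so"

modparam("usrloc", "db_mode", 0)

route {
    # 1. The transport check from the thread. With a TLS-only listen= it
    #    can only fire if a udp/tcp socket is added later; keep it anyway
    #    so the policy does not silently depend on the socket list.
    if (proto != TLS) {
        sl_send_reply("403", "Forbidden");
        exit;
    };

    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too Many Hops");
        exit;
    };

    if (uri == myself) {
        if (method == "REGISTER") {
            # usrloc stores the contact together with the socket it
            # arrived on (the "socket" column Christoph checked).
            save("location");
            exit;
        };

        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            exit;
        };

        # lookup() rewrote the R-URI with the registered contact. A plain
        # sip: contact without ;transport=tls would make t_relay() pick UDP
        # and hit the tm error; refuse it here with a clear reply instead.
        if (!(uri =~ "transport=tls")) {
            sl_send_reply("403", "TLS contact required");
            exit;
        };

        if (!t_relay()) {
            sl_reply_error();
        };
        exit;
    };

    # 2. Requests for foreign domains. There is no UDP socket to send them
    #    on, so either force TLS to a peer known to speak it or reject.
    #    Assumptions: t_relay_to_tls(ip, port) from tm, and the peer itself.
    if (uri =~ "@sip[.]example[.]net") {
        if (!t_relay_to_tls("192.0.2.10", "5061")) {
            sl_reply_error();
        };
        exit;
    };

    sl_send_reply("403", "Relaying over TLS only");
}
```

To confirm the alias is doing its job, send a request whose R-URI is just sip:user@192.168.20.156 (no port, no transport) and watch with ssldump, as Daniel suggested: with the alias in place it should be answered or relayed by the uri==myself branch; without it, the log shows the "can't fwd to af 2, proto 1" error from the thread, because the request fell through to outbound relaying and tm looked for a UDP socket that does not exist.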
