[Users] Re: [Serusers] Please help for software for testing TLS in openser
Klaus Darilion
klaus.mailinglists at pernau.at
Thu Sep 21 11:15:10 CEST 2006
Hi!
1. start openser on both servers
2. make sure openser is running (both servers)
# ps -Alf|grep openser
3. make sure openser is listening on port 5061 (both servers)
# netstat -anp|grep 5061
4. configure the opensers to call each other via TLS
e.g. configure 2 SIP clients. One registers at proxy A while the other
registers at proxy B. Let's assume client A uses username a
(sip:a@ip.address.of.proxyA) and client B uses username b
(sip:b@ip.address.of.proxyB).
Now configure proxy A to route calls to B via TLS.
if (uri =~ "b@") {
    # write new destination into an AVP
    avp_printf("$avp(s:new_uri)", "sip:b@ip.address.of.proxyB;transport=tls");
    # push new URI into request URI
    avp_pushto("$ru", "$avp(s:new_uri)");
    t_relay();
}
5. call from a to b
6. use ssldump to watch TLS call setups
regards
klaus
Ferianto siregar wrote:
> Dear Klaus,
>
> Thank you very much for your help and reply my message. Thank you very much.
> I am very happy to read the reply from you.
>
> Klaus, maybe I am too stupid, may I ask you question anymore? Please...
> may I ask you about TLS again?
> Because I am not sure that the configuration that I have made before, is
> good. Can I ask you?
>
> 1. Here is :
>
> In my openser.cfg, for support TLS, I just uncomment the TLS support
> (the certificate). Here is the part of my openser.cfg :
>
> # uncomment the following lines for TLS support
> disable_tls = 0
> listen = tls:202.95.149.251:5061
> tls_verify_client = on
> tls_require_client_certificate = on
> tls_verify_server=on
> tls_method = TLSv1
> tls_certificate = "/usr/local/etc/openser/tls/user/user-cert.pem"
> tls_private_may I ask you about TLS again?
>
> Is this way correct? or there is another configuration that I must make
> or I have added in openser.cfg, in order the TLS can run successfully?
> 2. You said that I can test it by using 2 openser server. I have built
> it. One using Fedora core 4 and the other using Redhat 9. But I am
> confused, how to connect this two openser server? What I have added in
> openser.cfg in order both of the server can be used to communicate and
> test TLS ? Would you mind tell me Klaus?
> Please give me a suggestion.. Please
>
> Thank you very much,
> Thank you
> Regards,
>
>
> Ferianto
>
>
> */Klaus Darilion <klaus.mailinglists at pernau.at>/* wrote:
>
> Ferianto siregar wrote:
> > Dear all,
> >
> > Thank you very much for time to read my problem. Thank you very much...
> > All, I have built openser server and I can build it successfully. It
> > means that the client can make call each other.
> > The openser server that I build is support TLS (in openser.cfg, I enable
> > the TLS support).
> > But, I need help for testing my TLS in voip communication.
> > I have type command : # openser -V , and I can see that the TLS is used.
> >
> > But, how can I test the openser that supported TLS? because in my
> > mind, for testing the TLS, I must have a software that supported TLS.
>
> xlite supports TLS, also minisip
>
> you can also use 2 openser's to talk TLS between the 2 openser's
>
> > So, if the client can communicate each other by using the software phone
> > that supported TLS, it means that the TLS have run successfully (because
> > TLS use port 5061 ).
> > Is this opinion correct?
>
> yes. but make sure the connection is really routed via port 5061/TLS.
>
> Good tools for debugging:
>
> 1. ssldump
> 2. ngrep (check the ports which are used)
> 3. you can configure openser TLS to use NULL cipher. This way it is TLS
> but not encrypted and you can use a packet sniffer to watch the
> signaling.
>
> regards
> klaus
>
> >
> > Or can anybody give a suggestion how to test my openser TLS? if I have
> > to use software phone that supported TLS. Please tell me.. Please..
> >
> > Thank you very much for your help.
> > Thank you
> >
> > Regards,
> >
> >
> > Ferianto
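Added example (not part of the original thread): a Python check for the "make sure the connection is really routed via port 5061/TLS" step and the NULL-cipher tip above. It classifies the first server-to-client payload captured on the SIP port as plaintext SIP, encrypted TLS, or TLS with a NULL cipher; the function names and sample bytes are constructed for illustration, and the NULL suite table is a subset.

```python
import struct

# Suites with no encryption (IANA values; subset, not exhaustive).
NULL_SUITES = {0x0000: "TLS_NULL_WITH_NULL_NULL", 0x0001: "TLS_RSA_WITH_NULL_MD5",
               0x0002: "TLS_RSA_WITH_NULL_SHA", 0x003B: "TLS_RSA_WITH_NULL_SHA256"}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def inspect_first_bytes(payload: bytes) -> dict:
    """Classify the first server-to-client TCP payload seen on the SIP port."""
    if len(payload) < 5 or payload[0] != 0x16 or payload[1] != 0x03:
        # No TLS handshake record: report the first line (plaintext SIP is readable).
        line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"tls": False, "detail": line}
    rec_len = struct.unpack("!H", payload[3:5])[0]
    body = payload[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        return {"tls": True, "detail": "handshake record without ServerHello"}
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # ServerHello: version(2) random(32) sid_len(1) sid cipher_suite(2) compression(1)
    if len(hello) < 35 or len(hello) < 35 + hello[34] + 3:
        return {"tls": True, "detail": "truncated ServerHello"}
    version = struct.unpack("!H", hello[:2])[0]
    off = 35 + hello[34]
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    return {"tls": True, "version": VERSIONS.get(version, hex(version)),
            "suite": f"0x{suite:04X}", "encrypted": suite not in NULL_SUITES,
            "detail": NULL_SUITES.get(suite, "ServerHello")}


def build_server_hello(suite: int, version: int = 0x0301) -> bytes:
    """Construct a minimal ServerHello record (sample data, not a capture)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!HB", suite, 0)
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


if __name__ == "__main__":
    samples = {"AES suite": build_server_hello(0x002F),   # TLS_RSA_WITH_AES_128_CBC_SHA
               "NULL suite": build_server_hello(0x0002),
               "plain SIP": b"SIP/2.0 100 Trying\r\nVia: SIP/2.0/TCP 192.0.2.1\r\n\r\n"}
    for name, data in samples.items():
        print(name, inspect_first_bytes(data))
```

A result with `encrypted: False` on a production listener means the NULL-cipher debugging setting is still in effect.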