[OpenSER-Users] TLS problem.

fengbin arithdon at gmail.com
Fri Jan 11 09:20:24 CET 2008


Dear Klaus,

There is an error of "<xlog> not found" while I put that phrase


On 1/11/08, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>
> Hi Fengbin!
>
> Cc'ed to the openser list ...
>
> fengbin wrote:
> > Hi, Klaus,
> >
> > How do I use the NULL cipher? Is setting it only in OpenSER OK? I mean, do I need
> > to set the NULL cipher at the client side?
>
> Usually the NULL cipher is not enabled (for security reasons). You have
> to enable it on both sides, the server and the client. But if you use
> the following approach you do not need it.
>
> > And where to put xlog("L_ERR","message buffer: $mb"); anywhere in
> > openser.cfg?
>
> Put it just in the beginning of the route block.
>
> regards
> klaus
>
> > THX
> > BR
> >
> >
> > On 1/11/08, *Klaus Darilion* <klaus.mailinglists at pernau.at> wrote:
> >
> >     The capture file is not helpful, as it is encrypted. You could use NULL
> >     cipher to have plaintext inside the TLS connection to inspect the
> >     incoming SIP message, or add xlog("L_ERR","message buffer: $mb"); to see
> >     the whole incoming SIP request.
> >
> >     regards
> >     klaus
> >
> >     fengbin wrote:
> >      > Hi, Klaus
> >      > Thank you for your reply.
> >      > Enclosed are the config file, the pcap between client and server, and
> >      > the log on the openser's console.
> >      > Could you please take a look at them for me?
> >      >
> >      > THX
> >      > BR
> >      >
> >      >
> >      > On 1/10/08, *Klaus Darilion* <klaus.mailinglists at pernau.at> wrote:
> >      >
> >      >     Can you show us the REGISTER request? (both, port 5060 and port 5061).
> >      >
> >      >     Further show us your openser config
> >      >
> >      >     regards
> >      >     klaus
> >      >
> >      >     fengbin wrote:
> >      >      >
> >      >      > Hi, all
> >      >      > I met a strange problem while I am testing TLS connection between
> >      >      > minisip and openser.
> >      >      > The following is my openser.cfg (part of that)
> >      >      >
> >      >      >     .........
> >      >      >     fork=no
> >      >      >     log_stderror=yes
> >      >      >
> >      >      >     # Uncomment this to prevent the blacklisting of temporary not available destinations
> >      >      >     #disable_dns_blacklist=yes
> >      >      >
> >      >      >     # # Uncomment this to prevent the IPv6 lookup after v4 dns lookup failures
> >      >      >     #dns_try_ipv6=no
> >      >      >
> >      >      >     # uncomment the following lines for TLS support
> >      >      >     disable_tls = 0
> >      >      >     listen = tls:10.11.57.197:5060
> >      >      >
> >      >      >     tls_verify_client = 1
> >      >      >     tls_method = TLSv1
> >      >      >     tls_certificate = "/usr/local/etc/openser//tls/user/user-cert.pem"
> >      >      >     tls_private_key = "/usr/local/etc/openser//tls/user/user-privkey.pem"
> >      >      >     tls_ca_list = "/usr/local/etc/openser//tls/user/user-calist.pem"
> >      >      >     tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
> >      >      >     ......
> >      >      >
> >      >      > When I set "tls:10.11.57.197:5061" the registration never
> >      >      > succeeds. But if I set it to 5060 the registration over TLS
> >      >      > is OK.
> >      >      > I compared the logs of the two scenarios and found the TLS
> >      >      > session is OK in both, but the difference is that:
> >      >      > when the port is 5061 there is an error of forwarding, but the
> >      >      > forwarding is because openser thinks it's not the destination
> >      >      > of the registration request. See below:
> >      >      >
> >      >      >     Jan 10 16:46:56 [9199] DBG:rr:after_loose: No next URI found
> >      >      >     Jan 10 16:46:56 [9199] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
> >      >      >     Jan 10 16:46:56 [9199] DBG:core:grep_sock_info: checking if port 5061 matches port 5060
> >      >      >     Jan 10 16:46:56 [9199] DBG:core:check_self: host != me
> >      >      >     Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=ffffffffffffffff
> >      >      >     Jan 10 16:46:56 [9199] DBG:tm:t_newtran: T on entrance=0xffffffff
> >      >      >     Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=ffffffffffffffff
> >      >      >     Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=78
> >      >      >     Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: start searching: hash=58073, isACK=0
> >      >      >     Jan 10 16:46:56 [9199] DBG:tm:matching_3261: RFC3261 transaction matching failed
> >      >      >     Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: no transaction found
> >      >      >     Jan 10 16:46:56 [9199] DBG:core:mk_proxy: doing DNS lookup...
> >      >      >     Jan 10 16:46:56 [9199] ERROR:tm:update_uac_dst: failed to fwd to af 2, proto 1 (no corresponding listening socket)
> >      >      >     Jan 10 16:46:56 [9199] ERROR:tm:t_forward_nonack: failure to add branches
> >      >      >
> >      >      >
> >      >      >
> >      >      > In comparison, when the port is set to 5060 the trace is:
> >      >      >
> >      >      >     Jan 10 17:07:59 [9410] DBG:rr:find_next_route: No next Route HF found
> >      >      >     Jan 10 17:07:59 [9410] DBG:rr:after_loose: No next URI found
> >      >      >     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
> >      >      >     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if port 5060 matches port 5060
> >      >      >     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
> >      >      >     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if port 5060 matches port 5060
> >      >      >     Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=ffffffffffffffff
> >      >      >     Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=8000000
> >      >      >     Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=ffffffffffffffff
> >      >      >     Jan 10 17:07:59 [9410] DBG:registrar:build_contact: created Contact HF: Contact: <sip:888 at 10.11.57.192:5061;transport=TLS>;expires=1000
> >      >      >
> >      >      >
> >      >      >
> >      >      > And there is no fwd needed then. So the error didn't occur.
> >      >      >
> >      >      > It's a little bit strange that when I set the port to 5061, why did
> >      >      > openser check the port 5060?????
> >      >      > Can anyone help me to figure it out?
> >      >      > THX
> >      >      > BR
> >      >      >
> >      >      > --
> >      >      > Fengbin
> >      >      >
> >      > --
> >      > Fengbin
> >      >
> >
> >
> >
> >
> > --
> > Fengbin
>



-- 
Fengbin
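
Added example (not part of the original thread and not OpenSER project code): a small Python check that scans an openser.cfg for the two troubleshooting aids discussed above, NULL cipher suites in tls_ciphers_list and an xlog() of $mb, so they can be found and removed once debugging is done. The sample config is constructed from lines quoted in the thread, the function names are hypothetical, and only explicitly listed NULL entries are detected.

```python
import re

# Constructed sample: TLS lines quoted in the thread plus the suggested
# xlog() debug statement placed at the start of the route block.
SAMPLE_CFG = '''\
disable_tls = 0
listen = tls:10.11.57.197:5060
tls_method = TLSv1
# tls_ciphers_list="NULL-SHA"   (commented out, must be ignored)
tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
route {
    xlog("L_ERR","message buffer: $mb");
}
'''

CIPHERS_RE = re.compile(r'^\s*tls_ciphers_list\s*=\s*"([^"]*)"')
XLOG_MB_RE = re.compile(r'^\s*xlog\s*\(.*\$mb\b')

def null_ciphers(cipher_string):
    """Return entries of an OpenSSL cipher string that enable NULL encryption."""
    hits = []
    for token in re.split(r'[:, ]+', cipher_string.strip()):
        # '!' and '-' remove suites, '+' only reorders: none of them adds one.
        if not token or token[0] in '!-+':
            continue
        # 'NULL'/'eNULL' select all no-encryption suites; named suites carry
        # NULL in the cipher position (NULL-SHA, ECDHE-RSA-NULL-SHA, ...).
        # 'aNULL' (no authentication) is a different setting and is not matched.
        parts = re.split(r'[-+]', token)
        if 'NULL' in parts or 'eNULL' in parts:
            hits.append(token)
    return hits

def audit(cfg_text):
    """Yield (line_number, finding) for debug-only settings left in a config."""
    for number, line in enumerate(cfg_text.splitlines(), start=1):
        if line.lstrip().startswith('#'):
            continue
        match = CIPHERS_RE.match(line)
        if match:
            for suite in null_ciphers(match.group(1)):
                yield number, 'NULL cipher enabled: ' + suite
        elif XLOG_MB_RE.match(line):
            yield number, 'xlog() writes the full SIP message ($mb) to the log'

if __name__ == '__main__':
    for number, finding in audit(SAMPLE_CFG):
        print('line %d: %s' % (number, finding))
```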