[OpenSER-Users] TLS problem.

Klaus Darilion klaus.mailinglists at pernau.at
Fri Jan 11 10:29:47 CET 2008


You have to load the xlog module.

fengbin wrote:
> Dear Klaus,
>  
> There is an error "<xlog> not found" when I put that phrase in.
> 
>  
> On 1/11/08, *Klaus Darilion* <klaus.mailinglists at pernau.at> wrote:
> 
>     Hi Fengbin!
> 
>     Cc'ed to the openser list ...
> 
>     fengbin wrote:
>      > Hi Klaus,
>      >
>      > How do I use the NULL cipher? Is setting it only in OpenSER OK? I mean, do
>      > I need to set the NULL cipher at the client side?
> 
>     Usually the NULL cipher is not enabled (for security reasons). You have
>     to enable it on both sides, the server and the client. But if you use
>     the following approach you do not need it.
> 
>      > And where do I put xlog("L_ERR","message buffer: $mb"); anywhere in
>      > openser.cfg?
> 
>     Put it right at the beginning of the route block.
> 
>     regards
>     klaus
> 
>      > THX
>      > BR
>      >
>      >
>      > On 1/11/08, *Klaus Darilion* <klaus.mailinglists at pernau.at> wrote:
>      >
>      >     The capture file is not helpful, as it is encrypted. You could use the
>      >     NULL cipher to have plaintext inside the TLS connection to inspect the
>      >     incoming SIP message, or add xlog("L_ERR","message buffer: $mb"); to see
>      >     the whole incoming SIP request.
>      >
>      >     regards
>      >     klaus
>      >
>      >     fengbin wrote:
>      >      > Hi Klaus,
>      >      > Thank you for your reply.
>      >      > Enclosed are the config file, the pcap between client and server, and
>      >      > the log from the openser console.
>      >      > Could you please take a look at them for me?
>      >      >
>      >      > THX
>      >      > BR
>      >      >
>      >      >
>      >      > On 1/10/08, *Klaus Darilion* <klaus.mailinglists at pernau.at> wrote:
>      >      >
>      >      >     Can you show us the REGISTER request? (both, port 5060 and
>      >      >     port 5061).
>      >      >
>      >      >     Further, show us your openser config.
>      >      >
>      >      >     regards
>      >      >     klaus
>      >      >
>      >      >     fengbin wrote:
>      >      >      >
>      >      >      > Hi all,
>      >      >      > I met a strange problem while testing a TLS connection between
>      >      >      > minisip and openser.
>      >      >      > The following is my openser.cfg (part of it):
>      >      >      >
>      >      >      >     .........
>      >      >      >     fork=no
>      >      >      >     log_stderror=yes
>      >      >      >
>      >      >      >     # Uncomment this to prevent the blacklisting of
>      >      >      >     # temporary not available destinations
>      >      >      >     #disable_dns_blacklist=yes
>      >      >      >
>      >      >      >     # Uncomment this to prevent the IPv6 lookup after v4
>      >      >      >     # dns lookup failures
>      >      >      >     #dns_try_ipv6=no
>      >      >      >
>      >      >      >     # uncomment the following lines for TLS support
>      >      >      >     disable_tls = 0
>      >      >      >     listen = tls:10.11.57.197:5060
>      >      >      >
>      >      >      >     tls_verify_client = 1
>      >      >      >     tls_method = TLSv1
>      >      >      >     tls_certificate = "/usr/local/etc/openser//tls/user/user-cert.pem"
>      >      >      >     tls_private_key = "/usr/local/etc/openser//tls/user/user-privkey.pem"
>      >      >      >     tls_ca_list = "/usr/local/etc/openser//tls/user/user-calist.pem"
>      >      >      >     tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
>      >      >      >     ......
>      >      >      >
>      >      >      > When I set "tls:10.11.57.197:5061" the registration never
>      >      >      > succeeds. But if I set it to 5060 the registration over TLS is OK.
>      >      >      > I compared the logs of the two scenarios and found that the TLS
>      >      >      > session is OK in both, but the difference is this: when the port
>      >      >      > is 5061 there is a forwarding error, and the forwarding happens
>      >      >      > because openser thinks it's not the destination of the
>      >      >      > registration request. See below:
>      >      >      >
>      >      >      >     Jan 10 16:46:56 [9199] DBG:rr:after_loose: No next URI found
>      >      >      >     Jan 10 16:46:56 [9199] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
>      >      >      >     Jan 10 16:46:56 [9199] DBG:core:grep_sock_info: checking if port 5061 matches port 5060
>      >      >      >     Jan 10 16:46:56 [9199] DBG:core:check_self: host != me
>      >      >      >     Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=ffffffffffffffff
>      >      >      >     Jan 10 16:46:56 [9199] DBG:tm:t_newtran: T on entrance=0xffffffff
>      >      >      >     Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=ffffffffffffffff
>      >      >      >     Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=78
>      >      >      >     Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: start searching: hash=58073, isACK=0
>      >      >      >     Jan 10 16:46:56 [9199] DBG:tm:matching_3261: RFC3261 transaction matching failed
>      >      >      >     Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: no transaction found
>      >      >      >     Jan 10 16:46:56 [9199] DBG:core:mk_proxy: doing DNS lookup...
>      >      >      >     Jan 10 16:46:56 [9199] ERROR:tm:update_uac_dst: failed to fwd to af 2, proto 1 (no corresponding listening socket)
>      >      >      >     Jan 10 16:46:56 [9199] ERROR:tm:t_forward_nonack: failure to add branches
>      >      >      >
>      >      >      >
>      >      >      >
>      >      >      > In comparison, when the port is set to 5060 the trace is:
>      >      >      >
>      >      >      >     Jan 10 17:07:59 [9410] DBG:rr:find_next_route: No next Route HF found
>      >      >      >     Jan 10 17:07:59 [9410] DBG:rr:after_loose: No next URI found
>      >      >      >     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
>      >      >      >     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if port 5060 matches port 5060
>      >      >      >     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
>      >      >      >     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if port 5060 matches port 5060
>      >      >      >     Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=ffffffffffffffff
>      >      >      >     Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=8000000
>      >      >      >     Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=ffffffffffffffff
>      >      >      >     Jan 10 17:07:59 [9410] DBG:registrar:build_contact: created Contact HF: Contact: <sip:888@10.11.57.192:5061;transport=TLS>;expires=1000
>      >      >      >
>      >      >      >
>      >      >      >
>      >      >      > And there is no fwd needed then, so the error didn't occur.
>      >      >      >
>      >      >      > It's a little bit strange: when I set the port to 5061, why did
>      >      >      > openser check port 5060?????
>      >      >      > Can anyone help me figure it out?
>      >      >      > THX
>      >      >      > BR
>      >      >      >
>      >      >      > --
>      >      >      > Fengbin
>      >      >      >
>      >      >      > ------------------------------------------------------------------------
>      >      >      >
>      >      >      > _______________________________________________
>      >      >      > Users mailing list
>      >      >      > Users at lists.openser.org
>      >      >      > http://lists.openser.org/cgi-bin/mailman/listinfo/users
> 
> -- 
> Fengbin
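
The fragment below is an added example, not code from the thread or from the OpenSER project. It puts the two pieces of advice from the thread into one openser.cfg: xlog.so is loaded before xlog() is called (the cause of "<xlog> not found"), the xlog() call is the first statement of the main route so the raw REGISTER is logged before any routing decision, and the TLS listener is on 5061. The address and certificate paths are reused from the poster's config; the module path, the module set, the alias line and the route logic are assumptions for illustration, and the alias is a general OpenSER mechanism for extra host:port pairs that count as "myself", not a confirmed fix for the poster's case. The weak cipher list from the thread is shown commented out beside a corrected one: NULL-SHA and NULL-MD5 authenticate the TLS records but do not encrypt them, so the SIP is readable in a capture, which is acceptable only in a lab. Because AES256-SHA and AES128-SHA use RSA key exchange, Wireshark can also decrypt such a capture when given the server's private key, so the NULL ciphers are rarely needed even for debugging.

```cfg
# Added example (not the thread's or OpenSER's own config): TLS listener on
# 5061 with xlog loaded. Address and cert paths follow the poster's config;
# mpath, module list, the alias line and the route logic are assumptions.
debug=4
fork=no
log_stderror=yes

disable_tls = 0
# With an explicit "listen", only these sockets exist. check_self (uri==myself)
# compares the R-URI host:port against this list and the aliases; a request
# that does not match is relayed instead of being registered locally.
listen = tls:10.11.57.197:5061
# Assumed: also accept sip:10.11.57.197:5060 as "myself" while clients migrate.
alias = 10.11.57.197:5060

tls_method = TLSv1
tls_verify_client = 1
tls_certificate = "/usr/local/etc/openser/tls/user/user-cert.pem"
tls_private_key = "/usr/local/etc/openser/tls/user/user-privkey.pem"
tls_ca_list     = "/usr/local/etc/openser/tls/user/user-calist.pem"

# Weak, lab-only list from the thread: NULL-SHA/NULL-MD5 give integrity but no
# confidentiality, so the SIP inside the TLS session is visible in a capture.
#tls_ciphers_list = "NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
# Corrected list: encrypting suites only.
tls_ciphers_list = "AES256-SHA:AES128-SHA"

mpath = "/usr/local/lib/openser/modules/"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
# Without this line the config parser fails with "<xlog> not found".
loadmodule "xlog.so"

# Assumed value: raise the xlog buffer so a long REGISTER is not truncated in $mb.
modparam("xlog", "buf_size", 8192)
modparam("usrloc", "db_mode", 0)

route {
    # First statement of the route: dump the whole request and where it came
    # in, so the R-URI port and transport can be compared with the listener.
    xlog("L_ERR", "$rm from $si:$sp over $pr, R-URI=$ru (port $rp)\nmessage buffer: $mb\n");

    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too Many Hops");
        exit;
    }

    if (loose_route()) {
        t_relay();
        exit;
    }

    if (uri == myself) {
        if (method == "REGISTER") {
            save("location");
            exit;
        }
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            exit;
        }
    }

    # A request that is not for us is relayed. Relaying needs a socket for the
    # destination transport; "no corresponding listening socket" in the log
    # above (af 2 = AF_INET, proto 1 = UDP) is this step failing for UDP,
    # which the listen line does not provide.
    if (!t_relay()) {
        sl_reply_error();
    }
}
```

Check the file with `openser -c -f openser.cfg` before starting the daemon; a missing loadmodule line shows up there as the "<xlog> not found" parse error rather than at runtime. The xlog line should be removed or lowered to L_DBG once the problem is found, since it writes every request, including Authorization headers, to the log.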




More information about the sr-users mailing list