[SR-Users] TLS problems

Andreas Rehbein rehbein at e-technik.org
Mon Jan 25 10:38:50 CET 2010


Hi,

this is the phone->proxy case (traced on Proxy 192.168.0.89). 

I also traced the successful case (Phoner Lite Register - phone->proxy):

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
New TCP connection #1: 192.168.0.176(1723) <-> 192.168.0.89(5061)
1 1  0.5784 (0.5784)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        Unknown value 0x39
        Unknown value 0x38
        Unknown value 0x35
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0x33
        Unknown value 0x32
        Unknown value 0x2f
        TLS_RSA_WITH_IDEA_CBC_SHA
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_RC4_128_MD5
        TLS_DHE_RSA_WITH_DES_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        compression methods
                  NULL
1 2  0.5811 (0.0027)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[0]=

        cipherSuite         Unknown value 0x35
        compressionMethod                   NULL
1 3  0.5811 (0.0000)  S>C  Handshake
      Certificate
1 4  0.5811 (0.0000)  S>C  Handshake
      ServerHelloDone
1 5  0.5830 (0.0019)  C>S  Handshake
      ClientKeyExchange
1 6  0.5830 (0.0000)  C>S  ChangeCipherSpec
1 7  0.5830 (0.0000)  C>S  Handshake
1 8  0.5870 (0.0040)  S>C  ChangeCipherSpec
1 9  0.5870 (0.0000)  S>C  Handshake
1 10 0.5908 (0.0037)  C>S  application_data
1 11 0.6204 (0.0296)  S>C  application_data
1 12 0.6241 (0.0037)  C>S  application_data
1 13 0.6848 (0.0606)  S>C  application_data
1 14 0.6884 (0.0035)  C>S  application_data
1 15 0.6890 (0.0006)  S>C  application_data
1 16 0.6934 (0.0043)  C>S  application_data
1 17 0.6947 (0.0013)  S>C  application_data
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
 

 

-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at]
Sent: Monday, 25 January 2010 09:59
To: Andreas Rehbein
Cc: sr-users at lists.sip-router.org
Subject: Re: AW: AW: AW: AW: AW: [SR-Users] TLS problems

Is this proxy->phone or phone->proxy?

klaus

Andreas Rehbein wrote:
> Hi Klaus,
> 
> these are the ssldump results:
> 
> <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
> New TCP connection #1: 192.168.0.222(1619) <-> 192.168.0.89(5061)
> 1 1  0.2578 (0.2578)  C>S  Handshake
>       ClientHello
>         Version 3.1
>         cipher suites
>         TLS_RSA_WITH_RC4_128_MD5
>         TLS_RSA_WITH_RC4_128_SHA
>         TLS_RSA_WITH_NULL_MD5
>         TLS_RSA_WITH_NULL_SHA
>         TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
>         TLS_DH_anon_WITH_RC4_128_MD5
>         TLS_RSA_WITH_DES_CBC_SHA
>         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>         TLS_DH_anon_WITH_DES_CBC_SHA
>         compression methods
>                   NULL
> 1    0.4212 (0.1633)  S>C  TCP FIN
> 1    0.4225 (0.0013)  C>S  TCP FIN
> 
> Seems like snom doesn't offer compression methods...
> 
> regards 
> Andreas
> 
> 
> 
> -----Original Message-----
> From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at]
> Sent: Friday, 22 January 2010 16:07
> To: Andreas Rehbein
> Cc: sr-users at lists.sip-router.org
> Subject: Re: AW: AW: AW: AW: [SR-Users] TLS problems
> 
> I managed to have SNOM 320 registering at kamailio-3.0 via TLS. But I do 
> not have any crashes (openssl 0.9.8g-15+lenny6).
> 
> Andreas, when does the crash happen exactly: during TLS handshake or 
> afterwards (you can for example use "ssldump port 5061" to debug the TLS 
> connection)?
> 
> regards
> klaus
> 
> Andreas Rehbein wrote:
>> Hi Klaus,
>>
>> until now (OpenSER 1.3.x without client verification) it was not necessary
>> to import certs into snom. 
>> To force the snom to send Messages via tls, you need to insert something
>> like "192.168.0.89:5061;transport=tls" in the outbound proxy field (but I'm
>> sure you already knew)
>>
>> regards
>> Andreas
>>
>>
>> -----Original Message-----
>> From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at]
>> Sent: Friday, 22 January 2010 13:17
>> To: Andreas Rehbein
>> Cc: sr-users at lists.sip-router.org
>> Subject: Re: AW: AW: AW: [SR-Users] TLS problems
>>
>>
>>
>> Andreas Rehbein wrote:
>>> Hello Klaus,
>>>
>>> Linux: Red Hat Enterprise Linux 5; Kernel: 2.6.18-92.1.10.el5
>>> OpenSSL: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>> Hi Andreas!
>>
>> I fail to configure SNOM to accept the certificate. I imported the CA 
>> cert as trusted certificates, but TLS handshake is not successful. Is 
>> there something else I need to take care of?
>>
>> I'm quite sure my certificates are OK as it works with eyebeam and QjSimple.
>> regards
>> Klaus
>>
> 
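
An added example, not part of the original thread: a small Python summarizer for ssldump output like the two traces above. It reports the suites each client offered, the suite the server selected, and whether a ServerHello or application data was seen. The function names and the abridged sample traces are assumptions made for the example; the AES names are the standard names for the codes ssldump printed as "Unknown value".

```python
import re

# Names for the codes ssldump printed as "Unknown value" (the AES suites of RFC 3268).
AES = {0x2f: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x35: "TLS_RSA_WITH_AES_256_CBC_SHA",
       0x32: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 0x33: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
       0x38: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", 0x39: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}
WEAK = re.compile(r"_NULL_|_anon_|EXPORT|_DES_|RC2|RC4")  # no/anon/export/legacy crypto

def suite_name(text):
    """Map one ssldump suite line to a name, resolving 'Unknown value 0xNN'."""
    m = re.search(r"Unknown value 0x([0-9a-fA-F]+)|(TLS_\w+)", text)
    if not m:
        return None
    return m.group(2) or AES.get(int(m.group(1), 16), "0x" + m.group(1))

def summarize(trace):
    """Summarize one connection: suites offered, suite chosen, how far it got."""
    r = {"offered": [], "chosen": None, "server_hello": False, "app_data": False}
    in_offer = False
    for s in (line.strip() for line in trace.splitlines()):
        if s in ("cipher suites", "compression methods"):
            in_offer = s == "cipher suites"      # the offer ends at the next section
        elif in_offer and suite_name(s):
            r["offered"].append(suite_name(s))
        elif s.startswith("cipherSuite"):
            r["chosen"] = suite_name(s)           # ServerHello selection
        r["server_hello"] |= s == "ServerHello"
        r["app_data"] |= s.endswith("application_data")
    r["weak_offered"] = [n for n in r["offered"] if WEAK.search(n)]
    return r

# Sample input: the two traces from the message, abridged to a few suites and records.
SNOM = """1 1  0.2578 (0.2578)  C>S  Handshake
      ClientHello
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_NULL_SHA
        TLS_DH_anon_WITH_DES_CBC_SHA
        compression methods
1    0.4212 (0.1633)  S>C  TCP FIN"""
PHONER = """1 1  0.5784 (0.5784)  C>S  Handshake
      ClientHello
        cipher suites
        Unknown value 0x35
        TLS_RSA_WITH_RC4_128_MD5
        compression methods
1 2  0.5811 (0.0027)  S>C  Handshake
      ServerHello
        cipherSuite         Unknown value 0x35
1 10 0.5908 (0.0037)  C>S  application_data"""
```

Running `summarize` on a full capture works the same way; strip the leading `> ` quoting first if the trace is pasted from a reply.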