[SR-Users] sip over tls is not working

Aft nix aftnix at gmail.com
Wed Jul 11 16:22:06 CEST 2012


On Wed, Jul 11, 2012 at 6:25 PM, Klaus Darilion
<klaus.mailinglists at pernau.at> wrote:
> Does it work with your web browser?
>
> https://ip.address.ofyour.proxy:5061/
>
> At least the TLS handshake should work.
>

Yes, I've tested it that way. It shows server not found. I think the
problem is not related to
TLS. The TCP connection is not established in the first place. You
will get a hint of this
by reading the debug log I gave in my initial mail.

> If you add the following snippet to your config you should also see the
> response in your browser:
>
> event_route[xhttp:request] {
>         xhttp_reply("200", "OK", "text/html", "<html><body>OK - $hu - [$si:$sp]</body></html>");
> }
>
>
> regards
> Klaus
>
>
>
> On 10.07.2012 12:44, Aft nix wrote:
>>
>> On Mon, Jul 9, 2012 at 10:24 PM, Daniel-Constantin Mierla
>> <miconda at gmail.com> wrote:
>>>
>>> Hello,
>>>
>>> also, can you provide more details about the case? Is it with the very
>>> first
>>> connection or you do some load testing and at some point you get this
>>> issue?
>>>
>>
>> No, it's not a part of load testing. It happens on the first connection.
>>
>>> Can you reproduce it always?
>>
>>
>> Yes, I can reproduce it.
>>
>>> Do you set different number of workers per
>>> socket? What is the output of 'kamctl ps'?
>>
>>
>> No. Both are 4 (udp and tls).
>>
>> I have downgraded the lab machine to do some testing, so I can't give
>> the kamctl ps of the faulty
>> installation at this moment. kamailio-3.2.x is deployed on our
>> production servers, and it worked flawlessly.
>>
>> This is the output of kamctl ps from a 3.2.x. It uses the same config
>> file as I was using with the git master branch.
>>
>> [root at server kamailio-3.2.3]# kamctl ps
>> Process::  ID=0 PID=31109 Type=attendant
>> Process::  ID=1 PID=31110 Type=udp receiver child=0 sock=<IP>:<PORT>
>> Process::  ID=2 PID=31111 Type=udp receiver child=1 sock=<IP>:<PORT>
>> Process::  ID=3 PID=31112 Type=udp receiver child=2 sock=<IP>:<PORT>
>> Process::  ID=4 PID=31113 Type=udp receiver child=3 sock=<IP>:<PORT>
>> Process::  ID=5 PID=31114 Type=slow timer
>> Process::  ID=6 PID=31115 Type=timer
>> Process::  ID=7 PID=31116 Type=MI FIFO
>> Process::  ID=8 PID=31117 Type=ctl handler
>> Process::  ID=9 PID=31118 Type=TIMER NH
>> Process::  ID=10 PID=31119 Type=tcp receiver child=0
>> Process::  ID=11 PID=31120 Type=tcp receiver child=1
>> Process::  ID=12 PID=31121 Type=tcp receiver child=2
>> Process::  ID=13 PID=31122 Type=tcp receiver child=3
>> Process::  ID=14 PID=31123 Type=tcp main process
>>
>>>
>>> Have you tried with 3.3 branch as well or just master branch?
>>>
>>
>> I've got this in the master branch. I haven't tried it with the 3.3 branch.
>>
>> On a side note, a similar issue was reported by a guy earlier this year
>> on this list, which went
>> unnoticed. Here is the link to that mail:
>>
>> http://lists.sip-router.org/pipermail/sr-users/2012-April/072683.html
>>
>> His issue seems similar to mine.
>>
>> Cheers
>>>
>>> Cheers,
>>> Daniel
>>>
>>>
>>> On 7/9/12 3:04 PM, Klaus Darilion wrote:
>>>>
>>>>
>>>> Use wireshark to analyze the TLS handshake
>>>>
>>>> regards
>>>> klaus
>>>>
>>>> On 09.07.2012 13:27, Aft nix wrote:
>>>>>
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have enabled tls parameters as follows:
>>>>>
>>>>> in kamailio.cfg
>>>>>
>>>>> listen = tls:<IP>:<PORT>
>>>>>
>>>>> in tls.cfg
>>>>>
>>>>> [server:<IP>:<PORT>]
>>>>> method = TLSv1
>>>>> verify_certificate = no
>>>>> require_certificate = no
>>>>> private_key = /usr/local/etc/kamailio/kamailio-selfsigned.key
>>>>> certificate = /usr/local/etc/kamailio/kamailio-selfsigned.pem
>>>>>
>>>>> Now if I try to connect to this interface using openssl s_client, it
>>>>> does connect,
>>>>> but now server certificate is sent from kamailio.
>>>>>
>>>>> kamailio log shows this :
>>>>>
>>>>>     <core> [ip_addr.c:247]: tcpconn_new: new tcp connection: <CLIENT IP>
>>>>>     <core> [tcp_main.c:1089]: tcpconn_new: on port 40727, type 3
>>>>>     <core> [tcp_main.c:1400]: tcpconn_add: hashes: 2614:2652:2494, 2
>>>>>     <core> [io_wait.h:390]: DBG: io_watch_add(0x82535e0, 23, 2, 0xb5701580), fd_no=11
>>>>>     <core> [io_wait.h:617]: DBG: io_watch_del (0x82535e0, 23, -1, 0x0) fd_no=12 called
>>>>>     <core> [tcp_main.c:4296]: tcp: DBG: sending to child, events 1
>>>>>     <core> [tcp_main.c:3963]: WARNING: send2child: no free tcp receiver, connection passed to the least busy one (3289651)
>>>>>     <core> [tcp_main.c:3967]: selected tcp worker 0 0(8) for activity on [tls:<IP>:<PORT>], 0xb5701580
>>>>>     <core> [tcp_main.c:3576]: BUG: handle_ser_child: fd -1 for 0 (pid 2491)
>>>>>
>>>>> I'm using kamailio from git. It's updated to the latest.
>>>>> Thanks in advance.
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>>>> sr-users at lists.sip-router.org
>>>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>>
>>>
>>> --
>>> Daniel-Constantin Mierla - http://www.asipto.com
>>> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>>> Kamailio Advanced Training, Seattle, USA, Sep 23-26, 2012 -
>>> http://asipto.com/u/katu
>>> Kamailio Practical Workshop, Netherlands, Sep 10-12, 2012 -
>>> http://asipto.com/u/kpw
>>>
>>
>>
>>
>



-- 
-aft
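
Added example, not part of the original thread and not Kamailio code: a small probe that reports whether a connection attempt to a TLS listener fails at the TCP stage or at the TLS handshake, which is the distinction discussed above. The function names (`probe`, `closing_listener`, `unused_port`) and the loopback test listener are constructed for illustration.

```python
import socket
import ssl
import threading

def probe(host, port, timeout=3.0):
    """Return (stage, detail) naming the stage at which the attempt stopped."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("tcp_failed", str(exc))          # refused, unreachable, timed out
    # Diagnostic probe: the listener in the thread uses a self-signed
    # certificate, so chain and hostname verification are switched off here.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw) as tls:
            cert = tls.getpeercert(binary_form=True)
            if not cert:
                return ("no_server_certificate", tls.version())
            return ("tls_ok", f"{tls.version()}, {len(cert)}-byte certificate")
    except (ssl.SSLError, OSError) as exc:
        raw.close()
        return ("tls_handshake_failed", str(exc))  # TCP accepted, TLS never completed

def closing_listener():
    """Constructed stand-in: accepts one TCP connection and drops it without TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

def unused_port():
    """Constructed helper: a loopback port with nothing listening on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    print(probe("127.0.0.1", unused_port()))
    print(probe("127.0.0.1", closing_listener()))
```

A `tcp_failed` result points at listener, routing or firewall problems; `tls_handshake_failed` means the socket was accepted and the fault lies in what happens to the connection afterwards.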


