[SR-Users] forced tls over tcp

Colin Morelli colin.morelli at gmail.com
Mon May 15 15:25:58 CEST 2017


Hi David,

This isn't an answer to your question - I'm not sure I have one for you
right now.

However, I've seen a few messages from you now about trying to get this
sips/sip stuff working, and I'm curious to know why you're jumping through
these hoops to make this work? The entire purpose of sips is that it should
be encrypted end to end. Is there a point in pretending to the client as
though they're using sips when they're actually using an insecure
connection in the middle? Is there a particular client you're trying to
cooperate with that needs this? You can still get TLS working over the
public side of the connection (using ;transport=tls in the SIP URI), while
allowing for insecure transports in your private network. This seems to be
ultimately what you want.

I'm sure you can get this to work, and I'm sure there's an answer - it just
seems like you're going to end up with something fairly fragile. It seems
like something you'd want to avoid unless you absolutely can't.

Best,
Colin

On Mon, May 15, 2017 at 9:20 AM, David Villasmil <
david.villasmil.work at gmail.com> wrote:

> Hello guys,
>
> I'm listening on port 443 for tls and 5111 for tcp.
>
> Client registers on 443 and makes a call over tls which kamailio forwards
> over tcp.
>
> Because freeswitch doesn't support "sips" yet, when replies come back from
> freeswitch (which has contact set as "sip:"), I manually change that to "sips:"
> for the client to not die with "SIPS Required".
>
> Call is established and the client responds with ACK. At this point I need
> to change back the contact "sips:" to "sip:".
>
> This is the route that changes it:
>
> route[FIXCONTACT] {
>
>     # This is freeswitch sending a message, so we change "sip:" to "sips:"
>     xlog("L_ERR","[FIXCONTACT]: User-Agent is: $ua\n");
>
>     if( $ua =~ "^FreeSWITCH" ) {
>         if( subst('/^(Contact:.*)sip:/\1sips:/') ) {
>             xlog("L_ERR","[FIXCONTACT]: Method $rm Status $rs Changed contact coming from freeSWITCH from sip to sips [$ct]!\n");
>         }
>     # Else it is the client, so we change it back from "sips:" to "sip:"
>     } else {
>         if( subst("/^(Contact:.*)sips:/\1sip:/") ) {
>             xlog("L_ERR","[FIXCONTACT]: Method $rm Status $rs Changed contact coming from CLIENT from sips to sip [$ct]!\n");
>         }
>     }
>     return;
> }
>
> When kamailio is preparing to send out the ACK via TCP I'm seeing:
>
> [forward.c:268]: get_send_socket2(): protocol/port mismatch
>
> And I really don't know why it's doing this...
>
> Help is appreciated!
>
>
> Regards,
>
> David Villasmil
> email: david.villasmil.work at gmail.com
> phone: +34669448337
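
The trade-off discussed in this thread, as an added example that is not part of the original messages: a small Python check that compares a message as the proxy received it with the same message as forwarded, and reports when a sips: Contact is downgraded or sent over a non-TLS transport, while staying silent for sip: URIs that only carry ;transport=tls. The function names, hosts and sample messages are constructed for illustration.

```python
import re

# First URI in a Contact header (long form or compact "m:"), e.g. <sips:alice@host;transport=tcp>
CONTACT_RE = re.compile(r"^(?:Contact|m)\s*:.*?\b(sips?):([^>\s]*)", re.I | re.M)

def contact_security(message):
    """Return 'sips', 'sip+tls' (sip: with ;transport=tls), 'sip', or None if no Contact."""
    m = CONTACT_RE.search(message)
    if not m:
        return None
    if m.group(1).lower() == "sips":
        return "sips"
    params = m.group(2).lower().split(";")[1:]
    return "sip+tls" if "transport=tls" in params else "sip"

def audit_hop(in_transport, in_msg, out_transport, out_msg):
    """Compare one message as received and as forwarded by the proxy (hypothetical helper)."""
    findings = []
    before, after = contact_security(in_msg), contact_security(out_msg)
    if before == "sips" and after != "sips":
        findings.append("Contact downgraded from sips:")
    if before == "sips" and out_transport.lower() != "tls":
        findings.append("sips message forwarded over " + out_transport)
    if before != "sips" and after == "sips" and in_transport.lower() != "tls":
        findings.append("Contact advertised as sips: for a peer reached over " + in_transport)
    return findings

# Constructed sample messages, trimmed to the headers the check reads.
CLIENT_ACK = "ACK sips:bob@pbx.example SIP/2.0\r\nContact: <sips:alice@192.0.2.10:50123>\r\n\r\n"
PROXY_ACK = CLIENT_ACK.replace("sips:", "sip:")
FS_200 = ("SIP/2.0 200 OK\r\nUser-Agent: FreeSWITCH\r\n"
          "Contact: <sip:bob@10.0.0.2:5060;transport=tcp>\r\n\r\n")
PROXY_200 = FS_200.replace("sip:", "sips:")
TLS_PARAM_INVITE = ("INVITE sip:bob@pbx.example;transport=tls SIP/2.0\r\n"
                    "Contact: <sip:alice@192.0.2.10:50123;transport=tls>\r\n\r\n")

if __name__ == "__main__":
    print(audit_hop("tls", CLIENT_ACK, "tcp", PROXY_ACK))
    print(audit_hop("tcp", FS_200, "tls", PROXY_200))
    print(audit_hop("tls", TLS_PARAM_INVITE, "tcp", TLS_PARAM_INVITE))
```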