[SR-Users] forced tls over tcp

David Villasmil david.villasmil.work at gmail.com
Mon May 15 15:29:58 CEST 2017


Hello Colin,

While I completely agree with you, this is what the client wants, as he
already has this working with asterisk (which was patched to support this),
and he doesn't want to change the architecture... what can I say?

The tcp leg is on a private network, by the way.

David
On Mon, May 15, 2017 at 3:26 PM Colin Morelli <colin.morelli at gmail.com>
wrote:

> Hi David,
>
> This isn't an answer to your question - I'm not sure I have one for you
> right now.
>
> However, I've seen a few messages from you now about trying to get this
> sips/sip stuff working, and I'm curious to know why you're jumping through
> these hoops to make this work? The entire purpose of sips is that it should
> be encrypted end to end. Is there a point in pretending to the client as
> though they're using sips when they're actually using an insecure
> connection in the middle? Is there a particular client you're trying to
> cooperate with that needs this? You can still get TLS working over the
> public side of the connection (using ;transport=tls in the SIP URI), while
> allowing for insecure transports in your private network. This seems to be
> ultimately what you want.
>
> I'm sure you can get this to work, and I'm sure there's an answer - it
> just seems like you're going to end up with something fairly fragile. It
> seems like something you'd want to avoid unless you absolutely can't.
>
> Best,
> Colin
>
> On Mon, May 15, 2017 at 9:20 AM, David Villasmil <
> david.villasmil.work at gmail.com> wrote:
>
>> Hello guys,
>>
>> I'm listening on port 443 for tls and 5111 for tcp.
>>
>> Client registers on 443 and makes a call over tls which kamailio forwards
>> over tcp.
>>
>> Because freeswitch doesn't support "sips" yet, when replies come back
>> from freeswitch (which contact set as "sip:") I manually change that to
>> "sips:" for the client to not die with "SIPS Required".
>>
>> Call is established and the client responds with ACK. At this point I
>> need to change back the contact "sips:" to "sip:".
>>
>> This is the route that changes it:
>>
>> route[FIXCONTACT] {
>>
>>     # This is freeswitch sending a message, so we change "sip:" to "sips:"
>>     xlog("L_ERR","[FIXCONTACT]: User-Agent is: $ua\n");
>>
>>     if( $ua =~ "^FreeSWITCH" ) {
>>         if( subst('/^(Contact:.*)sip:/\1sips:/') ) {
>>             xlog("L_ERR","[FIXCONTACT]: Method $rm Status $rs Changed contact coming from freeSWITCH from sip to sips [$ct]!\n");
>>         }
>>     # Else it is the client, so we change it back from "sips:" to "sip:"
>>     } else {
>>         if( subst("/^(Contact:.*)sips:/\1sip:/") ) {
>>             xlog("L_ERR","[FIXCONTACT]: Method $rm Status $rs Changed contact coming from CLIENT from sips to sip [$ct]!\n");
>>         }
>>     }
>>     return;
>> }
>>
>> When kamailio is preparing to send out the ACK via TCP I'm seeing:
>>
>> [forward.c:268]: get_send_socket2(): protocol/port mismatch
>>
>> And I really don't know why it's doing this...
>>
>> Help is appreciated!
>>
>>
>> Regards,
>>
>> David Villasmil
>> email: david.villasmil.work at gmail.com
>> phone: +34669448337
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>>