[SR-Users] Problem with TLS

Arik Halperin arik at mobilinq.io
Mon Jun 11 14:58:38 CEST 2018


Daniel Hello,

Pasted below, 200 OK  and Following ACK(Recorded at the client side via wireshark configured with private key)


BR,
Arik


Session Initiation Protocol (200)
    Status-Line: SIP/2.0 200 OK
    Message Header
        Via: SIP/2.0/TLS 192.168.2.2:48182;received=82.80.164.63;rport=33898;branch=z9hG4bKPjVppvYKQb4X5lJrYpod1wUN.j3KVLrEiT;alias
        Record-Route: <sips:10.168.10.227:5099;r2=on;lr=on;ftag=ZmXcXh6ReoLbMco46J0fCpKOHkUR1sWF;nat=yes>
        Record-Route: <sips:70.36.25.65:443;transport=tls;r2=on;lr=on;ftag=ZmXcXh6ReoLbMco46J0fCpKOHkUR1sWF;nat=yes>
        From: "number" <sips:17813000000 at XXXXXX.com<mailto:17813000000 at XXXXXX.com>>;tag=ZmXcXh6ReoLbMco46J0fCpKOHkUR1sWF
        To: <sips:1111111 at XXXXXX.com<mailto:1111111 at XXXXXX.com>>;tag=7t2StmvUeNpQD
        Call-ID: yekcL-0b2PhpgdQo52l921tjX1Z8wErH
        CSeq: 10885 INVITE
        Contact: <sip:1111111 at 10.168.10.200:5080;transport=tls>
        User-Agent: FreeSWITCH-mod_sofia/1.6.20+git~20180123T214909Z~987c9b9a2a~64bit
        Accept: application/sdp
        Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
        Require: timer
        Supported: timer, path, replaces
        Allow-Events: talk, hold, conference, refer
        Session-Expires: 1800;refresher=uac
        Content-Type: application/sdp
        Content-Disposition: session
        Content-Length: 1056
        Remote-Party-ID: "1111111" <sip:1111111 at XXXXXX.com>;party=calling;privacy=off;screen=no
    Message Body
        Session Description Protocol
            Session Description Protocol Version (v): 0
            Owner/Creator, Session Id (o): FreeSWITCH 1528683321 1528683322 IN IP4 70.36.25.66
            Session Name (s): FreeSWITCH
            Connection Information (c): IN IP4 70.36.25.66
            Time Description, active time (t): 0 0
            Session Attribute (a): msid-semantic: WMS V60mDk4CUtzxt4H5xDQPB48KjzMcYE1K
            Media Description, name and address (m): audio 37680 RTP/SAVP 107 96
            Media Attribute (a): ice-ufrag:b6TC1SdbiQd6k5GL
            Media Attribute (a): ice-pwd:NtGGa3jbPjvwRLASIklz2oAa
            Media Attribute (a): candidate:5807878115 1 udp 659136 10.168.10.200 38056 typ host generation 0
            Media Attribute (a): candidate:5807878115 2 udp 659135 10.168.10.200 38057 typ host generation 0
            Media Attribute (a): ssrc:3542382753 cname:ASW42RxMaWauQHpe
            Media Attribute (a): ssrc:3542382753 msid:V60mDk4CUtzxt4H5xDQPB48KjzMcYE1K a0
            Media Attribute (a): ssrc:3542382753 mslabel:V60mDk4CUtzxt4H5xDQPB48KjzMcYE1K
            Media Attribute (a): ssrc:3542382753 label:V60mDk4CUtzxt4H5xDQPB48KjzMcYE1Ka0
            Media Attribute (a): rtpmap:107 opus/48000/2
            Media Attribute (a): rtpmap:96 telephone-event/8000
            Media Attribute (a): fmtp:107 useinbandfec=1; minptime=10; maxptime=40
            Media Attribute (a): fmtp:96 0-16
            Media Attribute (a): sendrecv
            Media Attribute (a): rtcp:37681
            Media Attribute (a): crypto:1 AES_CM_128_HMAC_SHA1_80 inline:/KCNveJuRh5lQ+g3YWnyb2QwQhl0GgdmxtKAJ5G3
            Media Attribute (a): ptime:20
            Media Attribute (a): candidate:K6gXQsPK0KD4MsGa 1 UDP 2130706431 70.36.25.66 37680 typ host
            Media Attribute (a): candidate:K6gXQsPK0KD4MsGa 2 UDP 2130706430 70.36.25.66 37681 typ host
            Media Attribute (a): end-of-candidates




   1201 272.987349     192.168.2.2           70.36.25.65           SIP      695    Request: ACK sip:1111111 at 10.168.10.200:5080;transport=tls |     1201

Frame 1201: 695 bytes on wire (5560 bits), 695 bytes captured (5560 bits) on interface 0
Ethernet II, Src: Htc_50:62:7b (ac:37:43:50:62:7b), Dst: 9a:01:a7:d9:66:64 (9a:01:a7:d9:66:64)
Internet Protocol Version 4, Src: 192.168.2.2, Dst: 70.36.25.65
Transmission Control Protocol, Src Port: 48182, Dst Port: 443, Seq: 8791, Ack: 10303, Len: 629
Secure Sockets Layer
Session Initiation Protocol (ACK)
    Request-Line: ACK sip:1111111 at 10.168.10.200:5080;transport=tls SIP/2.0
    Message Header
        Via: SIP/2.0/TLS 192.168.2.2:48182;rport;branch=z9hG4bKPjFpv1IqHt9ON8nS6zOYuUZ5HxhNTDTBq7;alias
        Max-Forwards: 70
        From: "number" <sips:17813000000 at XXXXXXXX.com<mailto:17813000000 at XXXXXXXX.com>>;tag=ZmXcXh6ReoLbMco46J0fCpKOHkUR1sWF
        To: sips:1111111 at XXXXXXX.com<mailto:1111111 at XXXXXXX.com>;tag=7t2StmvUeNpQD
        Call-ID: yekcL-0b2PhpgdQo52l921tjX1Z8wErH
        CSeq: 10885 ACK
        Route: <sips:70.36.25.65:443;transport=tls;lr;r2=on;ftag=ZmXcXh6ReoLbMco46J0fCpKOHkUR1sWF;nat=yes>
        Route: <sips:10.168.10.227:5099;lr;r2=on;ftag=ZmXcXh6ReoLbMco46J0fCpKOHkUR1sWF;nat=yes>
        Content-Length:  0


On 11 Jun 2018, at 13:32, Daniel-Constantin Mierla <miconda at gmail.com<mailto:miconda at gmail.com>> wrote:


Hello,

can you paste here the 200OK for INVITE sent out by kamailio and the ACK received by kamailio?

Cheers,
Daniel

On 11.06.18 09:51, Arik Halperin wrote:
Daniel, Thank you!

You are right about this.

I configured PJSIP not to check whether the contact contains SIPS.

This solved the problem on one of my setups where I have one NIC that has a public IP.

However on the original setup, the kamailio has one public IP and one private IP. In that setup, the ACK to the 200 OK is not forwarded over the private IP to the freeswitch. This only happens in TLS, when I work with TCP it works well. I believe it is somehow connected to the record route, and I’m looking into PJSIP to try to find the answer, but is there anything I could do in the kamailio?

I have the same problems with other SIP clients(Bria for example)


Thanks,
Arik Halperin

On 11 Jun 2018, at 9:43, Daniel-Constantin Mierla <miconda at gmail.com<mailto:miconda at gmail.com>> wrote:


Hello,

Kamailio is not involved in the issue reported here. Practically, pjsip expects sips: scheme in the contact URI, which was set by FreeSwitch in 200ok. Maybe there is an option that you have to turn on for FreeSwitch to use sips: scheme.

Otherwise, you can try to replace sip with sips in kamailio config and do the reverse the other way.

Cheers,
Daniel

On 05.06.18 06:56, Arik Halperin wrote:
Hello,

I’m using TLS

After receiving 200OK from kamailio:

r2voip.clear2voipdialer I/(NativeSdk_2_0) 1528174138320 PJSIP: (NativeSdk_2_0) 1528174138320 PJSIP:2018-05 07:48:58.319   pjsua_core.c RX 2203 bytes Response msg 200/INVITE/cseq=8107 (rdata0x7a2c56fb38) from TLS 70.36.25.65:443:
                                                                                                               SIP/2.0 200 OK
                                                                                                               Via: SIP/2.0/TLS 10.134.232.109:44097;received=109.253.173.146;rport=31373;branch=z9hG4bKPj4MV5llP9SW5ufk-OcFB-Qh78PmIQFrRk;alias
                                                                                                               Record-Route: <sips:10.168.10.227:5099;r2=on;lr=on;ftag=mgMLDFMLmCZGzcpASoODG8XgeFJVtcRO;nat=yes>
                                                                                                               Record-Route: <sips:70.36.25.65:443;transport=tls;r2=on;lr=on;ftag=mgMLDFMLmCZGzcpASoODG8XgeFJVtcRO;nat=yes>
                                                                                                               From: "number" <sips:972523391991 at XXXXXXX.com<mailto:972523391991 at kamprod.telemessage.com>>;tag=mgMLDFMLmCZGzcpASoODG8XgeFJVtcRO
                                                                                                               To: <sips:1111111 at XXXXXX.com<mailto:1111111 at kamprod.telemessage.com>>;tag=64H63g861ajHj
                                                                                                               Call-ID: Sq4jR85o3Caz2XTXo-71FKAdbJ1x9vz2
                                                                                                               CSeq: 8107 INVITE
                                                                                                               Contact: <sip:1111111 at 10.168.10.200:5080;transport=tls>
                                                                                                               User-Agent: FreeSWITCH-mod_sofia/1.6.20+git~20180123T214909Z~987c9b9a2a~64bit
                                                                                                               Accept: application/sdp
                                                                                                               Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
                                                                                                               Require: timer
                                                                                                               Supported: ti


PJSIP responds with:

Secure dialog requires SIPS scheme in Contact and Record-Route headers, ending the session

What is the reason for this? How can I fix this issue?

Thanks,
Arik Halperin



_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users at lists.kamailio.org<mailto:sr-users at lists.kamailio.org>
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users



--
Daniel-Constantin Mierla -- www.asipto.com<http://www.asipto.com/>
www.twitter.com/miconda<http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda<http://www.linkedin.com/in/miconda>
Kamailio World Conference -- www.kamailioworld.com<http://www.kamailioworld.com/>



--
Daniel-Constantin Mierla -- www.asipto.com<http://www.asipto.com/>
www.twitter.com/miconda<http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda<http://www.linkedin.com/in/miconda>
Kamailio World Conference -- www.kamailioworld.com<http://www.kamailioworld.com/>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20180611/1fd9634d/attachment.html>


More information about the sr-users mailing list