[SR-Users] dispatcher and TLS targets

Shaheryarkh shaheryarkh at gmail.com
Mon Jun 17 22:01:36 CEST 2019


      
  

 Many things can go wrong with tls setup, for example,
  

  
1. TLS server is listening on different port then you are trying to connect to.    Seems you are try to connect to defauly sip port for tls connection to destination where as it is usually 5061 port used for sip tls.
  

  
2. Your kamailio and remote sbc do not agree on TLS protocol. Check if remote accept TLSv1.0 commections and do not force old / obsolete SSLv23.
  

  
3. Remote only allows verifiable certificates but you seem to be using self-signed certificates.
  

  
If all of this does not work then run kamailio with debug logging enabled and see what errors kamailio prints out about connection. You can post those error logs here for further discussion.
  

  
Hope this helps.
  

  
Thank you.
  

  
  

  
  
>   
> On Jun 17, 2019 at 7:10 PM,  <Karsten Horsmann (mailto:khorsmann at gmail.com)>  wrote:
>   
>   
>   
>   
> Hi all,
>   
>
>   
> i try to configure an SBC OS config [1] based kamailio 5.2.3 [2] with dispatcher and rtpengine.
>   
> I used transport=tcp to see the plain traffic and then switched to TLS (with tls.cfg, valid certificate and stuff).
>   
>
>   
> After starting up, the Target is marked as "down".
>   
> Due the encryption its hard to debug that.     
>   
> Any hints? Did i made an mistake in the configuration?
>   
>
>   
> TLS calls from the target to my kamailio proxy works. So its "half broken" :) at the moment.
>   
>
>   
> [1]
>   
>  https://github.com/voiceboys/sbcOS/blob/master/SbcOS/configs/voice/kamailio/kamailio.cfg     
>     
>
>   
> [2]
>   
> kamailio -v
>   
> version: kamailio 5.2.3 (x86_64/linux) c36229
>  flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
>  ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144 MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
>  poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
>  id: c36229
>  compiled on 11:28:11 May 22 2019 with gcc 4.8.5
>   
>   
>  -- %<  --------------------- kamctl dispatcher dump
>                  "SET":    {
>                      "ID": 1004,
>                      "TARGETS":    [{
>                              "DEST": {
>                                  "URI":    "sip:sip101.example.de (http://sip101.example.de);transport=tls",
>                                  "FLAGS":    "TP",
>                                  "PRIORITY": 0,
>                                  "ATTRS":    {
>                                      "BODY": "access=212.xx.xx.xx:5061;socket=tls:212.xx.xx.xx:5061;weight=100;ping_from=sip:mykamailio.example.de (http://mykamailio.example.de)",
>                                      "DUID": "",
>                                      "MAXLOAD":    0,
>                                      "WEIGHT": 100,
>                                      "RWEIGHT":    0,
>                                      "SOCKET": "tls:212.xx.xx.xx:5061"
>                                  },
>                                  "LATENCY":    {
>                                      "AVG":    30000,
>                                      "STD":    0,
>                                      "EST":    30000,
>                                      "MAX":    30000,
>                                      "TIMEOUT":    1
>                                  }
>                              }
>                          }]
>                  }
>              },
>  -- %<  --------------------- kamctl dispatcher dump     
>   
>           
>     WARNING:  <script>: Destination down: OPTIONS ru=sip101.example.de (http://sip101.example.de);transport=tls du=<null>   
>
>   
>
>   
> -- %<  --------------------- tls.cfg
>   
> [server:default]
>  method = TLSv1
>  verify_certificate = no
>  require_certificate = no
>  private_key = /etc/pki/tls/private/mykamailio.example.de.pem
>  certificate = /etc/pki/tls/private/mykamailio.example.de.pem
>  server_name =  mykamailio.example.de (http://mykamailio.example.de)
>   
>  [server:212.xx.xx.xx:5061]
>  method = TLSv1+
>  verify_certificate = no
>  require_certificate = no
>   
>  private_key = /etc/pki/tls/private/mykamailio.example.de.pem
>  certificate = /etc/pki/tls/private/mykamailio.example.de.pem
>  server_name =  mykamailio.example.de (http://mykamailio.example.de)
>   
>  # This is the default client domain, settings
>  # in this domain will be used for all outgoing
>  # TLS connections that do not match any other
>  # client domain in this configuration file.
>  # We require that servers present valid certificate.
>  #
>   
>  [client: 212.xx.xx.xx:5061]
>  method = TLSv1+
>  verify_certificate = no
>  require_certificate = no
>   
>  private_key = /etc/pki/tls/private/mykamailio.example.de.pem
>  certificate = /etc/pki/tls/private/mykamailio.example.de.pem
>  server_name =  mykamailio.example.de (http://mykamailio.example.de)
>   
>  [client:default]
>  verify_certificate = no
>  require_certificate = no
>   
>
>   
> -- %<  --------------------- tls.cfg     
>   
>
>   
> Cheers Karsten
>   
>
>  --
>   
> Mit freundlichen Grüßen
>  *Karsten Horsmann*
>        _______________________________________________ Kamailio (SER) - Users Mailing List sr-users at lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users            
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20190617/c8a6a0ad/attachment.html>


More information about the sr-users mailing list