[SR-Users] dispatcher and TLS targets

Karsten Horsmann khorsmann at gmail.com
Mon Jun 17 22:25:46 CEST 2019


Hi,

The certificate is okay on the Kamailio side (it's a valid one) and the remote
side is also mine (self-generated CA).

For testing I found that setup better :) and the remote side uses TLSv1 in
FreeSWITCH.

Tested both SIP servers with a SIP client, works.

Tcpdump on both ends shows me that traffic is sent / received due to the
OPTIONS pings.

And the debug stuff doesn't show me the right hint at this moment.

Shaheryarkh <shaheryarkh at gmail.com> wrote on Mon., 17 June 2019, 22:02:

> Many things can go wrong with a TLS setup, for example:
>
> 1. The TLS server is listening on a different port than the one you are
> trying to connect to. It seems you are trying to connect to the default SIP
> port for the TLS connection to the destination, whereas port 5061 is usually
> used for SIP TLS.
>
> 2. Your Kamailio and the remote SBC do not agree on the TLS protocol. Check
> whether the remote accepts TLSv1.0 connections and does not force old /
> obsolete SSLv23.
>
> 3. The remote only allows verifiable certificates, but you seem to be using
> self-signed certificates.
>
> If none of this works, then run Kamailio with debug logging enabled and see
> what errors Kamailio prints out about the connection. You can post those
> error logs here for further discussion.
>
> Hope this helps.
>
> Thank you.
>
>
> On Jun 17, 2019 at 7:10 PM, Karsten Horsmann <khorsmann at gmail.com>
> wrote:
>
> Hi all,
>
> I'm trying to configure a Kamailio 5.2.3 [2] based on the SBC OS config [1]
> with dispatcher and rtpengine.
> I used transport=tcp to see the plain traffic and then switched to TLS
> (with tls.cfg, a valid certificate and so on).
>
> After starting up, the target is marked as "down".
> Due to the encryption it's hard to debug that.
> Any hints? Did I make a mistake in the configuration?
>
> TLS calls from the target to my Kamailio proxy work. So it's "half broken"
> :) at the moment.
>
> [1]
>
> https://github.com/voiceboys/sbcOS/blob/master/SbcOS/configs/voice/kamailio/kamailio.cfg
>
>
> [2]
> kamailio -v
> version: kamailio 5.2.3 (x86_64/linux) c36229
> flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS,
> DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC,
> Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX,
> FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR,
> USE_DST_BLACKLIST, HAVE_RESOLV_RES
> ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144 MAX_URI_SIZE 1024,
> BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
> poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
> id: c36229
> compiled on 11:28:11 May 22 2019 with gcc 4.8.5
>
>
> -- %< --------------------- kamctl dispatcher dump
>         "SET":  {
>           "ID": 1004,
>           "TARGETS":  [{
>               "DEST": {
>                 "URI":  "sip:sip101.example.de;transport=tls",
>                 "FLAGS":  "TP",
>                 "PRIORITY": 0,
>                 "ATTRS":  {
>                   "BODY":
> "access=212.xx.xx.xx:5061;socket=tls:212.xx.xx.xx:5061;weight=100;ping_from=sip:
> mykamailio.example.de",
>                   "DUID": "",
>                   "MAXLOAD":  0,
>                   "WEIGHT": 100,
>                   "RWEIGHT":  0,
>                   "SOCKET": "tls:212.xx.xx.xx:5061"
>                 },
>                 "LATENCY":  {
>                   "AVG":  30000,
>                   "STD":  0,
>                   "EST":  30000,
>                   "MAX":  30000,
>                   "TIMEOUT":  1
>                 }
>               }
>             }]
>         }
>       },
> -- %< --------------------- kamctl dispatcher dump
>
>  WARNING: <script>: Destination down: OPTIONS ru=sip101.example.de;transport=tls
> du=<null>
>
>
> -- %< --------------------- tls.cfg
> [server:default]
> method = TLSv1
> verify_certificate = no
> require_certificate = no
> private_key = /etc/pki/tls/private/mykamailio.example.de.pem
> certificate = /etc/pki/tls/private/mykamailio.example.de.pem
> server_name = mykamailio.example.de
>
> [server:212.xx.xx.xx:5061]
> method = TLSv1+
> verify_certificate = no
> require_certificate = no
>
> private_key = /etc/pki/tls/private/mykamailio.example.de.pem
> certificate = /etc/pki/tls/private/mykamailio.example.de.pem
> server_name = mykamailio.example.de
>
> # This is the default client domain, settings
> # in this domain will be used for all outgoing
> # TLS connections that do not match any other
> # client domain in this configuration file.
> # We require that servers present valid certificate.
> #
>
> [client: 212.xx.xx.xx:5061]
> method = TLSv1+
> verify_certificate = no
> require_certificate = no
>
> private_key = /etc/pki/tls/private/mykamailio.example.de.pem
> certificate = /etc/pki/tls/private/mykamailio.example.de.pem
> server_name = mykamailio.example.de
>
> [client:default]
> verify_certificate = no
> require_certificate = no
>
> -- %< --------------------- tls.cfg
>
> Cheers Karsten
>
> --
> Kind regards
> *Karsten Horsmann*
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
>