[SR-Users] relay sip-tls vs sips-tcp

beer Ll llcfhllml at gmail.com
Thu Oct 20 09:22:07 CEST 2022


Hi James

Thanks, you confirm my idea.

I will write to the UAC developers to check this problem and ask them to fix it.

Is it safer to use sip-tls or sips-tcp?

Best Regards
Leo

On Wed, Oct 19, 2022 at 2:07 PM James Browne <james at frideo.com> wrote:

> You make calls using SIP over TLS and it's OK.
> You make calls using SIPS and it's not OK.
>
> The 200-OK Contact is this
> - Contact: <sip:172.16.0.2:5060>
>
> The RURI in the ACK is this.
> - sips:172.16.0.2:5060;transport=tcp SIP/2.0
>
> The client should be using _exactly_ the same URI in the ACK as was in the
> Contact in the 200-OK response. The client is getting it wrong (
> https://datatracker.ietf.org/doc/html/rfc3261#section-12.2.1.1).
>
> With the ACK, the Routeset is this.
> - ACK sips:172.16.0.2:5060;transport=tcp SIP/2.0
> - Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
> - Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
>
> This is asking kamailio to send the ACK to 172.16.0.2 over TLS on port
> 5060 (from the RURI), but use a UDP socket to do it (the second Route
> header field). This can't work. The client should be fixed.
> (Else you may try getting asterisk to use sips, but maybe that's not going
> to be easy.)
>
> James
>
> On Thu, 13 Oct 2022 at 06:30, beer Ll <llcfhllml at gmail.com> wrote:
>
>> Hi everyone,
>> I'm using Kamailio as TLS gateway/filter for an internal Asterisk server
>>
>> the network schema is  :
>>
>> UAC (tls) --- INTERNET --- (tls) KAMAILIO (sip udp) --- LAN --- (sip udp) ASTERISK
>>
>> with kamailio in multi-homed mode
>>
>> WAN network interface for sip tls
>> LAN network interface for sip udp  to asterisk server
>>
>>
>> UAC address 80.0.0.1
>> KAMAILIO Wan address 80.0.0.2
>>
>> KAMAILIO Lan address 172.16.0.2
>> ASTERISK Lan address 172.16.0.3
>>
>>
>>
>> SIP-TLS call example
>> If the UAC uses tls(sip), all works well
>>
>> [image: sip-ok-small.jpeg]
>>
>> SIPS call example
>> If the same UAC uses its default settings tls(sips), there are problems
>> with the ACK and BYE packets
>>
>> [image: sip-ko-small.jpeg]
>> the SIP OK SDP packet from kamailio to UAC  is
>>
>> 2022/10/10 09:28:47.854721 80.0.0.2:5061 -> 80.0.0.1:49992
>> SIP/2.0 200 OK
>> Via: SIP/2.0/TLS 192.168.0.1:49992;rport=49992;received=80.0.0.1;branch=z9hG4bKM01j360VrBdH5VSV
>> Record-Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
>> Record-Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
>> Call-ID: 1EC2AB679C1EA1BAB60FD03B09F878020B12D3E7
>> From: <sips:200 at pbx.voip.com>;tag=F798336AA08EF9FCFA89D3BDFE0C8C8F
>> To: <sips:*43 at pbx.voip.com>;tag=961d0e22-a4f0-453c-9870-6a41578afc96
>> CSeq: 2 INVITE
>> Contact: <sip:172.16.0.2:5060>
>> P-Asserted-Identity: "xxxxxxxxx" <sips:*43 at pbx.voip.com>
>> Content-Type: application/sdp
>>
>>
>> and the UAC sends the ACK and BYE from a different tcp port and to:
>> sips:172.16.0.2:5060;transport=tcp
>>
>>
>> 2022/10/10 09:28:48.495365 80.0.0.1:49996 -> 80.0.0.2:5061
>> ACK sips:172.16.0.2:5060;transport=tcp SIP/2.0
>> Via: SIP/2.0/TLS 192.168.0.1:49996;branch=z9hG4bKppftdQze20lnwT41;rport
>> Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
>> Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
>> Max-Forwards: 70
>> To: <sips:*43 at pbx.voip.com>;tag=961d0e22-a4f0-453c-9870-6a41578afc96
>> From: <sips:200 at pbx.voip.com>;tag=F798336AA08EF9FCFA89D3BDFE0C8C8F
>> Call-ID: 1EC2AB679C1EA1BAB60FD03B09F878020B12D3E7
>> CSeq: 2 ACK
>>
>>
>> kamailio error log
>> WARNING:  <core> [core/forward.c:229]: get_send_socket2(): protocol/port mismatch (forced udp:172.16.0.2:5060, to tls:172.16.0.3:5060)
>>
>>
>>
>>
>> How can I solve this ?
>>
>> Best Regards
>>
>> Leo
>>
>> __________________________________________________________
>> Kamailio - Users Mailing List - Non Commercial Discussions
>> sr-users at lists.kamailio.org
>> Important: keep the mailing list in the recipients, do not reply only to
>> the sender!
>> Edit mailing list options or unsubscribe:
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>
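
The mismatch discussed in this thread can be checked mechanically from a capture. The following is an added example, not part of the original messages and not Kamailio code: it takes the 200 OK and the ACK from the trace above (trimmed to the headers the check needs, wrapped lines rejoined) and compares the ACK with what RFC 3261 section 12.2.1.1 derives from the response in the loose-routing case. The function names are assumptions made for the example.

```python
import re

# Trimmed from the trace in this thread; only the headers the check needs.
FTAG = "F798336AA08EF9FCFA89D3BDFE0C8C8F"
OK_200 = (
    "SIP/2.0 200 OK\r\n"
    f"Record-Route: <sip:172.16.0.1:5060;lr;r2=on;ftag={FTAG}>\r\n"
    f"Record-Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag={FTAG}>\r\n"
    "CSeq: 2 INVITE\r\n"
    "Contact: <sip:172.16.0.2:5060>\r\n\r\n"
)
ACK = (
    "ACK sips:172.16.0.2:5060;transport=tcp SIP/2.0\r\n"
    f"Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag={FTAG}>\r\n"
    f"Route: <sip:172.16.0.1:5060;lr;r2=on;ftag={FTAG}>\r\n"
    "CSeq: 2 ACK\r\n\r\n"
)

def uris(msg, name):
    """URIs of every `name` header, in order (name-addr form <...> only)."""
    found = []
    for line in msg.split("\r\n\r\n")[0].split("\r\n")[1:]:  # headers only
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            found += re.findall(r"<([^>]+)>", value)
    return found

def split_uri(uri):
    """Split a URI into (scheme, host:port, [uri-params])."""
    scheme, _, rest = uri.partition(":")
    hostport, *params = rest.split(";")
    return scheme.lower(), hostport, params

def check_in_dialog(response, request):
    """Compare a UAC's in-dialog request with the 2xx that set up the dialog
    (loose-routing case only: the first route carries ;lr)."""
    target = uris(response, "Contact")[0]              # remote target
    route_set = uris(response, "Record-Route")[::-1]   # UAC reverses the order
    ruri = request.split("\r\n", 1)[0].split(" ")[1]
    findings = []
    parts = zip(("scheme", "host/port", "params"), split_uri(ruri), split_uri(target))
    for label, got, want in parts:
        if got != want:
            findings.append(f"{label}: Request-URI has {got!r}, Contact had {want!r}")
    if uris(request, "Route") != route_set:
        findings.append("Route headers differ from the reversed Record-Route set")
    return findings

if __name__ == "__main__":
    print("\n".join(check_in_dialog(OK_200, ACK)))
```

On this trace the Route set is correct and only the Request-URI is flagged: its scheme and its added `transport=tcp` parameter differ from the Contact.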