[SR-Users] relay sip-tls vs sips-tcp

James Browne james at frideo.com
Fri Oct 21 10:36:20 CEST 2022


Hi Leo
I don't know for sure. I know that TLS can work over more protocols than
just TCP (SCTP, for example), so sips/tcp makes more sense than sip/tls.
Implementations differ; I tend to implement what "just works".

https://datatracker.ietf.org/doc/html/rfc3261#section-26.2.2
    *The use of "transport=tls" has consequently been deprecated...*

James

On Thu, 20 Oct 2022 at 20:42, beer Ll <llcfhllml at gmail.com> wrote:

> Hi James
>
> Thanks, you confirm my idea.
>
> I will write to the UAC developers about this problem and ask them to fix it.
>
> Is it safer to use sip-tls or sips-tcp?
>
> Best Regards
> Leo
>
> On Wed, Oct 19, 2022 at 2:07 PM James Browne <james at frideo.com> wrote:
>
>> You make calls using SIP over TLS and it's OK.
>> You make calls using SIPS and it's not OK.
>>
>> The 200-OK Contact is this
>> - Contact: <sip:172.16.0.2:5060>
>>
>> The RURI in the ACK is this.
>> - sips:172.16.0.2:5060;transport=tcp SIP/2.0
>>
>> The client should be using _exactly_ the same URI in the ACK as was in
>> the Contact in the 200-OK response. The client is getting it wrong
>> (https://datatracker.ietf.org/doc/html/rfc3261#section-12.2.1.1).
>>
>> With the ACK, the Routeset is this.
>> - ACK sips:172.16.0.2:5060;transport=tcp SIP/2.0
>> - Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
>> - Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
>>
>> This is asking kamailio to send the ACK to 172.16.0.2 over TLS on port
>> 5060 (from the RURI), but use a UDP socket to do it (the second Route
>> header field). This can't work. The client should be fixed.
>> (Else you may try getting asterisk to use sips, but maybe that's not
>> going to be easy.)
>>
>> James
>>
>> On Thu, 13 Oct 2022 at 06:30, beer Ll <llcfhllml at gmail.com> wrote:
>>
>>> Hi everyone,
>>> I'm using Kamailio as a TLS gateway/filter for an internal Asterisk server.
>>>
>>> The network schema is:
>>>
>>> UAC (tls) --- INTERNET --- (tls) KAMAILIO (sip udp) --- LAN --- (sip udp) ASTERISK
>>>
>>> with kamailio in multi-homed mode:
>>>
>>> WAN network interface for sip tls
>>> LAN network interface for sip udp to asterisk server
>>>
>>>
>>> UAC address 80.0.0.1
>>> KAMAILIO Wan address 80.0.0.2
>>>
>>> KAMAILIO Lan address 172.16.0.2
>>> ASTERISK Lan address 172.16.0.3
>>>
>>>
>>>
>>> SIP-TLS call example
>>> If the UAC uses tls(sip), all works well.
>>>
>>> [image: sip-ok-small.jpeg]
>>>
>>> SIPS call example
>>> If the same UAC uses its default settings, tls(sips), there are problems
>>> with the ACK and BYE packets.
>>>
>>> [image: sip-ko-small.jpeg]
>>> The SIP OK SDP packet from kamailio to the UAC is:
>>>
>>> 2022/10/10 09:28:47.854721 80.0.0.2:5061 -> 80.0.0.1:49992
>>> SIP/2.0 200 OK
>>> Via: SIP/2.0/TLS 192.168.0.1:49992;rport=49992;received=80.0.0.1;branch=z9hG4bKM01j360VrBdH5VSV
>>> Record-Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
>>> Record-Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
>>> Call-ID: 1EC2AB679C1EA1BAB60FD03B09F878020B12D3E7
>>> From: <sips:200@pbx.voip.com>;tag=F798336AA08EF9FCFA89D3BDFE0C8C8F
>>> To: <sips:*43@pbx.voip.com>;tag=961d0e22-a4f0-453c-9870-6a41578afc96
>>> CSeq: 2 INVITE
>>> Contact: <sip:172.16.0.2:5060>
>>> P-Asserted-Identity: "xxxxxxxxx" <sips:*43@pbx.voip.com>
>>> Content-Type: application/sdp
>>>
>>>
>>> and the UAC sends the ACK and BYE from a different tcp port and to:
>>> sips:172.16.0.2:5060;transport=tcp
>>>
>>>
>>> 2022/10/10 09:28:48.495365 80.0.0.1:49996 -> 80.0.0.2:5061
>>> ACK sips:172.16.0.2:5060;transport=tcp SIP/2.0
>>> Via: SIP/2.0/TLS 192.168.0.1:49996;branch=z9hG4bKppftdQze20lnwT41;rport
>>> Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
>>> Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
>>> Max-Forwards: 70
>>> To: <sips:*43@pbx.voip.com>;tag=961d0e22-a4f0-453c-9870-6a41578afc96
>>> From: <sips:200@pbx.voip.com>;tag=F798336AA08EF9FCFA89D3BDFE0C8C8F
>>> Call-ID: 1EC2AB679C1EA1BAB60FD03B09F878020B12D3E7
>>> CSeq: 2 ACK
>>>
>>>
>>> kamailio error log
>>> WARNING:  <core> [core/forward.c:229]: get_send_socket2(): protocol/port mismatch (forced udp:172.16.0.2:5060, to tls:172.16.0.3:5060)
>>>
>>>
>>>
>>>
>>> How can I solve this?
>>>
>>> Best Regards
>>>
>>> Leo
>>>
>>> __________________________________________________________
>>> Kamailio - Users Mailing List - Non Commercial Discussions
>>> sr-users at lists.kamailio.org
>>> Important: keep the mailing list in the recipients, do not reply only to
>>> the sender!
>>> Edit mailing list options or unsubscribe:
>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>>
>
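
Added example (not part of the original thread and not Kamailio code): a small Python check that applies the two points made in the thread to the quoted 200 OK and ACK, namely that the ACK Request-URI must equal the 2xx Contact (RFC 3261 section 12.2.1.1) and that a `sips` Request-URI conflicts with a non-TLS Route hop. The function names and finding labels are assumptions for illustration; the messages are trimmed from the trace above with wrapped header lines joined.

```python
import re
# Messages trimmed from the trace quoted in this thread (wrapped lines joined).
OK_200 = """SIP/2.0 200 OK
Record-Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
Record-Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
CSeq: 2 INVITE
Contact: <sip:172.16.0.2:5060>
"""
ACK = """ACK sips:172.16.0.2:5060;transport=tcp SIP/2.0
Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
CSeq: 2 ACK
"""

def headers(msg, name):
    """Return the URIs (angle brackets stripped) of every `name` header, in order."""
    out = []
    for line in msg.splitlines()[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            m = re.search(r"<([^>]+)>", value)
            out.append(m.group(1) if m else value.strip())
    return out

def uses_tls(uri):
    """True if the URI asks for TLS: sips scheme or the deprecated transport=tls."""
    return uri.lower().startswith("sips:") or ";transport=tls" in uri.lower()

def check_ack(ok_200, ack):
    """Compare an in-dialog ACK with the 2xx it acknowledges; return findings."""
    findings = []
    ruri = ack.splitlines()[0].split()[1]
    contact = headers(ok_200, "Contact")[0]
    routes = headers(ack, "Route")
    loose = bool(routes) and ";lr" in routes[0].lower()
    # RFC 3261 12.2.1.1: with a loose-routing route set (or none), the
    # Request-URI is the remote target, i.e. the Contact URI of the 2xx.
    if (loose or not routes) and ruri != contact:
        findings.append(f"ruri-mismatch: ACK {ruri} != Contact {contact}")
    # The conflict described in the thread: a sips Request-URI asks for TLS,
    # while a Route hop asks for a non-TLS socket.
    if ruri.lower().startswith("sips:"):
        for hop in routes:
            if not uses_tls(hop):
                findings.append(f"transport-conflict: sips RURI but Route {hop} is not TLS")
    return findings

if __name__ == "__main__":
    print("\n".join(check_ack(OK_200, ACK)))
```

The comparison is a plain string match, following the "exactly the same URI" wording in the thread; it does not implement the full SIP URI equivalence rules.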