[SR-Users] relay sip-tls vs sips-tcp

Henning Westerholt hw at gilawa.com
Fri Oct 21 11:49:06 CEST 2022


Hello,

the „sips“ URI scheme is not really useful nowadays and IMHO should not be used. You can probably find some old discussions about it in the archives.

Use “sip” and “transport=tls” if you want to have a secure connection.

Cheers,

Henning

--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com

From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of beer Ll
Sent: Thursday, October 20, 2022 9:22 AM
To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
Subject: Re: [SR-Users] relay sip-tls vs sips-tcp

Hi James

Thanks, you confirm my idea.

I will write to the UAC developers and check this problem asking to fix it.

Is it safer to use sip-tls or sips-tcp?

Best Regards
Leo

On Wed, Oct 19, 2022 at 2:07 PM James Browne <james at frideo.com> wrote:
You make calls using SIP over TLS and it's OK.
You make calls using SIPS and it's not OK.

The 200-OK Contact is this
- Contact: <sip:172.16.0.2:5060>

The RURI in the ACK is this.
- sips:172.16.0.2:5060;transport=tcp SIP/2.0

The client should be using _exactly_ the same URI in the ACK as was in the Contact in the 200-OK response. The client is getting it wrong (https://datatracker.ietf.org/doc/html/rfc3261#section-12.2.1.1).

With the ACK, the Routeset is this.
- ACK sips:172.16.0.2:5060;transport=tcp SIP/2.0
- Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
- Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>

This is asking kamailio to send the ACK to 172.16.0.2 over TLS on port 5060 (from the RURI), but use a UDP socket to do it (the second Route header field). This can't work. The client should be fixed.
(Else you may try getting asterisk to use sips, but maybe that's not going to be easy.)

James

On Thu, 13 Oct 2022 at 06:30, beer Ll <llcfhllml at gmail.com> wrote:
Hi everyone,
I'm using Kamailio as TLS gateway/filter for an internal Asterisk server

the network schema is:

UAC (tls) --- INTERNET  --- (tls) KAMAILIO (sip udp) --- LAN --- (sip udp) ASTERISK

with kamailio in multi-homed mode

WAN network interface for sip tls
LAN network interface for sip udp  to asterisk server


UAC address 80.0.0.1
KAMAILIO Wan address 80.0.0.2

KAMAILIO Lan address 172.16.0.2
ASTERISK Lan address 172.16.0.3


SIP-TLS call example
If the UAC uses tls(sip), all works well


SIPS call example
If the same UAC uses its default settings tls(sips), there are problems with the ACK and BYE packets

the SIP OK SDP packet from kamailio to UAC  is

2022/10/10 09:28:47.854721 80.0.0.2:5061 -> 80.0.0.1:49992
SIP/2.0 200 OK
Via: SIP/2.0/TLS 192.168.0.1:49992;rport=49992;received=80.0.0.1;branch=z9hG4bKM01j360VrBdH5VSV
Record-Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
Record-Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
Call-ID: 1EC2AB679C1EA1BAB60FD03B09F878020B12D3E7
From: <sips:200@pbx.voip.com>;tag=F798336AA08EF9FCFA89D3BDFE0C8C8F
To: <sips:*43@pbx.voip.com>;tag=961d0e22-a4f0-453c-9870-6a41578afc96
CSeq: 2 INVITE
Contact: <sip:172.16.0.2:5060>
P-Asserted-Identity: "xxxxxxxxx" <sips:*43@pbx.voip.com>
Content-Type: application/sdp

and the UAC sends the ACK and BYE from a different tcp port and to: sips:172.16.0.2:5060;transport=tcp


2022/10/10 09:28:48.495365 80.0.0.1:49996 -> 80.0.0.2:5061
ACK sips:172.16.0.2:5060;transport=tcp SIP/2.0
Via: SIP/2.0/TLS 192.168.0.1:49996;branch=z9hG4bKppftdQze20lnwT41;rport
Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
Max-Forwards: 70
To: <sips:*43@pbx.voip.com>;tag=961d0e22-a4f0-453c-9870-6a41578afc96
From: <sips:200@pbx.voip.com>;tag=F798336AA08EF9FCFA89D3BDFE0C8C8F
Call-ID: 1EC2AB679C1EA1BAB60FD03B09F878020B12D3E7
CSeq: 2 ACK


kamailio error log
WARNING:  <core> [core/forward.c:229]: get_send_socket2(): protocol/port mismatch (forced udp:172.16.0.2:5060, to tls:172.16.0.3:5060)




How can I solve this ?

Best Regards

Leo

__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
sr-users at lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
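
The two problems James points out in the ACK (request URI not equal to the 200 OK Contact, and a request URI that demands TLS while the last Route is plain sip) can be checked mechanically from a capture. The following is an added example, not part of any message in this thread; the function names are hypothetical, the URI comparison is a simplified component match, and the transport rule follows James's reading (sips means TLS, sip without a transport parameter means UDP).

```python
import re

# Messages from the original post, trimmed to the relevant headers
# (archive link debris removed).
OK_200 = """SIP/2.0 200 OK
CSeq: 2 INVITE
Contact: <sip:172.16.0.2:5060>
"""
ACK = """ACK sips:172.16.0.2:5060;transport=tcp SIP/2.0
Route: <sip:80.0.0.2:5061;transport=tls;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
Route: <sip:172.16.0.1:5060;lr;r2=on;ftag=F798336AA08EF9FCFA89D3BDFE0C8C8F>
CSeq: 2 ACK
"""

def parse_uri(uri):
    """Split a SIP/SIPS URI into scheme, host:port and lower-cased params."""
    scheme, rest = uri.strip().split(":", 1)
    hostport, *params = rest.split(";")
    kv = dict(p.lower().partition("=")[::2] for p in params)
    return {"scheme": scheme.lower(), "hostport": hostport.lower(), "params": kv}

def transport(uri):
    """Transport a URI asks for: sips forces TLS, plain sip defaults to UDP."""
    u = parse_uri(uri)
    return "tls" if u["scheme"] == "sips" else u["params"].get("transport", "udp")

def header_uris(msg, name):
    """URIs in angle brackets from every header line with the given name."""
    return re.findall(rf"^{re.escape(name)}:[^<\n]*<([^>]+)>", msg, re.I | re.M)

def check_ack(ok_msg, ack_msg):
    """Return a list of findings for an in-dialog ACK against its 200 OK."""
    findings = []
    contact = header_uris(ok_msg, "Contact")[0]
    ruri = ack_msg.split()[1]  # second token of the request line
    if parse_uri(ruri) != parse_uri(contact):
        findings.append(f"RURI {ruri} differs from Contact {contact}")
    routes = header_uris(ack_msg, "Route")
    if routes and transport(ruri) != transport(routes[-1]):
        last = routes[-1].split(";")[0]
        findings.append(f"RURI wants {transport(ruri)}, last Route {last} is {transport(routes[-1])}")
    return findings

if __name__ == "__main__":
    for finding in check_ack(OK_200, ACK):
        print(finding)
```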