[Users] Allow only TLS connections

Daniel-Constantin Mierla daniel at voice-system.ro
Thu Apr 13 11:28:17 CEST 2006


Hello,

maybe the clients register non-TLS contacts, take a look in the location 
table. Also, in aliases, you may have some addresses that point to 
external domains.

Cheers,
Daniel


On 04/13/06 12:05, Christoph Fürstaller wrote:
> Hi Daniel,
>
> Daniel-Constantin Mierla wrote:
>   
>> Hello,
>>
>> On 04/13/06 11:52, Christoph Fürstaller wrote:
>>
>> Hi,
>>
>> I tried that out. I check if proto is TLS:
>> if (proto != TLS) {
>>     sl_send_reply("403", "Forbidden");
>>     exit;
>> };
>>
>> But I get this error:
>>  3(28893) ERROR:tm:add_uac: can't fwd to af 2, proto 1  (no
>> corresponding listening socket)
>>  3(28893) ERROR:tm:t_forward_nonack: failure to add branches
>>  3(28893) ERROR:tm:t_relay_to:  t_forward_nonack returned error
>>
>> What does it mean? What am I doing wrong?
>> My SER is only listening on tls port 5061. Do I still have to open udp
>> 5060 ?
>>   
>>
>>     
>>> it seems that you try to forward on UDP.
>>>       
> I figured that out too. But I don't know which part forwards something
> on UDP? I attached my conf. Can you give it a quick look?
>
>   
>>> You can configure openser to
>>> listen on UDP as well, and drop messages coming on UDP, if you want to
>>> accept only TLS. (as you have in above snippet). If all peers you
>>> connect to support TLS, then you can force sending over TLS all the time.
>>>       
>>> Cheers,
>>> Daniel
>>>       
>
> chris...
>   
>> Cesc wrote:
>>  
>>
>>     
>>>>> http://openser.org/dokuwiki/doku.php?id=openser_core_cookbook&DokuWiki=6c17b007ea61fa37b86b391ce1b2a80f#tcp
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 4/11/06, Thorsten.Haupt at t-systems.com
>>>>> <Thorsten.Haupt at t-systems.com> wrote:
>>>>>
>>>>>    
>>>>>
>>>>>           
>>>>>> I searched for this function, but I didn't find it :-(
>>>>>> Does anyone know the correct code, not only pseudo-code?
>>>>>>
>>>>>> Torsten
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Cesc [mailto:cesc.santa at gmail.com]
>>>>>> Sent: Tuesday, April 11, 2006 14:03
>>>>>> To: Haupt, Thorsten
>>>>>> Cc: users at openser.org
>>>>>> Subject: Re: [Users] Allow only TLS connections
>>>>>>
>>>>>> I think in openser there is a function to check what transport the
>>>>>> message came in ... you can do something like:
>>>>>> if ( transport != TLS ) {
>>>>>>          send error to UA
>>>>>>          break;
>>>>>> }
>>>>>>
>>>>>> Cesc
>>>>>>
>>>>>> On 4/11/06, Thorsten.Haupt at t-systems.com
>>>>>> <Thorsten.Haupt at t-systems.com> wrote:
>>>>>>
>>>>>>      
>>>>>>
>>>>>>             
>>>>>>> Hello,
>>>>>>>
>>>>>>> I use OpenSER in a testing environment for VoIP security. My clients
>>>>>>> connect via TLS. If I deactivate UDP/5060 on the server, it doesn't
>>>>>>> work correctly.
>>>>>>> Some clients can't connect and others can't establish calls. I read in
>>>>>>> another thread that UDP is mandatory for SIP and that the server
>>>>>>> needs it.
>>>>>>>
>>>>>>> But how can I prevent users from connecting via UDP and force them to
>>>>>>> use TLS? I tried a firewall, blocking UDP and TCP on port 5060. But is
>>>>>>> this the correct way? Are there any parameters server-side to force
>>>>>>> users to connect via TLS?
>>>>>>>
>>>>>>> Thanks for response.
>>>>>>> Torsten
>>>>>>> _______________________________________________
>>>>>>> Users mailing list
>>>>>>> Users at openser.org
>>>>>>> http://openser.org/cgi-bin/mailman/listinfo/users
>
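Daniel's suggestion at the top of this message (look for non-TLS contacts in the location table and for aliases that point to external domains) can be run as a check over an export of both tables. This is an added example, not code from the thread or from the OpenSER project; the (table, username, contact) row layout, the sample rows and the local domain name are constructed assumptions.

```python
import re

# scheme, optional userinfo, host (or [IPv6]), optional port, ;uri-params
URI_RE = re.compile(
    r"^(sips?):(?:[^@;]+@)?(\[[^\]]+\]|[^:;?]+)(?::\d+)?((?:;[^?]*)?)", re.I)

def parse_contact(uri):
    """Return (host, transport) for a SIP URI, or None if it does not parse."""
    m = URI_RE.match(uri.strip())
    if not m:
        return None
    scheme, host, params = m.group(1).lower(), m.group(2).lower(), m.group(3)
    transport = "udp"  # a sip: URI without ;transport= is routed over UDP
    for p in params.split(";"):
        name, _, value = p.partition("=")
        if name.lower() == "transport" and value:
            transport = value.lower()
    if scheme == "sips":  # sips: always implies TLS
        transport = "tls"
    return host, transport

def audit(rows, local_domains):
    """rows: (table, username, contact). Returns rows extended with a reason."""
    findings = []
    for table, user, contact in rows:
        parsed = parse_contact(contact)
        if parsed is None:
            findings.append((table, user, contact, "unparseable contact"))
            continue
        host, transport = parsed
        if transport != "tls":
            findings.append((table, user, contact, f"non-TLS contact ({transport})"))
        if table == "aliases" and host not in local_domains:
            findings.append((table, user, contact, f"external domain ({host})"))
    return findings

# Constructed sample rows, as if exported from the location and aliases tables.
SAMPLE_ROWS = [
    ("location", "alice", "sip:alice@192.0.2.10:5061;transport=tls"),
    ("location", "bob", "sip:bob@192.0.2.11:5060"),
    ("location", "carol", "sips:carol@192.0.2.12:5061"),
    ("location", "dave", "sip:dave@192.0.2.13:5060;transport=TCP"),
    ("aliases", "sales", "sip:sales@pbx.example.net"),
    ("aliases", "help", "sip:alice@sip.example.org;transport=tls"),
]
LOCAL_DOMAINS = {"sip.example.org"}  # assumed local domain

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS, LOCAL_DOMAINS):
        print(*finding, sep=" | ")
```

Any row it reports is a destination the proxy would try to reach over a transport other than TLS, which on a TLS-only listener produces the "no corresponding listening socket" error quoted above.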



