[OpenSER-Users] TLS problem.

Klaus Darilion klaus.mailinglists at pernau.at
Fri Jan 11 09:09:11 CET 2008


Hi Fengbin!

Cc'ed to the openser list ...

fengbin schrieb:
> Hi, Klaus,
> 
> How to use NULL cipher? Only setting in Openser is ok? I mean do I need 
> to set NULL cipher at client side?

Usually the NULL cipher is not enabled (for security reasons). You have 
to enable it on both sides, the server and the client. But if you use 
the following approach you do not need it.

> And where to put xlog("L_ERR","message buffer: $mb"); anywhere in 
> openser.cfg ?

Put it right at the beginning of the route block.

regards
klaus

> THX
> BR
> 
> On 1/11/08, *Klaus Darilion* <klaus.mailinglists at pernau.at> wrote:
> 
>     The capture file is not helpful, as it is encrypted. You could use NULL
>     cipher to have plaintext inside the TLS connection to inspect the
>     incoming SIP message, or add xlog("L_ERR","message buffer: $mb"); to see
>     the whole incoming SIP request.
> 
>     regards
>     klaus
> 
>     fengbin schrieb:
>      > Hi, Klaus
>      > Thank you for your reply.
>      > The enclosed is the config file, the pcap between client and server and
>      > the log on the openser's console.
>      > Could you please take a look at them for me?
>      >
>      > THX
>      > BR
>      >
>      > On 1/10/08, *Klaus Darilion* <klaus.mailinglists at pernau.at> wrote:
>      >
>      >     Can you show us the REGISTER request? (both, port 5060 and port 5061).
>      >
>      >     Further show us your openser config
>      >
>      >     regards
>      >     klaus
>      >
>      >     fengbin schrieb:
>      >      >
>      >      > Hi, all
>      >      > I met a strange problem while I am testing TLS connection between
>      >      > minisip and openser.
>      >      > The following is my openser.cfg (part of that)
>      >      >
>      >      >     .........
>      >      >     fork=no
>      >      >     log_stderror=yes
>      >      >
>      >      >     # Uncomment this to prevent the blacklisting of temporary not
>      >      >     available destinations
>      >      >     #disable_dns_blacklist=yes
>      >      >
>      >      >     # # Uncomment this to prevent the IPv6 lookup after v4 dns lookup
>      >      >     failures
>      >      >     #dns_try_ipv6=no
>      >      >
>      >      >     # uncomment the following lines for TLS support
>      >      >     disable_tls = 0
>      >      >     listen = tls: 10.11.57.197:5060
>      >      >
>      >      >     tls_verify_client = 1
>      >      >     tls_method = TLSv1
>      >      >     tls_certificate = "/usr/local/etc/openser//tls/user/user-cert.pem"
>      >      >     tls_private_key = "/usr/local/etc/openser//tls/user/user-privkey.pem"
>      >      >     tls_ca_list = "/usr/local/etc/openser//tls/user/user-calist.pem"
>      >      >     tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
>      >      >     ......
>      >      >
>      >      > When I set "tls:10.11.57.197:5061" the registration never succeeds.
>      >      > But if I set it to 5060 the registration over TLS is OK.
>      >      > I compared the logs of the two scenarios and found the TLS sessions
>      >      > are both OK, but the difference is that:
>      >      > when the port is 5061 there is an error of forwarding. But the
>      >      > forwarding is because openser thinks it's not the destination of
>      >      > the registration request. See below:
>      >      >
>      >      >     Jan 10 16:46:56 [9199] DBG:rr:after_loose: No next URI found
>      >      >     Jan 10 16:46:56 [9199] DBG:core:grep_sock_info: checking if host==us: 12==12 && [ 10.11.57.197] == [10.11.57.197]
>      >      >     Jan 10 16:46:56 [9199] DBG:core:grep_sock_info: checking if port 5061 matches port 5060
>      >      >     Jan 10 16:46:56 [9199] DBG:core:check_self: host != me
>      >      >     Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=ffffffffffffffff
>      >      >     Jan 10 16:46:56 [9199] DBG:tm:t_newtran: T on entrance=0xffffffff
>      >      >     Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=ffffffffffffffff
>      >      >     Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=78
>      >      >     Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: start searching: hash=58073, isACK=0
>      >      >     Jan 10 16:46:56 [9199] DBG:tm:matching_3261: RFC3261 transaction matching failed
>      >      >     Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: no transaction found
>      >      >     Jan 10 16:46:56 [9199] DBG:core:mk_proxy: doing DNS lookup...
>      >      >     Jan 10 16:46:56 [9199] ERROR:tm:update_uac_dst: failed to fwd to af 2, proto 1 (no corresponding listening socket)
>      >      >     Jan 10 16:46:56 [9199] ERROR:tm:t_forward_nonack: failure to add branches
>      >      >
>      >      > In comparison to that, when the port is set to 5060 the trace is:
>      >      >
>      >      >     Jan 10 17:07:59 [9410] DBG:rr:find_next_route: No next Route HF found
>      >      >     Jan 10 17:07:59 [9410] DBG:rr:after_loose: No next URI found
>      >      >     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if host==us: 12==12 && [ 10.11.57.197] == [ 10.11.57.197]
>      >      >     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if port 5060 matches port 5060
>      >      >     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
>      >      >     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if port 5060 matches port 5060
>      >      >     Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=ffffffffffffffff
>      >      >     Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=8000000
>      >      >     Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=ffffffffffffffff
>      >      >     Jan 10 17:07:59 [9410] DBG:registrar:build_contact: created Contact HF: Contact: <sip:888 at 10.11.57.192:5061;transport=TLS>;expires=1000
>      >      >
>      >      > And there is no fwd needed then. So the error didn't occur.
>      >      >
>      >      > It's a little bit strange that when I set the port to 5061, why did
>      >      > openser check the port 5060?????
>      >      > Can anyone help me to figure it out?
>      >      > THX
>      >      > BR
> 
> -- 
> Fengbin
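The "host==us" / "port X matches port Y" test that appears in the quoted debug log, modelled as an added example (not code from this thread and not OpenSER's own implementation): it parses the quoted listen directive and Request-URI-style targets, reports whether the proxy would treat a request as addressed to itself or forward it, and scans debug lines for failed port checks. The default ports (5060 for UDP/TCP, 5061 for TLS and sips:), the requirement that the transport also match, and all function names are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Assumed RFC 3261 default ports; the real grep_sock_info() in OpenSER may differ.
DEFAULT_PORT = {"udp": 5060, "tcp": 5060, "tls": 5061}

@dataclass(frozen=True)
class Socket:
    proto: str
    host: str
    port: int

def parse_listen(directive: str) -> Socket:
    """Parse an openser.cfg listen value such as 'tls: 10.11.57.197:5060'."""
    m = re.fullmatch(r"\s*(udp|tcp|tls)\s*:\s*([^:\s]+)(?::(\d+))?\s*", directive, re.I)
    if not m:
        raise ValueError(f"unparseable listen directive: {directive!r}")
    proto, host, port = m.group(1).lower(), m.group(2), m.group(3)
    return Socket(proto, host, int(port) if port else DEFAULT_PORT[proto])

def parse_uri(uri: str) -> Socket:
    """Resolve 'sip:user@host:port;transport=tls' to the socket it addresses."""
    m = re.fullmatch(r"(sips?):(?:[^@]*@)?([^:;]+)(?::(\d+))?((?:;[^;]*)*)", uri, re.I)
    if not m:
        raise ValueError(f"unparseable SIP URI: {uri!r}")
    scheme, host, port, params = m.groups()
    opts = dict(p.split("=", 1) if "=" in p else (p, "") for p in params.split(";") if p)
    proto = opts.get("transport", "udp").lower()
    if scheme.lower() == "sips":
        proto = "tls"                     # sips: always means TLS
    return Socket(proto, host, int(port) if port else DEFAULT_PORT[proto])

def check_self(uri: str, listeners: list) -> bool:
    """Is the URI one of our own sockets? Host, port and proto must all match (assumed)."""
    target = parse_uri(uri)
    return any(sock == target for sock in listeners)

PORT_CHECK = re.compile(r"grep_sock_info: checking if port (\d+) matches port (\d+)")

def failed_port_checks(log_lines) -> list:
    """(requested, listening) port pairs from debug lines where the check failed."""
    pairs = (m.groups() for m in map(PORT_CHECK.search, log_lines) if m)
    return [(int(a), int(b)) for a, b in pairs if a != b]

# Listener from the quoted openser.cfg, and three debug lines taken from the quoted logs.
LISTENERS = [parse_listen("tls: 10.11.57.197:5060")]
LOG = [
    "Jan 10 16:46:56 [9199] DBG:core:grep_sock_info: checking if port 5061 matches port 5060",
    "Jan 10 16:46:56 [9199] DBG:core:check_self: host != me",
    "Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if port 5060 matches port 5060",
]
```

With the listener on tls port 5060, `check_self("sip:10.11.57.197:5061;transport=tls", LISTENERS)` is False and the request would be forwarded, exactly the path the first quoted trace takes; `failed_port_checks(LOG)` returns `[(5061, 5060)]`.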



