
problem with creating TLS call

Zvi Balas
2010-05-23
2013-05-09
  • Zvi Balas
    Zvi Balas
    2010-05-23

    Hi there,
    i'm new to opensips,
    i installed it with TLS enabled, and i'm trying to make a TLS call.
    The certificates are installed correctly, and both of my clients were able to register to the SIP Server.
    my clients cannot function as TLS servers (certificates cannot be installed on them).

    well, when i call from one client to another using the proxy, i see using wireshark that the INVITE reached the server, and then the server sent CLIENT HELLO to the other client.
    the client rejects it, and the TLS handshake fails.

    I don't understand how to configure the opensips to reuse the TLS session that was opened during the registration.

    here is the opensips config file:

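    ####### Global Parameters #########
    # debug=4 is verbose (handy while chasing the TLS handshake problem);
    # lower it for normal operation so signalling is not logged in bulk.
    debug=4
    log_stderror=no
    log_facility=LOG_LOCAL0
    fork=yes
    children=4
    tcp_children=6
    /* uncomment the following lines to enable debugging */
    #debug=6
    #fork=no
    #log_stderror=yes
    /* uncomment the next line to disable TCP (default on) */
    #disable_tcp=yes
    /* uncomment the next line to enable the auto temporary blacklisting of
       not available destinations (default disabled) */
    #disable_dns_blacklist=no
    /* uncomment the next line to enable IPv6 lookup after IPv4 dns
       lookup failures (default disabled) */
    #dns_try_ipv6=yes
    /* uncomment the next line to disable the auto discovery of local aliases
       based on reverse DNS on IPs (default on) */
    #auto_aliases=no
    alias=172.26.31.48
    /* TCP/TLS connection reuse: honour the ';alias' parameter of the client's
       top Via so that a call towards a registered client is sent over the
       connection that client opened for its REGISTER (the clients here cannot
       act as TLS servers, so the proxy must not open a new connection to them).
       The thread also recommends calling force_tcp_alias() before save() in
       the REGISTER branch when the client's Via lacks the alias parameter.
       NOTE(review): the alias is client-supplied information; it only selects
       which already-established connection is reused and does not replace
       the digest authentication done in the routing script. */
    tcp_accept_aliases = 1
    /* TLS support (enabled) */
    disable_tls = no
    listen = tls:172.26.31.48:5061
    /* NOTE(review): with tls_verify_server and tls_verify_client both 0 and no
       client certificate required, TLS here gives transport encryption only:
       peer identity is not checked at the TLS layer in either direction, so
       the digest authentication in the routing script is what ties a
       connection to a subscriber.  Enable tls_verify_server once the remote
       side presents a certificate issued by a CA in tls_ca_list. */
    tls_verify_server = 0
    tls_verify_client = 0
    tls_require_client_certificate = 0
    /* NOTE(review): TLSv1 is an old protocol version; move to the newest
       version the clients support. */
    tls_method = TLSv1
    #tls_method = SSLv23
    tls_certificate = "/usr/local/etc/opensips/tls/server/cert.pem"
    # the private key file should be readable only by the user opensips runs as
    tls_private_key = "/usr/local/etc/opensips/tls/server/privkey.pem"
    # CA bundle used for peer verification (only consulted once one of the
    # tls_verify_* options above is turned on)
    tls_ca_list = "/usr/local/etc/opensips/tls/server/calist.pem"
    port=5060
    /* uncomment and configure the following line if you want opensips to
       bind on a specific interface/port/proto (default bind on all available) */
    #listen=udp:192.168.1.2:5060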
    ####### Modules Section ########
    #set module path
    mpath="/usr/local/lib64/opensips/modules/"
    /* MySQL DB support (loaded): needed by the usrloc persistency, the acc
       DB accounting and the auth_db authentication configured below */
    loadmodule "db_mysql.so"
    loadmodule "signaling.so"
    loadmodule "sl.so"
    loadmodule "tm.so"
    loadmodule "rr.so"
    loadmodule "maxfwd.so"
    loadmodule "usrloc.so"
    loadmodule "registrar.so"
    loadmodule "textops.so"
    # management interface over a local FIFO (see the mi_fifo params below)
    loadmodule "mi_fifo.so"
    loadmodule "uri.so"
    loadmodule "xlog.so"
    loadmodule "acc.so"
    /* MySQL based authentication support (loaded; requires the db_mysql
       module loaded above) */
    loadmodule "auth.so"
    loadmodule "auth_db.so"
    /* uncomment next line for aliases support
       NOTE: a DB (like db_mysql) module must be also loaded */
    #loadmodule "alias_db.so"
    /* uncomment next line for multi-domain support
       NOTE: a DB (like db_mysql) module must be also loaded
       NOTE: be sure and enable multi-domain support in all used modules
             (see "multi-module params" section ) */
    #loadmodule "domain.so"
    /* uncomment the next two lines for presence server support
       NOTE: a DB (like db_mysql) module must be also loaded */
    #loadmodule "presence.so"
    #loadmodule "presence_xml.so"
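    # ----------------- setting module-specific parameters ---------------
    # ----- mi_fifo params -----
    # NOTE(review): the MI FIFO accepts management commands and is created in
    # the shared /tmp directory; make sure its owner and mode (the module's
    # fifo_user/fifo_group/fifo_mode parameters, not set here) keep other
    # local users from writing to it.
    modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
    # ----- rr params -----
    # add value to ;lr param to cope with most of the UAs
    modparam("rr", "enable_full_lr", 1)
    # do not append from tag to the RR (no need for this script)
    modparam("rr", "append_fromtag", 0)
    # ----- registrar params -----
    /* uncomment the next line not to allow more than 10 contacts per AOR */
    #modparam("registrar", "max_contacts", 10)
    # flag that tells save() to keep the TCP/TLS connection of a REGISTER open
    # for the lifetime of the registration (set in the REGISTER branch of the
    # main route).  NOTE(review): flag 2 is also the acc module's missed-call
    # flag below.  In the visible script that does not clash, because REGISTER
    # is handled statelessly and only save() reads this flag, but pick an
    # unused flag number if the script grows.
    modparam("registrar", "tcp_persistent_flag", 2)
    # ----- usrloc params -----
    # DB persistency for location entries (db_mode 2 = write-back).  The
    # original file also had an earlier 'db_mode 0' line, which this later
    # setting silently overrode; it has been dropped to avoid confusion.
    modparam("usrloc", "db_mode",   2)
    # NOTE(review): db_url is not set for usrloc, acc or auth_db, so the
    # compiled-in default URL is used.  The commented value below is the
    # stock "opensips:opensipsrw" credential pair shipped with the
    # distribution; use a dedicated DB account with a non-default password.
    #modparam("usrloc", "db_url",
    #       "mysql://opensips:opensipsrw@localhost/opensips")
    # ----- uri params -----
    modparam("uri", "use_uri_table", 0)
    # ----- acc params -----
    /* what special events should be accounted ? */
    modparam("acc", "early_media", 1)
    modparam("acc", "report_ack", 1)
    modparam("acc", "report_cancels", 1)
    /* by default we do not adjust the direction of the sequential requests.
       if you enable this parameter, be sure to enable "append_fromtag"
       in "rr" module */
    modparam("acc", "detect_direction", 0)
    /* account triggers (flags) */
    modparam("acc", "failed_transaction_flag", 3)
    modparam("acc", "log_flag", 1)
    modparam("acc", "log_missed_flag", 2)
    /* DB accounting is enabled as well, driven by the same flags as the
       syslog accounting */
    modparam("acc", "db_flag", 1)
    modparam("acc", "db_missed_flag", 2)
    # ----- auth_db params -----
    /* DB based authentication (enabled).
       calculate_ha1 = yes means the "password" column holds clear-text
       passwords and the digest HA1 is computed per request; storing
       pre-computed HA1 values instead (calculate_ha1 = no) avoids keeping
       clear-text credentials in the subscriber table. */
    modparam("auth_db", "calculate_ha1", yes)
    modparam("auth_db", "password_column", "password")
    #modparam("auth_db", "db_url",
    #       "mysql://opensips:opensipsrw@localhost/opensips")
    #modparam("auth_db", "load_credentials", "")
    # ----- alias_db params -----
    /* uncomment the following lines if you want to enable the DB based
       aliases */
    #modparam("alias_db", "db_url",
    #       "mysql://opensips:opensipsrw@localhost/opensips")
    # ----- domain params -----
    /* uncomment the following lines to enable multi-domain detection
       support */
    #modparam("domain", "db_url",
    #       "mysql://opensips:opensipsrw@localhost/opensips")
    #modparam("domain", "db_mode", 1)   # Use caching
    # ----- multi-module params -----
    /* uncomment the following line if you want to enable multi-domain support
       in the modules (default off) */
    #modparam("alias_db|auth_db|usrloc|uri", "use_domain", 1)
    # ----- presence params -----
    /* uncomment the following lines if you want to enable presence */
    #modparam("presence|presence_xml", "db_url",
    #       "mysql://opensips:opensipsrw@localhost/opensips")
    #modparam("presence_xml", "force_active", 1)
    #modparam("presence", "server_address", "sip:192.168.1.2:5060")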
    ####### Routing Logic ########
    # main request routing logic
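    route{
            if (!mf_process_maxfwd_header("10")) {
                    sl_send_reply("483","Too Many Hops");
                    exit;
            }
            if (has_totag()) {
                    # sequential request within a dialog should
                    # take the path determined by record-routing
                    if (loose_route()) {
                            if (is_method("BYE")) {
                                    setflag(1); # do accounting ...
                                    setflag(3); # ... even if the transaction fails
                            } else if (is_method("INVITE")) {
                                    # even if in most of the cases it is useless, do RR for
                                    # re-INVITEs also, as some buggy clients do change route set
                                    # during the dialog.
                                    record_route();
                            }
                            # route it out to whatever destination was set by loose_route()
                            # in $du (destination URI).
                            route(1);
                    } else {
                            /* uncomment the following lines if you want to enable presence */
                            ##if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
                            ##      # in-dialog subscribe requests
                            ##      route(2);
                            ##      exit;
                            ##}
                            if ( is_method("ACK") ) {
                                    if ( t_check_trans() ) {
                                            # non loose-route, but stateful ACK; must be an ACK after
                                            # a 487 or e.g. 404 from upstream server
                                            t_relay();
                                            exit;
                                    } else {
                                            # ACK without matching transaction ->
                                            # ignore and discard
                                            exit;
                                    }
                            }
                            sl_send_reply("404","Not here");
                    }
                    exit;
            }
            #initial requests
            # CANCEL processing
            if (is_method("CANCEL"))
            {
                    if (t_check_trans())
                            t_relay();
                    exit;
            }
            t_check_trans();
            # authenticate all initial non-REGISTER requests that pretend to be
            # generated by a local subscriber (domain from FROM URI is local)
            if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
            ##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
            {
                    if (!proxy_authorize("", "subscriber")) {
                            # NOTE(review): the second argument is the auth module's qop
                            # flag; "0" challenges without qop, "1" (qop=auth) adds a
                            # client nonce to the digest - confirm against the auth
                            # module documentation of the installed version.
                            proxy_challenge("", "0");
                            exit;
                    }
                    # the authenticated digest username must match the From URI, so a
                    # subscriber cannot place requests under another user's identity
                    if (!db_check_from()) {
                            sl_send_reply("403","Forbidden auth ID");
                            exit;
                    }
                    consume_credentials();
                    # caller authenticated
            }
            # preloaded route checking
            if (loose_route()) {
                    xlog("L_ERR",
                    "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
                    if (!is_method("ACK"))
                            sl_send_reply("403","Preload Route denied");
                    exit;
            }
            # record routing
            if (!is_method("REGISTER|MESSAGE"))
                    record_route();
            # account only INVITEs
            if (is_method("INVITE")) {
                    setflag(1); # do accounting
            }
            if (!uri==myself)
            ## replace with following line if multi-domain support is used
            ##if (!is_uri_host_local())
            {
                    # NOTE(review): a request whose From is NOT a local user skips the
                    # authentication block above and is relayed here as long as its
                    # Request-URI is foreign, i.e. this proxy relays third-party
                    # traffic.  If it faces untrusted networks, reject such requests
                    # (e.g. also require from_uri==myself here) or restrict them to
                    # known peers.
                    append_hf("P-hint: outbound\r\n");
                    # if you have some interdomain connections via TLS
                    ##if($rd=="tls_domain1.net") {
                    ##      t_relay("tls:domain1.net");
                    ##      exit;
                    ##} else if($rd=="tls_domain2.net") {
                    ##      t_relay("tls:domain2.net");
                    ##      exit;
                    ##}
                    route(1);
            }
            # requests for my domain
            ## uncomment this if you want to enable presence server
            ##   and comment the next 'if' block
            ##   NOTE: uncomment also the definition of route[2] from  below
            ##if( is_method("PUBLISH|SUBSCRIBE"))
            ##              route(2);
            if (is_method("PUBLISH"))
            {
                    sl_send_reply("503", "Service Unavailable");
                    exit;
            }
            if (is_method("REGISTER"))
            {
                    # authenticate the REGISTER requests; the realm is the proxy's own
                    # address (see the 'alias' global parameter).  NOTE(review):
                    # www_challenge below sends an empty realm, which the module derives
                    # from the request; the two only agree while clients register
                    # towards 172.26.31.48 - using the same literal in both calls is
                    # the safer choice.
                    if (!www_authorize("172.26.31.48", "subscriber"))
                    {
                            www_challenge("", "0");
                            exit;
                    }
                    # the digest username must match the To URI being registered
                    if (!db_check_to())
                    {
                            sl_send_reply("403","Forbidden auth ID");
                            exit;
                    }
                    # Keep TCP/TLS connections open until the registration
                    # expires, by setting the tcp_persistent_flag
                    setflag(2);
                    # Register an alias for this connection based on the client's Via,
                    # so that calls towards the client are sent over the connection it
                    # opened for the REGISTER (the clients cannot accept inbound TLS).
                    # This was the resolution of the thread, together with the global
                    # parameter tcp_accept_aliases = 1.  The client is already
                    # authenticated at this point.
                    force_tcp_alias();
                    if (!save("location"))
                            sl_reply_error();
                    exit;
            }
            if ($rU==NULL) {
                    # request with no Username in RURI
                    sl_send_reply("484","Address Incomplete");
                    exit;
            }
            # apply DB based aliases (uncomment to enable)
            ##alias_db_lookup("dbaliases");
            # do lookup with method filtering
            if (!lookup("location","m")) {
                    switch ($retcode) {
                            case -1:
                            case -3:
                                    t_newtran();
                                    t_reply("404", "Not Found");
                                    exit;
                            case -2:
                                    sl_send_reply("405", "Method Not Allowed");
                                    exit;
                    }
            }
            # when routing via usrloc, log the missed calls also
            setflag(2);
            route(1);
    }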
    route[1] {
            # INVITEs get the extra branch/reply/failure hooks defined further down
            if (is_method("INVITE")) {
                    t_on_branch("2");
                    t_on_reply("2");
                    t_on_failure("1");
            }
            # stateful relay towards $du / the Request-URI; on failure answer with
            # an error reply
            if (!t_relay())
                    sl_reply_error();
            exit;
    }
    # Presence route
    /* uncomment the whole following route for enabling presence
       NOTE: do not forget to enable the call of this route from the main
         route */
    ##route[2]
    ##{
    ##      if (!t_newtran())
    ##      {
    ##              sl_reply_error();
    ##              exit;
    ##      };
    ##
    ##      if(is_method("PUBLISH"))
    ##      {
    ##              handle_publish();
    ##              t_release();
    ##      }
    ##      else
    ##      if( is_method("SUBSCRIBE"))
    ##      {
    ##              handle_subscribe();
    ##              t_release();
    ##      }
    ##
    ##      exit;
    ##}
    branch_route[2] {
            # runs for every new branch of an INVITE (armed by t_on_branch("2")
            # in route[1]); only logs the branch's request URI
            xlog("new branch at $ru\n");
    }
    onreply_route[2] {
            # runs for every reply of an INVITE transaction (armed by
            # t_on_reply("2") in route[1]); only logs that a reply arrived
            xlog("incoming reply\n");
    }
    failure_route[1] {
            # armed by t_on_failure("1") in route[1] for INVITEs; a transaction the
            # caller cancelled needs no further handling
            if (t_was_cancelled()) exit;
            # uncomment the following lines if you want to block client
            # redirect based on 3xx replies.
            ##if (t_check_status("3[0-9][0-9]")) {
            ##      t_reply("404","Not found");
            ##      exit;
            ##}
            # uncomment the following lines if you want to redirect the failed
            # calls to a different new destination
            ##if (t_check_status("486|408")) {
            ##      sethostport("192.168.2.100:5060");
            ##      # do not set the missed call flag again
            ##      t_relay();
            ##}
    }
    

    Thanks,
    Zvi

     
  • Anca Vamanu
    Anca Vamanu
    2010-05-23

    Hi Zvi,

    You must also set a script parameter: tcp_accept_aliases = 1.
    If it still doesn't work, you must look at the Register message. The way to see it is to print it from the script: xlog("$mb\n");
    Look at the top most Via header. It must contain 'alias' parameter. If this is not the case, you can fix it from the server by calling force_tcp_alias();.
    If it still doesn't work, look at the Via ip and port and compare them with the ip and port in the Contact header. These two must match exactly for TCP connection reuse to work.

    Regards,

    Anca Vamanu
    www.voice-system.ro

     
  • Zvi Balas
    Zvi Balas
    2010-05-23

    after adding the alias + force_tcp,
    it started to work.

    Thanks,
    Zvi