13 Apr
2006
13 Apr
'06
6:04 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
Here is the ssl-dump. ngrep doesn't show anything useful. Connection
between the server and the telephone is only on port 5061 and via tls.
There are no udp connections.
have you found anything in the config what would explain why udp is
required?
chris...
Daniel-Constantin Mierla wrote:
On 04/13/06 12:52, Daniel-Constantin Mierla wrote:
_______________________________________________
Users mailing list
Users(a)openser.org
http://openser.org/cgi-bin/mailman/listinfo/users
Hello,
could you send a network trace (ngrep)?
actually, ssldump to sniff tls connections.
Cheers,
Daniel
Another case when the request is forwarded in
your script, is for the
messages outside of your domain (not matching uri==myself).
Cheers,
Daniel
On 04/13/06 12:32, Christoph Fürstaller wrote:
Hi,
The contact and socket in the location table is only TLS. No entry
for UDP.
And I don't have any entries in alias table.
chris...
Daniel-Constantin Mierla wrote:
>>> Hello,
>> >>
>>> maybe the clients register
non-TLS contacts, take a look in the
>>> location
>>> table. Also, in aliases, you may have some addresses that point to
>>> external domains.
>>
>>> Cheers,
>>> Daniel
>>
>>
>>> On 04/13/06 12:05, Christoph Fürstaller wrote:
>>
>>> Hi Daniel,
>>
>>> Daniel-Constantin Mierla
wrote:
>>>
>>
>>>
>>
>>>>>> Hello,
>>> >>
>>>>>> On 04/13/06 11:52, Christoph Fürstaller wrote:
>>> >>
>>>>>> Hi,
>>> >>
>>>>>> I tried that out. I check if proto is TLS:
>>>>>> if (proto != TLS) {
>>>>>> sl_send_reply("403", "Forbidden");
>>>>>> exit;
>>>>>> };
>>> >>
>>>>>> But I get this error:
>>>>>> 3(28893) ERROR:tm:add_uac: can't fwd to af 2, proto 1 (no
>>>>>> corresponding listening socket)
>>>>>> 3(28893) ERROR:tm:t_forward_nonack: failure to add branches
>>>>>> 3(28893) ERROR:tm:t_relay_to: t_forward_nonack returned error
>>> >>
>>>>>> What does it mean? What I'm doing wrong?
>>>>>> My SER is only listening on tls port 5061. Do I still have to
>>>>>> open udp
>>>>>> 5060 ?
>>>>>>
>>>>>>
>>> >>
>>>>>>> it seems that you try to forward on UDP.
>>>>>>>
>>
>>> I figured that out too. But
I don't know which part forwardes something
>>> on UDP? I attached my conf. Can you give it a quick look?
>>
>>>
>>
>>>
>>
>>>>>>> You can
configure openser to
>>>>>>> listen on UDP as well, and drop messages coming on UDP, if
you
>>>>>>> want to
>>>>>>> accept only TLS. (as you have in above snippet). If all peers
you
>>>>>>> connect to support TLS, then you can forse sending over TLS
all the
>>>>>>> time.
>>>>>>> Cheers,
>>>>>>> Daniel
>>>>>>>
>>
>>> chris...
>>>
>>
>>>
>>
>>>>>> Cesc wrote:
>>>>>>
>>> >>
>>>>>>
>>> >>
>>>>>>>>>
http://openser.org/dokuwiki/doku.php?id=openser_core_cookbook&DokuWiki=…
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>> >>
>>>>>>>>> On 4/11/06, Thorsten.Haupt(a)t-systems.com
>>>>>>>>> <Thorsten.Haupt(a)t-systems.com> wrote:
>>>>>> >>
>>>>>>>>>
>>>>>> >>
>>>>>>>>>> I searched for this function, but I
didn't found it :-(
>>>>>>>>>> Knows anyone the correct code, not only
pseudo-code?
>>>>>>> >>
>>>>>>>>>> Torsten
>>>>>>> >>
>>>>>>>>>> -----Ursprüngliche Nachricht-----
>>>>>>>>>> Von: Cesc [mailto:cesc.santa@gmail.com]
>>>>>>>>>> Gesendet: Dienstag, 11. April 2006 14:03
>>>>>>>>>> An: Haupt, Thorsten
>>>>>>>>>> Cc: users(a)openser.org
>>>>>>>>>> Betreff: Re: [Users] Allow only TLS connections
>>>>>>> >>
>>>>>>>>>> I think in openser there is a function to
check what
>>>>>>>>>> transport the
>>>>>>>>>> message came in ... you can do something like:
>>>>>>>>>> if ( transport != TLS ) {
>>>>>>>>>> send error to UA
>>>>>>>>>> break;
>>>>>>>>>> }
>>>>>>> >>
>>>>>>>>>> Cesc
>>>>>>> >>
>>>>>>>>>> On 4/11/06, Thorsten.Haupt(a)t-systems.com
>>>>>>>>>> <Thorsten.Haupt(a)t-systems.com> wrote:
>>>>>>> >>
>>>>>>>>>>
>>>>>>> >>
>>>>>>>>>>> Hello,
>>>>>>>> >>
>>>>>>>>>>> I use OpenSER in a testing environment
for VoIP security. My
>>>>>>>>>>> clients
>>>>>>>>>>> connect via TLS. If I deactivate UDP/5060 on
the server, it
>>>>>>>>>>> doesn't
>>>>>>>>>>> work correct.
>>>>>>>>>>> Some Clients can't connect and others
can't establish calls. I
>>>>>>>>>>> read in
>>>>>>>>>>> another thread, that UDP is mandatory for SIP
and that the
>>>>>>>>>>> server
>>>>>>>>>>> need it.
>>>>>>>> >>
>>>>>>>>>>> But how can I prevent users from
connecting via UDP and force
>>>>>>>>>>> them to
>>>>>>>>>>> use TLS? I tried a firewall, blocking UDP and
TCP on port 5060.
>>>>>>>>>>> But is
>>>>>>>>>>> this the correct way? Are there any
parameters server-side
>>>>>>>>>>> to force
>>>>>>>>>>> users to connect via TLS?
>>>>>>>> >>
>>>>>>>>>>> Thanks for response.
>>>>>>>>>>> Torsten
>>>>>>>>>>>
_______________________________________________
>>>>>>>>>>> Users mailing list
>>>>>>>>>>> Users(a)openser.org
>>>>>>>>>>>
http://openser.org/cgi-bin/mailman/listinfo/users
>>>>>>>> >>
>>>>>>>>
>>
>>>>>>>>
>>
>>>>>>>>>>>
>>>>>>> >>
>>>>>>>>>>
_______________________________________________
>>>>>>>>>> Users mailing list
>>>>>>>>>> Users(a)openser.org
>>>>>>>>>>
http://openser.org/cgi-bin/mailman/listinfo/users
>>>>>>> >>
>>>>>>>>>>
>>>>>> >>
>>>>>>>>>
_______________________________________________
>>>>>>>>> Users mailing list
>>>>>>>>> Users(a)openser.org
>>>>>>>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>>>>>>>
>>
>>>
_______________________________________________
>>> Users mailing list
>>> Users(a)openser.org
>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>>
>>> >>
>
>
> _______________________________________________
> Users mailing list
> Users(a)openser.org
> http://openser.org/cgi-bin/mailman/listinfo/users
New TCP connection #23: 192.168.20.143(4279) <-> 192.168.20.156(5061)
23 1 0.0004 (0.0004) C>SV3.1(63) Handshake
ClientHello
Version 3.1
random[32]=
44 3d ef 0d ac 3e c4 13 66 a2 21 c2 f8 74 94 4a
7e 1a d7 b7 67 35 ae ae d7 d3 bf b1 49 e7 a4 9f
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_DES_CBC_SHA
compression methods
NULL
23 2 0.0016 (0.0011) S>CV3.1(74) Handshake
ServerHello
Version 3.1
random[32]=
44 3e 22 1b e2 5a 93 23 20 bd c1 8f 9f 6e 8c 4e
1e dc 72 2c 81 9a 82 8b 53 3e a1 64 21 07 6b 5b
session_id[32]=
54 93 57 4b 18 a1 9d 39 6f bb 69 e5 bf 89 25 cb
87 da 27 c2 f9 12 1c a1 7b 17 b6 1b 8f 5e a3 fa
cipherSuite TLS_RSA_WITH_RC4_128_SHA
compressionMethod NULL
23 3 0.0019 (0.0003) S>CV3.1(3164) Handshake
Certificate
23 4 0.0019 (0.0000) S>CV3.1(4) Handshake
ServerHelloDone
23 5 0.0386 (0.0367) C>SV3.1(134) Handshake
ClientKeyExchange
EncryptedPreMasterSecret[128]=
13 f3 ec 60 20 92 11 f5 4a d6 03 59 95 0d dd c5
17 97 e5 87 29 41 30 6d 3d 54 7f 83 fa 0d 48 d7
ee 44 ea 18 7c fc bc 39 c9 40 aa 1e 27 fe a8 c5
af ce 05 52 ba 4c d4 e1 54 ab 33 6b 39 51 39 35
b0 bd 04 87 4f c5 84 70 cd 50 0e c1 ae 0d 49 cf
d1 71 0c e0 7f dc f2 b4 a7 db d8 8b 1b ac 20 44
f2 49 82 d0 7e d4 5a be 1c d1 66 bc dc 7e a3 e2
c5 26 40 67 49 70 e0 d7 39 a6 80 7b 1d e8 49 d9
23 6 0.0386 (0.0000) C>SV3.1(1) ChangeCipherSpec
23 7 0.0386 (0.0000) C>SV3.1(36) Handshake
23 8 0.0441 (0.0054) S>CV3.1(1) ChangeCipherSpec
23 9 0.0441 (0.0000) S>CV3.1(36) Handshake
23 10 0.0468 (0.0026) C>SV3.1(1362) application_data
23 11 0.0480 (0.0012) S>CV3.1(544) application_data
23 12 0.0528 (0.0048) C>SV3.1(1043) application_data
23 13 10.0483 (9.9954) S>CV3.1(478) application_data
23 14 10.0500 (0.0016) S>CV3.1(596) application_data
23 15 17.2015 (7.1514) C>SV3.1(1135) application_data
23 16 17.2030 (0.0015) S>CV3.1(400) application_data
23 17 17.2037 (0.0006) S>CV3.1(452) application_data
23 18 17.3572 (0.1535) C>SV3.1(470) application_data
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFEPiIuR0exH8dhr/YRAjmJAKCUvF0mB57NgxmaeQiIc2ZqgNzkkgCgrvNJ
IGUA6tHQVBqkaiTg7nXGx0s=
=lgtf
-----END PGP SIGNATURE-----