Yes you can, it’s totally doable. But you must have one socket for unencrypted and one for encrypted. So you need 2 “listen” one TLS and one TCP.
On Sun, 10 Nov 2019 at 02:16, sthustfo sthustfo@gmail.com wrote:
Well, I was hoping there was a way to proxy from non secure (WS) to secure one (TLS) upstream.
On Sun, Nov 10, 2019 at 6:12 AM David Villasmil < david.villasmil.work@gmail.com> wrote:
You need to have a TLS listen like
https://kamailio.org/docs/tls-1.3.x.html#AEN192
On Sun, 10 Nov 2019 at 00:32, David Villasmil < david.villasmil.work@gmail.com> wrote:
From what you paste, 8080 is not TLS
On Sat, 9 Nov 2019 at 23:29, sthustfo sthustfo@gmail.com wrote:
Kamailio listening on WS only as seen from below log snippet. As I mentioned earlier, talks pure WS (no WSS) with the clients, and TLS towards the SIP server.
0(3268) INFO: <core> [core/sctp_core.c:74]: sctp_core_check_support(): SCTP API not enabled - if you want to use it, load sctp module Listening on tcp: 10.0.0.14 [10.0.0.14]:8080 Aliases: *: test.example.com:*
And here is the relevant portion from config file. listen=tcp:10.0.0.14:8080
With the above, I modified dispatcher.list as below # setid(integer) destination(sip uri) flags (integer, optional), priority(int,opt), attrs (str,optional) 1007 sip:10.0.0.100:5061;transport=tls 0 3 socket=tcp:10.0.0.14:8080 ;ping_from=sip:10.0.0.14
With the above change, I see following in the logs
1(3271) WARNING: <core> [core/forward.c:228]: get_send_socket2(): protocol/port mismatch (forced tcp:10.0.0.14:8080, to tls: 10.0.0.100:5061) 1(3271) ERROR: tm [ut.h:315]: uri2dst2(): no corresponding socket found for "10.0.0.100" af 2 (tls:10.0.0.100:5061) 1(3271) ERROR: tm [uac.c:449]: t_uac_prepare(): no socket found 1(3271) ERROR: dispatcher [dispatch.c:3107]: ds_ping_set(): unable to ping [sip:10.0.0.100:5061;transport=tls] 1(3271) WARNING: <core> [core/forward.c:228]: get_send_socket2(): protocol/port mismatch (forced tcp:10.0.0.14:8080, to tls: 10.0.0.100:5061)
But not attempts to connect to the SIP server.
On Sat, Nov 9, 2019 at 11:48 PM David Villasmil < david.villasmil.work@gmail.com> wrote:
Please paste the “listen” parameters from the config.
On Sat, 9 Nov 2019 at 18:04, David Villasmil < david.villasmil.work@gmail.com> wrote:
Is kamailio listening in that socket?
On Sat, 9 Nov 2019 at 17:34, sthustfo sthustfo@gmail.com wrote:
> Thanks Karsten. Instead of SIP server, I ran a simple socket > listener program to see if dispatcher is attempting to connect to it or > not. But it did not receive any client connection attempts. So after > looking at the logs, I found below log statements. Any idea why this might > have happened? > > 0(3004) ERROR: dispatcher [dispatch.c:411]: pack_dest(): non-local > socket tls:10.0.0.14:5061 > 0(3004) WARNING: dispatcher [dispatch.c:816]: ds_load_list(): > unable to add destination sip:10.0.0.100:5061;transport=tls to set > 1007 -- skipping > > dispatcher.list file pasted below contains the address. Why would > this be an error? > > # setid(integer) destination(sip uri) flags (integer, optional), > priority(int,opt), attrs (str,optional) > 1007 sip:10.0.0.100:5061;transport=tls 0 3 socket=tls:10.0.0.14:5061 > ;ping_from=sip:10.0.0.14 > > > On Sat, Nov 9, 2019 at 9:35 PM Karsten Horsmann khorsmann@gmail.com > wrote: > >> Hi, >> >> I guess the dispatcher is not able to get an 200 okay from your >> upstream tls / sipserver. And so the dispatcher did his job. Find no active >> dispatcher targets, then told you that. >> >> You find more about the dispatcher state with kamctl dispatcher >> dump or kamcmd dispatcher.list >> >> And read the module docu of dispatcher, they explain you the states >> of the commands above. >> >> Hints here: >> >> Reading dispatcher docu, understand the states, read tls (maybe >> that's your root cause). >> >> >> Cheers >> Karsten >> >> sthustfo sthustfo@gmail.com schrieb am Sa., 9. Nov. 2019, 14:56: >> >>> Thanks David. You are right, ds_select_dst() is failing and error >>> log is shown. >>> >>> 9(2528) ERROR: {1 9733 REGISTER e4rvba563tlnj0i3a906qa} >>> dispatcher [dispatch.c:2032]: ds_manage_routes(): no destination sets >>> 9(2528) exec: {1 9733 REGISTER e4rvba563tlnj0i3a906qa} *** >>> cfgtrace:request_route=[DISPATCH] c=[/etc/kamailio/kamailio.cfg] l=970 a=25 >>> n=xdbg >>> 9(2528) DEBUG: {1 9733 REGISTER e4rvba563tlnj0i3a906qa} <script>: >>> --- DISPATCH: Dispatcher could not find any destination >>> 9(2528) exec: {1 9733 REGISTER e4rvba563tlnj0i3a906qa} *** >>> cfgtrace:request_route=[DISPATCH] c=[/etc/kamailio/kamailio.cfg] l=971 a=26 >>> n=send_reply >>> >>> Here is the config around ds_select_dst() >>> >>> # Dispatch requests >>> route[DISPATCH] { >>> # round robin dispatching on gateways group '1' >>> if(!ds_select_dst("1007", "4")) { >>> xdbg("--- DISPATCH: Dispatcher could not find any >>> destination\n"); >>> send_reply("404", "No destination"); >>> exit; >>> } >>> t_on_failure("RTF_DISPATCH"); >>> route(RELAY); >>> exit; >>> } >>> >>> Is there any way to see the logs for communication that happens >>> with the destination? As you said, that also could be one of points of >>> failure. >>> >>> BTW, I have set following config for pinging destination. >>> >>> modparam("dispatcher", "list_file", >>> "/etc/kamailio/dispatcher.list") >>> #modparam("dispatcher", "db_url", DBURL) >>> #Use DBURL variable for database parameters >>> modparam("dispatcher", "ds_ping_interval", 10) #How often >>> to ping destinations to check status >>> modparam("dispatcher", "ds_ping_method", "OPTIONS") #Send SIP >>> Options ping >>> modparam("dispatcher", "ds_probing_threshold", 10) #How many >>> failed pings in a row do we need before we consider it down >>> modparam("dispatcher", "ds_inactive_threshold", 10) #How many >>> sucessful pings in a row do we need before considering it up >>> modparam("dispatcher", "ds_ping_latency_stats", 1) #Enables >>> stats on latency >>> modparam("dispatcher", "ds_probing_mode", 1) #Keeps >>> pinging gateways when state is known (to detect change in state) >>> >>> Best Regards. >>> >>> On Sat, Nov 9, 2019 at 6:32 PM David Villasmil < >>> david.villasmil.work@gmail.com> wrote: >>> >>>> Please post the config around the ds_select >>>> >>>> What that’s saying is basically it could not find a destination >>>> for the set you are asking for. >>>> >>>> Either because the setid you provide with the function doesn’t >>>> exist, or the destination is not responding to the pings. >>>> >>>> >>>> On Sat, 9 Nov 2019 at 10:33, sthustfo sthustfo@gmail.com wrote: >>>> >>>>> Thanks Karsten. The setup consists of client connecting to >>>>> kamailio over WS (10.0.0.14). Kamailio needs to proxy the requests to SIP >>>>> server (10.0.0.100) over TLS. As per your suggestion, I modified the >>>>> dispatch list as below >>>>> >>>>> # setid(integer) destination(sip uri) flags (integer, optional), >>>>> priority(int,opt), attrs (str,optional) >>>>> 1007 sip:10.0.0.100:5061;transport=tls 0 3 >>>>> socket=tls:10.0.0.14:5061;ping_from=sip:10.0.0.14 >>>>> >>>>> With above, kamailio replies to REGISTER with "SIP/2.0 404 No >>>>> destination". And in the logs, I see following statement. >>>>> >>>>> 1(2281) DEBUG: dispatcher [dispatch.c:3125]: ds_check_timer(): >>>>> no destination sets >>>>> >>>>> What does this mean? Is kamailio not able to talk to SIP server >>>>> for some reason? >>>>> >>>>> Regards >>>>> >>>>> On Fri, Nov 8, 2019 at 11:55 PM Karsten Horsmann < >>>>> khorsmann@gmail.com> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> >>>>>> Your config line for the dispatcher makes no sense for me. >>>>>> >>>>>> 1007 sip:10.0.0.100:5061;transport=tls 0 3 socket=tls: >>>>>> 10.0.0.100:5061;ping_from=sip:10.0.0.14 >>>>>> >>>>>> >>>>>> Means setid 1007 (like an group to arrange multiple targets) >>>>>> okay. >>>>>> But sip:10.0.0.100:5061;transport=tls is the dispatcher target >>>>>> Uri. Where your calls are placed when you call the dispatcher function with >>>>>> setid 1007. >>>>>> >>>>>> In combination with socket=10.0.0.100:5061 (that indicates >>>>>> your Kamailio socket, the proxy ip) >>>>>> That you talking with yourself. >>>>>> >>>>>> You should read the module documentations for dispatcher and >>>>>> tls. >>>>>> >>>>>> Or describe your ip setup and your config a bit more. >>>>>> >>>>>> Cheers >>>>>> Karsten >>>>>> >>>>>> sthustfo sthustfo@gmail.com schrieb am Fr., 8. Nov. 2019, >>>>>> 17:41: >>>>>> >>>>>>> Hi Karsten, David, >>>>>>> >>>>>>> Thanks for your pointers. Earlier I was using mysql backend >>>>>>> where the dispatch list was stored. Now following your suggestions, I have >>>>>>> switched to dispatcher list in a file (/etc/kamailio/dispatcher.list) and >>>>>>> put in the following >>>>>>> >>>>>>> # setid(integer) destination(sip uri) flags (integer, >>>>>>> optional), priority(int,opt), attrs (str,optional) >>>>>>> 1007 sip:10.0.0.100:5061;transport=tls 0 3 >>>>>>> socket=tls:10.0.0.100:5061;ping_from=sip:10.0.0.14 >>>>>>> >>>>>>> Even with this, when HTTP request in, the same is upgraded to >>>>>>> WS connection. But this gets closed after couple of seconds. Does the below >>>>>>> log indicate anything? >>>>>>> >>>>>>> 9(1784) exec: *** cfgtrace:request_route=[xhttp:request] >>>>>>> c=[/etc/kamailio/kamailio.cfg] l=1112 a=2 n=exit >>>>>>> 9(1784) DEBUG: <core> [core/usr_avp.c:636]: >>>>>>> destroy_avp_list(): destroying list (nil) >>>>>>> >>>>>>> Is there any way to understand what's happening? I do not see >>>>>>> any other error lin logs. >>>>>>> >>>>>>> Thanks. >>>>>>> >>>>>>> >>>>>>> >>>>>>> On Thu, Nov 7, 2019 at 2:34 PM Daniel-Constantin Mierla < >>>>>>> miconda@gmail.com> wrote: >>>>>>> >>>>>>>> Hello, >>>>>>>> On 06.11.19 20:46, Karsten Horsmann wrote: >>>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> the sips Uri schemata is not used for tls with dispatcher. >>>>>>>> >>>>>>>> jumping in to clarify a bit about sips protocol schema. It >>>>>>>> doesn't imply TLS as one may think HTTPS does it for HTTP. The sips is >>>>>>>> mandating that the traffic goes over secure links, which can be IPSec/VPN >>>>>>>> or even just private network, so it is ok using UDP or TCP when sips is >>>>>>>> present. >>>>>>>> >>>>>>>> In SIP, if TLS is wanted, then transport=tls has to be added >>>>>>>> to the URI. >>>>>>>> >>>>>>>> As for dispatcher, one more clarification: trasport=tls in >>>>>>>> attrs has nothing to do with the destination address, so that has to be in >>>>>>>> the value of the destination field, as Karsten gave in his example. >>>>>>>> >>>>>>>> And, as general note: better do not use sips at all, it can >>>>>>>> mess up some nodes in the path, if you are not sure about the need of sips >>>>>>>> -- just do uri;trasport=tls. >>>>>>>> >>>>>>>> Cheers, >>>>>>>> Daniel >>>>>>>> >>>>>>>> >>>>>>>> Here an example for flatfile dispatcher.list (need corrected >>>>>>>> values). >>>>>>>> >>>>>>>> The socket line must match an listen directive in your >>>>>>>> Kamailio.cfg. >>>>>>>> >>>>>>>> >>>>>>>> root@sbc1:~# cat /etc/kamailio/dispatcher.list >>>>>>>> # setid(integer) destination(sip uri) flags (integer, >>>>>>>> optional), priority(int,opt), attrs (str,optional) >>>>>>>> 1007 sip:sip.pstnhub.microsoft.com;transport=tls 0 3 >>>>>>>> socket=tls:212.xx.xx.xx:5061;ping_from=sip:sbc-d01.yourdomain >>>>>>>> >>>>>>>> Cheers >>>>>>>> Karsten >>>>>>>> >>>>>>>> sthustfo sthustfo@gmail.com schrieb am Mi., 6. Nov. 2019, >>>>>>>> 20:32: >>>>>>>> >>>>>>>>> I have a basic setup where kamailio receives SIP over >>>>>>>>> websocket (no WSS) and forwards to SIP server over TLS. I have enabled TLS >>>>>>>>> in kamailio.cfg and added dispatcher node as sips:SIP_SERVER:5061 and >>>>>>>>> transport=tls. >>>>>>>>> >>>>>>>>> >>>>>>>>> +----+-------+------------------------+-------+----------+---------------+----------------+ >>>>>>>>> | id | setid | destination | flags | priority | >>>>>>>>> attrs | description | >>>>>>>>> >>>>>>>>> +----+-------+------------------------+-------+----------+---------------+----------------+ >>>>>>>>> | 4 | 1 | sips:10.0.0.100:5061 | 0 | 0 | >>>>>>>>> transport=tls | SIP SERVER | >>>>>>>>> >>>>>>>>> +----+-------+------------------------+-------+----------+---------------+----------------+ >>>>>>>>> >>>>>>>>> Now when REGISTER is received over websocket, kamailio is >>>>>>>>> responding with error code 500 and phrase "500 I'm terribly sorry, server >>>>>>>>> error occurred (7/SL)". And on the console I see the following error >>>>>>>>> messages. >>>>>>>>> >>>>>>>>> 12(33858) DEBUG: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} >>>>>>>>> <core> [core/md5utils.c:67]: MD5StringArray(): MD5 calculated: >>>>>>>>> f1ecf7bcb659b07fe81e332e100044e5 >>>>>>>>> 12(33858) ERROR: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} tm >>>>>>>>> [ut.h:315]: uri2dst2(): no corresponding socket found for "10.0.0.100" af 2 >>>>>>>>> (tls:10.0.0.100:5061) >>>>>>>>> 12(33858) ERROR: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} tm >>>>>>>>> [t_fwd.c:467]: prepare_new_uac(): can't fwd to af 2, proto 3 (no >>>>>>>>> corresponding listening socket) >>>>>>>>> 12(33858) ERROR: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} tm >>>>>>>>> [t_fwd.c:1735]: t_forward_nonack(): failure to add branches >>>>>>>>> 12(33858) DEBUG: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} tm >>>>>>>>> [t_funcs.c:334]: t_relay_to(): t_forward_nonack returned error -7 (-7) >>>>>>>>> 12(33858) DEBUG: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} tm >>>>>>>>> [t_funcs.c:352]: t_relay_to(): -7 error reply generation delayed >>>>>>>>> 12(33858) exec: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} *** >>>>>>>>> cfgtrace:request_route=[RELAY] c=[/etc/kamailio/kamailio.cfg] l=587 a=24 >>>>>>>>> n=sl_reply_error >>>>>>>>> 12(33858) DEBUG: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} >>>>>>>>> <core> [core/msg_translator.c:162]: check_via_address(): (10.0.0.14, >>>>>>>>> hsvmphm3ps12.invalid, 0) >>>>>>>>> 12(33858) DEBUG: {1 2521 REGISTER o9q7ujqgin33qgp00abijv} >>>>>>>>> websocket [ws_conn.c:452]: wsconn_get(): wsconn_get for id [3] >>>>>>>>> >>>>>>>>> *tls.cfg contents* >>>>>>>>> [client:default] >>>>>>>>> method = TLSv1 >>>>>>>>> verify_certificate = yes >>>>>>>>> require_certificate = yes >>>>>>>>> private_key = /home/test/kamailio/internal.key >>>>>>>>> certificate = /home/test/kamailio/internal.crt >>>>>>>>> ca_list = /home/test/kamailio/ca_list.pem >>>>>>>>> >>>>>>>>> Any reason why this error is seen? Any inputs appreciated. >>>>>>>>> >>>>>>>>> Thanks. >>>>>>>>> _______________________________________________ >>>>>>>>> Kamailio (SER) - Users Mailing List >>>>>>>>> sr-users@lists.kamailio.org >>>>>>>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users >>>>>>>>> >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> Kamailio (SER) - Users Mailing Listsr-users@lists.kamailio.orghttps://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users >>>>>>>> >>>>>>>> -- >>>>>>>> Daniel-Constantin Mierla -- www.asipto.comwww.twitter.com/miconda -- www.linkedin.com/in/miconda >>>>>>>> Kamailio World Conference - April 27-29, 2020, in Berlin -- www.kamailioworld.com >>>>>>>> >>>>>>>> _______________________________________________ >>>>>>>> Kamailio (SER) - Users Mailing List >>>>>>>> sr-users@lists.kamailio.org >>>>>>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users >>>>>>>> >>>>>>> _______________________________________________ >>>>>>> Kamailio (SER) - Users Mailing List >>>>>>> sr-users@lists.kamailio.org >>>>>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users >>>>>>> >>>>>> _______________________________________________ >>>>>> Kamailio (SER) - Users Mailing List >>>>>> sr-users@lists.kamailio.org >>>>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users >>>>>> >>>>> _______________________________________________ >>>>> Kamailio (SER) - Users Mailing List >>>>> sr-users@lists.kamailio.org >>>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users >>>>> >>>> -- >>>> Regards, >>>> >>>> David Villasmil >>>> email: david.villasmil.work@gmail.com >>>> phone: +34669448337 >>>> _______________________________________________ >>>> Kamailio (SER) - Users Mailing List >>>> sr-users@lists.kamailio.org >>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users >>>> >>> _______________________________________________ >>> Kamailio (SER) - Users Mailing List >>> sr-users@lists.kamailio.org >>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users >>> >> _______________________________________________ >> Kamailio (SER) - Users Mailing List >> sr-users@lists.kamailio.org >> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users >> > _______________________________________________ > Kamailio (SER) - Users Mailing List > sr-users@lists.kamailio.org > https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
-- Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337 _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337
-- Regards,
David Villasmil email: david.villasmil.work@gmail.com phone: +34669448337 _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users