On 04/13/06 12:52, Daniel-Constantin Mierla wrote:
Hello,
could you send a network trace (ngrep)?
actually, ssldump to sniff tls connections.
Cheers,
Daniel
> Another case when the request is forwarded in your script, is for the
> messages outside of your domain (not matching uri==myself).
>
> Cheers,
> Daniel
>
>
> On 04/13/06 12:32, Christoph Fürstaller wrote:
>
Hi,
The contact and socket in the location table is only TLS. No entry
for UDP.
And I don't have any entries in alias table.
chris...
Daniel-Constantin Mierla wrote:
>>>> Hello,
>>>
>>>> maybe the clients register non-TLS contacts, take a look in the
>>>> location table. Also, in aliases, you may have some addresses that
>>>> point to external domains.
>>>
>>>> Cheers,
>>>> Daniel
>>>
>>>
>>>> On 04/13/06 12:05, Christoph Fürstaller wrote:
>>>
>>>> Hi Daniel,
>>>
>>>> Daniel-Constantin Mierla wrote:
>>>>
>>>
>>>>
>>>
>>>>>>> Hello,
>>>
>>>
>>>>>>> On 04/13/06 11:52, Christoph Fürstaller wrote:
>>>
>>>
>>>>>>> Hi,
>>>
>>>
>>>>>>> I tried that out. I check if proto is TLS:
>>>>>>> if (proto != TLS) {
>>>>>>>     sl_send_reply("403", "Forbidden");
>>>>>>>     exit;
>>>>>>> };
>>>
>>>
>>>>>>> But I get this error:
>>>>>>> 3(28893) ERROR:tm:add_uac: can't fwd to af 2, proto 1 (no corresponding listening socket)
>>>>>>> 3(28893) ERROR:tm:t_forward_nonack: failure to add branches
>>>>>>> 3(28893) ERROR:tm:t_relay_to: t_forward_nonack returned error
>>>
>>>
>>>>>>> What does it mean? What am I doing wrong?
>>>>>>> My SER is only listening on tls port 5061. Do I still have to
>>>>>>> open udp 5060?
>>>>>>>
>>>>>>>
>>>
>>>
>>>>>>>> it seems that you try to forward on UDP.
>>>>>>>>
>>>
>>>> I figured that out too. But I don't know which part forwards
>>>> something on UDP? I attached my conf. Can you give it a quick look?
>>>
>>>>
>>>
>>>>
>>>
>>>>>>>> You can configure openser to listen on UDP as well, and drop
>>>>>>>> messages coming on UDP, if you want to accept only TLS. (as you
>>>>>>>> have in above snippet). If all peers you connect to support TLS,
>>>>>>>> then you can force sending over TLS all the time.
>>>>>>>> Cheers,
>>>>>>>> Daniel
>>>>>>>>
>>>
>>>> chris...
>>>>
>>>
>>>>
>>>
>>>>>>> Cesc wrote:
>>>>>>>
>>>
>>>
>>>>>>>
>>>
>>>
>>>>>>>>>> http://openser.org/dokuwiki/doku.php?id=openser_core_cookbook&DokuWiki=…
>>>>>>>>>>
>>>>>>>>>> On 4/11/06, Thorsten.Haupt(a)t-systems.com
>>>>>>>>>> <Thorsten.Haupt(a)t-systems.com> wrote:
>>>>>>
>>>
>>>>>>>>>>
>>>>>>
>>>
>>>>>>>>>>> I searched for this function, but I didn't find it :-(
>>>>>>>>>>> Does anyone know the correct code, not only pseudo-code?
>>>>>>>
>>>
>>>>>>>>>>> Torsten
>>>>>>>
>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: Cesc [mailto:cesc.santa@gmail.com]
>>>>>>>>>>> Sent: Tuesday, 11 April 2006 14:03
>>>>>>>>>>> To: Haupt, Thorsten
>>>>>>>>>>> Cc: users(a)openser.org
>>>>>>>>>>> Subject: Re: [Users] Allow only TLS connections
>>>>>>>
>>>
>>>>>>>>>>> I think in openser there is a function to check what
>>>>>>>>>>> transport the message came in ... you can do something like:
>>>>>>>>>>> if ( transport != TLS ) {
>>>>>>>>>>>     send error to UA
>>>>>>>>>>>     break;
>>>>>>>>>>> }
>>>>>>>
>>>
>>>>>>>>>>> Cesc
>>>>>>>
>>>
>>>>>>>>>>> On 4/11/06, Thorsten.Haupt(a)t-systems.com
>>>>>>>>>>> <Thorsten.Haupt(a)t-systems.com> wrote:
>>>>>>>
>>>
>>>>>>>>>>>
>>>>>>>
>>>
>>>>>>>>>>>> Hello,
>>>>>>>>
>>>
>>>>>>>>>>>> I use OpenSER in a testing environment for VoIP security. My
>>>>>>>>>>>> clients connect via TLS. If I deactivate UDP/5060 on the server,
>>>>>>>>>>>> it doesn't work correctly.
>>>>>>>>>>>> Some clients can't connect and others can't establish calls. I
>>>>>>>>>>>> read in another thread that UDP is mandatory for SIP and that
>>>>>>>>>>>> the server needs it.
>>>>>>>>
>>>
>>>>>>>>>>>> But how can I prevent users from connecting via UDP and force
>>>>>>>>>>>> them to use TLS? I tried a firewall, blocking UDP and TCP on
>>>>>>>>>>>> port 5060. But is this the correct way? Are there any parameters
>>>>>>>>>>>> server-side to force users to connect via TLS?
>>>>>>>>
>>>
>>>>>>>>>>>> Thanks for response.
>>>>>>>>>>>> Torsten
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Users mailing list
>>>>>>>>>>>> Users(a)openser.org
>>>>>>>>>>>> http://openser.org/cgi-bin/mailman/listinfo/users