Hi,
this is the phone->proxy case (traced on Proxy 192.168.0.89).
I also traced the successful case (Phoner Lite Register - phone->proxy):
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
New TCP connection #1: 192.168.0.176(1723) <-> 192.168.0.89(5061)
1 1 0.5784 (0.5784) C>S Handshake
ClientHello
Version 3.1
cipher suites
Unknown value 0x39
Unknown value 0x38
Unknown value 0x35
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0x33
Unknown value 0x32
Unknown value 0x2f
TLS_RSA_WITH_IDEA_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_RSA_EXPORT_WITH_RC4_40_MD5
compression methods
NULL
1 2 0.5811 (0.0027) S>C Handshake
ServerHello
Version 3.1
session_id[0]=
cipherSuite Unknown value 0x35
compressionMethod NULL
1 3 0.5811 (0.0000) S>C Handshake
Certificate
1 4 0.5811 (0.0000) S>C Handshake
ServerHelloDone
1 5 0.5830 (0.0019) C>S Handshake
ClientKeyExchange
1 6 0.5830 (0.0000) C>S ChangeCipherSpec
1 7 0.5830 (0.0000) C>S Handshake
1 8 0.5870 (0.0040) S>C ChangeCipherSpec
1 9 0.5870 (0.0000) S>C Handshake
1 10 0.5908 (0.0037) C>S application_data
1 11 0.6204 (0.0296) S>C application_data
1 12 0.6241 (0.0037) C>S application_data
1 13 0.6848 (0.0606) S>C application_data
1 14 0.6884 (0.0035) C>S application_data
1 15 0.6890 (0.0006) S>C application_data
1 16 0.6934 (0.0043) C>S application_data
1 17 0.6947 (0.0013) S>C application_data
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at]
Sent: Monday, 25 January 2010 09:59
To: Andreas Rehbein
Cc: sr-users(a)lists.sip-router.org
Subject: Re: AW: AW: AW: AW: AW: [SR-Users] TLS problems
Is this proxy->phone or phone->proxy?
klaus
Andreas Rehbein wrote:
Hi Klaus,
these are the ssldump results:
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
New TCP connection #1: 192.168.0.222(1619) <-> 192.168.0.89(5061)
1 1 0.2578 (0.2578) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_DES_CBC_SHA
compression methods
NULL
1 0.4212 (0.1633) S>C TCP FIN
1 0.4225 (0.0013) C>S TCP FIN
Seems like snom doesn't offer compression methods...
regards
Andreas
-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at]
Sent: Friday, 22 January 2010 16:07
To: Andreas Rehbein
Cc: sr-users(a)lists.sip-router.org
Subject: Re: AW: AW: AW: AW: [SR-Users] TLS problems
I managed to have SNOM 320 registering at kamailio-3.0 via TLS. But I do
not have any crashes (openssl 0.9.8g-15+lenny6).
Andreas, when does the crash happen exactly: during TLS handshake or
afterwards (you can for example use "ssldump port 5061" to debug the TLS
connection)?
regards
klaus
Andreas Rehbein wrote:
> Hi Klaus,
>
> until now (OpenSER 1.3.x without client verification) it was not necessary to import certs into snom.
To force the snom to send Messages via tls, you need to insert something
like "192.168.0.89:5061;transport=tls" in the outbound proxy field (but
I'm sure you already knew)
regards
Andreas
-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at]
Sent: Friday, 22 January 2010 13:17
To: Andreas Rehbein
Cc: sr-users(a)lists.sip-router.org
Subject: Re: AW: AW: AW: [SR-Users] TLS problems
Andreas Rehbein wrote:
Hello Klaus,
Linux: Red Hat Enterprise Linux 5; Kernel: 2.6.18-92.1.10.el5
OpenSSL: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Hi Andreas!
I fail to configure SNOM to accept the certificate. I imported the CA
cert as trusted certificates, but TLS handshake is not successful. Is
there something else I need to take care of?
I'm quite sure my certificates are OK as it works with eyebeam and
QjSimple.
regards
Klaus
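
The two ClientHello offers traced in this thread can be compared mechanically. The Python below is an added example, not part of the mailing-list messages: it resolves the code points ssldump printed as "Unknown value" to their IANA names, lists which offered suites fall outside the weak classes, and reads the suite the proxy selected. The function names are hypothetical, the weak-suite classes are an assumption based on current guidance, and the Phoner Lite ClientHello is shortened.

```python
import re

# IANA names for the code points ssldump printed as "Unknown value" (RFC 3268 AES).
AES = {0x2F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x35: "TLS_RSA_WITH_AES_256_CBC_SHA",
       0x32: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 0x38: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
       0x33: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 0x39: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"}
# Assumption: suite classes rejected by current guidance (NULL, anon, export, DES, RC4/RC2, MD5).
WEAK = re.compile(r"_NULL_|_anon_|EXPORT|_DES_CBC|RC4|RC2|MD5")

def name(field):
    """Resolve 'Unknown value 0xNN' to its IANA name when it is in AES."""
    m = re.fullmatch(r"Unknown value (0x[0-9a-fA-F]+)", field)
    return AES.get(int(m.group(1), 16), field) if m else field

def offered(trace):
    """Cipher suites listed in the ClientHello of an ssldump trace, in order."""
    m = re.search(r"cipher suites\s*\n(.*?)\n\s*compression methods", trace, re.S)
    return [name(s.strip()) for s in m.group(1).splitlines() if s.strip()] if m else []

def selected(trace):
    """Suite chosen in the ServerHello, or None when no ServerHello was seen."""
    m = re.search(r"^\s*cipherSuite\s+(.+)$", trace, re.M)
    return name(m.group(1).strip()) if m else None

def not_weak(suites):
    return [s for s in suites if not WEAK.search(s)]

# Copied from the traces in this thread; the Phoner Lite ClientHello is shortened.
SNOM = """cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_DES_CBC_SHA
compression methods"""
PHONER = """cipher suites
Unknown value 0x39
Unknown value 0x35
TLS_RSA_WITH_RC4_128_SHA
compression methods
ServerHello
cipherSuite Unknown value 0x35"""
```

On these traces the suite the proxy selected for Phoner Lite (0x35) does not appear in the snom offer, and every suite in the snom offer falls in one of the weak classes; the thread itself does not establish whether that is why the connection was closed.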