Dear Kamailio Community,
After reading through our Kamailio configuration several times, the dispatcher
list is in AP:
URI: sip:
; transport = tls
FLAGS: AP
But in the MS Teams dashboard the SIP OPTIONS STATUS column is WARNING.
The logs for the OPTIONS requests give us to understand that they are sent to
MS Teams:
Jan 8 19:01:40 Kamailio-Server /usr/sbin/kamailio[1444]: INFO: <script>:
Sent out tm request: OPTIONS sip:sip.pstnhub.microsoft.com;transport=tls
SIP/2.0#015#012Via: SIP/2.0/TLS
161.35.44.66:5061;branch=z9hG4bKd25f.2835f676000000000000000000000000.0#015#012To:
<sip:sip.pstnhub.microsoft.com;transport=tls>#015#012From: <sip:
sbc.netvoiceperu.com>;tag=69ae0da9200ed8d142f2e4a69f531080-213e3c71#015#012CSeq:
10 OPTIONS#015#012Call-ID:
07561978687e60d0-1444(a)10.131.245.99#015#012Max-Forwards:
70#015#012Content-Length: 0#015#012User-Agent: kamailio (5.4.0
(x86_64/linux))
Jan 8 19:01:40 Kamailio-Server /usr/sbin/kamailio[1444]: INFO: <script>:
Sent out tm request: OPTIONS sip:sip2.pstnhub.microsoft.com;transport=tls
SIP/2.0#015#012Via: SIP/2.0/TLS
161.35.44.66:5061;branch=z9hG4bKe25f.b14dc514000000000000000000000000.0#015#012To:
<sip:sip2.pstnhub.microsoft.com;transport=tls>#015#012From: <sip:
sbc.netvoiceperu.com>;tag=69ae0da9200ed8d142f2e4a69f531080-44c3af70#015#012CSeq:
10 OPTIONS#015#012Call-ID:
07561978687e60d1-1444(a)10.131.245.99#015#012Max-Forwards:
70#015#012Content-Length: 0#015#012User-Agent: kamailio (5.4.0
(x86_64/linux))
Jan 8 19:01:40 Kamailio-Server /usr/sbin/kamailio[1444]: INFO: <script>:
Sent out tm request: OPTIONS sip:sip3.pstnhub.microsoft.com;transport=tls
SIP/2.0#015#012Via: SIP/2.0/TLS
161.35.44.66:5061;branch=z9hG4bKb25f.8442f914000000000000000000000000.0#015#012To:
<sip:sip3.pstnhub.microsoft.com;transport=tls>#015#012From: <sip:
sbc.netvoiceperu.com>;tag=69ae0da9200ed8d142f2e4a69f531080-fa555adb#015#012CSeq:
10 OPTIONS#015#012Call-ID:
07561978687e60d2-1444(a)10.131.245.99#015#012Max-Forwards:
70#015#012Content-Length: 0#015#012User-Agent: kamailio (5.4.0
(x86_64/linux))
Jan 8 19:01:42 Kamailio-Server journal: Suppressed 103 messages from
/system.slice/kamailio.service
In the kamailio.cfg configuration it is declared:
listen=tls:161.35.44.66:5061
listen=tcp:10.131.245.99:5061
modparam("dispatcher", "list_file", "/etc/kamailio/dispatcher.list")
modparam("dispatcher", "ds_probing_mode", 1)
modparam("dispatcher", "ds_ping_interval", 60)
And this fragment was also added:
event_route[tm:local-request] {
    # Add a Contact header to locally generated OPTIONS pings sent to MS Teams
    if (is_method("OPTIONS") && $ru =~ "pstnhub.microsoft.com") {
        append_hf("Contact: <sip::5061;transport=tls>\r\n");
    }
    # Log the outgoing request buffer
    xlog("L_INFO", "Sent out tm request: $mb\n");
}
There is something additional that has to be declared so that in the MS
Teams panel the SIP OPTIONS STATUS column is shown as ACTIVE and not as
WARNING; in the MS Teams documentation it is a possible problem related to
OPTIONS events.
Sincerely,
*Adalberto Carlos Mestanza T.*
On Thu, 7 Jan 2021 at 21:54, Ovidiu Sas (<osas(a)voipembedded.com>)
wrote:
That certificate should already be present under the OS's trusted
certificates directory (debian and ubuntu certs are stored under
/etc/ssl/certs), maybe under a different name, and is required for
remote endpoint's certificate validation.
One can load a particular certificate or a list of certificates.
Multiple certificates can be concatenated into one single file as
stated in the documentation:
https://kamailio.org/docs/modules/devel/modules/tls.html#tls.p.ca_list
Hope this helps a little bit in understanding the ca_list param.
Regards,
Ovidiu Sas
On Thu, Jan 7, 2021 at 8:10 AM <rob.van.den.bulk(a)gmail.com> wrote:
I used this tls.cfg
Use bc2025.pem as extra, Microsoft needs this…
And works fine on different Kamailio-msteams sbcs
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/privkey.pem
certificate = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/fullchain.pem
ca_list = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/bc2025.pem
server_name = sbc.combivoipdom.nl
[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/privkey.pem
certificate = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/fullchain.pem
ca_list = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/bc2025.pem
Cheers Rob
From: sr-users <sr-users-bounces(a)lists.kamailio.org> On behalf of Daniel-Constantin Mierla
Sent: Thursday, 7 January 2021 08:53
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>; Willy Valles Rios <willyvalles17(a)gmail.com>
CC: Carlos Mestanza T. <mestacart(a)gmail.com>
Subject: Re: [SR-Users] Problems establishing SIP signaling between MsTeams and Kamailio
Does this happen when Kamailio connects to MS Teams? The logs indicate
the received TLS certificate is not trusted:
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls
[tls_util.h:42]: tls_err_ret(): TLS write:error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
You can set debug=3 in kamailio.cfg and see if the DEBUG messages
provide more hints. For me it worked fine with Letsencrypt certs in
Kamailio and accepting whatever MS sent back. I used Debian 10 and libssl
1.1.
Cheers,
Daniel
On 06.01.21 21:47, Willy Valles Rios wrote:
Hello community,
I am having trouble establishing SIP signaling between MsTeams and
Kamailio. I currently have this configuration in my tls.cfg file:
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/certificates/private-key.pem
certificate = /etc/kamailio/certificates/certificate.pem
[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/certificates/private-key.pem
certificate = /etc/kamailio/certificates/certificate.pem
My domain was certified with SSL through an authoritative certifier
(GoDaddy); however, I see these errors in the /var/log/messages of the
Kamailio server.
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_mod.c:389]: mod_init(): With ECDH-Support!
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_mod.c:392]: mod_init(): With Diffie Hellman
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_init.c:722]: tls_h_mod_init_f(): compiled with openssl version
"OpenSSL 1.0.2k-fips 26 Jan 2017" (0x100020bf), kerberos support: on,
compression: on
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_init.c:730]: tls_h_mod_init_f(): installed openssl library version
"OpenSSL 1.0.2k-fips 26 Jan 2017" (0x100020bf), kerberos support: on, zlib
compression: on#012 compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC
-DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT
-m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector-strong --param=ssp-buffer-size=4
-grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
-DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
-DECP_NISTZ256_ASM
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: WARNING: tls
[tls_init.c:787]: tls_h_mod_init_f(): openssl bug #1491 (crash/mem leaks on
low memory) workaround enabled (on low memory tls operations will fail
preemptively) with free memory thresholds 13107200 and 6553600 bytes
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO:
[core/cfg/cfg_ctx.c:598]: cfg_set_now(): tls.low_mem_threshold1 has been
changed to 13107200
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO:
[core/cfg/cfg_ctx.c:598]: cfg_set_now(): tls.low_mem_threshold2 has been
changed to 6553600
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO:
[main.c:2834]:
main(): processes (at least): 25 - shm size: 67108864 - pkg
size: 4194304
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO:
[core/udp_server.c:154]: probe_max_receive_buffer(): SO_RCVBUF is initially
212992
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO:
[core/udp_server.c:206]: probe_max_receive_buffer(): SO_RCVBUF is finally
425984
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:305]: ksr_tls_fill_missing(): TLSs: tls_method=22
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:317]: ksr_tls_fill_missing(): TLSs:
certificate='/etc/kamailio/certificados/certificate.pem'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:324]: ksr_tls_fill_missing(): TLSs: ca_list='(null)'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:331]: ksr_tls_fill_missing(): TLSs: crl='(null)'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:335]: ksr_tls_fill_missing(): TLSs: require_certificate=1
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:342]: ksr_tls_fill_missing(): TLSs: cipher_list='(null)'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:349]: ksr_tls_fill_missing(): TLSs:
private_key='/etc/kamailio/certificados/private-key.pem'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:353]: ksr_tls_fill_missing(): TLSs: verify_certificate=1
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:356]: ksr_tls_fill_missing(): TLSs: verify_depth=9
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:359]: ksr_tls_fill_missing(): TLSs: verify_client=0
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: NOTICE: tls
[tls_domain.c:1107]: ksr_tls_fix_domain(): registered server_name callback
handler for socket [:0], server_name='' ...
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:697]: set_verification(): TLSs: Client MUST present valid
certificate
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:305]: ksr_tls_fill_missing(): TLSc: tls_method=22
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:317]: ksr_tls_fill_missing(): TLSc:
certificate='/etc/kamailio/certificados/certificate.pem'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:324]: ksr_tls_fill_missing(): TLSc: ca_list='(null)'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:331]: ksr_tls_fill_missing(): TLSc: crl='(null)'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:335]: ksr_tls_fill_missing(): TLSc: require_certificate=1
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:342]: ksr_tls_fill_missing(): TLSc: cipher_list='(null)'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:349]: ksr_tls_fill_missing(): TLSc:
private_key='/etc/kamailio/certificados/private-key.pem'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:353]: ksr_tls_fill_missing(): TLSc: verify_certificate=1
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:356]: ksr_tls_fill_missing(): TLSc: verify_depth=9
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:359]: ksr_tls_fill_missing(): TLSc: verify_client=0
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls
[tls_domain.c:697]: set_verification(): TLSc: Server MUST present valid
certificate
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32422]: INFO: jsonrpcs
[jsonrpcs_sock.c:443]: jsonrpc_dgram_process(): a new child 0/32422
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32424]: INFO: ctl
[io_listener.c:214]: io_listen_loop(): io_listen_loop: using epoll_lt io
watch method (config)
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls
[tls_server.c:1283]: tls_h_read_f(): protocol level error
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls
[tls_util.h:42]: tls_err_ret(): TLS write:error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls
[tls_server.c:1287]: tls_h_read_f(): source IP: 52.114.75.24
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls
[tls_server.c:1290]: tls_h_read_f(): destination IP: 161.35.44.66
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR:
[core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading
- c: 0x7f45242be028 r: 0x7f45242be150 (-1)
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR: tls
[tls_server.c:1283]: tls_h_read_f(): protocol level error
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR: tls
[tls_util.h:42]: tls_err_ret(): TLS write:error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR: tls
[tls_server.c:1287]: tls_h_read_f(): source IP: 52.114.132.46
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR: tls
[tls_server.c:1290]: tls_h_read_f(): destination IP: 161.35.44.66
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR:
[core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading
- c: 0x7f45242d9278 r: 0x7f45242d93a0 (-1)
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR: tls
[tls_server.c:1283]: tls_h_read_f(): protocol level error
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR: tls
[tls_util.h:42]: tls_err_ret(): TLS write:error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR: tls
[tls_server.c:1287]: tls_h_read_f(): source IP: 52.114.14.70
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR: tls
[tls_server.c:1290]: tls_h_read_f(): destination IP: 161.35.44.66
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR:
[core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading
- c: 0x7f45242be028 r: 0x7f45242be150 (-1)
Could you help me identify the problem, please?
Cheers
Kind regards
--
Willy Valles Rios
Unified Communications Specialist
phone: +51955747343
em@il: willyvalles17(a)gmail.com
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla --
www.asipto.com
www.twitter.com/miconda --
www.linkedin.com/in/miconda
Funding:
https://www.paypal.me/dcmierla
--
VoIP Embedded, Inc.
http://www.voipembedded.com
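
Added example (not part of the original thread and not Kamailio code): a small checker for the condition visible in the startup log above, where a TLS profile has verify_certificate enabled while ca_list is '(null)', so the peer certificate cannot be validated. The sample tls.cfg is constructed, the ca_list path in it is an assumed Debian/Ubuntu bundle location, and the function names are hypothetical.

```python
import re

# Constructed sample: server profile as in the original question (no ca_list),
# client profile with a ca_list added. The bundle path is an assumption.
SAMPLE_TLS_CFG = """\
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/certificates/private-key.pem
certificate = /etc/kamailio/certificates/certificate.pem

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
ca_list = /etc/ssl/certs/ca-certificates.crt
"""

# Section headers look like [server:default] or [client:default];
# stray spaces around the colon are tolerated.
SECTION = re.compile(r"^\[\s*(server|client)\s*:\s*([^\]]+?)\s*\]$")
TRUE_VALUES = {"yes", "1", "on", "true"}  # accepted spellings are an assumption


def parse_tls_cfg(text):
    """Return {"server:default": {key: value, ...}, ...} for a tls.cfg."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = SECTION.match(line)
        if match:
            current = profiles.setdefault(f"{match.group(1)}:{match.group(2)}", {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return profiles


def profiles_without_trust_anchor(text):
    """Profiles that verify the peer certificate but name no ca_list."""
    flagged = []
    for name, opts in parse_tls_cfg(text).items():
        verifies = opts.get("verify_certificate", "no").lower() in TRUE_VALUES
        if verifies and not opts.get("ca_list"):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print(profiles_without_trust_anchor(SAMPLE_TLS_CFG))
```
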