Re: [Users] Allow only TLS connections

Hello, maybe the clients register non-TLS contacts, take a look in the location table. Also, in aliases, you may have some addresses that point to external domains. Cheers, Daniel On 04/13/06 12:05, Christoph Fürstaller wrote: Hi Daniel, Daniel-Constantin Mierla wrote: >>> Hello, >>> >>> On 04/13/06 11:52, Christoph Fürstaller wrote: >>> >>> Hi, >>> >>> I tried that out. I check if proto is TLS: >>> if (proto != TLS) { >>> sl_send_reply("403", "Forbidden"); >>> exit; >>> }; >>> >>> But I get this error: >>> 3(28893) ERROR:tm:add_uac: can't fwd to af 2, proto 1 (no >>> corresponding listening socket) >>> 3(28893) ERROR:tm:t_forward_nonack: failure to add branches >>> 3(28893) ERROR:tm:t_relay_to: t_forward_nonack returned error >>> >>> What does it mean? What I'm doing wrong? >>> My SER is only listening on tls port 5061. Do I still have to >>> open udp >>> 5060 ? >>> >>> >>>> it seems that you try to forward on UDP. >>>> I figured that out too. But I don't know which part forwardes something on UDP? I attached my conf. Can you give it a quick look? >>>> You can configure openser to >>>> listen on UDP as well, and drop messages coming on UDP, if you >>>> want to >>>> accept only TLS. (as you have in above snippet). If all peers you >>>> connect to support TLS, then you can forse sending over TLS all >>>> the >>>> time. >>>> Cheers, >>>> Daniel >>>> chris... >>> Cesc wrote: >>> >>> >>> >>>>>> http://openser.org/dokuwiki/doku.php?id=openser_core_cookbook&DokuWiki=… >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> On 4/11/06, Thorsten.Haupt(a)t-systems.com >>>>>> <Thorsten.Haupt(a)t-systems.com> wrote: >>>>>> >>>>>> >>>>>>> I searched for this function, but I didn't found it :-( >>>>>>> Knows anyone the correct code, not only pseudo-code? >>>>>>> >>>>>>> Torsten >>>>>>> >>>>>>> -----Ursprüngliche Nachricht----- >>>>>>> Von: Cesc [mailto:cesc.santa@gmail.com] >>>>>>> Gesendet: Dienstag, 11. April 2006 14:03 >>>>>>> An: Haupt, Thorsten >>>>>>> Cc: users(a)openser.org >>>>>>> Betreff: Re: [Users] Allow only TLS connections >>>>>>> >>>>>>> I think in openser there is a function to check what >>>>>>> transport the >>>>>>> message came in ... you can do something like: >>>>>>> if ( transport != TLS ) { >>>>>>> send error to UA >>>>>>> break; >>>>>>> } >>>>>>> >>>>>>> Cesc >>>>>>> >>>>>>> On 4/11/06, Thorsten.Haupt(a)t-systems.com >>>>>>> <Thorsten.Haupt(a)t-systems.com> wrote: >>>>>>> >>>>>>> >>>>>>>> Hello, >>>>>>>> >>>>>>>> I use OpenSER in a testing environment for VoIP security. My >>>>>>>> clients >>>>>>>> connect via TLS. If I deactivate UDP/5060 on the server, it >>>>>>>> doesn't >>>>>>>> work correct. >>>>>>>> Some Clients can't connect and others can't establish calls. I >>>>>>>> read in >>>>>>>> another thread, that UDP is mandatory for SIP and that the >>>>>>>> server >>>>>>>> need it. >>>>>>>> >>>>>>>> But how can I prevent users from connecting via UDP and force >>>>>>>> them to >>>>>>>> use TLS? I tried a firewall, blocking UDP and TCP on port >>>>>>>> 5060. >>>>>>>> But is >>>>>>>> this the correct way? Are there any parameters server-side >>>>>>>> to force >>>>>>>> users to connect via TLS? >>>>>>>> >>>>>>>> Thanks for response. >>>>>>>> Torsten >>>>>>>> _______________________________________________ >>>>>>>> Users mailing list >>>>>>>> Users(a)openser.org >>>>>>>> http://openser.org/cgi-bin/mailman/listinfo/users >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> _______________________________________________ >>>>>>> Users mailing list >>>>>>> Users(a)openser.org >>>>>>> http://openser.org/cgi-bin/mailman/listinfo/users >>>>>>> >>>>>>> >>>>>> _______________________________________________ >>>>>> Users mailing list >>>>>> Users(a)openser.org >>>>>> http://openser.org/cgi-bin/mailman/listinfo/users >>>>>> _______________________________________________ Users mailing list Users(a)openser.org http://openser.org/cgi-bin/mailman/listinfo/users -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFEPhq7R0exH8dhr/YRAl59AKCX48Li98lcSElrrbtDTOdl1QeJIwCgkcnQ IH4j1N1grf2PVLeEYJ0Nvfs= =tsRB -----END PGP SIGNATURE-----