Hi,
Sorry if this was asked before; I did a quick search of the archives, but didn't find anything relevant.
For test purposes, I would like to have a TLS SIP server. My idea was to use stunnel to establish the TLS tunnel, then forward the traffic to SER. I have two questions regarding this:
* Do you think that using stunnel would be sufficient?
* In order to use stunnel, I must have SER listening on TCP. I read that in the 0.8.11pre versions, TCP was being implemented. I installed 0.8.11pre29, but I couldn't find out how to enable TCP.
Thank you for your help,
At 03:34 PM 7/10/2003, Johan Bilien wrote:
Hi,
Sorry if this was asked before; I did a quick search of the archives, but didn't find anything relevant.
For test purposes, I would like to have a TLS SIP server. My idea was to use stunnel to establish the TLS tunnel, then forward the traffic to SER. I have two questions regarding this:
Do you think that using stunnel would be sufficient?
In order to use stunnel, I must have SER listening on TCP. I read that in the 0.8.11pre versions, TCP was being implemented. I installed 0.8.11pre29, but I couldn't find out how to enable TCP.
Just start SER, TCP is enabled by default.
-jiri
On Jul 10, 2003 at 15:34, Johan Bilien jobi@via.ecp.fr wrote:
Hi,
Sorry if this was asked before; I did a quick search of the archives, but didn't find anything relevant.
For test purposes, I would like to have a TLS SIP server. My idea was to use stunnel to establish the TLS tunnel, then forward the traffic to SER. I have two questions regarding this:
- Do you think that using stunnel would be sufficient?
No. stunnel is used for SSL-tunneling inetd daemons. It won't work with ser. sip proxies have to be able to open new connections (they can't be run from inetd). Even if you use it to re-inject the packets on another port (e.g. send all the ssl stuff on tcp localhost:5060 via netcat) you will still not have a tls sip server (any connections opened from ser side will still be non-tls). A TLS sip proxy should also support sips: uris.
BTW: what tls-enabled sip uac do you use?
Andrei
On Thu, Jul 10, 2003, Andrei Pelinescu-Onciul wrote:
No. stunnel is used for SSL-tunneling inetd daemons. It won't work with ser. sip proxies have to be able to open new connections (they can't be run from inetd). Even if you use it to re-inject the packets on another port (e.g. send all the ssl stuff on tcp localhost:5060 via netcat) you will still not have a tls sip server (any connections opened from ser side will still be non-tls). A TLS sip proxy should also support sips: uris.
I agree it would not be able to handle outgoing connections. Still, this should allow TLS communication between the UA and its proxy (especially REGISTER), correct me if I'm wrong.
BTW: what tls-enabled sip uac do you use?
I just tried connecting to my stunnel with Windows Messenger, but it failed with almost no reason given. I will try to see what happens with tcpdump.
Thanks for your help,
On Jul 10, 2003 at 19:29, Johan Bilien jobi@via.ecp.fr wrote:
On Thu, Jul 10, 2003, Andrei Pelinescu-Onciul wrote:
No. stunnel is used for SSL-tunneling inetd daemons. It won't work with ser. sip proxies have to be able to open new connections (they can't be run from inetd). Even if you use it to re-inject the packets on another port (e.g. send all the ssl stuff on tcp localhost:5060 via netcat) you will still not have a tls sip server (any connections opened from ser side will still be non-tls). A TLS sip proxy should also support sips: uris.
I agree it would not be able to handle outgoing connections. Still, this should allow TLS communication between the UA and its proxy (especially REGISTER), correct me if I'm wrong.
Yes but only for a while :-) tcp connections time out after some time. If they are not used, they will be closed. So the tcp connection between ser and stunnel will be closed and then if ser wants to send something back to your UA, it will try to open a new connection to it. You could try to increase the default timeouts (see tcpconn.h: TCP_CON_*_TIMEOUT).
BTW: what tls-enabled sip uac do you use?
I just tried connecting to my stunnel with Windows Messenger, but it failed with almost no reason given. I will try to see what happens with tcpdump.
It seems Messenger does not work with openssl (I don't know if it works with something at all). It will go through the ssl handshake and immediately after that it will close the underlying tcp connection without any reason or error messages. It doesn't even bother to send an ssl close notify.
Andrei
On Jul 10, 2003 at 20:11, Andrei Pelinescu-Onciul pelinescu-onciul@fokus.fraunhofer.de wrote:
On Jul 10, 2003 at 19:29, Johan Bilien jobi@via.ecp.fr wrote:
On Thu, Jul 10, 2003, Andrei Pelinescu-Onciul wrote:
No. stunnel is used for SSL-tunneling inetd daemons. It won't work with ser. sip proxies have to be able to open new connections (they can't be run from inetd). Even if you use it to re-inject the packets on another port (e.g. send all the ssl stuff on tcp localhost:5060 via netcat) you will still not have a tls sip server (any connections opened from ser side will still be non-tls). A TLS sip proxy should also support sips: uris.
I agree it would not be able to handle outgoing connections. Still, this should allow TLS communication between the UA and its proxy (especially REGISTER), correct me if I'm wrong.
Yes but only for a while :-) tcp connections time out after some time. If they are not used, they will be closed. So the tcp connection between ser and stunnel will be closed and then if ser wants to send something back to your UA, it will try to open a new connection to it. You could try to increase the default timeouts (see tcpconn.h: TCP_CON_*_TIMEOUT).
I've just remembered another thing: if your UA is TLS enabled, it will use TLS in vias and probably sips uris. ser doesn't know how to handle them. You'll probably get some unknown protocol errors.
Andrei
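An added example, not code from this thread or from SER, to make Andrei's last point concrete: a small checker (the `parse_sip` and `front_end_issues` helpers are my own, hypothetical names) takes a REGISTER as a TLS-enabled UA would send it through the stunnel front end and lists what a TCP-only proxy behind stunnel would not understand: the sips: Request-URI, TLS in the Via, and a TLS-only Contact. The sample message and its addresses are constructed.

```python
import re

# Constructed sample: a REGISTER as a TLS-enabled UA would send it through
# the stunnel front end. Addresses, branch and tags are made up for this example.
REGISTER_TLS = (
    "REGISTER sips:example.org SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-constructed\r\n"
    "From: <sips:alice@example.org>;tag=1\r\n"
    "To: <sips:alice@example.org>\r\n"
    "Call-ID: constructed-call-1\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sips:alice@192.0.2.10:5061;transport=tls>\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_sip(raw):
    """Split a SIP request into its request line and a header map.
    Header names are lower-cased; repeated headers (e.g. Via) keep their order."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": method, "uri": uri, "headers": headers}

def front_end_issues(raw, proxy_transport="TCP"):
    """List the places where what the UA wrote into the message assumes TLS,
    while the proxy behind the TLS-terminating front end only speaks
    proxy_transport (TCP in the stunnel setup from the thread)."""
    msg = parse_sip(raw)
    issues = []
    if msg["uri"].lower().startswith("sips:"):
        issues.append("Request-URI uses the sips: scheme")
    for via in msg["headers"].get("via", []):
        m = re.match(r"SIP/2\.0/(\w+)", via)
        if m and m.group(1).upper() != proxy_transport:
            issues.append(f"Via transport {m.group(1)} differs from proxy transport {proxy_transport}")
    for name in ("contact", "route", "record-route"):
        for value in msg["headers"].get(name, []):
            if "sips:" in value.lower() or "transport=tls" in value.lower():
                issues.append(f"{name.title()} requires TLS: {value}")
    return issues

if __name__ == "__main__":
    for issue in front_end_issues(REGISTER_TLS):
        print("-", issue)
```

The same check run with `proxy_transport="TLS"` still flags the sips: URIs, which is the second half of the point: terminating TLS in front of the proxy does not teach the proxy the sips: scheme.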
On Thu, Jul 10, 2003, Andrei Pelinescu-Onciul wrote:
I agree it would not be able to handle outgoing connections. Still, this should allow TLS communication between the UA and its proxy (especially REGISTER), correct me if I'm wrong.
Yes but only for a while :-) tcp connections time out after some time. If they are not used, they will be closed. So the tcp connection between ser and stunnel will be closed and then if ser wants to send something back to your UA, it will try to open a new connection to it. You could try to increase the default timeouts (see tcpconn.h: TCP_CON_*_TIMEOUT).
Oh yes I had not thought about TCP timeouts :(. At least the registration could go through TLS.
BTW: what tls-enabled sip uac do you use?
I just tried connecting to my stunnel with Windows Messenger, but it failed with almost no reason given. I will try to see what happens with tcpdump.
It seems Messenger does not work with openssl (I don't know if it works with something at all). It will go through the ssl handshake and immediately after that it will close the underlying tcp connection without any reason or error messages. It doesn't even bother to send an ssl close notify.
Damn it! That's indeed what Ethereal showed me. Do you know any other TLS-enabled SIP UA?
On Jul 10, 2003 at 20:32, Johan Bilien jobi@via.ecp.fr wrote:
Damn it! That's indeed what Ethereal showed me. Do you know any other TLS-enabled SIP UA?
No.
Andrei