28 Nov
2016
28 Nov
'16
2 p.m.
Hi,
I'm trying to understand the best (or reasonable) approach of offloading
SSL encryption from backend to Kamailio. Let me simplify a little bit:
UAC == SIP/TLS ==> Kamailio == SIP/UDP ==> FreeSWITCH
My main problem is in Contact header of SIP packet which passes through
Kamailio SIP proxy and remains unmodified.
For example, REGISTER request. There is FreeSWITCH backend which is
registrar server as well. UAC send REGISTER request to it through Kamailio
SIP proxy via SIP/TLS. This request dispatches to backend(s) by Kamailio
with dispatcher module. Backend does not configured to support TLS.
In this case everything works fine: I see REGISTER requests on FreeSWITCH.
But Contact header of SIP message which is passing Kamailio remains
unmodified. And as result I see on FreeSWITCH something like the following:
Call-ID: Jpmjp4ruHI
User: user_name@domain_name
Contact: "" <sip:user_name@uac_ip
:27026;transport=tls;fs_path=sip%3Akamailio_ip%3A5060>
Agent: Linphone/3.10.2 (belle-sip/1.5.0)
Status: Registered(TLS)(unknown) EXP(2016-11-28 11:48:28) EXPSECS(110)
Ping-Status: Reachable
Ping-Time: 0.00
Host: kamailio_host
IP: kamailio_ip
Port: 5060
Auth-User: unknown
Auth-Realm: domain_name
MWI-Account: user_name@domain_name
As a result FreeSWITCH tries to originate call over SIP/TLS and it fails
because FreeSWITCH does not configured to work with TLS.
I want to understand what is correct workaraound of this issue. Do I need
to modify Contact header manually on kamailio host and this is right
approach? Or kamailio in case of correct config rewrites this header itself?
If parts of my kamailio config would be useful I will post it later.
Thanks in advance.
--
С уважением,
Владислав Захожай
28 Nov
28 Nov
3:15 p.m.
On Mon, Nov 28, 2016 at 01:00:37PM +0200, Vladyslav Zakhozhai wrote:
UAC == SIP/TLS ==> Kamailio == SIP/UDP ==>
FreeSWITCH
My main problem is in Contact header of SIP packet which passes through
Kamailio SIP proxy and remains unmodified.
For example, REGISTER request. There is FreeSWITCH backend which is
registrar server as well. UAC send REGISTER request to it through Kamailio
SIP proxy via SIP/TLS. This request dispatches to backend(s) by Kamailio
with dispatcher module. Backend does not configured to support TLS.
...
As a result FreeSWITCH tries to originate call over
SIP/TLS and it fails
because FreeSWITCH does not configured to work with TLS.
I want to understand what is correct workaraound of this issue. Do I need
to modify Contact header manually on kamailio host and this is right
approach? Or kamailio in case of correct config rewrites this header itself?
I'm doing something similar but with kamailio instead of freeswitch. My
solution is to use Path on the frontend/loadbalancer. Contact headers
for the REGISTERs are passed unaltered, location uses Path (with
received parameter which contains the transport) to contact the correct
loadbalancer/frontend over UDP and lets the fb/lb contact the UA with
the correct transport and the correct ip:port combo. If freeswitch has
support for this, look into that.
3:17 p.m.
Path is indeed the exact solution for this type of problem.
-- Alex
--
Principal, Evariste Systems LLC (www.evaristesys.com)
Sent from my Google Nexus.
3:42 p.m.
On Mon, Nov 28, 2016 at 01:15:03PM +0100, Daniel Tryba wrote:
According to this closed bug report it should work for
Kamailio/Freeswitch:
https://freeswitch.org/jira/si/jira.issueviews:issue-html/FS-4989/FS-4989.h…
UAC == SIP/TLS
==> Kamailio == SIP/UDP ==> FreeSWITCH
solution is to use Path on the frontend/loadbalancer.
8:02 p.m.
That is very interesting.
I've added add_path_received in Kamailio config. And I can see that
FreeSWITCH received it and reflected in registration info.
With SIP/UDP there is no problems. FreeSWITCH gets path and respnses and
INVITEs goes through Kamailio.
But in case of TLS INVITES goes to Kamailio but FreeSWITCH tries to
originate call with TLS.
Mybe this is FreeSWITCH issue. I'll check later.
2016-11-28 14:42 GMT+02:00 Daniel Tryba <d.tryba(a)pocos.nl>nl>:
On Mon, Nov 28, 2016 at 01:15:03PM +0100, Daniel Tryba
wrote:
According to this closed bug report it should work for
Kamailio/Freeswitch:
https://freeswitch.org/jira/si/jira.issueviews:issue-html/
FS-4989/FS-4989.html
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
С уважением,
Владислав Захожай
UAC ==
SIP/TLS ==> Kamailio == SIP/UDP ==> FreeSWITCH
solution is to use Path on the frontend/loadbalancer.
29 Nov
29 Nov
1:21 a.m.
Daniel, Alex, thank you for your answers.
FreeSWITCH works with path as expected and it is my solution. add_path and
add_path_received works fine in kamailio's config.
2016-11-28 19:02 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai(a)gmail.com>om>:
That is very interesting.
I've added add_path_received in Kamailio config. And I can see that
FreeSWITCH received it and reflected in registration info.
With SIP/UDP there is no problems. FreeSWITCH gets path and respnses and
INVITEs goes through Kamailio.
But in case of TLS INVITES goes to Kamailio but FreeSWITCH tries to
originate call with TLS.
Mybe this is FreeSWITCH issue. I'll check later.
2016-11-28 14:42 GMT+02:00 Daniel Tryba <d.tryba(a)pocos.nl>nl>:
--
С уважением,
Владислав Захожай
On Mon, Nov 28, 2016 at 01:15:03PM +0100, Daniel
Tryba wrote:
According to this closed bug report it should work for
Kamailio/Freeswitch:
https://freeswitch.org/jira/si/jira.issueviews:issue-html/FS
-4989/FS-4989.html
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
С уважением,
Владислав Захожай
UAC ==
SIP/TLS ==> Kamailio == SIP/UDP ==> FreeSWITCH
solution is to use Path on the frontend/loadbalancer.
1:37 a.m.
Ouch... It didn't work for me as expected. I forgot that I have configured
FreeSWITCH to work with TLS.
When I reverted sofia profile to work only over UDP originating call fails
again with message:
[ERR] sofia_glue.c:943 TLS not supported by profile
2016-11-29 0:21 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai(a)gmail.com>om>:
Daniel, Alex, thank you for your answers.
FreeSWITCH works with path as expected and it is my solution. add_path and
add_path_received works fine in kamailio's config.
2016-11-28 19:02 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai(a)gmail.com>om>:
--
С уважением,
Владислав Захожай
That is very interesting.
I've added add_path_received in Kamailio config. And I can see that
FreeSWITCH received it and reflected in registration info.
With SIP/UDP there is no problems. FreeSWITCH gets path and respnses and
INVITEs goes through Kamailio.
But in case of TLS INVITES goes to Kamailio but FreeSWITCH tries to
originate call with TLS.
Mybe this is FreeSWITCH issue. I'll check later.
2016-11-28 14:42 GMT+02:00 Daniel Tryba <d.tryba(a)pocos.nl>nl>:
--
С уважением,
Владислав Захожай
On Mon, Nov 28, 2016 at 01:15:03PM +0100, Daniel
Tryba wrote:
--
С уважением,
Владислав Захожай
> UAC == SIP/TLS ==> Kamailio == SIP/UDP
==> FreeSWITCH
>
solution is to use Path on the frontend/loadbalancer.
According to this closed bug report it should work for
Kamailio/Freeswitch:
https://freeswitch.org/jira/si/jira.issueviews:issue-html/FS
-4989/FS-4989.html
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
30 Nov
30 Nov
7:20 p.m.
Hi, Vladislav
I had very simmilar issue, try to use topoh module.
It will mask contact in header and called side will not try to send reply
to contact dyrectly or using its proto.
It will send using via or record-route headers.
But this will work when kamailio is in statefull proxy mode.
29 нояб. 2016 г. 12:37 AM пользователь "Vladyslav Zakhozhai" <
v.zakhozhai(a)gmail.com> написал:
Ouch... It didn't work for me as expected. I
forgot that I have configured
FreeSWITCH to work with TLS.
When I reverted sofia profile to work only over UDP originating call fails
again with message:
[ERR] sofia_glue.c:943 TLS not supported by profile
2016-11-29 0:21 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai(a)gmail.com>om>:
Daniel, Alex, thank you for your answers.
FreeSWITCH works with path as expected and it is my solution. add_path
and add_path_received works fine in kamailio's config.
2016-11-28 19:02 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai(a)gmail.com>om>:
--
С уважением,
Владислав Захожай
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
That is very interesting.
I've added add_path_received in Kamailio config. And I can see that
FreeSWITCH received it and reflected in registration info.
With SIP/UDP there is no problems. FreeSWITCH gets path and respnses and
INVITEs goes through Kamailio.
But in case of TLS INVITES goes to Kamailio but FreeSWITCH tries to
originate call with TLS.
Mybe this is FreeSWITCH issue. I'll check later.
2016-11-28 14:42 GMT+02:00 Daniel Tryba <d.tryba(a)pocos.nl>nl>:
--
С уважением,
Владислав Захожай
On Mon, Nov 28, 2016 at 01:15:03PM +0100, Daniel
Tryba wrote:
> > UAC == SIP/TLS ==> Kamailio == SIP/UDP ==> FreeSWITCH
> >
> solution is to use Path on the frontend/loadbalancer.
According to this closed bug report it should work for
Kamailio/Freeswitch:
https://freeswitch.org/jira/si/jira.issueviews:issue-html/FS
-4989/FS-4989.html
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
С уважением,
Владислав Захожай
8:24 p.m.
Hi Sergey,
Thank you for the tip. I'm going to try topoh but not now.
The question is: is there a bug in freeswitch or bug in my kamailio's
config. And it seems to me that there is a bug in freeswitch. I see in Via
my SIP proxy without transport=tls. And as per RFC freeswitch must use
transport which is specified in Via for the next hop.
Maybe I'm wrong. But I do not think so :)
2016-11-30 18:20 GMT+02:00 Sergey Basov <sergey.v.basov(a)gmail.com>om>:
Hi, Vladislav
I had very simmilar issue, try to use topoh module.
It will mask contact in header and called side will not try to send reply
to contact dyrectly or using its proto.
It will send using via or record-route headers.
But this will work when kamailio is in statefull proxy mode.
29 нояб. 2016 г. 12:37 AM пользователь "Vladyslav Zakhozhai" <
v.zakhozhai(a)gmail.com> написал:
Ouch... It didn't work for me as expected. I forgot that I have configured
--
С уважением,
Владислав Захожай
FreeSWITCH to work with TLS.
When I reverted sofia profile to work only over UDP originating call
fails again with message:
[ERR] sofia_glue.c:943 TLS not supported by profile
2016-11-29 0:21 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai(a)gmail.com>om>:
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Daniel, Alex, thank you for your answers.
FreeSWITCH works with path as expected and it is my solution. add_path
and add_path_received works fine in kamailio's config.
2016-11-28 19:02 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai(a)gmail.com>om>:
--
С уважением,
Владислав Захожай
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
That is very interesting.
I've added add_path_received in Kamailio config. And I can see that
FreeSWITCH received it and reflected in registration info.
With SIP/UDP there is no problems. FreeSWITCH gets path and respnses
and INVITEs goes through Kamailio.
But in case of TLS INVITES goes to Kamailio but FreeSWITCH tries to
originate call with TLS.
Mybe this is FreeSWITCH issue. I'll check later.
2016-11-28 14:42 GMT+02:00 Daniel Tryba <d.tryba(a)pocos.nl>nl>:
> On Mon, Nov 28, 2016 at 01:15:03PM +0100, Daniel Tryba wrote:
> > > UAC == SIP/TLS ==> Kamailio == SIP/UDP ==> FreeSWITCH
> > >
> > solution is to use Path on the frontend/loadbalancer.
>
> According to this closed bug report it should work for
> Kamailio/Freeswitch:
> https://freeswitch.org/jira/si/jira.issueviews:issue-html/FS
> -4989/FS-4989.html
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users(a)lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
--
С уважением,
Владислав Захожай
--
С уважением,
Владислав Захожай
2900
days inactive
2902
days old
8 comments
4 participants
participants (4)
-
Alex Balashov -
Daniel Tryba -
Sergey Basov -
Vladyslav Zakhozhai