Hi,
I'm trying to understand the best (or a reasonable) approach to offloading SSL encryption from the backend to Kamailio. Let me simplify a little bit:
UAC == SIP/TLS ==> Kamailio == SIP/UDP ==> FreeSWITCH
My main problem is with the Contact header of the SIP packet, which passes through the Kamailio SIP proxy and remains unmodified.
For example, a REGISTER request. There is a FreeSWITCH backend which is the registrar server as well. The UAC sends a REGISTER request to it through the Kamailio SIP proxy via SIP/TLS. This request is dispatched to the backend(s) by Kamailio with the dispatcher module. The backend is not configured to support TLS.
In this case everything works fine: I see REGISTER requests on FreeSWITCH. But the Contact header of the SIP message passing through Kamailio remains unmodified. As a result I see on FreeSWITCH something like the following:
    Call-ID: Jpmjp4ruHI
    User: user_name@domain_name
    Contact: "" sip:user_name@uac_ip :27026;transport=tls;fs_path=sip%3Akamailio_ip%3A5060
    Agent: Linphone/3.10.2 (belle-sip/1.5.0)
    Status: Registered(TLS)(unknown) EXP(2016-11-28 11:48:28) EXPSECS(110)
    Ping-Status: Reachable
    Ping-Time: 0.00
    Host: kamailio_host
    IP: kamailio_ip
    Port: 5060
    Auth-User: unknown
    Auth-Realm: domain_name
    MWI-Account: user_name@domain_name
As a result FreeSWITCH tries to originate the call over SIP/TLS and it fails because FreeSWITCH is not configured to work with TLS.
I want to understand what the correct workaround for this issue is. Do I need to modify the Contact header manually on the Kamailio host, and is this the right approach? Or does Kamailio, when correctly configured, rewrite this header itself?
If parts of my Kamailio config would be useful I will post them later.
Thanks in advance.
On Mon, Nov 28, 2016 at 01:00:37PM +0200, Vladyslav Zakhozhai wrote:
> UAC == SIP/TLS ==> Kamailio == SIP/UDP ==> FreeSWITCH
> My main problem is with the Contact header of the SIP packet, which passes through the Kamailio SIP proxy and remains unmodified.
> For example, a REGISTER request. There is a FreeSWITCH backend which is the registrar server as well. The UAC sends a REGISTER request to it through the Kamailio SIP proxy via SIP/TLS. This request is dispatched to the backend(s) by Kamailio with the dispatcher module. The backend is not configured to support TLS.
> ...
> As a result FreeSWITCH tries to originate the call over SIP/TLS and it fails because FreeSWITCH is not configured to work with TLS.
> I want to understand what the correct workaround for this issue is. Do I need to modify the Contact header manually on the Kamailio host, and is this the right approach? Or does Kamailio, when correctly configured, rewrite this header itself?
I'm doing something similar but with kamailio instead of freeswitch. My solution is to use Path on the frontend/loadbalancer. Contact headers for the REGISTERs are passed unaltered, location uses Path (with received parameter which contains the transport) to contact the correct loadbalancer/frontend over UDP and lets the fb/lb contact the UA with the correct transport and the correct ip:port combo. If freeswitch has support for this, look into that.
Path is indeed the exact solution for this type of problem.
-- Alex
-- Principal, Evariste Systems LLC (www.evaristesys.com)
Sent from my Google Nexus.
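The Path setup Daniel and Alex describe, as a Kamailio routing config added here for illustration; it is not configuration posted by anyone in this thread. The listen addresses, file paths and dispatcher set id 1 are constructed assumptions.

```kamailio
# Added illustration, not config from the thread. Addresses, file paths
# and dispatcher set id 1 are constructed assumptions.
listen=tls:203.0.113.10:5061   # UAC-facing TLS socket
listen=udp:10.0.0.10:5060      # backend-facing UDP socket
enable_tls=yes

loadmodule "tls.so"
loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "textops.so"        # is_method()
loadmodule "rr.so"             # used by path for received-based routing
loadmodule "path.so"
loadmodule "dispatcher.so"

modparam("tls", "config", "/etc/kamailio/tls.cfg")
modparam("dispatcher", "list_file", "/etc/kamailio/dispatcher.list")
# For requests coming back from the registrar: take the next hop from the
# ;received= parameter of the Route that was built from our Path entry.
modparam("path", "use_received", 1)

request_route {
    # Backend-originated and in-dialog requests carry this proxy as a Route.
    # loose_route() consumes it; with use_received=1 the destination becomes
    # the UAC source address and transport stored at registration time.
    if (loose_route()) {
        t_relay();
        exit;
    }

    if (is_method("REGISTER")) {
        # Contact stays untouched. Path records this proxy plus the source
        # ip:port and transport the REGISTER arrived on.
        if (!add_path_received()) {
            sl_send_reply("503", "Internal Path Error");
            exit;
        }
    } else if (is_method("INVITE|SUBSCRIBE")) {
        record_route();
    }

    # Hand the request to a UDP-only backend from dispatcher set 1
    # (algorithm 4 = round-robin).
    if (!ds_select_dst("1", "4")) {
        sl_send_reply("503", "No backend available");
        exit;
    }
    t_relay();
}
```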
On Mon, Nov 28, 2016 at 01:15:03PM +0100, Daniel Tryba wrote:
> UAC == SIP/TLS ==> Kamailio == SIP/UDP ==> FreeSWITCH
> solution is to use Path on the frontend/loadbalancer.
According to this closed bug report it should work for Kamailio/Freeswitch: https://freeswitch.org/jira/si/jira.issueviews:issue-html/FS-4989/FS-4989.ht...
That is very interesting.
I've added add_path_received in the Kamailio config, and I can see that FreeSWITCH received it and reflected it in the registration info.
With SIP/UDP there are no problems. FreeSWITCH gets the path, and responses and INVITEs go through Kamailio.
But in the case of TLS, INVITEs go to Kamailio but FreeSWITCH tries to originate the call with TLS.
Maybe this is a FreeSWITCH issue. I'll check later.
2016-11-28 14:42 GMT+02:00 Daniel Tryba d.tryba@pocos.nl:
> On Mon, Nov 28, 2016 at 01:15:03PM +0100, Daniel Tryba wrote:
> > UAC == SIP/TLS ==> Kamailio == SIP/UDP ==> FreeSWITCH
> > solution is to use Path on the frontend/loadbalancer.
> According to this closed bug report it should work for Kamailio/Freeswitch: https://freeswitch.org/jira/si/jira.issueviews:issue-html/FS-4989/FS-4989.html
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Daniel, Alex, thank you for your answers.
FreeSWITCH works with path as expected and it is my solution. add_path and add_path_received work fine in Kamailio's config.
-- Best regards, Vladyslav Zakhozhai
Ouch... It didn't work for me as expected. I forgot that I had configured FreeSWITCH to work with TLS. When I reverted the sofia profile to work only over UDP, originating a call fails again with the message:
[ERR] sofia_glue.c:943 TLS not supported by profile
Hi, Vladislav
I had a very similar issue; try to use the topoh module. It will mask the contact in the header, and the called side will not try to send the reply to the contact directly or using its proto. It will send using the Via or Record-Route headers. But this will work when Kamailio is in stateful proxy mode.
Hi Sergey,
Thank you for the tip. I'm going to try topoh but not now.
The question is: is there a bug in FreeSWITCH or a bug in my Kamailio config? It seems to me that there is a bug in FreeSWITCH. I see my SIP proxy in the Via without transport=tls. And as per the RFC, FreeSWITCH must use the transport which is specified in the Via for the next hop.
Maybe I'm wrong. But I do not think so :)