27 Jul
2015
27 Jul
'15
6:04 p.m.
Hi All,
I have kamailio setup and listening on logical interfaces (for failover
purposes) and therefore need to force the sending socket on initial
messages. We are testing sips+tls at the moment and what we are trying
to achive is that the TLS connection occurs from the UAC to the edge
proxy (also responsible for the domain) and then force UDP for internal
communications to services.
What I am comming up against is that when I force the sending socket on
the internal interface to UDP, the record route header still shows up as
a "sips" request. Then, at the presense server, when generating the
NOTIFY it attempts to send it to the proxy using TLS.
My understanding was that the record route would set the uri something
like "sip:internal_ip" when forcing the sending socket to be
"udp:internal_ip". Is my understanding correct, or am I doing something
wrong here?
An example subscribe message follows, the top most record-route header,
from my understanding, should read sip:internal_ip, not
sips:internal_ip. Is this the expected behaviour of double rr with these
types of messages? How could I ensure that the top most record-route
would always be a sip uri (never sips).
SUBSCRIBE sips:subscriber@domain.com:5061 SIP/2.0.
Record-Route: <sips:proxy_internal_ip;r2=on;lr;ftag=594055226>.
Record-Route:
<sips:proxy_external_ip:5061;transport=tls;r2=on;lr;ftag=594055226>.
Max-Breadth: 60.
Via: SIP/2.0/UDP
proxy_internal_ip;branch=z9hG4bK6c9.d7dc4801e872ce9fb5730f9e09f1889e.0;i=1.
Via: SIP/2.0/TLS
172.16.0.121:5060;rport=33273;received=78.143.152.30;branch=z9hG4bK708ea7ba.
Max-Forwards: 69.
Call-ID: 17212ff4-4421321c8feafd63bf800080f0808080@KX-HDV230X.
From: <sips:subscriber@domain.com>;tag=594055226.
To: <sips:subscriber@domain.com>.
CSeq: 2 SUBSCRIBE.
Allow: INVITE,ACK,CANCEL,BYE,PRACK,INFO,UPDATE,OPTIONS,MESSAGE,NOTIFY,REFER.
Accept: application/dialog-info+xml,application/rlmi+xml,multipart/related.
Contact: <sips:subscriber@172.16.0.121:5060;alias=78.143.152.30~33273~3>.
Expires: 3600.
Event: dialog.
Any thoughts, tips, tricks would be greatly appreciated.
Cheers
28 Jul
28 Jul
1:01 p.m.
Hello,
sips uri scheme should not be used for TLS connectivity -- that should
be just an URI with transport=tls
The sips means that the communication must be done via a secure channel,
which can be UDP over IPSec, for example.
IIRC, the scheme is taken from request URI, based on SIP RFC.
You should instruct the UA to use sip with transport=tls or you can
change the r-uri not to use sips anymore on your server, before doing
record_route().
Cheers,
Daniel
On 27/07/15 17:04, Asgaroth wrote:
Hi All,
I have kamailio setup and listening on logical interfaces (for
failover purposes) and therefore need to force the sending socket on
initial messages. We are testing sips+tls at the moment and what we
are trying to achive is that the TLS connection occurs from the UAC to
the edge proxy (also responsible for the domain) and then force UDP
for internal communications to services.
What I am comming up against is that when I force the sending socket
on the internal interface to UDP, the record route header still shows
up as a "sips" request. Then, at the presense server, when generating
the NOTIFY it attempts to send it to the proxy using TLS.
My understanding was that the record route would set the uri something
like "sip:internal_ip" when forcing the sending socket to be
"udp:internal_ip". Is my understanding correct, or am I doing
something wrong here?
An example subscribe message follows, the top most record-route
header, from my understanding, should read sip:internal_ip, not
sips:internal_ip. Is this the expected behaviour of double rr with
these types of messages? How could I ensure that the top most
record-route would always be a sip uri (never sips).
SUBSCRIBE sips:subscriber@domain.com:5061 SIP/2.0.
Record-Route: <sips:proxy_internal_ip;r2=on;lr;ftag=594055226>.
Record-Route:
<sips:proxy_external_ip:5061;transport=tls;r2=on;lr;ftag=594055226>.
Max-Breadth: 60.
Via: SIP/2.0/UDP
proxy_internal_ip;branch=z9hG4bK6c9.d7dc4801e872ce9fb5730f9e09f1889e.0;i=1.
Via: SIP/2.0/TLS
172.16.0.121:5060;rport=33273;received=78.143.152.30;branch=z9hG4bK708ea7ba.
Max-Forwards: 69.
Call-ID: 17212ff4-4421321c8feafd63bf800080f0808080@KX-HDV230X.
From: <sips:subscriber@domain.com>;tag=594055226.
To: <sips:subscriber@domain.com>.
CSeq: 2 SUBSCRIBE.
Allow:
INVITE,ACK,CANCEL,BYE,PRACK,INFO,UPDATE,OPTIONS,MESSAGE,NOTIFY,REFER.
Accept:
application/dialog-info+xml,application/rlmi+xml,multipart/related.
Contact: <sips:subscriber@172.16.0.121:5060;alias=78.143.152.30~33273~3>.
Expires: 3600.
Event: dialog.
Any thoughts, tips, tricks would be greatly appreciated.
Cheers
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio - http://www.asipto.com
29 Jul
29 Jul
12:53 p.m.
Thank you for that information Daniel, I think I need to do more reading
to understand the sips scheme better.
On 28/07/2015 11:01, Daniel-Constantin Mierla wrote:
Hello,
sips uri scheme should not be used for TLS connectivity -- that should
be just an URI with transport=tls
The sips means that the communication must be done via a secure channel,
which can be UDP over IPSec, for example.
IIRC, the scheme is taken from request URI, based on SIP RFC.
You should instruct the UA to use sip with transport=tls or you can
change the r-uri not to use sips anymore on your server, before doing
record_route().
Cheers,
Daniel
On 27/07/15 17:04, Asgaroth wrote:
> Hi All,
>
> I have kamailio setup and listening on logical interfaces (for
> failover purposes) and therefore need to force the sending socket on
> initial messages. We are testing sips+tls at the moment and what we
> are trying to achive is that the TLS connection occurs from the UAC to
> the edge proxy (also responsible for the domain) and then force UDP
> for internal communications to services.
>
> What I am comming up against is that when I force the sending socket
> on the internal interface to UDP, the record route header still shows
> up as a "sips" request. Then, at the presense server, when generating
> the NOTIFY it attempts to send it to the proxy using TLS.
>
> My understanding was that the record route would set the uri something
> like "sip:internal_ip" when forcing the sending socket to be
> "udp:internal_ip". Is my understanding correct, or am I doing
> something wrong here?
>
> An example subscribe message follows, the top most record-route
> header, from my understanding, should read sip:internal_ip, not
> sips:internal_ip. Is this the expected behaviour of double rr with
> these types of messages? How could I ensure that the top most
> record-route would always be a sip uri (never sips).
>
> SUBSCRIBE sips:subscriber@domain.com:5061 SIP/2.0.
> Record-Route: <sips:proxy_internal_ip;r2=on;lr;ftag=594055226>.
> Record-Route:
> <sips:proxy_external_ip:5061;transport=tls;r2=on;lr;ftag=594055226>.
> Max-Breadth: 60.
> Via: SIP/2.0/UDP
> proxy_internal_ip;branch=z9hG4bK6c9.d7dc4801e872ce9fb5730f9e09f1889e.0;i=1.
> Via: SIP/2.0/TLS
> 172.16.0.121:5060;rport=33273;received=78.143.152.30;branch=z9hG4bK708ea7ba.
> Max-Forwards: 69.
> Call-ID: 17212ff4-4421321c8feafd63bf800080f0808080@KX-HDV230X.
> From: <sips:subscriber@domain.com>;tag=594055226.
> To: <sips:subscriber@domain.com>.
> CSeq: 2 SUBSCRIBE.
> Allow:
> INVITE,ACK,CANCEL,BYE,PRACK,INFO,UPDATE,OPTIONS,MESSAGE,NOTIFY,REFER.
> Accept:
> application/dialog-info+xml,application/rlmi+xml,multipart/related.
> Contact: <sips:subscriber@172.16.0.121:5060;alias=78.143.152.30~33273~3>.
> Expires: 3600.
> Event: dialog.
>
> Any thoughts, tips, tricks would be greatly appreciated.
>
> Cheers
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users(a)lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
3404
days inactive
3406
days old
2 comments
2 participants
participants (2)
-
Asgaroth -
Daniel-Constantin Mierla