[Freeswitch-users] gateway registration using TLS
Mi Ke
mi.ke at null.net
Fri Jun 22 01:42:55 MSD 2012
Hi Sean,
Thank you for your links, I've double checked my setup and found that both openssl-dev and opentls-dev were in place before compiling. I presume that my SSL profile wouldn't start w/o these libs at all but it does:
root@freeswitch /usr/local/freeswitch/bin # netstat -lpn |grep free
tcp 0 0 127.0.0.1:8021 0.0.0.0:* LISTEN 22156/freeswitch
tcp 0 0 78.46.44.138:5060 0.0.0.0:* LISTEN 22156/freeswitch
tcp 0 0 78.46.44.138:5061 0.0.0.0:* LISTEN 22156/freeswitch
udp 0 0 78.46.44.138:5060 0.0.0.0:* 22156/freeswitch
Also, as an extra test - when I remove cafile.pem and agent.pem profiles do not start so my ssl part seems to be ok.
I would very much appreciate it if FreeSwitch developers could shed some light on that matter, i.e. can FS do TLS registration as a client and how to configure it?
Thanks / Mike
----- Original Message -----
From: Sean Devoy
Sent: 06/21/12 04:37 PM
To: 'FreeSWITCH Users Help'
Subject: Re: [Freeswitch-users] gateway registration using TLS
HI MiKe,
I have not, but we have been looking into it.
Have you seen this thread:
http://lists.freeswitch.org/pipermail/freeswitch-users/2008-May/003233.html
where Brian West says:
You need to make sure you have openssl-devel when you configure/
compile Sofia otherwise it's not enabled. Also there is more to it
than "bin/gentls_cert setup"
http://wiki.freeswitch.org/wiki/Tls
And Helmut Kuper responds with:
ok works now. I had to install libgnutls-dev before running ./configure
script. TLS works with default-values of "bin/gentls_cert setup" and
"bin/gentls_cert create".
Hope that helps,
Sean
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mi Ke
Sent: Thursday, June 21, 2012 9:17 AM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] gateway registration using TLS
Hi Sean,
It seems that setting realm port to 5061 does not set registration mode to TLS - this is how remote server sees our reg attempt:

REGISTER sip:server_ip:5061;transport=tcp SIP/2.0
Via: SIP/2.0/TCP our_ip;branch=z9hG4bKXK27gKtt61X9a
Max-Forwards: 70
From: <sip:xxxx@server_ip:5061>;tag=Q4ytjXN7t319Q
To: <sip:xxxx@server_ip:5061>
Call-ID: 29e638e8-ba6d-11e1-aa8e-e35fbde939c6
CSeq: 29804746 REGISTER
Contact: <sip:gw+xxxx@our_ip:5060;transport=tcp;gw=xxxx>
Expires: 3600
User-Agent: FreeSWITCH-mod_sofia/1.2.0-rc2
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, UPDATE, INFO, REGISTER, REFER, NOTIFY
Supported: timer, precondition, path, replaces
Content-Length: 0

Instead of switching to TLS mode FS just sends plain unencrypted reg request to remote port 5061. After that remote server closes connection.
Have you practically succeeded in placing FS into TLS registration mode?
Cheers / Mike
----- Original Message -----
From: Sean Devoy
Sent: 06/20/12 10:27 PM
To: 'FreeSWITCH Users Help'
Subject: Re: [Freeswitch-users] gateway registration using TLS
NO, sorry. I just saw “remote_ip_here” in the error message and thought maybe you actually had used that.
Sorry.
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mi Ke
Sent: Wednesday, June 20, 2012 12:20 PM
To: FreeSWITCH Users Help
Subject: Re: [Freeswitch-users] gateway registration using TLS
Dear Sean,
It's not that bad - remote_ip, xxx and yyy are only placeholders in my example - actual config has real params ;)
Did you mean that FS will automatically use TLS for registration when I append :5061 to realm value ?
Thanks / MiKe
----- Original Message -----
From: Sean Devoy
Sent: 06/20/12 07:03 PM
To: 'FreeSWITCH Users Help'
Subject: Re: [Freeswitch-users] gateway registration using TLS
Mi Ke,
You should put your actual remote provider’s domain name or IP address in where it says “remote_ip_here” and I assume you have entered your actual username and password where it says “yyy” and “zzz”.
It should look SIMILAR to this, but with your provider: <param name="realm" value="sip.voipinnovations.com:5061"/>
Hope that helps,
Sean
From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Mi Ke
Sent: Wednesday, June 20, 2012 11:46 AM
To: Freeswitch Users
Subject: [Freeswitch-users] gateway registration using TLS
Hi All,
Is it possible to explicitly tell sofia to register as a client using TLS?
Here's my TLS-related part of sofia config:

<profiles>
  <profile name="external">
    <domains>
      <domain name="all" alias="true" parse="false"/>
    </domains>
    <gateways>
      <gateway name="xxx">
        <param name="register" value="true"/>
        <param name="username" value="yyy"/>
        <param name="realm" value="remote_ip_here:5061"/>
        <param name="password" value="zzz"/>
        <param name="register-transport" value="tcp"/>
        <param name="expire-seconds" value="3600"/>
        <param name="retry-seconds" value="60" />
      </gateway>
    </gateways>
    <settings>
      ...
      <param name="context" value="external"/>
      <param name="sip-port" value="5060"/>
      <param name="tls" value="true"/>
      <param name="tls-only" value="false"/>
      <param name="tls-bind-params" value="transport=tls"/>
      <param name="contact-params" value="tport=tcp"/>
      <param name="tls-version" value="sslv23"/>
      <param name="tls-cert-dir" value="/usr/local/freeswitch/conf/ssl"/>
      <param name="tls-sip-port" value="5061"/>
      <param name="dialplan" value="XML"/>
      ...
    </settings>
  </profile>
</profiles>

But that does not work...

tport_connected(0x7f9b44014110): events CONNECTED
tport_send_event(0x7f9b44014110) - ready to send to (tcp/remote_ip_here:5061 http://212.58.166.54:5061 )
tport_vsend(0x7f9b44014110): 600 bytes of 600 to tcp/remote_ip_here:5061 http://212.58.166.54:5061
tport_vsend returned 600
tport_set_events(0x7f9b44014110): events IN
tport(0x7f9b44014110): reset timer
tport_wakeup(0x7f9b44014110): events IN HUP ERR
tport_release(0x7f9b44014110): 0x7f9b4401a460 by 0x7f9b4402ca70 with (nil)
nta: REGISTER (29733430): Connection reset by peer (104) with tcp/[remote_ip_here]:5061
nua(0x7f9b440196a0): event r_register 503 Service Unavailable

Any ideas what I'm doing wrong? Thanks / MiKe
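
The symptom reported in this thread, a REGISTER that goes out as plain TCP to port 5061, can be confirmed from a captured request. The following is an added example, not part of the original messages or of FreeSWITCH; `audit_register` and the sample (built from the request quoted above, placeholders kept) are constructed for illustration, and IPv6 literals are not handled.

```python
import re

# Constructed sample: the REGISTER quoted in the thread, placeholders kept.
SAMPLE_REGISTER = (
    "REGISTER sip:server_ip:5061;transport=tcp SIP/2.0\r\n"
    "Via: SIP/2.0/TCP our_ip;branch=z9hG4bKXK27gKtt61X9a\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:xxxx@server_ip:5061>;tag=Q4ytjXN7t319Q\r\n"
    "To: <sip:xxxx@server_ip:5061>\r\n"
    "Contact: <sip:gw+xxxx@our_ip:5060;transport=tcp;gw=xxxx>\r\n"
    "Content-Length: 0\r\n\r\n"
)

def audit_register(raw):
    """Report which transport a captured SIP request used and flag cleartext."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    # The top Via header names the transport the request was sent on.
    m = re.match(r"SIP/2\.0/(\w+)", headers.get("via", ""))
    via_transport = m.group(1).upper() if m else None
    # Request-URI: scheme, optional port, optional ;transport= parameter.
    scheme, _, rest = uri.partition(":")
    hostport, *params = rest.split(";")
    host = hostport.split("@")[-1]
    port = host.rsplit(":", 1)[1] if ":" in host else None
    uri_transport = next((p.split("=", 1)[1].lower() for p in params
                          if p.lower().startswith("transport=")), None)
    encrypted = via_transport == "TLS"
    findings = []
    if not encrypted:
        findings.append(f"{method} sent over cleartext {via_transport}")
        if port == "5061":
            findings.append("port 5061 targeted without TLS")
    if scheme.lower() != "sips" and uri_transport != "tls":
        findings.append("Request-URI does not ask for TLS")
    return {"via_transport": via_transport, "uri_port": port,
            "uri_transport": uri_transport, "encrypted": encrypted,
            "findings": findings}

if __name__ == "__main__":
    for finding in audit_register(SAMPLE_REGISTER)["findings"]:
        print(finding)
```
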