[Freeswitch-users] FreeSWITCH Registrar TLS offload

Alexandru Covalschi 568691 at gmail.com
Thu Dec 1 01:54:43 MSK 2016


Well I'm not sure, but maybe Freeswitch doesn't understand urlencoded "received" path? I suppose there should be only sip:KAMAILIO_IP in Route header, so I'm very curious about that.
To avoid that, you can try using add_path() instead of add_path_received(). Another way, if you need the "received", is to form the Path record manually: 
append_hf("Path: <sip:$Ri:$Rp;lr;received=\"sip:$si:$sp;transport=$pr\";transport=udp>\r\n");
and avoid urlencode/force transport=udp there.
But anyway I'd also like to understand why Freeswitch doesn't route the call correctly. As far as I understood from https://freeswitch.org/jira/si/jira.issueviews:issue-html/FS-4989/FS-4989.html, there was such type of issue already. Are we having same, but with urlencoding now? 
Also a silly proposal, but well: try creating a brand new user who has no "tls history" - maybe that's issue with sqlite?

Offtopic: Vladislav, you may be interested in joining @ru_voip and @ru_freeswitch groups in Telegram
 
Alexandru Covalschi
VoIP Engineer and System Administrator
tel: +373 673 98 493
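
A small checker for the Path and Route values quoted in this thread, added here as an illustration (not part of the original message and not code from Kamailio or FreeSWITCH): it separates URI parameters inside `<...>` from header parameters after it and percent-decodes `received`. The two sample values are rebuilt from the quoted traces with their placeholders, and all function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Rebuilt from the REGISTER and INVITE traces quoted in this thread
# (placeholders kept exactly as posted).
PATH_IN_REGISTER = "<sip:KAMAILIO_IP;lr;received=sip:USER_IP:34913%3Btransport%3Dtls>"
ROUTE_IN_INVITE = "<sip:KAMAILIO_IP>;lr;received=sip:TO_USER_IP:56408;transport=tls"

# name[=value]; a value may be a quoted string that itself contains ';'.
_PARAM = re.compile(r'([^;=\s]+)(?:=("[^"]*"|[^;]*))?')


def _params(text):
    """Turn 'a;b=c;d="x;y"' into {'a': None, 'b': 'c', 'd': 'x;y'}."""
    return {k.lower(): (v.strip().strip('"') or None)
            for k, v in _PARAM.findall(text)}


def split_name_addr(value):
    """Split '<uri;uri-params>;header-params' into (uri, uri_params, hdr_params)."""
    m = re.match(r'\s*(?:"[^"]*"\s*)?<([^>]*)>(.*)$', value)
    if not m:
        raise ValueError("no <...> name-addr in %r" % value)
    uri, _, uri_params = m.group(1).partition(";")
    return uri, _params(uri_params), _params(m.group(2))


def check_route(value):
    """Return findings for one Path/Route value; an empty list means well-formed."""
    uri, uri_params, hdr_params = split_name_addr(value)
    findings = []
    # RFC 3261: lr is a URI parameter; without it the hop is a strict router.
    if "lr" not in uri_params:
        findings.append("lr is not a URI parameter of " + uri)
    for name in ("lr", "received"):
        if name in hdr_params:
            findings.append(name + " sits outside <...> as a header parameter")
    return findings


def received_target(value):
    """Percent-decode the received URI parameter; None when it is not one."""
    rcv = split_name_addr(value)[1].get("received")
    return unquote(rcv) if rcv else None


if __name__ == "__main__":
    for label, hdr in (("Path", PATH_IN_REGISTER), ("Route", ROUTE_IN_INVITE)):
        print(label, "->", received_target(hdr), check_route(hdr) or "ok")
```

The Path from the REGISTER passes and decodes to `sip:USER_IP:34913;transport=tls`, while the Route from the INVITE is flagged because `lr` and `received` ended up after the closing `>`.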

> On 29 Nov 2016, at 12:43, Vladyslav Zakhozhai <v.zakhozhai at gmail.com> wrote:
> 
> Hi,
> 
> Here is SIP REGISTER message which goes UAC => Kamailio => FreeSWITCH:
> 
> REGISTER sip:DOMAIN_NAME SIP/2.0
> Via: SIP/2.0/UDP KAMAILIO_IP;branch=z9hG4bK95f8.b6cff139a89c58ea38df4e2f8d375039.0;i=9
> Via: SIP/2.0/TLS USER_IP:34913;received=USER_IP;alias;branch=z9hG4bK.KAL7~HJ2E;rport=34913
> From: <sip:USER_NAME at DOMAIN_NAME>;tag=EbEqf28Bb
> To: sip:USER_NAME at DOMAIN_NAME
> CSeq: 22 REGISTER
> Call-ID: QHttR-2N4V
> Max-Forwards: 69
> Supported: outbound
> Accept: application/sdp
> Accept: text/plain
> Accept: application/vnd.gsma.rcs-ft-http+xml
> Contact: <sip:USER_NAME at USER_IP:34913;transport=tls>;+sip.instance="<urn:uuid:0bf6433b-c543-4a30-b00c-7259d78d5d30>"
> Expires: 60
> User-Agent: Linphone/3.9.0 (belle-sip/1.4.2)
> Content-Length: 0
> Path: <sip:KAMAILIO_IP;lr;received=sip:USER_IP:34913%3Btransport%3Dtls>
> 
> Looks good. Isn't it?
> 
> Call origination from FreeSWITCH => Kamailio => UAC
> 
> INVITE sip:TO_USER at TO_USER_IP:56408;transport=tls SIP/2.0
> Via: SIP/2.0/TLS FS_IP;branch=z9hG4bKS4Dr1pBa4NB1K
> Route: <sip:KAMAILIO_IP>;lr;received=sip:TO_USER_IP:56408;transport=tls
> Max-Forwards: 68
> From: "vlakas" <sip:FROM_USER at FS_IP>;tag=91r5XtyZa62Bj
> To: <sip:TO_USER at TO_USER_IP:56408;transport=tls>
> Call-ID: 7a17700d-30ae-1235-8bbb-005056b9778d
> CSeq: 99867524 INVITE
> Contact: <sip:mod_sofia at FS_IP:5061;transport=tls>
> User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit
> Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
> Supported: timer, path, replaces
> Allow-Events: talk, hold, conference, refer
> Content-Type: application/sdp
> Content-Disposition: session
> Content-Length: 246
> X-FS-Support: update_display,send_info
> Remote-Party-ID: "TO_USER" <sip:TO_USER at FS_IP>;party=calling;screen=yes;privacy=off
> 
> v=0
> o=FreeSWITCH 1480390787 1480390788 IN IP4 FS_IP
> s=FreeSWITCH
> c=IN IP4 FS_IP
> t=0 0
> m=audio 16390 RTP/AVP 8 101 13
> a=rtpmap:8 PCMA/8000
> a=rtpmap:101 telephone-event/8000
> a=fmtp:101 0-16
> a=rtpmap:13 CN/8000
> a=ptime:20
> 
> This looks good too I guess...
> 
> I can't understand why FreeSWITCH tries to originate call over TLS. What did I miss?
> 
> 2016-11-29 0:54 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
> P.S. In kamailio's dispatcher the freeswitch destination is as follows
> 
> sip:FS_IP:5060
> 
> 2016-11-29 0:51 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
> Brian, I'm wondering too.
> 
> First of all thing about my previous mail is not so good. I forgot that I've configured my sofia profile to work with TLS. When I disabled TLS I still have a problem with originating calls with error:
> 
> [ERR] sofia_glue.c:943 TLS not supported by profile
> 
> FreeSWITCH still originates calls over TLS.
> 
> Contact:    	"" <sip:user_name at user_ip:49337;transport=tls;fs_path=sip%3Asip_proxy_ip%3Blr>
> 
> What about random source port.
> 
> As I have told already on the kamailio side I check source ip and port of dispatcher destination (FS_IP:5060) and make appropriate actions. But originated call from kamailio did not pass this check. When I have looked in kamailio logs I saw that INVITE request is going from FS_IP:RANDOM_PORT
> 
> Method: <INVITE> URI: <sip:user_name at user_IP:49335;transport=tls> SourceIP/Port: <FS_IP>:<36378> From/To: [<sip:from_user at FS_IP> <sip:to_user at user_ip:49335;transport=tls>] Contact: <<sip:mod_sofia at FS_IP:5061;transport=tls>> <FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit>.
> 
> Here we can see that call was originated over TLS and source port was different than 5061.
> 
> Here is part of sofia profile:
> 
> <param name="rtp-ip" value="FS_IP"/>
> <param name="sip-ip" value="FS_IP"/>
> <param name="sip-port" value="5060"/>
> 
> <param name="tls" value="true"/>
> <param name="tls-only" value="false"/>
> <param name="tls-cert-dir" value="/etc/freeswitch/tls"/>
> <param name="tls-bind-params" value="transport=tls"/>
> <param name="tls-sip-port" value="5061"/>
> <param name="tls-passphrase" value=""/>
> <param name="tls-verify-date" value="true"/>
> <param name="tls-verify-policy" value="none"/>
> 
> 
> 2016-11-29 0:37 GMT+02:00 Brian West <brian at freeswitch.org>:
> You're using TLS/TCP the random port is how it happens.
> 
> /b
> 
> 
> On Mon, Nov 28, 2016 at 4:31 PM, Vladyslav Zakhozhai <v.zakhozhai at gmail.com> wrote:
> Hi, I'm from ser-userlist with a good news and testing results :)
> 
> FreeSWITCH does honor path header and will back responses and will originate calls to/through SIP proxy IP address if it is in the path.
> 
> Before relaying in Kamailio you need put add_path or add_path_received (both worked fine for me). FreeSWITCH will add it to Contact header:
> 
> Contact:    	"" <sip:user_name at user_ip:49335;transport=tls;fs_path=sip%3Akamailio_ip%3Blr>
> 
> No manual manipulations on Contact header are needed from kamailio side (as well as from FreeSWITCH side).
> 
> But be aware of correct handling SIP requests (i.e. INVITEs) from FreeSWITCHes. For example my FreeSWITCHes backends are in dispatcher table (sip:IP_ADDR:UDP_PORT). And I've checked it with ds_is_from_list in kamailio. But FreeSWITCH originates INVITE to kamailio from IP_ADDR:RANDOM_PORT. In this case ds_is_from_list fails :(
> 
> Now I'm checking is there mistakes in my configs or this is normal usecase for FreeSWITCH (I did not mention it earlier).
> 
> 
> 2016-11-25 13:15 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
> David,
> 
> yes of course I'll be back with solution here :) But I'm not sure when exactly.
> 
> 2016-11-24 12:30 GMT+02:00 David Villasmil <david.villasmil.work at gmail.com>:
> Hello,
> 
> Please come back with the solution when you have it. It should be interesting for people using kamailio/freeswitch.
> 
> Regards,
> 
> David
> 
> On Wed, Nov 23, 2016 at 10:37 AM Vladyslav Zakhozhai <v.zakhozhai at gmail.com> wrote:
> Alexandru, thank you for the answer. I think you've given me right direction to investigate.
> 
> As you've mentioned this is really kamailio issue/question. So I'm moving to sr-users list.
> 
> 
> 2016-11-22 13:03 GMT+02:00 Alexandru Covalschi <568691 at gmail.com>:
> Do you have set_contact_alias or add_contact_alias in Kamailio? Anyways you're doing something wrong as AFAIK Kamailio translates contact header to udp automatically. You should try to post on sr-users list.
> 
> 2016-11-22 12:33 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
> Hi,
> 
> I'm trying to understand what is the best or suitable approach to the following use case. Let me simplify thing a little bit. 
> 
> Suppose we have one FreeSWITCH registrar behind SIP proxy (kamailio). I'd like to offload SSL/TLS encryption/decryption to SIP proxy:
> 
> REGISTER:
> 
> Request: UAC == SIP/TLS ==> Kamailio == UDP ==> FreeSWITCH:50
> Reply: UAC <== SIP/TLS == Kamailio <== UDP == FreeSWITCH
> 
> INVITE:
> UAC1 == SIP/TLS ==> Kamailio == UDP ==> FreeSWITCH == UDP ==> Kamailio == SIP/TLS ==> UAC2
> 
> (FreeSWITCH uses kamailio as outbound proxy with fs_path tag appended in dialplan).
> 
> The main problem is in Contact header which contains transport=tls and we can see it in FreeSWITCH console:
> 
> User:       	user at domain.com
> Contact:  	"" <sip:user at UAC_IP:57976;transport=tls>
> Status:     	Registered(TLS)(unknown) EXP(2016-11-22 10:16:59) EXPSECS(108)
> IP:         	SIP_PROXY_IP
> Port:       	5060
> 
> When FreeSWITCH sends INVITE to UAC2 (during call) it tries to establish TLS session to UAC2. It fails because there is no TLS-enabled sofia profiles in the config of FreeSWITCH.
> 
> I have only one solution in my mind: rewrite transport tag in Contact header on SIP proxy (transport=udp to FreeSWITCH, and transport=tls to UAC).
> 
> I'd like to know if this solution is ok or there are more elegant solutions.
> 
> I've tried appending tag transport=udp in FreeSWITCH's dialplan but no success.
> 
> Thank you in advance.
> 
> -- 
> Best regards,
> Vladyslav Zakhozhai
> 
> 
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
> 
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
> 
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
