[Freeswitch-users] FreeSWITCH Registrar TLS offload

Sergey Safarov s.safarov at gmail.com
Thu Dec 1 06:55:52 MSK 2016


Look at the Contact header in the REGISTER message. TLS transport is present.

Tue, 29 Nov 2016, 13:45 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:

> Hi,
>
> Here is the SIP REGISTER message which goes UAC => Kamailio => FreeSWITCH:
>
> REGISTER sip:DOMAIN_NAME SIP/2.0
> Via: SIP/2.0/UDP KAMAILIO_IP;branch=z9hG4bK95f8.b6cff139a89c58ea38df4e2f8d375039.0;i=9
> Via: SIP/2.0/TLS USER_IP:34913;received=USER_IP;alias;branch=z9hG4bK.KAL7~HJ2E;rport=34913
> From: <sip:USER_NAME at DOMAIN_NAME>;tag=EbEqf28Bb
> To: sip:USER_NAME at DOMAIN_NAME
> CSeq: 22 REGISTER
> Call-ID: QHttR-2N4V
> Max-Forwards: 69
> Supported: outbound
> Accept: application/sdp
> Accept: text/plain
> Accept: application/vnd.gsma.rcs-ft-http+xml
> Contact: <sip:USER_NAME at USER_IP:34913;transport=tls>;+sip.instance="<urn:uuid:0bf6433b-c543-4a30-b00c-7259d78d5d30>"
> Expires: 60
> User-Agent: Linphone/3.9.0 (belle-sip/1.4.2)
> Content-Length: 0
> Path: <sip:KAMAILIO_IP;lr;received=sip:USER_IP:34913%3Btransport%3Dtls>
>
> Looks good, doesn't it?
>
> Call origination from FreeSWITCH => Kamailio => UAC
>
> INVITE sip:TO_USER at TO_USER_IP:56408;transport=tls SIP/2.0
> Via: SIP/2.0/TLS FS_IP;branch=z9hG4bKS4Dr1pBa4NB1K
> Route: <sip:KAMAILIO_IP>;lr;received=sip:TO_USER_IP:56408;transport=tls
> Max-Forwards: 68
> From: "vlakas" <sip:FROM_USER at FS_IP>;tag=91r5XtyZa62Bj
> To: <sip:TO_USER at TO_USER_IP:56408;transport=tls>
> Call-ID: 7a17700d-30ae-1235-8bbb-005056b9778d
> CSeq: 99867524 INVITE
> Contact: <sip:mod_sofia at FS_IP:5061;transport=tls>
> User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit
> Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
> Supported: timer, path, replaces
> Allow-Events: talk, hold, conference, refer
> Content-Type: application/sdp
> Content-Disposition: session
> Content-Length: 246
> X-FS-Support: update_display,send_info
> Remote-Party-ID: "TO_USER" <sip:TO_USER at FS_IP>;party=calling;screen=yes;privacy=off
>
> v=0
> o=FreeSWITCH 1480390787 1480390788 IN IP4 FS_IP
> s=FreeSWITCH
> c=IN IP4 FS_IP
> t=0 0
> m=audio 16390 RTP/AVP 8 101 13
> a=rtpmap:8 PCMA/8000
> a=rtpmap:101 telephone-event/8000
> a=fmtp:101 0-16
> a=rtpmap:13 CN/8000
> a=ptime:20
>
> This looks good too, I guess...
>
> I can't understand why FreeSWITCH tries to originate the call over TLS. What
> did I miss?
>
> 2016-11-29 0:54 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
>
> P.S. In Kamailio's dispatcher the FreeSWITCH destination is as follows:
>
> sip:FS_IP:5060
>
> 2016-11-29 0:51 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
>
> Brian, I'm wondering too.
>
> First of all, the thing about my previous mail is not so good. I forgot that
> I've configured my sofia profile to work with TLS. When I disabled TLS I
> still have a problem with originating calls, with the error:
>
> [ERR] sofia_glue.c:943 TLS not supported by profile
>
> FreeSWITCH still originates calls over TLS.
>
> Contact:     "" <sip:user_name at user_ip:49337;transport=tls;fs_path=sip%3Asip_proxy_ip%3Blr>
>
> As for the random source port:
>
> As I have already said, on the Kamailio side I check the source IP and port of
> the dispatcher destination (FS_IP:5060) and take appropriate actions. But
> the originated call from kamailio did not pass this check. When I looked
> in the Kamailio logs I saw that the INVITE request is going from FS_IP:RANDOM_PORT
>
> Method: <INVITE> URI: <sip:user_name at user_IP:49335;transport=tls> SourceIP/Port: <FS_IP>:<36378> From/To: [<sip:from_user at FS_IP> <sip:to_user at user_ip:49335;transport=tls>] Contact: <<sip:mod_sofia at FS_IP:5061;transport=tls>> <FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit>.
>
> Here we can see that the call was originated over TLS and the source port was
> different from 5061.
>
> Here is part of the sofia profile:
>
> <param name="rtp-ip" value="FS_IP"/>
> <param name="sip-ip" value="FS_IP"/>
> <param name="sip-port" value="5060"/>
>
> <param name="tls" value="true"/>
> <param name="tls-only" value="false"/>
> <param name="tls-cert-dir" value="/etc/freeswitch/tls"/>
> <param name="tls-bind-params" value="transport=tls"/>
> <param name="tls-sip-port" value="5061"/>
> <param name="tls-passphrase" value=""/>
> <param name="tls-verify-date" value="true"/>
> <param name="tls-verify-policy" value="none"/>
>
>
> 2016-11-29 0:37 GMT+02:00 Brian West <brian at freeswitch.org>:
>
> You're using TLS/TCP; the random port is how it happens.
>
> /b
>
>
> On Mon, Nov 28, 2016 at 4:31 PM, Vladyslav Zakhozhai <v.zakhozhai at gmail.com> wrote:
>
> Hi, I'm from ser-userlist with good news and testing results :)
>
> FreeSWITCH does honor the Path header and will back responses and will originate
> calls to/through the SIP proxy IP address if it is in the path.
>
> Before relaying in Kamailio you need to put add_path or add_path_received
> (both worked fine for me). FreeSWITCH will add it to the Contact header:
>
> Contact:     "" <sip:user_name at user_ip:49335;transport=tls;fs_path=sip%3Akamailio_ip%3Blr>
>
> No manual manipulation of the Contact header is needed from the Kamailio side (as
> well as from the FreeSWITCH side).
>
> But be aware of correct handling of SIP requests (i.e. INVITEs) from
> FreeSWITCHes. For example, my FreeSWITCH backends are in the dispatcher table
> (sip:IP_ADDR:UDP_PORT). And I've checked it with ds_is_from_list in
> Kamailio. But FreeSWITCH originates the INVITE to Kamailio from
> IP_ADDR:RANDOM_PORT. In this case ds_is_from_list fails :(
>
> Now I'm checking whether there are mistakes in my configs or this is a normal use case
> for FreeSWITCH (I did not mention it earlier).
>
>
> 2016-11-25 13:15 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
>
> David,
>
> yes of course I'll be back with solution here :) But I'm not sure when
> exactly.
>
> 2016-11-24 12:30 GMT+02:00 David Villasmil <david.villasmil.work at gmail.com>:
>
> Hello,
>
> Please come back with the solution when you have it. It should be
> interesting for people using kamailio/freeswitch.
>
> Regards,
>
> David
>
> On Wed, Nov 23, 2016 at 10:37 AM Vladyslav Zakhozhai <v.zakhozhai at gmail.com> wrote:
>
> Alexandru, thank you for the answer. I think you've given me right
> direction to investigate.
>
> As you've mentioned this is really kamailio issue/question. So I'm moving
> to sr-users list.
>
>
> 2016-11-22 13:03 GMT+02:00 Alexandru Covalschi <568691 at gmail.com>:
>
> Do you have set_contact_alias or add_contact_alias in Kamailio? Anyway,
> you're doing something wrong, as AFAIK Kamailio translates the Contact header to
> UDP automatically. You should try to post on the sr-users list.
>
> 2016-11-22 12:33 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
>
> Hi,
>
> I'm trying to understand what the best or a suitable approach is to the
> following use case. Let me simplify things a little bit.
>
> Suppose we have one FreeSWITCH registrar behind a SIP proxy (Kamailio). I'd
> like to offload SSL/TLS encryption/decryption to the SIP proxy:
>
> REGISTER:
>
> Request: UAC == SIP/TLS ==> Kamailio == UDP ==> FreeSWITCH:50
> Reply: UAC <== SIP/TLS == Kamailio <== UDP == FreeSWITCH
>
> INVITE:
> UAC1 == SIP/TLS ==> Kamailio == UDP ==> FreeSWITCH == UDP ==> Kamailio == SIP/TLS ==> UAC2
>
> (FreeSWITCH uses kamailio as outbound proxy with fs_path tag appended in
> dialplan).
>
> The main problem is in the Contact header, which contains transport=tls, and we
> can see it in the FreeSWITCH console:
>
> User:       user at domain.com
> Contact:   "" <sip:user at UAC_IP:57976;transport=tls>
> Status:     Registered(TLS)(unknown) EXP(2016-11-22 10:16:59) EXPSECS(108)
> IP:         SIP_PROXY_IP
> Port:       5060
>
> When FreeSWITCH sends an INVITE to UAC2 (during a call) it tries to establish
> a TLS session to UAC2. It fails because there are no TLS-enabled sofia
> profiles in the config of FreeSWITCH.
>
> I have only one solution in mind: rewrite the transport tag in the Contact
> header on the SIP proxy (transport=udp to FreeSWITCH, and transport=tls to UAC).
>
> I'd like to know if this solution is OK or if there are more elegant solutions.
>
> I've tried appending the tag transport=udp in FreeSWITCH's dialplan but with no
> success.
>
> Thank you in advance.
>
> --
> Best regards,
> Vladyslav Zakhozhai
>
>
> _________________________________________________________________________
> Professional FreeSWITCH Consulting Services:
> consulting at freeswitch.org
> http://www.freeswitchsolutions.com
>
> Official FreeSWITCH Sites
> http://www.freeswitch.org
> http://confluence.freeswitch.org
> http://www.cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> http://www.freeswitch.org
>
>
>
>
> --
> Alexandru Covalschi
> VoIP engineer and system administrator
> tel: +37367398493
>
>
> --
>
> *Brian West*
> brian at freeswitch.org
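Added example, not part of the original thread: a short Python check for the mismatch the thread describes, where the REGISTER reaches the registrar over UDP (top Via) while the Contact URI still says transport=tls and the client's real transport survives only in the Path header's `received` parameter. The sample message is constructed from the quoted REGISTER, with documentation addresses in place of the placeholders; the function names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the REGISTER quoted in the thread
# (documentation addresses replace USER_IP / KAMAILIO_IP).
SAMPLE_REGISTER = """\
REGISTER sip:example.test SIP/2.0
Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bKaaaa.0;i=9
Via: SIP/2.0/TLS 198.51.100.7:34913;received=198.51.100.7;alias;branch=z9hG4bK.bbbb;rport=34913
Contact: <sip:alice@198.51.100.7:34913;transport=tls>;+sip.instance="<urn:uuid:00000000-0000-0000-0000-000000000000>"
Path: <sip:192.0.2.10;lr;received=sip:198.51.100.7:34913%3Btransport%3Dtls>
Expires: 60
Content-Length: 0
"""

def headers(msg, name):
    """Return all values of header `name` (case-insensitive), in order."""
    prefix = name.lower() + ":"
    return [line.split(":", 1)[1].strip() for line in msg.splitlines()
            if line.lower().startswith(prefix)]

def uri_transport(uri):
    """Transport named by a SIP URI's ;transport= parameter (udp if absent)."""
    m = re.search(r";transport=([a-z]+)", uri, re.I)
    return m.group(1).lower() if m else "udp"

def audit_register(msg):
    """Compare the transport of the last hop with what Contact and Path say."""
    hop = re.match(r"SIP/2\.0/(\w+)", headers(msg, "Via")[0]).group(1).lower()
    contact_uri = re.search(r"<([^>]+)>", headers(msg, "Contact")[0]).group(1)
    paths = headers(msg, "Path")
    path_uri = re.search(r"<([^>]+)>", paths[0]).group(1) if paths else None
    received = None
    if path_uri:
        m = re.search(r";received=([^;>]+)", path_uri)
        # The proxy URL-encodes ';' and '=' inside the received value.
        received = unquote(m.group(1)) if m else None
    contact_tp = uri_transport(contact_uri)
    return {
        "hop_transport": hop,                # how the registrar received it
        "contact_transport": contact_tp,     # what the registrar will store
        "path_next_hop_transport": uri_transport(path_uri) if path_uri else None,
        "path_received": received,           # client's real address/transport
        "mismatch": contact_tp != hop,       # True on a TLS-offload boundary
    }

if __name__ == "__main__":
    for key, value in audit_register(SAMPLE_REGISTER).items():
        print(f"{key}: {value}")
```
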