[Freeswitch-users] FreeSWITCH Registrar TLS offload

Vladyslav Zakhozhai v.zakhozhai at gmail.com
Thu Dec 1 13:33:42 MSK 2016


Sergey, thanks for your answer. I'd rather agree with Alexandru about
encoding than with the transport-in-Contact-header issue.

Here https://tools.ietf.org/pdf/rfc3327.pdf... There is no mention of
Contact header modification, but:

"The home proxy, in its basic mode of operation, rewrites the request-URI
from the incoming request with the value of the registered contact and
retransmits the request." (5.4)

So the Contact header is meaningful for the home proxy (i.e. the nearest proxy
to the UAC).

Do transient SIP proxies really need to change the Contact header? I doubt that.
But if I'm wrong I'd be glad to understand where exactly :)

Alexandru, the interesting thing about URI encoding is that the return path is
correct. I.e. without the Path header FreeSWITCH will try to contact the UAC
directly. In my case responses and originations go through the SIP proxy, which
is in the Path and in the registration information in the FreeSWITCH DB.

What about add_path and add_path_received? I really have tried to use both
of them with the same result (I've mentioned it earlier). I think I'll try
to play with append_hf.


And thank you for your invitation. I'm not a Telegram user, but I'll give
it a try.

2016-12-01 5:55 GMT+02:00 Sergey Safarov <s.safarov at gmail.com>:

> Look at the Contact header in the REGISTER message: TLS transport is present.
>
> Tue, 29 Nov 2016, 13:45 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
>
>> Hi,
>>
>> Here is the SIP REGISTER message which goes UAC => Kamailio => FreeSWITCH:
>>
>> REGISTER sip:DOMAIN_NAME SIP/2.0
>> Via: SIP/2.0/UDP KAMAILIO_IP;branch=z9hG4bK95f8.b6cff139a89c58ea38df4e2f8d375039.0;i=9
>> Via: SIP/2.0/TLS USER_IP:34913;received=USER_IP;alias;branch=z9hG4bK.KAL7~HJ2E;rport=34913
>> From: <sip:USER_NAME@DOMAIN_NAME>;tag=EbEqf28Bb
>> To: sip:USER_NAME@DOMAIN_NAME
>> CSeq: 22 REGISTER
>> Call-ID: QHttR-2N4V
>> Max-Forwards: 69
>> Supported: outbound
>> Accept: application/sdp
>> Accept: text/plain
>> Accept: application/vnd.gsma.rcs-ft-http+xml
>> Contact: <sip:USER_NAME@USER_IP:34913;transport=tls>;+sip.instance="<urn:uuid:0bf6433b-c543-4a30-b00c-7259d78d5d30>"
>> Expires: 60
>> User-Agent: Linphone/3.9.0 (belle-sip/1.4.2)
>> Content-Length: 0
>> Path: <sip:KAMAILIO_IP;lr;received=sip:USER_IP:34913%3Btransport%3Dtls>
>>
>> Looks good, doesn't it?
>>
>> Call origination from FreeSWITCH => Kamailio => UAC
>>
>> INVITE sip:TO_USER@TO_USER_IP:56408;transport=tls SIP/2.0
>> Via: SIP/2.0/TLS FS_IP;branch=z9hG4bKS4Dr1pBa4NB1K
>> Route: <sip:KAMAILIO_IP>;lr;received=sip:TO_USER_IP:56408;transport=tls
>> Max-Forwards: 68
>> From: "vlakas" <sip:FROM_USER@FS_IP>;tag=91r5XtyZa62Bj
>> To: <sip:TO_USER@TO_USER_IP:56408;transport=tls>
>> Call-ID: 7a17700d-30ae-1235-8bbb-005056b9778d
>> CSeq: 99867524 INVITE
>> Contact: <sip:mod_sofia@FS_IP:5061;transport=tls>
>> User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit
>> Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
>> Supported: timer, path, replaces
>> Allow-Events: talk, hold, conference, refer
>> Content-Type: application/sdp
>> Content-Disposition: session
>> Content-Length: 246
>> X-FS-Support: update_display,send_info
>> Remote-Party-ID: "TO_USER" <sip:TO_USER@FS_IP>;party=calling;screen=yes;privacy=off
>>
>> v=0
>> o=FreeSWITCH 1480390787 1480390788 IN IP4 FS_IP
>> s=FreeSWITCH
>> c=IN IP4 FS_IP
>> t=0 0
>> m=audio 16390 RTP/AVP 8 101 13
>> a=rtpmap:8 PCMA/8000
>> a=rtpmap:101 telephone-event/8000
>> a=fmtp:101 0-16
>> a=rtpmap:13 CN/8000
>> a=ptime:20
>>
>> This looks good too, I guess...
>>
>> I can't understand why FreeSWITCH tries to originate the call over TLS. What
>> did I miss?
>>
>> 2016-11-29 0:54 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
>>
>> P.S. In Kamailio's dispatcher the FreeSWITCH destination is as follows:
>>
>> sip:FS_IP:5060
>>
>> 2016-11-29 0:51 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
>>
>> Brian, I'm wondering too.
>>
>> First of all, one thing about my previous mail is not so good. I forgot that
>> I've configured my Sofia profile to work with TLS. When I disabled TLS I
>> still had a problem with originating calls, with this error:
>>
>> [ERR] sofia_glue.c:943 TLS not supported by profile
>>
>> FreeSWITCH still originates calls over TLS.
>>
>> Contact:     "" <sip:user_name@user_ip:49337;transport=tls;fs_path=sip%3Asip_proxy_ip%3Blr>
>>
>> What about the random source port?
>>
>> As I have already said, on the Kamailio side I check the source IP and port of
>> the dispatcher destination (FS_IP:5060) and take appropriate actions. But the
>> originated call from Kamailio did not pass this check. When I looked in the
>> Kamailio logs I saw that the INVITE request is coming from FS_IP:RANDOM_PORT:
>>
>> Method: <INVITE> URI: <sip:user_name@user_IP:49335;transport=tls> SourceIP/Port: <FS_IP>:<36378> From/To: [<sip:from_user@FS_IP> <sip:to_user@user_ip:49335;transport=tls>] Contact: <<sip:mod_sofia@FS_IP:5061;transport=tls>> <FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit>.
>>
>> Here we can see that the call was originated over TLS and the source port was
>> different from 5061.
>>
>> Here is part of the Sofia profile:
>>
>> <param name="rtp-ip" value="FS_IP"/>
>> <param name="sip-ip" value="FS_IP"/>
>> <param name="sip-port" value="5060"/>
>>
>> <param name="tls" value="true"/>
>> <param name="tls-only" value="false"/>
>> <param name="tls-cert-dir" value="/etc/freeswitch/tls"/>
>> <param name="tls-bind-params" value="transport=tls"/>
>> <param name="tls-sip-port" value="5061"/>
>> <param name="tls-passphrase" value=""/>
>> <param name="tls-verify-date" value="true"/>
>> <param name="tls-verify-policy" value="none"/>
>>
>>
>> 2016-11-29 0:37 GMT+02:00 Brian West <brian at freeswitch.org>:
>>
>> You're using TLS/TCP; the random port is how it happens.
>>
>> /b
>>
>>
>> On Mon, Nov 28, 2016 at 4:31 PM, Vladyslav Zakhozhai <v.zakhozhai at gmail.com> wrote:
>>
>> Hi, I'm from the sr-users list with good news and testing results :)
>>
>> FreeSWITCH does honor the Path header and will send responses back and
>> originate calls to/through the SIP proxy IP address if it is in the Path.
>>
>> Before relaying in Kamailio you need to put add_path or add_path_received
>> (both worked fine for me). FreeSWITCH will add it to the Contact header:
>>
>> Contact:     "" <sip:user_name@user_ip:49335;transport=tls;fs_path=sip%3Akamailio_ip%3Blr>
>>
>> No manual manipulation of the Contact header is needed from the Kamailio side
>> (nor from the FreeSWITCH side).
>>
>> But be aware of correctly handling SIP requests (i.e. INVITEs) from
>> FreeSWITCHes. For example, my FreeSWITCH backends are in the dispatcher table
>> (sip:IP_ADDR:UDP_PORT), and I've checked them with ds_is_from_list in
>> Kamailio. But FreeSWITCH originates the INVITE to Kamailio from
>> IP_ADDR:RANDOM_PORT. In this case ds_is_from_list fails :(
>>
>> Now I'm checking whether there are mistakes in my configs or this is a normal
>> use case for FreeSWITCH (I did not mention it earlier).
>>
>>
>> 2016-11-25 13:15 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
>>
>> David,
>>
>> yes, of course I'll be back with the solution here :) But I'm not sure when
>> exactly.
>>
>> 2016-11-24 12:30 GMT+02:00 David Villasmil <david.villasmil.work at gmail.com>:
>>
>> Hello,
>>
>> Please come back with the solution when you have it. It should be
>> interesting for people using Kamailio/FreeSWITCH.
>>
>> Regards,
>>
>> David
>>
>> On Wed, Nov 23, 2016 at 10:37 AM Vladyslav Zakhozhai <v.zakhozhai at gmail.com> wrote:
>>
>> Alexandru, thank you for the answer. I think you've given me the right
>> direction to investigate.
>>
>> As you've mentioned, this is really a Kamailio issue/question, so I'm moving
>> to the sr-users list.
>>
>>
>> 2016-11-22 13:03 GMT+02:00 Alexandru Covalschi <568691 at gmail.com>:
>>
>> Do you have set_contact_alias or add_contact_alias in Kamailio? Anyway,
>> you're doing something wrong, as AFAIK Kamailio translates the Contact header
>> to UDP automatically. You should try to post on the sr-users list.
>>
>> 2016-11-22 12:33 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
>>
>> Hi,
>>
>> I'm trying to understand what is the best or most suitable approach to the
>> following use case. Let me simplify things a little bit.
>>
>> Suppose we have one FreeSWITCH registrar behind a SIP proxy (Kamailio). I'd
>> like to offload SSL/TLS encryption/decryption to the SIP proxy:
>>
>> REGISTER:
>>
>> Request: UAC == SIP/TLS ==> Kamailio == UDP ==> FreeSWITCH:50
>> Reply: UAC <== SIP/TLS == Kamailio <== UDP == FreeSWITCH
>>
>> INVITE:
>> UAC1 == SIP/TLS ==> Kamailio == UDP ==> FreeSWITCH == UDP ==> Kamailio == SIP/TLS ==> UAC2
>>
>> (FreeSWITCH uses Kamailio as an outbound proxy with the fs_path tag appended in
>> the dialplan.)
>>
>> The main problem is in the Contact header, which contains transport=tls, and we
>> can see it in the FreeSWITCH console:
>>
>> User:       user@domain.com
>> Contact:    "" <sip:user@UAC_IP:57976;transport=tls>
>> Status:     Registered(TLS)(unknown) EXP(2016-11-22 10:16:59) EXPSECS(108)
>> IP:         SIP_PROXY_IP
>> Port:       5060
>>
>> When FreeSWITCH sends an INVITE to UAC2 (during a call) it tries to establish
>> a TLS session to UAC2. It fails because there are no TLS-enabled Sofia
>> profiles in the FreeSWITCH config.
>>
>> I have only one solution in mind: rewrite the transport tag in the Contact
>> header on the SIP proxy (transport=udp to FreeSWITCH, and transport=tls to the UAC).
>>
>> I'd like to know if this solution is OK or there are more elegant solutions.
>>
>> I've tried appending the tag transport=udp in FreeSWITCH's dialplan, but with no
>> success.
>>
>> Thank you in advance.
>>
>> --
>> Best regards,
>> Vladyslav Zakhozhai
>>
>>
>> _________________________________________________________________________
>> Professional FreeSWITCH Consulting Services:
>> consulting at freeswitch.org
>> http://www.freeswitchsolutions.com
>>
>> Official FreeSWITCH Sites
>> http://www.freeswitch.org
>> http://confluence.freeswitch.org
>> http://www.cluecon.com
>>
>> FreeSWITCH-users mailing list
>> FreeSWITCH-users at lists.freeswitch.org
>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>> http://www.freeswitch.org
>>
>> --
>> Alexandru Covalschi
>> VoIP engineer and system administrator
>> tel: +37367398493
>>
>> --
>>
>> Brian West
>> brian at freeswitch.org
>>
>> Twitter: @FreeSWITCH, @briankwest
>> http://www.freeswitchbook.com (50% Discount using code FreeSwitch50)
>> http://www.freeswitchcookbook.com (50% Discount using code FreeSwitch50)
>> https://www.gofundme.com/freeswitch_ubuntu
>>
>> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit: /r/freeswitch <https://www.reddit.com/r/freeswitch>
>>
>> T: +19184209001 | F: +19184209002 | M: +1918424WEST (9378)
>> iNUM: +883 5100 1420 9001 | ISN: 410*543 | Skype: briankwest
>>



--
Best regards,
Vladyslav Zakhozhai
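The following is an added illustration (not code from the thread, from FreeSWITCH or from Kamailio) of the three things the messages above turn on: the transport parameter carried in the registered Contact, the RFC 3327 Path header with Kamailio's percent-encoded received parameter (the encoding Alexandru referred to), and the observation that an INVITE sent by FreeSWITCH over TCP/TLS arrives from an ephemeral source port, which is why a dispatcher check keyed on IP:port fails while an IP-only match passes. It also checks where a Route header carries its lr parameter: run against the quoted INVITE's Route header it returns False, because there lr sits after the closing bracket; whether that is what Sofia sent or how the mail was rendered, the thread does not say. The sample messages are reconstructed from the quoted ones (wrapped lines rejoined, '@' restored), and the placeholder hosts are the thread's own.

```python
"""Parse the SIP fragments quoted in this thread and check the points the
discussion turns on.  Added illustration, not code from FreeSWITCH or Kamailio;
the hosts (KAMAILIO_IP, USER_IP, FS_IP, ...) are the thread's own placeholders."""
import re
from urllib.parse import unquote

# Constructed sample: the REGISTER from the thread (UAC -> Kamailio -> FreeSWITCH),
# with the wrapped lines rejoined and '@' restored in the SIP URIs.
REGISTER_MSG = (
    "REGISTER sip:DOMAIN_NAME SIP/2.0\r\n"
    "Via: SIP/2.0/UDP KAMAILIO_IP;branch=z9hG4bK95f8.b6cff139a89c58ea38df4e2f8d375039.0;i=9\r\n"
    "Via: SIP/2.0/TLS USER_IP:34913;received=USER_IP;alias;branch=z9hG4bK.KAL7~HJ2E;rport=34913\r\n"
    "From: <sip:USER_NAME@DOMAIN_NAME>;tag=EbEqf28Bb\r\n"
    "To: sip:USER_NAME@DOMAIN_NAME\r\n"
    "Contact: <sip:USER_NAME@USER_IP:34913;transport=tls>"
    ';+sip.instance="<urn:uuid:0bf6433b-c543-4a30-b00c-7259d78d5d30>"\r\n'
    "Path: <sip:KAMAILIO_IP;lr;received=sip:USER_IP:34913%3Btransport%3Dtls>\r\n"
    "Expires: 60\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
# Constructed sample: the Route header value from the INVITE quoted in the thread.
INVITE_ROUTE = "<sip:KAMAILIO_IP>;lr;received=sip:TO_USER_IP:56408;transport=tls"


def parse_headers(msg):
    """Split a SIP message into (start line, {lower-cased name: [values]})."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def _params(text):
    """';a=b;c' -> {'a': 'b', 'c': ''}"""
    return {k: v for k, _, v in (p.partition("=") for p in text.split(";") if p)}


def split_name_addr(value):
    """Return (uri, uri_params, header_params) for '[display] <uri;p=v>;hp=v'.
    Parameters inside the angle brackets belong to the URI; those after the
    closing bracket are header parameters (RFC 3261 name-addr form)."""
    m = re.match(r'^(?:"[^"]*"\s*)?<([^>]*)>(.*)$', value)
    if not m:
        raise ValueError("expected a <uri> form: " + value)
    uri, _, uri_param_text = m.group(1).partition(";")
    return uri, _params(uri_param_text), _params(m.group(2))


def contact_transport(headers):
    """Transport the registered Contact asks for; SIP defaults to UDP when absent."""
    _, uri_params, _ = split_name_addr(headers["contact"][0])
    return uri_params.get("transport", "udp").lower()


def path_hops(headers):
    """Decode each Path header (RFC 3327): the proxy to route back through,
    whether it is a loose router, its transport, and the percent-decoded
    'received' parameter that Kamailio's add_path_received() stores there."""
    hops = []
    for value in headers.get("path", []):
        uri, uri_params, _ = split_name_addr(value)
        hostport = uri.split(":", 1)[1].split("@")[-1]   # sip:[user@]host[:port]
        hops.append({
            "hostport": hostport,
            "loose_route": "lr" in uri_params,
            "transport": uri_params.get("transport", "udp").lower(),
            "received": unquote(uri_params["received"]) if "received" in uri_params else None,
        })
    return hops


def route_is_loose(route_value):
    """True only when 'lr' is a URI parameter, i.e. inside the angle brackets.
    As a header parameter (after '>') it does not mark the hop as a loose router."""
    _, uri_params, _ = split_name_addr(route_value)
    return "lr" in uri_params


def source_matches(src_ip, src_port, backend_ip, backend_port, ip_only=False):
    """Model of a 'did this request come from my backend' check.  A backend
    sending over TCP/TLS uses an ephemeral source port, so a strict IP:port
    comparison fails; match on IP alone (and authenticate the hop another way)."""
    if src_ip != backend_ip:
        return False
    return ip_only or src_port == backend_port


if __name__ == "__main__":
    _, hdrs = parse_headers(REGISTER_MSG)
    print("contact transport:", contact_transport(hdrs))
    for hop in path_hops(hdrs):
        print("path hop:", hop)
    print("INVITE Route is loose:", route_is_loose(INVITE_ROUTE))
    print("strict IP:port match:", source_matches("FS_IP", 36378, "FS_IP", 5060))
    print("IP-only match:", source_matches("FS_IP", 36378, "FS_IP", 5060, ip_only=True))
```

The Path hop decodes to KAMAILIO_IP over UDP (no transport parameter on the Path URI) with the original TLS contact recovered from the received parameter, while the Contact itself still says transport=tls; that pair of facts is exactly the situation the thread describes, with FreeSWITCH routing through the proxy but choosing the transport named in the Contact.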