[Freeswitch-users] FreeSWITCH Registrar TLS offload

Vladyslav Zakhozhai v.zakhozhai at gmail.com
Tue Nov 29 01:54:22 MSK 2016


P.S. In Kamailio's dispatcher the FreeSWITCH destination is as follows:

sip:FS_IP:5060

2016-11-29 0:51 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:

> Brian, I'm wondering too.
>
> First of all, something about my previous mail is not so good. I forgot that
> I've configured my sofia profile to work with TLS. When I disabled TLS I
> still had a problem with originating calls, with the error:
>
> [ERR] sofia_glue.c:943 TLS not supported by profile
>
> FreeSWITCH still originates calls over TLS.
>
> Contact:     "" <sip:user_name at user_ip:49337;transport=tls;fs_path=sip%3Asip_proxy_ip%3Blr>
>
> What about the random source port.
>
> As I have already said, on the Kamailio side I check the source IP and port
> against the dispatcher destination (FS_IP:5060) and take the appropriate
> actions. But the originated call did not pass this check on Kamailio. When I
> looked in the Kamailio logs I saw that the INVITE request is coming from
> FS_IP:RANDOM_PORT:
>
> Method: <INVITE> URI: <sip:user_name at user_IP:49335;transport=tls> SourceIP/Port: <FS_IP>:<36378> From/To: [<sip:from_user at FS_IP> <sip:to_user at user_ip:49335;transport=tls>] Contact: <<sip:mod_sofia at FS_IP:5061;transport=tls>> <FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit>.
>
> Here we can see that the call was originated over TLS and the source port
> was different from 5061.
>
> Here is part of sofia profile:
>
> <param name="rtp-ip" value="FS_IP"/>
> <param name="sip-ip" value="FS_IP"/>
> <param name="sip-port" value="5060"/>
>
> <param name="tls" value="true"/>
> <param name="tls-only" value="false"/>
> <param name="tls-cert-dir" value="/etc/freeswitch/tls"/>
> <param name="tls-bind-params" value="transport=tls"/>
> <param name="tls-sip-port" value="5061"/>
> <param name="tls-passphrase" value=""/>
> <param name="tls-verify-date" value="true"/>
> <param name="tls-verify-policy" value="none"/>
>
>
> 2016-11-29 0:37 GMT+02:00 Brian West <brian at freeswitch.org>:
>
>> You're using TLS/TCP; the random port is how it happens.
>>
>> /b
>>
>>
>> On Mon, Nov 28, 2016 at 4:31 PM, Vladyslav Zakhozhai <
>> v.zakhozhai at gmail.com> wrote:
>>
>>> Hi, I'm back from the sr-users list with good news and testing results :)
>>>
>>> FreeSWITCH does honor the Path header: it will send responses back and will
>>> originate calls to/through the SIP proxy IP address if it is in the path.
>>>
>>> Before relaying in Kamailio you need to call add_path or add_path_received
>>> (both worked fine for me). FreeSWITCH will add it to the Contact header:
>>>
>>> Contact:     "" <sip:user_name at user_ip:49335;transport=tls;fs_path=sip%3Akamailio_ip%3Blr>
>>>
>>> No manual manipulation of the Contact header is needed on the Kamailio side
>>> (nor on the FreeSWITCH side).
>>>
>>> But be aware of correctly handling SIP requests (i.e. INVITEs) from the
>>> FreeSWITCHes. For example, my FreeSWITCH backends are in the dispatcher table
>>> (sip:IP_ADDR:UDP_PORT), and I check them with ds_is_from_list in
>>> Kamailio. But FreeSWITCH originates the INVITE to Kamailio from
>>> IP_ADDR:RANDOM_PORT. In this case ds_is_from_list fails :(
>>>
>>> Now I'm checking whether there are mistakes in my configs or this is a normal
>>> use case for FreeSWITCH (I did not mention it earlier).
>>>
>>>
>>> 2016-11-25 13:15 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
>>>
>>>> David,
>>>>
>>>> yes, of course I'll be back with the solution here :) But I'm not sure when
>>>> exactly.
>>>>
>>>> 2016-11-24 12:30 GMT+02:00 David Villasmil <
>>>> david.villasmil.work at gmail.com>:
>>>>
>>>>> Hello,
>>>>>
>>>>> Please come back with the solution when you have it. It should be
>>>>> interesting for people using kamailio/freeswitch.
>>>>>
>>>>> Regards,
>>>>>
>>>>> David
>>>>>
>>>>> On Wed, Nov 23, 2016 at 10:37 AM Vladyslav Zakhozhai <
>>>>> v.zakhozhai at gmail.com> wrote:
>>>>>
>>>>>> Alexandru, thank you for the answer. I think you've given me the right
>>>>>> direction to investigate.
>>>>>>
>>>>>> As you've mentioned, this is really a Kamailio issue/question, so I'm
>>>>>> moving to the sr-users list.
>>>>>>
>>>>>>
>>>>>> 2016-11-22 13:03 GMT+02:00 Alexandru Covalschi <568691 at gmail.com>:
>>>>>>
>>>>>> Do you have set_contact_alias or add_contact_alias in Kamailio?
>>>>>> Anyway, you're doing something wrong, as AFAIK Kamailio translates the Contact
>>>>>> header to UDP automatically. You should try to post on the sr-users list.
>>>>>>
>>>>>> 2016-11-22 12:33 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com
>>>>>> >:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm trying to understand what the best or most suitable approach to the
>>>>>> following use case is. Let me simplify things a little bit.
>>>>>>
>>>>>> Suppose we have one FreeSWITCH registrar behind a SIP proxy (Kamailio).
>>>>>> I'd like to offload SSL/TLS encryption/decryption to the SIP proxy:
>>>>>>
>>>>>> REGISTER:
>>>>>>
>>>>>> Request: UAC == SIP/TLS ==> Kamailio == UDP ==> FreeSWITCH:50
>>>>>> Reply: UAC <== SIP/TLS == Kamailio <== UDP == FreeSWITCH
>>>>>>
>>>>>> INVITE:
>>>>>> UAC1 == SIP/TLS ==> Kamailio == UDP ==> FreeSWITCH == UDP ==> Kamailio == SIP/TLS ==> UAC2
>>>>>>
>>>>>> (FreeSWITCH uses Kamailio as an outbound proxy with the fs_path tag appended
>>>>>> in the dialplan).
>>>>>>
>>>>>> The main problem is in the Contact header, which contains transport=tls,
>>>>>> and we can see it in the FreeSWITCH console:
>>>>>>
>>>>>> User:       user at domain.com
>>>>>> Contact:   "" <sip:user at UAC_IP:57976;transport=tls>
>>>>>> Status:     Registered(TLS)(unknown) EXP(2016-11-22 10:16:59) EXPSECS(108)
>>>>>> IP:         SIP_PROXY_IP
>>>>>> Port:       5060
>>>>>>
>>>>>> When FreeSWITCH sends an INVITE to UAC2 (during a call) it tries to
>>>>>> establish a TLS session to UAC2. It fails because there are no TLS-enabled
>>>>>> sofia profiles in the FreeSWITCH config.
>>>>>>
>>>>>> I have only one solution in mind: rewrite the transport tag in the Contact
>>>>>> header on the SIP proxy (transport=udp towards FreeSWITCH, and transport=tls towards the UAC).
>>>>>>
>>>>>> I'd like to know if this solution is OK or whether there are more elegant
>>>>>> solutions.
>>>>>>
>>>>>> I've tried appending the tag transport=udp in FreeSWITCH's dialplan, but
>>>>>> with no success.
>>>>>>
>>>>>> Thank you in advance.
>>>>>>
>>>>>> --
>>>>>> Best regards,
>>>>>> Vladyslav Zakhozhai
>>>>>>
>>>>>>
>>>>>> _________________________________________________________________________
>>>>>> Professional FreeSWITCH Consulting Services:
>>>>>> consulting at freeswitch.org
>>>>>> http://www.freeswitchsolutions.com
>>>>>>
>>>>>> Official FreeSWITCH Sites
>>>>>> http://www.freeswitch.org
>>>>>> http://confluence.freeswitch.org
>>>>>> http://www.cluecon.com
>>>>>>
>>>>>> FreeSWITCH-users mailing list
>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>>> http://www.freeswitch.org
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Alexandru Covalschi
>>>>>> VoIP engineer and system administrator
>>>>>> tel: +37367398493
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Best regards,
>>>>>> Vladyslav Zakhozhai
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Best regards,
>>>> Vladyslav Zakhozhai
>>>>
>>>>
>>>
>>>
>>> --
>>> Best regards,
>>> Vladyslav Zakhozhai
>>>
>>>
>>>
>>
>>
>>
>> --
>>
>> *Brian West*
>> brian at freeswitch.org
>>
>>
>> *Twitter: @FreeSWITCH , @briankwest*
>> http://www.freeswitchbook.com (50% Discount using code FreeSwitch50)
>> http://www.freeswitchcookbook.com (50% Discount using code FreeSwitch50)
>> https://www.gofundme.com/freeswitch_ubuntu
>>
>> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
>> /r/freeswitch <https://www.reddit.com/r/freeswitch>
>>
>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>
>>
>
>
>
> --
> Best regards,
> Vladyslav Zakhozhai
>
>


--
Best regards,
Vladyslav Zakhozhai
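The Kamailio side of the setup discussed in this thread (UAC over TLS to Kamailio, UDP from Kamailio to the FreeSWITCH registrars, Path inserted on REGISTER so that FreeSWITCH routes back through the proxy), written out as an added example. This is not code from the thread, from Kamailio or from FreeSWITCH. PROXY_IP, FS_IP, the certificate paths, the module path and dispatcher set 1 are placeholders; the meaning of the ds_is_from_list mode argument (a bitmask where 1 ignores the port and 2 ignores the protocol, so 3 matches the source IP only) is taken from the dispatcher module documentation of recent Kamailio releases and should be checked against the installed version.

```kamailio
#!KAMAILIO
#
# Added example for the TLS-offload topology above:
#   UAC ==SIP/TLS==> Kamailio ==UDP==> FreeSWITCH registrar(s)
# Placeholders: PROXY_IP, FS_IP, certificate paths, mpath, dispatcher set 1.
# Assumption: ds_is_from_list(group, mode) takes a bitmask, 1 = ignore port,
# 2 = ignore protocol, so "3" compares the source IP address only.

listen=udp:PROXY_IP:5060        # leg towards the FreeSWITCH backends
listen=tls:PROXY_IP:5061        # leg towards the UACs
enable_tls=yes
mpath="/usr/lib64/kamailio/modules/"   # adjust to the distribution

loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "pv.so"
loadmodule "xlog.so"
loadmodule "tls.so"
loadmodule "path.so"
loadmodule "dispatcher.so"

modparam("tls", "certificate", "/etc/kamailio/tls/kamailio.crt")
modparam("tls", "private_key", "/etc/kamailio/tls/kamailio.key")
# /etc/kamailio/dispatcher.list holds one line per backend:  1 sip:FS_IP:5060
modparam("dispatcher", "list_file", "/etc/kamailio/dispatcher.list")

request_route {
    # Requests coming back from a FreeSWITCH backend. FreeSWITCH opens a
    # fresh TCP/TLS connection from an ephemeral port for each outbound
    # request, so the default match against the full sip:FS_IP:5060 entry
    # (IP, port and protocol) fails. Mode 3 matches on the IP address only.
    if (ds_is_from_list("1", "3")) {
        route(FROM_FS);
        exit;
    }

    # Everything else arrived from a UAC on the TLS side.
    route(TO_FS);
}

route[TO_FS] {
    # In-dialog requests (BYE, re-INVITE, ...) carry the Route set we
    # record-routed earlier; loose_route() pops our own hop and leaves the
    # backend's contact as the next hop.
    if (loose_route()) {
        route(RELAY);
    }

    if ($rm == "REGISTER") {
        # Inserts Path: <sip:PROXY_IP;lr;received=sip:UAC_IP:port;transport=tls>.
        # FreeSWITCH keeps it in the binding (the fs_path contact parameter
        # seen in the thread) and later sends requests for this user through
        # this proxy instead of opening TLS to the UAC itself.
        if (!add_path_received()) {
            sl_send_reply("503", "Path error");
            exit;
        }
    }

    if ($rm == "INVITE") {
        # Keep in-dialog requests on the proxy; the UDP/TLS transport change
        # is handled by Kamailio's double Record-Route.
        record_route();
    }

    if (!ds_select_dst("1", "4")) {      # 4 = round-robin over set 1
        sl_send_reply("503", "No backend available");
        exit;
    }
    route(RELAY);
}

route[FROM_FS] {
    # The backend placed our Path URI in the Route header; after loose_route()
    # the Request-URI is the UAC contact (transport=tls) and the request goes
    # out on the TLS listener. NAT traversal for the UAC leg is not shown.
    loose_route();
    if ($rm == "INVITE") {
        record_route();
    }
    xlog("L_INFO", "$rm from backend $si:$sp/$proto to $ru\n");
    route(RELAY);
}

route[RELAY] {
    if (!t_relay()) {
        sl_reply_error();
    }
    exit;
}
```

The check in request_route is the trust boundary of this design: anything that matches it is relayed towards the UACs without further authentication. Matching on the IP address alone is wider than the original IP-and-port check, so the backend leg should sit on a private network, and if the FreeSWITCH side stays on TLS (as in the thread's logs) a client certificate verified by the tls module is a stronger credential than the source address.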