[Freeswitch-users] FreeSWITCH Registrar TLS offload

Vladyslav Zakhozhai v.zakhozhai at gmail.com
Tue Nov 29 13:43:40 MSK 2016


Hi,

Here is the SIP REGISTER message which goes UAC => Kamailio => FreeSWITCH:

REGISTER sip:DOMAIN_NAME SIP/2.0
Via: SIP/2.0/UDP KAMAILIO_IP;branch=z9hG4bK95f8.b6cff139a89c58ea38df4e2f8d375039.0;i=9
Via: SIP/2.0/TLS USER_IP:34913;received=USER_IP;alias;branch=z9hG4bK.KAL7~HJ2E;rport=34913
From: <sip:USER_NAME at DOMAIN_NAME>;tag=EbEqf28Bb
To: sip:USER_NAME at DOMAIN_NAME
CSeq: 22 REGISTER
Call-ID: QHttR-2N4V
Max-Forwards: 69
Supported: outbound
Accept: application/sdp
Accept: text/plain
Accept: application/vnd.gsma.rcs-ft-http+xml
Contact: <sip:USER_NAME at USER_IP:34913;transport=tls>;+sip.instance="<urn:uuid:0bf6433b-c543-4a30-b00c-7259d78d5d30>"
Expires: 60
User-Agent: Linphone/3.9.0 (belle-sip/1.4.2)
Content-Length: 0
Path: <sip:KAMAILIO_IP;lr;received=sip:USER_IP:34913%3Btransport%3Dtls>

Looks good, doesn't it?

Call origination from FreeSWITCH => Kamailio => UAC:

INVITE sip:TO_USER at TO_USER_IP:56408;transport=tls SIP/2.0
Via: SIP/2.0/TLS FS_IP;branch=z9hG4bKS4Dr1pBa4NB1K
Route: <sip:KAMAILIO_IP>;lr;received=sip:TO_USER_IP:56408;transport=tls
Max-Forwards: 68
From: "vlakas" <sip:FROM_USER at FS_IP>;tag=91r5XtyZa62Bj
To: <sip:TO_USER at TO_USER_IP:56408;transport=tls>
Call-ID: 7a17700d-30ae-1235-8bbb-005056b9778d
CSeq: 99867524 INVITE
Contact: <sip:mod_sofia at FS_IP:5061;transport=tls>
User-Agent: FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit
Allow: INVITE, ACK, BYE, CANCEL, OPTIONS, MESSAGE, INFO, UPDATE, REGISTER, REFER, NOTIFY
Supported: timer, path, replaces
Allow-Events: talk, hold, conference, refer
Content-Type: application/sdp
Content-Disposition: session
Content-Length: 246
X-FS-Support: update_display,send_info
Remote-Party-ID: "TO_USER" <sip:TO_USER at FS_IP>;party=calling;screen=yes;privacy=off

v=0
o=FreeSWITCH 1480390787 1480390788 IN IP4 FS_IP
s=FreeSWITCH
c=IN IP4 FS_IP
t=0 0
m=audio 16390 RTP/AVP 8 101 13
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=rtpmap:13 CN/8000
a=ptime:20

This looks good too, I guess...

I can't understand why FreeSWITCH tries to originate the call over TLS. What
did I miss?

2016-11-29 0:54 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:

> P.S. In kamailio's dispatcher the freeswitch destination is as follows:
>
> sip:FS_IP:5060
>
> 2016-11-29 0:51 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
>
>> Brian, I'm wondering too.
>>
>> First of all, the thing about my previous mail is not so good. I forgot that
>> I've configured my sofia profile to work with TLS. When I disabled TLS I
>> still had a problem with originating calls, with the error:
>>
>> [ERR] sofia_glue.c:943 TLS not supported by profile
>>
>> FreeSWITCH still originates calls over TLS.
>>
>> Contact:     "" <sip:user_name at user_ip:49337;transport=tls;fs_path=sip%3Asip_proxy_ip%3Blr>
>>
>> What about the random source port.
>>
>> As I have already said, on the kamailio side I check the source IP and port of
>> the dispatcher destination (FS_IP:5060) and take appropriate actions. But the
>> originated call from kamailio did not pass this check. When I looked
>> in the kamailio logs I saw that the INVITE request is coming from FS_IP:RANDOM_PORT
>>
>> Method: <INVITE> URI: <sip:user_name at user_IP:49335;transport=tls> SourceIP/Port: <FS_IP>:<36378> From/To: [<sip:from_user at FS_IP> <sip:to_user at user_ip:49335;transport=tls>] Contact: <<sip:mod_sofia at FS_IP:5061;transport=tls>> <FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit>.
>>
>> Here we can see that the call was originated over TLS and the source port was
>> different from 5061.
>>
>> Here is part of sofia profile:
>>
>> <param name="rtp-ip" value="FS_IP"/>
>> <param name="sip-ip" value="FS_IP"/>
>> <param name="sip-port" value="5060"/>
>>
>> <param name="tls" value="true"/>
>> <param name="tls-only" value="false"/>
>> <param name="tls-cert-dir" value="/etc/freeswitch/tls"/>
>> <param name="tls-bind-params" value="transport=tls"/>
>> <param name="tls-sip-port" value="5061"/>
>> <param name="tls-passphrase" value=""/>
>> <param name="tls-verify-date" value="true"/>
>> <param name="tls-verify-policy" value="none"/>
>>
>>
>> 2016-11-29 0:37 GMT+02:00 Brian West <brian at freeswitch.org>:
>>
>>> You're using TLS/TCP; the random port is how it happens.
>>>
>>> /b
>>>
>>>
>>> On Mon, Nov 28, 2016 at 4:31 PM, Vladyslav Zakhozhai <
>>> v.zakhozhai at gmail.com> wrote:
>>>
>>>> Hi, I'm from ser-userlist with good news and testing results :)
>>>>
>>>> FreeSWITCH does honor the Path header and will send back responses and
>>>> originate calls to/through the SIP proxy IP address if it is in the path.
>>>>
>>>> Before relaying in Kamailio you need to put add_path or add_path_received
>>>> (both worked fine for me). FreeSWITCH will add it to the Contact header:
>>>>
>>>> Contact:     "" <sip:user_name at user_ip:49335;transport=tls;fs_path=sip%3Akamailio_ip%3Blr>
>>>>
>>>> No manual manipulation of the Contact header is needed from the kamailio side
>>>> (as well as from the FreeSWITCH side).
>>>>
>>>> But be aware of correct handling of SIP requests (i.e. INVITEs) from
>>>> FreeSWITCHes. For example, my FreeSWITCH backends are in the dispatcher table
>>>> (sip:IP_ADDR:UDP_PORT). And I've checked it with ds_is_from_list in
>>>> kamailio. But FreeSWITCH originates the INVITE to kamailio from
>>>> IP_ADDR:RANDOM_PORT. In this case ds_is_from_list fails :(
>>>>
>>>> Now I'm checking whether there are mistakes in my configs or this is a normal
>>>> use case for FreeSWITCH (I did not mention it earlier).
>>>>
>>>>
>>>> 2016-11-25 13:15 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
>>>>
>>>>> David,
>>>>>
>>>>> Yes, of course I'll be back with the solution here :) But I'm not sure when
>>>>> exactly.
>>>>>
>>>>> 2016-11-24 12:30 GMT+02:00 David Villasmil <
>>>>> david.villasmil.work at gmail.com>:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Please come back with the solution when you have it. It should be
>>>>>> interesting for people using kamailio/freeswitch.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> David
>>>>>>
>>>>>> On Wed, Nov 23, 2016 at 10:37 AM Vladyslav Zakhozhai <
>>>>>> v.zakhozhai at gmail.com> wrote:
>>>>>>
>>>>>>> Alexandru, thank you for the answer. I think you've given me the right
>>>>>>> direction to investigate.
>>>>>>>
>>>>>>> As you've mentioned, this is really a kamailio issue/question. So I'm
>>>>>>> moving to the sr-users list.
>>>>>>>
>>>>>>>
>>>>>>> 2016-11-22 13:03 GMT+02:00 Alexandru Covalschi <568691 at gmail.com>:
>>>>>>>
>>>>>>> Do you have set_contact_alias or add_contact_alias in Kamailio?
>>>>>>> Anyways you're doing something wrong as AFAIK Kamailio translates contact
>>>>>>> header to udp automatically. You should try to post on sr-users list.
>>>>>>>
>>>>>>> 2016-11-22 12:33 GMT+02:00 Vladyslav Zakhozhai <
>>>>>>> v.zakhozhai at gmail.com>:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm trying to understand what is the best or most suitable approach to
>>>>>>> the following use case. Let me simplify things a little bit.
>>>>>>>
>>>>>>> Suppose we have one FreeSWITCH registrar behind a SIP proxy
>>>>>>> (kamailio). I'd like to offload SSL/TLS encryption/decryption to the SIP proxy:
>>>>>>>
>>>>>>> REGISTER:
>>>>>>>
>>>>>>> Request: UAC == SIP/TLS ==> Kamailio == UDP ==> FreeSWITCH:50
>>>>>>> Reply: UAC <== SIP/TLS == Kamailio <== UDP == FreeSWITCH
>>>>>>>
>>>>>>> INVITE:
>>>>>>> UAC1 == SIP/TLS ==> Kamailio == UDP ==> FreeSWITCH == UDP ==>
>>>>>>> Kamailio == SIP/TLS ==> UAC2
>>>>>>>
>>>>>>> (FreeSWITCH uses kamailio as outbound proxy with the fs_path tag
>>>>>>> appended in the dialplan).
>>>>>>>
>>>>>>> The main problem is in the Contact header, which contains transport=tls,
>>>>>>> and we can see it in the FreeSWITCH console:
>>>>>>>
>>>>>>> User:       user at domain.com
>>>>>>> Contact:   "" <sip:user at UAC_IP:57976;transport=tls>
>>>>>>> Status:     Registered(TLS)(unknown) EXP(2016-11-22 10:16:59) EXPSECS(108)
>>>>>>> IP:         SIP_PROXY_IP
>>>>>>> Port:       5060
>>>>>>>
>>>>>>> When FreeSWITCH sends an INVITE to UAC2 (during a call) it tries to
>>>>>>> establish a TLS session to UAC2. It fails because there are no TLS-enabled
>>>>>>> sofia profiles in the config of FreeSWITCH.
>>>>>>>
>>>>>>> I have only one solution in mind: rewrite the transport tag in the
>>>>>>> Contact header on the SIP proxy (transport=udp to FreeSWITCH, and transport=tls
>>>>>>> to UAC).
>>>>>>>
>>>>>>> I'd like to know if this solution is OK or whether there are more elegant
>>>>>>> solutions.
>>>>>>>
>>>>>>> I've tried appending the tag transport=udp in FreeSWITCH's dialplan but
>>>>>>> with no success.
>>>>>>>
>>>>>>> Thank you in advance.
>>>>>>>
>>>>>>> --
>>>>>>> Best regards,
>>>>>>> Vladyslav Zakhozhai
>>>>>>>
>>>>>>>
>>>>>>> ____________________________________________________________
>>>>>>> _____________
>>>>>>> Professional FreeSWITCH Consulting Services:
>>>>>>> consulting at freeswitch.org
>>>>>>> http://www.freeswitchsolutions.com
>>>>>>>
>>>>>>> Official FreeSWITCH Sites
>>>>>>> http://www.freeswitch.org
>>>>>>> http://confluence.freeswitch.org
>>>>>>> http://www.cluecon.com
>>>>>>>
>>>>>>> FreeSWITCH-users mailing list
>>>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/free
>>>>>>> switch-users
>>>>>>> http://www.freeswitch.org
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Alexandru Covalschi
>>>>>>> VoIP engineer and system administrator
>>>>>>> tel: +37367398493
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Best regards,
>>>>>>> Vladyslav Zakhozhai
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Vladyslav Zakhozhai
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Best regards,
>>>> Vladyslav Zakhozhai
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>>
>>> *Brian West*
>>> brian at freeswitch.org
>>>
>>>
>>> *Twitter: @FreeSWITCH , @briankwest*
>>> http://www.freeswitchbook.com (50% Discount using code FreeSwitch50)
>>> http://www.freeswitchcookbook.com (50% Discount using code FreeSwitch50)
>>> https://www.gofundme.com/freeswitch_ubuntu
>>>
>>> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
>>> /r/freeswitch <https://www.reddit.com/r/freeswitch>
>>>
>>> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
>>> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>>>
>>>
>>
>>
>>
>> --
>> Best regards,
>> Vladyslav Zakhozhai
>>
>>
>
>
> --
> Best regards,
> Vladyslav Zakhozhai
>
>


-- 
Best regards,
Vladyslav Zakhozhai
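
The two observations in this thread, as an added Python illustration (not code from FreeSWITCH, Kamailio or the posters): the stored Contact keeps transport=tls while fs_path carries the percent-encoded proxy URI, and a strict IP:port source check rejects a backend that connects from an ephemeral port. The addresses, function names and the match_port switch are constructed for the example.

```python
from urllib.parse import unquote


def parse_fs_contact(contact: str) -> dict:
    """Split a registration Contact into target URI, transport and decoded fs_path."""
    uri = contact[contact.index("<") + 1 : contact.rindex(">")]
    base, *params = uri.split(";")
    # Assumption: a sip: URI with no transport parameter is treated as UDP.
    parsed = {"target": base, "transport": "udp", "fs_path": None}
    for param in params:
        name, _, value = param.partition("=")
        if name == "transport":
            parsed["transport"] = value.lower()
        elif name == "fs_path":
            # fs_path is percent-encoded: %3A is ':' and %3B is ';'
            parsed["fs_path"] = unquote(value)
    return parsed


def source_is_trusted(src_ip, src_port, backends, match_port=True):
    """backends: set of (ip, port) pairs, as in a dispatcher-style table."""
    if match_port:
        return (src_ip, src_port) in backends
    return any(ip == src_ip for ip, _ in backends)


# Constructed sample values (documentation address ranges), shaped like the thread's output.
CONTACT = '"" <sip:user_name@198.51.100.7:49335;transport=tls;fs_path=sip%3A192.0.2.10%3Blr>'
BACKENDS = {("192.0.2.20", 5060)}  # backend listed as IP:5060
SRC = ("192.0.2.20", 36378)        # request arrives from an ephemeral source port


def demo():
    contact = parse_fs_contact(CONTACT)
    strict = source_is_trusted(*SRC, BACKENDS)
    ip_only = source_is_trusted(*SRC, BACKENDS, match_port=False)
    return contact, strict, ip_only


if __name__ == "__main__":
    contact, strict, ip_only = demo()
    print("target:", contact["target"], "transport:", contact["transport"])
    print("next hop from fs_path:", contact["fs_path"])
    print("strict IP:port match:", strict, "| IP-only match:", ip_only)
```

Matching on IP alone trusts every process on that host, so pair it with a transport or network-level restriction.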