[Freeswitch-users] SIP over TLS configuration problem
fabio
f.antonini at tiesse.com
Thu Jun 7 09:05:13 UTC 2018
Hi all
I'm a Freeswitch newbie and I'm trying to set up SIP over TLS in my FS
version 1.5.15.
As a first step I have configured a SIP Gateway that successfully
registers to a dedicated SIP Registrar/Proxy (opensips) using SIP over
UDP. With this configuration I can successfully place outbound and
inbound calls without any problem. Everything works as a charm.
Further I have tried to switch to SIP over TLS and I followed the steps
described in https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS.
I have installed the agent.pem and cafile.pem generated by opensips (my
SIP Registrar) and I configured FS to use them. After restart the sofia
gateway profile can successfully register to the SIP Registrar by SIP
over TLS.
Further I can successfully place outbound calls (from internal channel
through the SIP gateway). It sounds great!
Unfortunately FS fails to handle inbound calls (SIP INVITE from an
external SIP UA registered to the same SIP Registrar to the SIP UA
extension of the FS SIP gateway).
I have tried to trace all the logs I can. Here below are some traces from
the FS console when an inbound INVITE is received:
tport.c:2749 tport_wakeup_pri() tport_wakeup_pri(0xb7f28): events IN
tport.c:862 tport_alloc_secondary() tport_alloc_secondary(0xb7f28): new
secondary tport 0x1398c0
tport_type_tcp.c:203 tport_tcp_init_secondary()
tport_tcp_init_secondary(0x1398c0): Setting TCP_KEEPIDLE to 30
tport_type_tcp.c:209 tport_tcp_init_secondary()
tport_tcp_init_secondary(0x1398c0): Setting TCP_KEEPINTVL to 30
tport_type_tls.c:610 tport_tls_accept() tport_tls_accept(0x1398c0): new
connection from tls/10.3.10.110:38632/sips
tport_tls.c:919 tls_connect() tls_connect(0x1398c0): events NEGOTIATING
tport_tls.c:1008 tls_connect() tls_connect(0x1398c0): TLS setup failed
(error:00000001:lib(0):func(0):reason(1))
tport.c:2090 tport_close() tport_close(0x1398c0): tls/10.3.10.110:38632/sips
tport.c:2263 tport_set_secondary_timer() tport(0x1398c0): set timer at 0
ms because zap
In order to simplify the test I have also tried to connect to the 5061
TLS port by a simple openssl command from a linux shell of the SIP
Registrar box:
openssl s_client -connect 10.11.4.103:5061 -tls1_2
CONNECTED(00000003)
3074304200:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
3074304200:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1528361426
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
In the FS console I read the same traces received in the previous test
with the inbound call.
tport.c:2749 tport_wakeup_pri() tport_wakeup_pri(0xb7f28): events IN
tport.c:862 tport_alloc_secondary() tport_alloc_secondary(0xb7f28): new
secondary tport 0x248210
tport_type_tcp.c:203 tport_tcp_init_secondary()
tport_tcp_init_secondary(0x248210): Setting TCP_KEEPIDLE to 30
tport_type_tcp.c:209 tport_tcp_init_secondary()
tport_tcp_init_secondary(0x248210): Setting TCP_KEEPINTVL to 30
tport_type_tls.c:610 tport_tls_accept() tport_tls_accept(0x248210): new
connection from tls/10.11.4.103:33168/sips
tport_tls.c:919 tls_connect() tls_connect(0x248210): events NEGOTIATING
tport_tls.c:1008 tls_connect() tls_connect(0x248210): TLS setup failed
(error:00000001:lib(0):func(0):reason(1))
tport.c:2090 tport_close() tport_close(0x248210): tls/10.11.4.103:33168/sips
tport.c:2263 tport_set_secondary_timer() tport(0x248210): set timer at 0
ms because zap
I have also attached a Wireshark capture of the inbound call. In this
capture the SIP Registrar has IP 10.3.10.110. The FS device is
10.11.4.103. The Client Hello is sent by the SIP Registrar, but the FS
device replies with an "Alert: Level: fatal, Description: handshake
failure (40)".
I guess that there is some misconfiguration related to the TLS version
or proposed ciphers or any certificates but I cannot understand what.
For comparison I have tried to run the same openssl command from FS to
the external SIP Registrar (outbound).
openssl s_client -connect 10.3.10.110:5061 -tls1_2
CONNECTED(00000003)
depth=1 CN = Your_NAME, ST = Your_STATE, C = CO, emailAddress = YOUR_EMAIL, O = YOUR_ORG_NAME
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=XY/ST=Some State/O=My Large Organization Name/OU=My Subunit of Large Organization/CN=somename.somewhere.com/emailAddress=root at somename.somewhere.com
  i:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
1 s:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
  i:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=XY/ST=Some State/O=My Large Organization Name/OU=My Subunit of Large Organization/CN=somename.somewhere.com/emailAddress=root at somename.somewhere.com
issuer=/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
---
No client certificate CA names sent
---
SSL handshake has read 1979 bytes and written 337 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 512 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID:
EA8B17008E58F1D04CD1CEA53103CF477AA9DE0DC80A4FF4F0DD4814031E4C15
Session-ID-ctx:
Master-Key:
D28ED5C21D288944D2277AF86FE82A9BF3BEDABAA14DBCD5AE32B190EF0A0CA6AB99719E751E6DD4FECAA9DD1307A3C0
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 2f c5 82 ea bf 8b 66 49-bc bc ee 48 1a fb 8e 6c /.....fI...H...l
0010 - de 42 d9 e0 6e 36 40 78-06 cc 68 c6 74 6d 6e aa .B..n6 at x..h.tmn.
0020 - b6 53 8a ed b2 8d 5a c4-02 e1 88 8b d2 a9 56 5f .S....Z.......V_
0030 - ee c6 b9 14 55 da 37 df-8f aa af 81 b4 22 4e be ....U.7......"N.
0040 - 9c c5 87 d6 46 22 47 03-4a 88 dd 1e 9d 05 81 09 ....F"G.J.......
0050 - c3 8b 9f 44 29 90 4d 93-c9 f5 41 e2 4d 72 1b de ...D).M...A.Mr..
0060 - 8d c2 15 ab 49 ad da 26-0e 72 a9 01 02 3e 89 33 ....I..&.r...>.3
0070 - 6e 6c 2f 20 1c 15 06 7a-8d c5 a6 6e ee 46 d2 76 nl/ ...z...n.F.v
0080 - 63 c1 89 1e 9b 3c a1 10-d0 78 31 9e e6 8e 86 ab c....<...x1.....
0090 - ff bc 3a 4c ab 3d 33 8f-e9 56 c5 f1 45 46 73 41 ..:L.=3..V..EFsA
Start Time: 1528361487
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
closed
In this case the command seems to have been successfully executed. I
remark that the outbound TLS transactions seem to be working fine also
from FS (SIP Registrar and SIP INVITE in outbound don't have any problem).
If required I can provide also the FS configuration files (vars.xml,
sofia.conf.xml, etc.).
Any help will be greatly appreciated.
Thanks in advance
Best regards
fabio
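The sofia tport traces in the post show the same four-step pattern for every inbound attempt (tport_tls_accept, NEGOTIATING, TLS setup failed, tport_close), tied together by the tport id. On a busier system it helps to correlate those lines by id and count failed versus accepted handshakes per remote peer, to see whether every peer is rejected or only some. The helper below is an added example, not code from the post or from FreeSWITCH; it assumes the line shapes seen in the post, one event per line (the mailer wrapped them across two lines here), and the sample lines in the usage are the post's own traces re-joined plus one constructed accept line (tport id 0x300000) for a peer that did not fail.

```shell
#!/bin/sh
# Added helper (not from the post or FreeSWITCH): correlate sofia tport log
# lines by tport id and count failed vs accepted inbound TLS handshakes per
# remote peer. Assumes the line shapes seen in the post, one event per line.
#
# Usage (after sourcing this file):
#   summarize_tls_failures < freeswitch.log      # prints "<peer> <failed>/<accepted>"
summarize_tls_failures() {
    awk '
    # Accept line: remember which peer this tport id belongs to.
    /tport_tls_accept\(0x[0-9a-f]+\): new connection from tls\// {
        match($0, /tport_tls_accept\(0x[0-9a-f]+\)/)
        id = substr($0, RSTART + 17, RLENGTH - 18)      # strip "tport_tls_accept(" and ")"
        match($0, /from tls\/[^\/]+\//)
        peer = substr($0, RSTART + 9, RLENGTH - 10)     # strip "from tls/" and trailing "/"
        sub(/:[0-9]+$/, "", peer)                       # drop the ephemeral source port
        peer_of[id] = peer
        accepted[peer]++
    }
    # Failure line: attribute it to the peer recorded for the same tport id.
    /tls_connect\(0x[0-9a-f]+\): TLS setup failed/ {
        match($0, /tls_connect\(0x[0-9a-f]+\)/)
        id = substr($0, RSTART + 12, RLENGTH - 13)      # strip "tls_connect(" and ")"
        if (id in peer_of) failed[peer_of[id]]++
    }
    END {
        for (p in accepted)
            printf "%s %d/%d\n", p, failed[p] + 0, accepted[p]
    }' | sort
}
```

A peer with failed equal to accepted is being rejected on every attempt, which points at the server side of the handshake (the profile's certificate, key or allowed protocol versions) rather than at one misbehaving client.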
-------------- next part --------------
A non-text attachment was scrubbed...
Name: siptls-inbound.pcap
Type: application/vnd.tcpdump.pcap
Size: 1092 bytes
Desc: not available
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20180607/87fe4bb9/attachment-0001.pcap>
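The two openssl s_client runs in the post are the right test, but comparing them by eye is slow once you repeat them per TLS version. The script below is an added example, not code from the post, FreeSWITCH or OpenSIPS: it runs s_client once per protocol flag and classifies each outcome into a short token. HANDSHAKE_FAILURE is the alert 40 case from the inbound test; OK_UNTRUSTED is the outbound case, where the handshake completed but the chain did not verify (return code 19) because the self-signed OpenSIPS CA was not in the trust store. It assumes an openssl binary on PATH, and the host, port and optional CA file are supplied by the caller.

```shell
#!/bin/sh
# Added diagnostic helper (not from the post or FreeSWITCH): probe a SIP-TLS
# port with openssl s_client, one TLS version at a time, and classify each
# handshake outcome. Assumes `openssl` is on PATH; host/port are caller-supplied.
#
# Usage: sh probe_siptls.sh HOST PORT [CAFILE]
#   e.g. sh probe_siptls.sh 10.11.4.103 5061 cafile.pem

# classify_sclient: read `openssl s_client` output (stdout+stderr merged) on
# stdin and print one token describing the outcome.
classify_sclient() {
    out=$(cat)
    # Old openssl builds do not know -tls1_3 (or -tls1 may be compiled out).
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo UNSUPPORTED_OPTION; return 0
    fi
    # TCP-level failure: nothing to say about TLS at all.
    if printf '%s\n' "$out" | grep -qE 'connect:errno|Connection refused'; then
        echo NO_CONNECT; return 0
    fi
    # The server rejected the ClientHello with alert 40, as in the inbound test.
    if printf '%s\n' "$out" | grep -qE 'alert handshake failure|alert number 40'; then
        echo HANDSHAKE_FAILURE; return 0
    fi
    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*Cipher is //p' | head -n 1)
    verify=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    # No cipher negotiated for some other reason (version mismatch, early close).
    if [ -z "$cipher" ] || [ "$cipher" = "(NONE)" ]; then
        echo HANDSHAKE_FAILURE; return 0
    fi
    # Handshake completed; separate a chain the client verified from one it did
    # not (e.g. verify code 19: self-signed CA missing from the trust store).
    if [ "${verify:-0}" -ne 0 ]; then
        echo "OK_UNTRUSTED:$cipher"
    else
        echo "OK:$cipher"
    fi
}

# probe_versions HOST PORT [CAFILE]: try each TLS version flag and print one
# "<flag> <result>" line per version.
probe_versions() {
    host=$1; port=$2; cafile=$3
    for v in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if [ -n "$cafile" ]; then
            r=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" "$v" </dev/null 2>&1 | classify_sclient)
        else
            r=$(openssl s_client -connect "$host:$port" "$v" </dev/null 2>&1 | classify_sclient)
        fi
        printf '%s %s\n' "$v" "$r"
    done
}

if [ "$#" -ge 2 ]; then
    probe_versions "$@"
fi
```

Run it against the FreeSWITCH box from the registrar and against the registrar from the FreeSWITCH box, with and without the CA file. If every version line from the FreeSWITCH side reads HANDSHAKE_FAILURE while the registrar side reads OK or OK_UNTRUSTED, the server half of the profile (certificate, key and accepted versions) is the place to look, not the client trust settings; if only some versions fail, it is a version or cipher mismatch between the two ends.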