[Freeswitch-users] SIP over TLS configuration problem

Joel Serrano joel at textplus.com
Thu Jun 7 16:51:36 UTC 2018 

Hi Fabio,

First thing you should do is try on latest 1.6.X version, 1.5 was never
even released AFAIK.



On Thu, Jun 7, 2018 at 2:05 AM, fabio <f.antonini at tiesse.com> wrote:

> Hi all
>
>
> I'm a Freeswitch newbie and I'm trying to setup SIP over TLS in my FS
> version 1.5.15.
>
> As first step I have configured a SIP Gateway that successfully registers
> to a dedicated SIP Registrar/Proxy (opensips) using SIP over UDP. With this
> configuration I can successfully place outbound and inbound calls without
> any problem. Everything works as a charm.
>
> Further I have tried to switch to SIP over TLS and I followed the steps
> described in https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS.
>
> I have installed the agent.pem and cafile.pem generated by opensips (my
> SIP Registrar) and I configured FS to use them. After restart the sofia
> gateway profile can successfully register to the SIP Registrar by SIP over
> TLS.
>
> Further I can successfully place outbound call (from internal channel
> through the SIP gateway).  It sounds great!
>
> Unfortunately FS fails to handle inbound calls (SIP INVITE from an
> external SIP UA registered to the same SIP Registrar to the SIP UA
> extension of the FS SIP gateway).
>
> I have tried to trace all the logs I can. Here below some traces from the
> FS console when an inbound INVITE is received:
>
>
> tport.c:2749 tport_wakeup_pri() tport_wakeup_pri(0xb7f28): events IN
> tport.c:862 tport_alloc_secondary() tport_alloc_secondary(0xb7f28): new
> secondary tport 0x1398c0
> tport_type_tcp.c:203 tport_tcp_init_secondary() tport_tcp_init_secondary(0x1398c0):
> Setting TCP_KEEPIDLE to 30
> tport_type_tcp.c:209 tport_tcp_init_secondary() tport_tcp_init_secondary(0x1398c0):
> Setting TCP_KEEPINTVL to 30
> tport_type_tls.c:610 tport_tls_accept() tport_tls_accept(0x1398c0): new
> connection from tls/10.3.10.110:38632/sips
> tport_tls.c:919 tls_connect() tls_connect(0x1398c0): events NEGOTIATING
> tport_tls.c:1008 tls_connect() tls_connect(0x1398c0): TLS setup failed
> (error:00000001:lib(0):func(0):reason(1))
> tport.c:2090 tport_close() tport_close(0x1398c0): tls/
> 10.3.10.110:38632/sips
> tport.c:2263 tport_set_secondary_timer() tport(0x1398c0): set timer at 0
> ms because zap
>
>
> In order to simplify the test I have also tried to connect to the 5061 TLS
> port by a simple openssl command from a linux shell of the SIP Registrar
> box:
>
>
> openssl  s_client -connect 10.11.4.103:5061 -tls1_2
> CONNECTED(00000003)
> 3074304200:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
> handshake failure:s3_pkt.c:1256:SSL alert number 40
> 3074304200:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:s3_pkt.c:596:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1528361426
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---
>
> In the FS console I read the same traces received in the previous test
> with the inbound call.
>
>
> tport.c:2749 tport_wakeup_pri() tport_wakeup_pri(0xb7f28): events IN
> tport.c:862 tport_alloc_secondary() tport_alloc_secondary(0xb7f28): new
> secondary tport 0x248210
> tport_type_tcp.c:203 tport_tcp_init_secondary() tport_tcp_init_secondary(0x248210):
> Setting TCP_KEEPIDLE to 30
> tport_type_tcp.c:209 tport_tcp_init_secondary() tport_tcp_init_secondary(0x248210):
> Setting TCP_KEEPINTVL to 30
> tport_type_tls.c:610 tport_tls_accept() tport_tls_accept(0x248210): new
> connection from tls/10.11.4.103:33168/sips
> tport_tls.c:919 tls_connect() tls_connect(0x248210): events NEGOTIATING
> tport_tls.c:1008 tls_connect() tls_connect(0x248210): TLS setup failed
> (error:00000001:lib(0):func(0):reason(1))
> tport.c:2090 tport_close() tport_close(0x248210): tls/
> 10.11.4.103:33168/sips
> tport.c:2263 tport_set_secondary_timer() tport(0x248210): set timer at 0
> ms because zap
>
> I have attached also a wireshark capture of the inbound call. In this
> capture the SIP Registrar has IP 10.3.10.110. The FS device is 10.11.4.103.
> The Client Hello is sent by the SIP Registrar, but the FS device replies
> with an "Alert: Level: fatal, Description:  handshake failure (40).
>
> I guess that there is some misconfiguration related to the TLS version or
> proposed ciphers  or any certifcates but I cannot understand what.
>
>
> For comparison I have tried to run the same openssl command from FS to the
> external SIP Registrar (outbound).
>
>
> openssl  s_client -connect 10.3.10.110:5061 -tls1_2
> CONNECTED(00000003)
> depth=1 CN = Your_NAME, ST = Your_STATE, C = CO, emailAddress =
> YOUR_EMAIL, O = YOUR_ORG_NAME
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=XY/ST=Some State/O=My Large Organization Name/OU=My Subunit of
> Large Organization/CN=somename.somewhere.com/emailAddress=
> root at somename.somewhere.com
>    i:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/
> O=YOUR_ORG_NAME
>  1 s:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/
> O=YOUR_ORG_NAME
>    i:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/
> O=YOUR_ORG_NAME
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIC6TCCAdGgAwIBAgIBATANBgkqhkiG9w0BAQUFADBpMRIwEAYDVQQDFAlZb3Vy
> X05BTUUxEzARBgNVBAgUCllvdXJfU1RBVEUxCzAJBgNVBAYTAkNPMRkwFwYJKoZI
> hvcNAQkBFgpZT1VSX0VNQUlMMRYwFAYDVQQKFA1ZT1VSX09SR19OQU1FMB4XDTE4
> MDUwODEyMzcyM1oXDTE5MDUwODEyMzcyM1owgb8xCzAJBgNVBAYTAlhZMRMwEQYD
> VQQIEwpTb21lIFN0YXRlMSMwIQYDVQQKExpNeSBMYXJnZSBPcmdhbml6YXRpb24g
> TmFtZTEpMCcGA1UECxMgTXkgU3VidW5pdCBvZiBMYXJnZSBPcmdhbml6YXRpb24x
> HzAdBgNVBAMTFnNvbWVuYW1lLnNvbWV3aGVyZS5jb20xKjAoBgkqhkiG9w0BCQEW
> G3Jvb3RAc29tZW5hbWUuc29tZXdoZXJlLmNvbTBcMA0GCSqGSIb3DQEBAQUAA0sA
> MEgCQQDL7uikSc1kVIvw5rhyQzk2dSJcmJ6EJ1LSmtAoafZH8bqfZ25cDQZQGi05
> YcuxGR0vSaW7xPnyhaWCLQlxQFx7AgMBAAGjDTALMAkGA1UdEwQCMAAwDQYJKoZI
> hvcNAQEFBQADggEBAHv4WzGdYhoEyHZmBQTVjdEKOVBMnNoOqum79uzWtSzSjG4E
> pP/9c331uT7fBZ/Z7XNhIV+PbDZXorLgUhwwT7zxYURNnV52Of2SWRmWtPBrgEX1
> +8S0IMtJFfJta8FAfTTaNqLpRDaiTQs3em1Maxls15cTyRQzMIjIJnY4eRrh5CNM
> YV/+kg/lpKAe0awiMu96cxpnMdz9h33g7RedBnh9wDi6k7pfYtvlC6o4snZO01AN
> 8qRiQf54OPvKcVeseJFBPWLhdYns6g+/SXhq1Lek2us93ZpuKgIaBtzkyDm2+SFa
> QXF9f0a+UuEdPvrtvMjAijcDwcaXq0r2f2MA++M=
> -----END CERTIFICATE-----
> subject=/C=XY/ST=Some State/O=My Large Organization Name/OU=My Subunit of
> Large Organization/CN=somename.somewhere.com/emailAddress=
> root at somename.somewhere.com
> issuer=/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_
> EMAIL/O=YOUR_ORG_NAME
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1979 bytes and written 337 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
> Server public key is 512 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : AES256-GCM-SHA384
>     Session-ID: EA8B17008E58F1D04CD1CEA53103CF
> 477AA9DE0DC80A4FF4F0DD4814031E4C15
>     Session-ID-ctx:
>     Master-Key: D28ED5C21D288944D2277AF86FE82A
> 9BF3BEDABAA14DBCD5AE32B190EF0A0CA6AB99719E751E6DD4FECAA9DD1307A3C0
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
>     0000 - 2f c5 82 ea bf 8b 66 49-bc bc ee 48 1a fb 8e 6c
> /.....fI...H...l
>     0010 - de 42 d9 e0 6e 36 40 78-06 cc 68 c6 74 6d 6e aa   .B..n6 at x.
> .h.tmn.
>     0020 - b6 53 8a ed b2 8d 5a c4-02 e1 88 8b d2 a9 56 5f
> .S....Z.......V_
>     0030 - ee c6 b9 14 55 da 37 df-8f aa af 81 b4 22 4e be
> ....U.7......"N.
>     0040 - 9c c5 87 d6 46 22 47 03-4a 88 dd 1e 9d 05 81 09
> ....F"G.J.......
>     0050 - c3 8b 9f 44 29 90 4d 93-c9 f5 41 e2 4d 72 1b de
> ...D).M...A.Mr..
>     0060 - 8d c2 15 ab 49 ad da 26-0e 72 a9 01 02 3e 89 33
> ....I..&.r...>.3
>     0070 - 6e 6c 2f 20 1c 15 06 7a-8d c5 a6 6e ee 46 d2 76   nl/
> ...z...n.F.v
>     0080 - 63 c1 89 1e 9b 3c a1 10-d0 78 31 9e e6 8e 86 ab
> c....<...x1.....
>     0090 - ff bc 3a 4c ab 3d 33 8f-e9 56 c5 f1 45 46 73 41
> ..:L.=3..V..EFsA
>
>     Start Time: 1528361487
>     Timeout   : 7200 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
> closed
>
>
> In this case the command seems to have been successfully executed. I
> remark that the outbound TLS transactions seems to be working fine also
> from FS (SIP Registrar, SIP INVITE in outbound don't have any problem).
>
> If required I can provide also the FS configuration files (vars.xml,
> sofia.conf.xml,  etc etc).
>
> Any help will be greatly appreciated.
>
> Thanks in advance
>
> Best regards
>
>
> fabio
>
> _________________________________________________________________________
> Professional FreeSWITCH Services
> sales at freeswitch.com
> https://freeswitch.com
>
> Official FreeSWITCH Sites
> https://freeswitch.com/oss
> https://freeswitch.org/confluence
> https://cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> https://freeswitch.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20180607/a958c932/attachment-0001.html>

More information about the FreeSWITCH-users mailing list