[Freeswitch-users] SIP over TLS configuration problem
fabio
f.antonini at tiesse.com
Fri Jun 8 06:16:27 UTC 2018
Hi David
thanks a lot for your feedback.
I have investigated more in depth and I found out that the problem was
caused by the format of the agent.pem certificate generated by opensips.
I followed the following short tutorial to create the agent.pem certificate
https://freeswitch.org/stash/projects/FS/repos/freeswitch/browse/docs/how_to_make_your_own_ca_correctly.txt
and now I can manage also the inbound calls.
I'm waiting for the customer's official certificates. Anyway at the
moment everything is working fine.
In the meantime I'll move to 1.6.
Thanks
fabio
On 07/06/2018 19:52, David Villasmil wrote:
>
> If the certs are self-signed you're going to have many many problems.
> I followed that tutorial with a valid cert and worked beautifully.
> Also I did it with 1.6.
>
>
> On Thu, Jun 7, 2018, 18:40 fabio <f.antonini at tiesse.com
> <mailto:f.antonini at tiesse.com>> wrote:
>
> Hi all
>
>
> I'm a Freeswitch newbie and I'm trying to set up SIP over TLS in my
> FS version 1.5.15.
>
> As a first step I have configured a SIP Gateway that successfully
> registers to a dedicated SIP Registrar/Proxy (opensips) using SIP
> over UDP. With this configuration I can successfully place
> outbound and inbound calls without any problem. Everything works
> like a charm.
>
> Further I have tried to switch to SIP over TLS and I followed the
> steps described in
> https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS.
>
> I have installed the agent.pem and cafile.pem generated by
> opensips (my SIP Registrar) and I configured FS to use them. After
> restart the sofia gateway profile can successfully register to the
> SIP Registrar by SIP over TLS.
>
> Further I can successfully place outbound calls (from internal
> channel through the SIP gateway). It sounds great!
>
> Unfortunately FS fails to handle inbound calls (SIP INVITE from an
> external SIP UA registered to the same SIP Registrar to the SIP UA
> extension of the FS SIP gateway).
>
> I have tried to trace all the logs I can. Here below are some traces
> from the FS console when an inbound INVITE is received:
>
>
> tport.c:2749 tport_wakeup_pri() tport_wakeup_pri(0xb7f28): events IN
> tport.c:862 tport_alloc_secondary()
> tport_alloc_secondary(0xb7f28): new secondary tport 0x1398c0
> tport_type_tcp.c:203 tport_tcp_init_secondary()
> tport_tcp_init_secondary(0x1398c0): Setting TCP_KEEPIDLE to 30
> tport_type_tcp.c:209 tport_tcp_init_secondary()
> tport_tcp_init_secondary(0x1398c0): Setting TCP_KEEPINTVL to 30
> tport_type_tls.c:610 tport_tls_accept()
> tport_tls_accept(0x1398c0): new connection from
> tls/10.3.10.110:38632/sips
> tport_tls.c:919 tls_connect() tls_connect(0x1398c0): events
> NEGOTIATING
> tport_tls.c:1008 tls_connect() tls_connect(0x1398c0): TLS setup
> failed (error:00000001:lib(0):func(0):reason(1))
> tport.c:2090 tport_close() tport_close(0x1398c0):
> tls/10.3.10.110:38632/sips
> tport.c:2263 tport_set_secondary_timer() tport(0x1398c0): set
> timer at 0 ms because zap
>
>
> In order to simplify the test I have also tried to connect to the
> 5061 TLS port by a simple openssl command from a linux shell of
> the SIP Registrar box:
>
>
> openssl s_client -connect 10.11.4.103:5061 -tls1_2
> CONNECTED(00000003)
> 3074304200:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
> handshake failure:s3_pkt.c:1256:SSL alert number 40
> 3074304200:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
> handshake failure:s3_pkt.c:596:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : 0000
> Session-ID:
> Session-ID-ctx:
> Master-Key:
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> Start Time: 1528361426
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> ---
>
> In the FS console I read the same traces received in the previous
> test with the inbound call.
>
>
> tport.c:2749 tport_wakeup_pri() tport_wakeup_pri(0xb7f28): events IN
> tport.c:862 tport_alloc_secondary()
> tport_alloc_secondary(0xb7f28): new secondary tport 0x248210
> tport_type_tcp.c:203 tport_tcp_init_secondary()
> tport_tcp_init_secondary(0x248210): Setting TCP_KEEPIDLE to 30
> tport_type_tcp.c:209 tport_tcp_init_secondary()
> tport_tcp_init_secondary(0x248210): Setting TCP_KEEPINTVL to 30
> tport_type_tls.c:610 tport_tls_accept()
> tport_tls_accept(0x248210): new connection from
> tls/10.11.4.103:33168/sips
> tport_tls.c:919 tls_connect() tls_connect(0x248210): events
> NEGOTIATING
> tport_tls.c:1008 tls_connect() tls_connect(0x248210): TLS setup
> failed (error:00000001:lib(0):func(0):reason(1))
> tport.c:2090 tport_close() tport_close(0x248210):
> tls/10.11.4.103:33168/sips
> tport.c:2263 tport_set_secondary_timer() tport(0x248210): set
> timer at 0 ms because zap
>
> I have attached also a wireshark capture of the inbound call. In
> this capture the SIP Registrar has IP 10.3.10.110. The FS device
> is 10.11.4.103. The Client Hello is sent by the SIP Registrar, but
> the FS device replies with an "Alert: Level: fatal, Description:
> handshake failure (40)".
>
> I guess that there is some misconfiguration related to the TLS
> version or proposed ciphers or any certificates but I cannot
> understand what.
>
>
> For comparison I have tried to run the same openssl command from
> FS to the external SIP Registrar (outbound).
>
>
> openssl s_client -connect 10.3.10.110:5061 -tls1_2
> CONNECTED(00000003)
> depth=1 CN = Your_NAME, ST = Your_STATE, C = CO, emailAddress = YOUR_EMAIL, O = YOUR_ORG_NAME
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=XY/ST=Some State/O=My Large Organization Name/OU=My Subunit of Large Organization/CN=somename.somewhere.com/emailAddress=root at somename.somewhere.com
>    i:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
>  1 s:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
>    i:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
> ---
> Server certificate
> subject=/C=XY/ST=Some State/O=My Large Organization Name/OU=My Subunit of Large Organization/CN=somename.somewhere.com/emailAddress=root at somename.somewhere.com
> issuer=/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1979 bytes and written 337 bytes
> ---
> New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
> Server public key is 512 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : AES256-GCM-SHA384
> Session-ID:
> EA8B17008E58F1D04CD1CEA53103CF477AA9DE0DC80A4FF4F0DD4814031E4C15
> Session-ID-ctx:
> Master-Key:
> D28ED5C21D288944D2277AF86FE82A9BF3BEDABAA14DBCD5AE32B190EF0A0CA6AB99719E751E6DD4FECAA9DD1307A3C0
> Key-Arg : None
> PSK identity: None
> PSK identity hint: None
> SRP username: None
> TLS session ticket lifetime hint: 300 (seconds)
> TLS session ticket:
>
> Start Time: 1528361487
> Timeout : 7200 (sec)
> Verify return code: 19 (self signed certificate in certificate chain)
> ---
> closed
>
>
> In this case the command seems to have been successfully executed.
> I remark that the outbound TLS transactions seem to be working
> fine also from FS (SIP Registrar, SIP INVITE in outbound don't
> have any problem).
>
> If required I can provide also the FS configuration files
> (vars.xml, sofia.conf.xml, etc etc).
>
> Any help will be greatly appreciated.
>
> Thanks in advance
>
> Best regards
>
>
> fabio
>
> _________________________________________________________________________
> Professional FreeSWITCH Services
> sales at freeswitch.com <mailto:sales at freeswitch.com>
> https://freeswitch.com
>
> Official FreeSWITCH Sites
> https://freeswitch.com/oss
> https://freeswitch.org/confluence
> https://cluecon.com
>
> FreeSWITCH-users mailing list
> FreeSWITCH-users at lists.freeswitch.org
> <mailto:FreeSWITCH-users at lists.freeswitch.org>
> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
> https://freeswitch.com
>
--
Fabio Antonini
/Software Engineer (Ph.D)/
f.antonini at tiesse.com
*Tel* +39.0863.455830
*Mob* +39.393.9261941
*Fax* +39.0863.455830
Via Corradini 80
67051 Avezzano (AQ)
*Tiesse S.p.A.* - www.tiesse.com
Via Asti 4, 10015 Ivrea (TO)
*Disclaimer:* the content of this e-mail is confidential and not binding
on Tiesse S.p.A. If you have received it in error, please notify the
sender immediately, do not use or disclose its content, and destroy
every copy in your possession. Tiesse S.p.A. declines all responsibility
for any consequence arising from unauthorised use, forgery or tampering
of e-mails bearing references to the company.
*Respect the environment. Do not print this e-mail unless necessary.*
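Two checks that follow from this thread, added here as an example (not code from the original e-mails or from FreeSWITCH): decoding the 7-byte record openssl s_client reported reading, which is a TLS alert (level fatal, description 40, constructed below as sample bytes), and a structural check that an agent.pem actually contains both a certificate and a private key, which is assumed here to be the layout FreeSWITCH expects for that file. The PEM bodies are constructed minimal DER stubs, not real certificates or keys.

```python
import base64
import re

# Constructed sample: the 7-byte record openssl s_client reported reading when
# FreeSWITCH refused the handshake. A TLS alert record is a 5-byte header
# (type 0x15, version, length 2) followed by a level byte and a description byte.
ALERT_RECORD = bytes.fromhex("15030300020228")
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate",
                      48: "unknown_ca", 70: "protocol_version"}

def parse_tls_alert(record):
    """Decode a TLS alert record into (level, description); None if not an alert."""
    if len(record) != 7 or record[0] != 0x15 or record[3:5] != b"\x00\x02":
        return None
    level = "fatal" if record[5] == 2 else "warning"
    return level, ALERT_DESCRIPTIONS.get(record[6], "alert %d" % record[6])

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def check_agent_pem(text):
    """Return problems found in an agent.pem; an empty list means it holds at least
    one CERTIFICATE and one PRIVATE KEY block and every block decodes as DER."""
    problems, kinds = [], []
    for match in PEM_BLOCK.finditer(text):
        kind, body = match.group(1), "".join(match.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            problems.append("%s: body is not valid base64" % kind)
            continue
        if not der or der[0] != 0x30:  # DER keys and certs start with SEQUENCE
            problems.append("%s: decoded data is not DER" % kind)
        kinds.append(kind)
    if "CERTIFICATE" not in kinds:
        problems.append("no CERTIFICATE block")
    if not any(k.endswith("PRIVATE KEY") for k in kinds):
        problems.append("no PRIVATE KEY block: agent.pem needs cert and key together")
    return problems

# Constructed PEM bodies: a minimal DER SEQUENCE standing in for real objects.
STUB = "MAMCAQE="
AGENT_PEM_OK = ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n"
                % (STUB, STUB))
AGENT_PEM_CERT_ONLY = AGENT_PEM_OK.split("-----BEGIN RSA")[0]  # key left out

if __name__ == "__main__":
    print(parse_tls_alert(ALERT_RECORD))        # ('fatal', 'handshake_failure')
    print(check_agent_pem(AGENT_PEM_OK))         # []
    print(check_agent_pem(AGENT_PEM_CERT_ONLY))
```

Run against a real agent.pem, the check catches the cert-only or key-only file that still lets outbound TLS work but makes the server side refuse every inbound handshake, as in the traces above.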