[Freeswitch-users] FS gateway over TLS - force ephemeral port in contact header

Victor Chukalovskiy victor.chukalovskiy at gmail.com
Thu Aug 15 15:29:06 UTC 2019


Hi Folks, long time away from this list, but I do run into another FS
question I can't answer myself.

General scenario is latest FS V1.8 registering to Oracle SBC via gateway 
with register-transport TLS, and then trying to send / receive some calls.

The issue I observe is as follows:
Registration goes well, and an outbound call is established (from FS
to Oracle). So far FS is always an SSL "Client" and SBC is always an SSL
"Server". So the TCP connection is between an ephemeral port, e.g. 57647, on
FS side and 5061 on SBC side.

However, when SBC sends a BYE to FS, it does so in a brand new TCP
socket going from a high range port on SBC side, e.g. 27696, to 5061 on
FS side. In this new connection SBC tries to be an SSL client and expects
FS to act as SSL server. FS ignores it completely (nothing in debug log
or in sofia sip trace). My presumption is that it's incorrect, and that
everything should go back to the port that REGISTER / INVITE came from.
I think SBC does so because of the FS contact header not matching the
actual TCP connection. I'm trying to figure out FS guilt in this, as I
suspect it happens because of the way FS sets the Contact header port on the
outbound REGISTER and INVITE:

Contact: <sip:gw+test@<freeswitch_ip>:5061;tport=tcp;transport=tls;gw=test>

I suspect that 5061 is not the right port given FS is actually using 
ephemeral port for this registration. Is this a bug I should report, or 
a configuration I can change, or normal?
How can I force FS to put its actual ephemeral port? So that it looks
something like this:

Contact: <sip:gw+test@<freeswitch_ip>:57647;tport=tcp;transport=tls;gw=test>

Below is just an illustration of the two TCP connections that end up being
created on a single outbound call.

FreeSWITCH - initiated REGISTER, INVITE, 100 Trying, 200 OK etc:

11:05:53.303006 IP <freeswitch_ip>.57647 > <sbc_ip>.5061
11:05:53.408646 IP <sbc_ip>.5061 > <freeswitch_ip>.57647
11:05:53.408745 IP <freeswitch_ip>.57647 > <sbc_ip>.5061
11:05:54.242105 IP <freeswitch_ip>.57647 > <sbc_ip>.5061
11:05:54.242307 IP <freeswitch_ip>.57647 > <sbc_ip>.5061
11:05:54.309673 IP <sbc_ip>.5061 > <freeswitch_ip>.57647
11:05:54.309767 IP <freeswitch_ip>.57647 > <sbc_ip>.5061
11:05:54.393547 IP <sbc_ip>.5061 > <freeswitch_ip>.57647
11:05:54.393584 IP <freeswitch_ip>.57647 > <sbc_ip>.5061
11:05:54.394273 IP <freeswitch_ip>.57647 > <sbc_ip>.5061
11:05:54.395283 IP <freeswitch_ip>.57647 > <sbc_ip>.5061
11:05:54.395430 IP <freeswitch_ip>.57647 > <sbc_ip>.5061
11:05:54.395500 IP <freeswitch_ip>.57647 > <sbc_ip>.5061
11:05:54.463197 IP <sbc_ip>.5061 > <freeswitch_ip>.57647
11:05:54.511325 IP <freeswitch_ip>.57647 > <sbc_ip>.5061
11:05:57.283340 IP <sbc_ip>.5061 > <freeswitch_ip>.57647
11:05:57.283498 IP <freeswitch_ip>.57647 > <sbc_ip>.5061
11:06:02.904345 IP <sbc_ip>.5061 > <freeswitch_ip>.57647
11:06:02.904391 IP <freeswitch_ip>.57647 > <sbc_ip>.5061
11:06:02.918036 IP <freeswitch_ip>.57647 > <sbc_ip>.5061
11:06:03.085751 IP <sbc_ip>.5061 > <freeswitch_ip>.57647



Far-end (SBC) initiated "BYE". Note that ports have changed to a new 
set, and ssl server / client roles reversed:
11:06:11.285869 IP <sbc_ip>.27696 > <freeswitch_ip>.5061
11:06:11.285960 IP <freeswitch_ip>.5061 > <sbc_ip>.27696
11:06:11.354400 IP <sbc_ip>.27696 > <freeswitch_ip>.5061
11:06:11.357416 IP <sbc_ip>.27696 > <freeswitch_ip>.5061
11:06:11.357464 IP <freeswitch_ip>.5061 > <sbc_ip>.27696
11:06:11.358337 IP <freeswitch_ip>.5061 > <sbc_ip>.27696
11:06:11.358342 IP <freeswitch_ip>.5061 > <sbc_ip>.27696
11:06:11.426766 IP <sbc_ip>.27696 > <freeswitch_ip>.5061
11:06:11.427018 IP <freeswitch_ip>.5061 > <sbc_ip>.27696
11:06:11.492787 IP <sbc_ip>.27696 > <freeswitch_ip>.5061


Thanks a lot,
-Vic
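
An added example, not part of the original post: a Python check that groups tcpdump summary lines in the format shown above into TCP connections, treats the sender of the first packet as the side that opened each one, and compares the port advertised in the Contact header with the local port actually in use. The addresses 192.0.2.10 and 198.51.100.20, the trimmed capture and all function names are constructed for illustration.

```python
import re

# Constructed sample: trimmed tcpdump summary lines in the post's format, with
# documentation addresses standing in for <freeswitch_ip> and <sbc_ip>.
FS_IP = "192.0.2.10"
CAPTURE = """\
11:05:53.303006 IP 192.0.2.10.57647 > 198.51.100.20.5061
11:05:53.408646 IP 198.51.100.20.5061 > 192.0.2.10.57647
11:06:02.918036 IP 192.0.2.10.57647 > 198.51.100.20.5061
11:06:11.285869 IP 198.51.100.20.27696 > 192.0.2.10.5061
11:06:11.285960 IP 192.0.2.10.5061 > 198.51.100.20.27696
"""
CONTACT = "Contact: <sip:gw+test@192.0.2.10:5061;tport=tcp;transport=tls;gw=test>"

LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+)")
CONTACT_RE = re.compile(r"<sips?:(?:[^@>]+@)?([^:;>]+)(?::(\d+))?")


def connections(capture):
    """One entry per TCP 4-tuple; the sender of the first packet seen is
    treated as the side that opened the connection (the TLS client)."""
    flows = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst = (m[1], int(m[2])), (m[3], int(m[4]))
        flows.setdefault(frozenset((src, dst)), {"client": src, "server": dst})
    return list(flows.values())


def contact_port(header, default=5061):
    """Port advertised in a Contact URI; assumes 5061 when none is given."""
    m = CONTACT_RE.search(header)
    return int(m[2]) if m and m[2] else default


def audit(capture, contact, local_ip):
    """Compare the Contact port with the ports local_ip really uses."""
    flows, port = connections(capture), contact_port(contact)
    outbound = [f["client"][1] for f in flows if f["client"][0] == local_ip]
    return {"contact_port": port,
            "local_ports_in_use": outbound,
            "contact_matches_connection": port in outbound,
            "peer_opened_to": [f["server"][1] for f in flows
                               if f["server"][0] == local_ip]}
```

On the sample, `audit(CAPTURE, CONTACT, FS_IP)` reports a Contact port of 5061, a local port of 57647 on the connection FS opened, and a second connection opened by the peer toward 5061.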


