<div dir="ltr"><p class="MsoNormal">This is what I had to do to get TLS working for me...</p><p class="MsoNormal"><br></p><p class="MsoNormal">In order to get client authenticated TLS to work between 2
FreeSWITCH servers, I had to add a "transport=tls" parameter to the
dial string of the outbound call:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> ex.
sofia/sip-ua/sips:10.191.210.23:5081;transport=tls</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Without this parameter, the UAC does not add a
"transport=tls" parameter to the contact address of its initial
INVITE request. This seems to cause the UAS to try to send all its
subsequent requests (such as a BYE) over UDP instead of TLS.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Also, generating the public certificate and private key
store files using FreeSWITCH's "gentls_cert" script as described in
"<a href="http://wiki.freeswitch.org/wiki/SIP_TLS">http://wiki.freeswitch.org/wiki/SIP_TLS</a>"
won't work by default for client authenticated TLS. This is because the
script generates the certs with attributes making them specific for either the
server side or client side of a TLS handshake. The TLS handshake will
fail Purpose Validation if you try to configure a UAC with a cert that was
generated specifically for a server. To get around this, I had to comment
out the "nsCertType" and "extendedKeyUsage" attributes from
the "gentls_cert" script.</p><p class="MsoNormal"><br></p><p class="MsoNormal">-JP</p><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Mar 25, 2014 at 5:05 PM, JP <span dir="ltr">&lt;<a href="mailto:jaykris@gmail.com" target="_blank">jaykris@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div class="im"><div dir="ltr"><div style="font-family:arial,sans-serif;font-size:13px">
Do you mean to say that the UAC need only send to "sip:&lt;ip&gt;:&lt;tls_port&gt;;transport=tcp" and not to "sips"?</div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">I tried tweaking the parameters you mentioned in several different ways, but the contact address from the UAS always comes with "transport=udp". Is this my problem? </div>
</div></div><div class=""><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Mar 25, 2014 at 10:22 AM, Michael Jerris <span dir="ltr">&lt;<a href="mailto:mike@jerris.com" target="_blank">mike@jerris.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div style="word-wrap:break-word">sips: should not make a difference, however.. take a look at bind-params and tls-bind-params<div>
<br></div><div><a href="https://wiki.freeswitch.org/wiki/Sofia.conf.xml" target="_blank">https://wiki.freeswitch.org/wiki/Sofia.conf.xml</a></div><div><br><div><div><div><div>On Mar 25, 2014, at 1:15 PM, JP &lt;<a href="mailto:jaykris@gmail.com" target="_blank">jaykris@gmail.com</a>&gt; wrote:</div>
<br></div></div><blockquote type="cite"><div><div><div dir="ltr"><p class="MsoNormal">Is there any way to specify the full contact header in a UA
profile that the SIP stack will use when formulating messages?
Specifically, have it use "sips" instead of "sip" as
the protocol scheme? </p><div> <br></div><p class="MsoNormal">I'm trying to establish an INVITE dialog between 2
FreeSWITCH servers using a client authenticated TLS handshake.</p><div> <br></div><p class="MsoNormal">To accomplish this, I've created 2 UA profiles on both
servers - one to fulfill the role of the UAC (i.e. tls-uac.xml) and one to
implement the UAS (i.e. tls-uas.xml). Here are the relevant parameters
from both profiles:</p><div> <br></div><p class="MsoNormal">tls-uac.xml:</p><div> <br></div><p class="MsoNormal"> <param
name="sip-port" value="5081"/></p><div> <br></div><p class="MsoNormal"> <param
name="tls" value="true"/></p><div> <br></div><p class="MsoNormal"> <param
name="tls-only" value="true"/></p><div> <br></div><p class="MsoNormal"> <param
name="tls-sip-port" value="5082"/></p><div> <br></div><p class="MsoNormal"> <param
name="tls-cert-dir" value="$${base_dir}/conf/tls/uac"/></p><div> <br></div><p class="MsoNormal">tls-uas.xml:</p><div> <br></div><p class="MsoNormal"> <param
name="sip-port" value="5081"/></p><div> <br></div><p class="MsoNormal"> <param
name="tls" value="true"/></p><div> <br></div><p class="MsoNormal"> <param
name="tls-only" value="true"/></p><div> <br></div><p class="MsoNormal"> <param
name="tls-sip-port" value="5081"/></p><div> <br></div><p class="MsoNormal"> <param
name="tls-cert-dir" value="$${base_dir}/conf/tls/uas"/></p><div> <br></div><p class="MsoNormal">The problem already starts when "tls-uac" sends a
non-secure SIP URI in the contact header of its initial INVITE request (i.e. sip:mod_sofia@10.191.210.150:5081).
But the more immediate issue is that "tls-uas" also responds
with a non-secure SIP URI in the contact header of its final response (i.e. sip:14086805675@10.191.210.151:5081;transport=udp).
This causes "tls-uac" to send its ACK to the right port number
(i.e. 5081) but on the wrong transport (i.e. UDP instead of TCP/TLS).</p><div> <br></div><p class="MsoNormal">I've seen in the FS documentation that there are ways to
manipulate the contact header through the dial plan, but I'd really prefer not
to do it this way. Any suggestions?</p><div> <br></div><p class="MsoNormal">Thanks</p><p class="MsoNormal">JP</p></div></div></div>
_________________________________________________________________________<br>Professional FreeSWITCH Consulting Services:<br><a href="mailto:consulting@freeswitch.org" target="_blank">consulting@freeswitch.org</a><br><a href="http://www.freeswitchsolutions.com" target="_blank">http://www.freeswitchsolutions.com</a><br>
<br>FreeSWITCH-powered IP PBX: The CudaTel Communication Server<br><a href="http://www.cudatel.com" target="_blank">http://www.cudatel.com</a><br><br>Official FreeSWITCH Sites<br><a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br>
<a href="http://wiki.freeswitch.org" target="_blank">http://wiki.freeswitch.org</a><br><a href="http://www.cluecon.com" target="_blank">http://www.cluecon.com</a><br><br>FreeSWITCH-users mailing list<br><a href="mailto:FreeSWITCH-users@lists.freeswitch.org" target="_blank">FreeSWITCH-users@lists.freeswitch.org</a><br>
<a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br>UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users" target="_blank">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br>
<a href="http://www.freeswitch.org" target="_blank">http://www.freeswitch.org</a><br></blockquote></div><br></div></div>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div></div>
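<p>Added example, not part of the thread and not FreeSWITCH code: a small Python checker for the two symptoms JP describes above, a sofia dial string that lacks <code>;transport=tls</code>, and a Contact URI on a TLS leg that advertises no TLS transport (so the peer routes ACK/BYE over UDP). The function names are mine, and the SIP messages are constructed samples that reuse the addresses quoted in the thread; the checker is meant to run over a captured INVITE or final response rather than to change anything on the wire.</p>

```python
"""Checks for the missing-TLS-transport problem described in the thread.

Added example, not FreeSWITCH code: function names and the sample SIP
messages below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

_TRANSPORT_RE = re.compile(r";transport=([A-Za-z]+)", re.IGNORECASE)

# Compact header names (RFC 3261) for the headers this checker reads.
_COMPACT = {"contact": "m", "via": "v"}


def ensure_tls_dial_string(dial: str) -> str:
    """Return a sofia dial string carrying ';transport=tls'.

    A missing transport parameter is appended; a different one (e.g. udp)
    is replaced, so the UAC's Contact will advertise TLS.
    """
    m = _TRANSPORT_RE.search(dial)
    if m is None:
        return dial + ";transport=tls"
    if m.group(1).lower() == "tls":
        return dial
    return dial[: m.start()] + ";transport=tls" + dial[m.end():]


def header_value(message: str, name: str) -> Optional[str]:
    """First value of a SIP header (long or compact form), or None."""
    head = message.split("\r\n\r\n", 1)[0]
    wanted = {name.lower(), _COMPACT.get(name.lower(), name.lower())}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in wanted:
            return value.strip()
    return None


def contact_uri(message: str) -> Optional[str]:
    """Extract the URI from the Contact header (bracketed or bare form)."""
    value = header_value(message, "Contact")
    if value is None:
        return None
    m = re.search(r"<([^>]+)>", value)
    # Bare form: keep the whole value up to a second, comma-separated contact.
    return m.group(1) if m else value.split(",", 1)[0].strip()


def uri_params(uri: str) -> Dict[str, str]:
    """Parse ';name=value' URI parameters into a lower-cased dict."""
    params: Dict[str, str] = {}
    for part in uri.split(";")[1:]:
        key, _, value = part.partition("=")
        params[key.strip().lower()] = value.strip().lower()
    return params


def via_transport(message: str) -> Optional[str]:
    """Transport named in the top Via header ('tls', 'udp', ...), or None."""
    value = header_value(message, "Via")
    if value is None:
        return None
    m = re.match(r"SIP/2\.0/([A-Za-z]+)", value)
    return m.group(1).lower() if m else None


def check_tls_contact(message: str) -> List[str]:
    """Findings when the Contact URI would steer in-dialog requests off TLS."""
    uri = contact_uri(message)
    if uri is None:
        return ["no Contact header found"]
    scheme = uri.split(":", 1)[0].lower()
    transport = uri_params(uri).get("transport")
    secured = scheme == "sips" or transport == "tls"
    findings: List[str] = []
    if not secured:
        findings.append(
            f"Contact {uri} advertises {transport or 'no'} transport; "
            "the peer will send ACK/BYE over UDP instead of TLS"
        )
        if via_transport(message) == "tls":
            findings.append("Via says TLS but Contact does not: transport mismatch")
    return findings


def _sip(lines: List[str]) -> str:
    """Join constructed header lines into a wire-format SIP message."""
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample: INVITE as sent when the dial string lacks ';transport=tls'.
INVITE_NO_TLS = _sip([
    "INVITE sips:14086805675@10.191.210.151:5081 SIP/2.0",
    "Via: SIP/2.0/TLS 10.191.210.150:5081;branch=z9hG4bKsample",
    "From: <sip:mod_sofia@10.191.210.150>;tag=sample1",
    "To: <sip:14086805675@10.191.210.151>",
    "Contact: <sip:mod_sofia@10.191.210.150:5081>",
    "Content-Length: 0",
])

# The same INVITE once the dial string carries ';transport=tls'.
INVITE_TLS = INVITE_NO_TLS.replace(
    "Contact: <sip:mod_sofia@10.191.210.150:5081>",
    "Contact: <sip:mod_sofia@10.191.210.150:5081;transport=tls>",
)

# Constructed sample: the UAS's final response with the UDP Contact JP saw.
RESPONSE_UDP = _sip([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/TLS 10.191.210.150:5081;branch=z9hG4bKsample",
    "From: <sip:mod_sofia@10.191.210.150>;tag=sample1",
    "To: <sip:14086805675@10.191.210.151>;tag=sample2",
    "Contact: <sip:14086805675@10.191.210.151:5081;transport=udp>",
    "Content-Length: 0",
])

if __name__ == "__main__":
    print(ensure_tls_dial_string("sofia/sip-ua/sips:10.191.210.23:5081"))
    for label, msg in (("INVITE", INVITE_NO_TLS), ("INVITE+tls", INVITE_TLS), ("200 OK", RESPONSE_UDP)):
        print(label, check_tls_contact(msg) or ["ok"])
```

<p>Running it flags both the INVITE whose Contact has no transport parameter and the 200 OK whose Contact says <code>transport=udp</code>, while the INVITE built from a dial string ending in <code>;transport=tls</code> passes clean. The Via/Contact mismatch finding is the one to look for in a packet capture when a call sets up over TLS but its BYE arrives (or is sent) on UDP.</p>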