<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hi all</p>
<p><br>
</p>
<p>I'm a FreeSWITCH newbie and I'm trying to set up SIP over TLS in
my FS version 1.5.15.</p>
<p>As a first step I have configured a SIP gateway that successfully
registers to a dedicated SIP Registrar/Proxy (opensips) using SIP
over UDP. With this configuration I can successfully place
outbound and inbound calls without any problem. Everything works
like a charm.<br>
</p>
<p>Then I tried to switch to SIP over TLS, following the
steps described in
<a class="moz-txt-link-freetext" href="https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS">https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS</a>.</p>
<p>I have installed the agent.pem and cafile.pem generated by
opensips (my SIP Registrar) and I have configured FS to use them. After
a restart the sofia gateway profile can successfully register to the
SIP Registrar using SIP over TLS.</p>
<p>Furthermore, I can successfully place outbound calls (from an internal
channel through the SIP gateway). It sounds great!<br>
</p>
<p>Unfortunately FS fails to handle inbound calls (a SIP INVITE from
an external SIP UA registered to the same SIP Registrar to the SIP
UA extension of the FS SIP gateway).</p>
<p>I have tried to trace all the logs I can. Here below are some traces
from the FS console when an inbound INVITE is received:</p>
<p><br>
</p>
<p><tt>tport.c:2749 tport_wakeup_pri() tport_wakeup_pri(0xb7f28): events IN<br>
tport.c:862 tport_alloc_secondary() tport_alloc_secondary(0xb7f28): new secondary tport 0x1398c0<br>
tport_type_tcp.c:203 tport_tcp_init_secondary() tport_tcp_init_secondary(0x1398c0): Setting TCP_KEEPIDLE to 30<br>
tport_type_tcp.c:209 tport_tcp_init_secondary() tport_tcp_init_secondary(0x1398c0): Setting TCP_KEEPINTVL to 30<br>
tport_type_tls.c:610 tport_tls_accept() tport_tls_accept(0x1398c0): new connection from tls/10.3.10.110:38632/sips<br>
tport_tls.c:919 tls_connect() tls_connect(0x1398c0): events NEGOTIATING<br>
tport_tls.c:1008 tls_connect() tls_connect(0x1398c0): TLS setup failed (error:00000001:lib(0):func(0):reason(1))<br>
tport.c:2090 tport_close() tport_close(0x1398c0): tls/10.3.10.110:38632/sips<br>
tport.c:2263 tport_set_secondary_timer() tport(0x1398c0): set timer at 0 ms because zap</tt></p>
<p><tt><br>
</tt></p>
<p>In order to simplify the test I have also tried to connect to the
5061 TLS port with a simple openssl command from a Linux shell on
the SIP Registrar box:</p>
<p><br>
</p>
<p><font face="Courier New, Courier, monospace">openssl s_client
-connect 10.11.4.103:5061 -tls1_2 <br>
CONNECTED(00000003)<br>
3074304200:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3
alert handshake failure:s3_pkt.c:1256:SSL alert number 40<br>
3074304200:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl
handshake failure:s3_pkt.c:596:<br>
---<br>
no peer certificate available<br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 7 bytes and written 0 bytes<br>
---<br>
New, (NONE), Cipher is (NONE)<br>
Secure Renegotiation IS NOT supported<br>
Compression: NONE<br>
Expansion: NONE<br>
SSL-Session:<br>
Protocol : TLSv1.2<br>
Cipher : 0000<br>
Session-ID: <br>
Session-ID-ctx: <br>
Master-Key: <br>
Key-Arg : None<br>
PSK identity: None<br>
PSK identity hint: None<br>
SRP username: None<br>
Start Time: 1528361426<br>
Timeout : 7200 (sec)<br>
Verify return code: 0 (ok)<br>
---<br>
</font><br>
</p>
<p>In the FS console I see the same traces as in the previous
test with the inbound call.</p>
<p><br>
</p>
<p><tt>tport.c:2749 tport_wakeup_pri() tport_wakeup_pri(0xb7f28): events IN<br>
tport.c:862 tport_alloc_secondary() tport_alloc_secondary(0xb7f28): new secondary tport 0x248210<br>
tport_type_tcp.c:203 tport_tcp_init_secondary() tport_tcp_init_secondary(0x248210): Setting TCP_KEEPIDLE to 30<br>
tport_type_tcp.c:209 tport_tcp_init_secondary() tport_tcp_init_secondary(0x248210): Setting TCP_KEEPINTVL to 30<br>
tport_type_tls.c:610 tport_tls_accept() tport_tls_accept(0x248210): new connection from tls/10.11.4.103:33168/sips<br>
tport_tls.c:919 tls_connect() tls_connect(0x248210): events NEGOTIATING<br>
tport_tls.c:1008 tls_connect() tls_connect(0x248210): TLS setup failed (error:00000001:lib(0):func(0):reason(1))<br>
tport.c:2090 tport_close() tport_close(0x248210): tls/10.11.4.103:33168/sips<br>
tport.c:2263 tport_set_secondary_timer() tport(0x248210): set timer at 0 ms because zap</tt><br>
</p>
<p>I have also attached a Wireshark capture of the inbound call. In
this capture the SIP Registrar has IP 10.3.10.110 and the FS device
is 10.11.4.103. The Client Hello is sent by the SIP Registrar, but
the FS device replies with an "Alert: Level: fatal, Description:
handshake failure (40)".</p>
<p>I guess that there is some misconfiguration related to the TLS
version, the proposed ciphers or the certificates, but I cannot
understand what.</p>
<p><br>
</p>
<p>For comparison I have tried to run the same openssl command from
FS to the external SIP Registrar (outbound).</p>
<p><br>
</p>
<p><font face="Courier New, Courier, monospace">openssl s_client
-connect 10.3.10.110:5061 -tls1_2 <br>
CONNECTED(00000003)<br>
depth=1 CN = Your_NAME, ST = Your_STATE, C = CO, emailAddress =
YOUR_EMAIL, O = YOUR_ORG_NAME<br>
verify error:num=19:self signed certificate in certificate chain<br>
verify return:0<br>
---<br>
Certificate chain<br>
0 s:/C=XY/ST=Some State/O=My Large Organization Name/OU=My Subunit of Large Organization/CN=somename.somewhere.com/emailAddress=root@somename.somewhere.com<br>
i:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME<br>
1 s:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME<br>
i:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME<br>
---<br>
Server certificate<br>
subject=/C=XY/ST=Some State/O=My Large Organization Name/OU=My Subunit of Large Organization/CN=somename.somewhere.com/emailAddress=root@somename.somewhere.com<br>
issuer=/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME<br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 1979 bytes and written 337 bytes<br>
---<br>
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384<br>
Server public key is 512 bit<br>
Secure Renegotiation IS NOT supported<br>
Compression: NONE<br>
Expansion: NONE<br>
SSL-Session:<br>
Protocol : TLSv1.2<br>
Cipher : AES256-GCM-SHA384<br>
Session-ID: EA8B17008E58F1D04CD1CEA53103CF477AA9DE0DC80A4FF4F0DD4814031E4C15<br>
Session-ID-ctx: <br>
Master-Key: D28ED5C21D288944D2277AF86FE82A9BF3BEDABAA14DBCD5AE32B190EF0A0CA6AB99719E751E6DD4FECAA9DD1307A3C0<br>
Key-Arg : None<br>
PSK identity: None<br>
PSK identity hint: None<br>
SRP username: None<br>
TLS session ticket lifetime hint: 300 (seconds)<br>
TLS session ticket:<br>
<br>
Start Time: 1528361487<br>
Timeout : 7200 (sec)<br>
Verify return code: 19 (self signed certificate in
certificate chain)<br>
---<br>
closed</font></p>
<p>In this case the command seems to have been executed successfully.
I remark that the outbound TLS transactions seem to be
working fine also from FS (SIP Registrar, SIP INVITE in outbound
do not have any problem).</p>
<p>If required I can also provide the FS configuration files
(vars.xml, sofia.conf.xml, etc.).<br>
</p>
<p>Any help will be greatly appreciated.</p>
<p>Thanks in advance<br>
</p>
<p>Best regards</p>
<p><br>
</p>
<p>fabio<br>
</p>
</body>
</html>