[Freeswitch-users] FreeSWITCH Registrar TLS offload

Vladyslav Zakhozhai v.zakhozhai at gmail.com
Tue Nov 22 13:33:02 MSK 2016


Hi,

I'm trying to understand what the best or most suitable approach is to the
following use case. Let me simplify things a little bit.

Suppose we have one FreeSWITCH registrar behind a SIP proxy (Kamailio). I'd
like to offload SSL/TLS encryption/decryption to the SIP proxy:

REGISTER:

Request: UAC == SIP/TLS ==> Kamailio == UDP ==> FreeSWITCH:50
Reply: UAC <== SIP/TLS == Kamailio <== UDP == FreeSWITCH

INVITE:
UAC1 == SIP/TLS ==> Kamailio == UDP ==> FreeSWITCH == UDP ==> Kamailio == SIP/TLS ==> UAC2

(FreeSWITCH uses Kamailio as an outbound proxy with the fs_path tag appended in
the dialplan).

The main problem is in the Contact header, which contains transport=tls, and we
can see it in the FreeSWITCH console:

User:       user@domain.com
Contact:   "" <sip:user@UAC_IP:57976;transport=tls>
Status:     Registered(TLS)(unknown) EXP(2016-11-22 10:16:59) EXPSECS(108)
IP:         SIP_PROXY_IP
Port:       5060

When FreeSWITCH sends an INVITE to UAC2 (during a call) it tries to establish
a TLS session to UAC2. It fails because there are no TLS-enabled sofia
profiles in the FreeSWITCH config.

I have only one solution in mind: rewrite the transport tag in the Contact
header on the SIP proxy (transport=udp to FreeSWITCH, and transport=tls to the UAC).

I'd like to know if this solution is OK or whether there are more elegant solutions.

I've tried appending the tag transport=udp in FreeSWITCH's dialplan, but with no
success.

Thank you in advance.

-- 
Best regards,
Vladyslav Zakhozhai
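
The Contact rewrite proposed in the message above, sketched in Python as an added example: it is not part of the original post and is not Kamailio configuration. The function names, sample addresses and sample REGISTER are constructed for illustration.

```python
import re

# ;transport=<token> URI parameter; parameter names are case-insensitive in SIP.
_TRANSPORT = re.compile(r";transport=[A-Za-z0-9-]+", re.IGNORECASE)
# URI inside angle brackets: <sip:...> or <sips:...>. Bare (unbracketed)
# Contact URIs and "Contact: *" are left untouched by this sketch.
_CONTACT_URI = re.compile(r"<(sips?:[^>]+)>", re.IGNORECASE)


def _swap(uri: str, transport: str) -> str:
    # Keep URI headers (?a=b) last; the transport parameter goes before them.
    base, q, headers = uri.partition("?")
    base = _TRANSPORT.sub("", base)
    return f"{base};transport={transport}{q}{headers}"


def set_contact_transport(message: str, transport: str) -> str:
    """Set the transport URI parameter in every Contact header of a SIP message."""
    head, sep, body = message.partition("\r\n\r\n")  # never touch the SDP body
    out = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("contact", "m"):  # "m" is the compact header form
            line = _CONTACT_URI.sub(
                lambda m: "<" + _swap(m.group(1), transport) + ">", line)
        out.append(line)
    return "\r\n".join(out) + sep + body


# Constructed sample: REGISTER as received from the UAC over TLS.
SAMPLE_REGISTER = (
    "REGISTER sip:domain.example SIP/2.0\r\n"
    "To: <sip:user@domain.example>\r\n"
    'Contact: "" <sip:user@192.0.2.10:57976;transport=tls>;expires=120\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    to_registrar = set_contact_transport(SAMPLE_REGISTER, "udp")  # proxy -> FreeSWITCH
    print(to_registrar)
    print(set_contact_transport(to_registrar, "tls"))             # proxy -> UAC
```

The reverse rewrite on the way back to the UAC matters because the UAC looks for its own Contact URI among the bindings returned in the 200 OK.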