[Freeswitch-users] FreeSWITCH Registrar TLS offload

Vladyslav Zakhozhai v.zakhozhai at gmail.com
Tue Nov 29 01:51:55 MSK 2016


Brian, I'm wondering too.

First of all, the thing about my previous mail is not so good. I forgot that
I've configured my sofia profile to work with TLS. When I disabled TLS I
still had a problem with originating calls, with the error:

[ERR] sofia_glue.c:943 TLS not supported by profile

FreeSWITCH still originates calls over TLS.

Contact:     "" <sip:user_name at user_ip:49337;transport=tls;fs_path=sip%3Asip_proxy_ip%3Blr>

What about the random source port.

As I have already said, on the kamailio side I check the source IP and port of
the dispatcher destination (FS_IP:5060) and take appropriate actions. But
the originated call from kamailio did not pass this check. When I looked
in the kamailio logs I saw that the INVITE request is coming from FS_IP:RANDOM_PORT

Method: <INVITE> URI: <sip:user_name at user_IP:49335;transport=tls>
SourceIP/Port: <FS_IP>:<36378> From/To: [<sip:from_user at FS_IP>
<sip:to_user at user_ip:49335;transport=tls>] Contact:
<<sip:mod_sofia at FS_IP:5061;transport=tls>>
<FreeSWITCH-mod_sofia/1.6.12-20-b91a0a6~64bit>.

Here we can see that the call was originated over TLS and the source port was
different than 5061.

Here is part of sofia profile:

<param name="rtp-ip" value="FS_IP"/>
<param name="sip-ip" value="FS_IP"/>
<param name="sip-port" value="5060"/>

<param name="tls" value="true"/>
<param name="tls-only" value="false"/>
<param name="tls-cert-dir" value="/etc/freeswitch/tls"/>
<param name="tls-bind-params" value="transport=tls"/>
<param name="tls-sip-port" value="5061"/>
<param name="tls-passphrase" value=""/>
<param name="tls-verify-date" value="true"/>
<param name="tls-verify-policy" value="none"/>


2016-11-29 0:37 GMT+02:00 Brian West <brian at freeswitch.org>:

> You're using TLS/TCP the random port is how it happens.
>
> /b
>
>
> On Mon, Nov 28, 2016 at 4:31 PM, Vladyslav Zakhozhai <
> v.zakhozhai at gmail.com> wrote:
>
>> Hi, I'm from ser-userlist with good news and testing results :)
>>
>> FreeSWITCH does honor the path header and will send back responses and will
>> originate calls to/through the SIP proxy IP address if it is in the path.
>>
>> Before relaying in Kamailio you need to put add_path or add_path_received
>> (both worked fine for me). FreeSWITCH will add it to the Contact header:
>>
>> Contact:     "" <sip:user_name at user_ip:49335;transport=tls;fs_path=sip%3Akamailio_ip%3Blr>
>>
>> No manual manipulation of the Contact header is needed from the kamailio side
>> (as well as from the FreeSWITCH side).
>>
>> But be aware of correct handling of SIP requests (i.e. INVITEs) from
>> FreeSWITCHes. For example, my FreeSWITCH backends are in the dispatcher table
>> (sip:IP_ADDR:UDP_PORT). And I've checked it with ds_is_from_list in
>> kamailio. But FreeSWITCH originates INVITE to kamailio from
>> IP_ADDR:RANDOM_PORT. In this case ds_is_from_list fails :(
>>
>> Now I'm checking whether there are mistakes in my configs or this is a normal
>> use case for FreeSWITCH (I did not mention it earlier).
>>
>>
>> 2016-11-25 13:15 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
>>
>>> David,
>>>
>>> yes of course I'll be back with solution here :) But I'm not sure when
>>> exactly.
>>>
>>> 2016-11-24 12:30 GMT+02:00 David Villasmil <
>>> david.villasmil.work at gmail.com>:
>>>
>>>> Hello,
>>>>
>>>> Please come back with the solution when you have it. It should be
>>>> interesting for people using kamailio/freeswitch.
>>>>
>>>> Regards,
>>>>
>>>> David
>>>>
>>>> On Wed, Nov 23, 2016 at 10:37 AM Vladyslav Zakhozhai <
>>>> v.zakhozhai at gmail.com> wrote:
>>>>
>>>>> Alexandru, thank you for the answer. I think you've given me the right
>>>>> direction to investigate.
>>>>>
>>>>> As you've mentioned, this is really a kamailio issue/question. So I'm
>>>>> moving to the sr-users list.
>>>>>
>>>>>
>>>>> 2016-11-22 13:03 GMT+02:00 Alexandru Covalschi <568691 at gmail.com>:
>>>>>
>>>>> Do you have set_contact_alias or add_contact_alias in Kamailio?
>>>>> Anyways you're doing something wrong as AFAIK Kamailio translates contact
>>>>> header to udp automatically. You should try to post on sr-users list.
>>>>>
>>>>> 2016-11-22 12:33 GMT+02:00 Vladyslav Zakhozhai <v.zakhozhai at gmail.com>:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I'm trying to understand what is the best or most suitable approach to the
>>>>> following use case. Let me simplify things a little bit.
>>>>>
>>>>> Suppose we have one FreeSWITCH registrar behind a SIP proxy (kamailio).
>>>>> I'd like to offload SSL/TLS encryption/decryption to the SIP proxy:
>>>>>
>>>>> REGISTER:
>>>>>
>>>>> Request: UAC == SIP/TLS ==> Kamailio == UDP ==> FreeSWITCH:50
>>>>> Reply: UAC <== SIP/TLS == Kamailio <== UDP == FreeSWITCH
>>>>>
>>>>> INVITE:
>>>>> UAC1 == SIP/TLS ==> Kamailio == UDP ==> FreeSWITCH == UDP ==>
>>>>> Kamailio == SIP/TLS ==> UAC2
>>>>>
>>>>> (FreeSWITCH uses kamailio as outbound proxy with fs_path tag appended
>>>>> in dialplan).
>>>>>
>>>>> The main problem is in Contact header which contains transport=tls and
>>>>> we can see it in FreeSWITCH console:
>>>>>
>>>>> User:       user at domain.com
>>>>> Contact:   "" <sip:user at UAC_IP:57976;transport=tls>
>>>>> Status:     Registered(TLS)(unknown) EXP(2016-11-22 10:16:59)
>>>>> EXPSECS(108)
>>>>> IP:         SIP_PROXY_IP
>>>>> Port:       5060
>>>>>
>>>>> When FreeSWITCH sends INVITE to UAC2 (during a call) it tries to
>>>>> establish a TLS session to UAC2. It fails because there are no TLS-enabled
>>>>> sofia profiles in the config of FreeSWITCH.
>>>>>
>>>>> I have only one solution in my mind: rewrite the transport tag in the Contact
>>>>> header on the SIP proxy (transport=udp to FreeSWITCH, and transport=tls to UAC).
>>>>>
>>>>> I'd like to know if this solution is ok or if there are more elegant
>>>>> solutions.
>>>>>
>>>>> I've tried appending the tag transport=udp in FreeSWITCH's dialplan but with no
>>>>> success.
>>>>>
>>>>> Thank you in advance.
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Vladyslav Zakhozhai
>>>>>
>>>>>
>>>>> _________________________________________________________________________
>>>>> Professional FreeSWITCH Consulting Services:
>>>>> consulting at freeswitch.org
>>>>> http://www.freeswitchsolutions.com
>>>>>
>>>>> Official FreeSWITCH Sites
>>>>> http://www.freeswitch.org
>>>>> http://confluence.freeswitch.org
>>>>> http://www.cluecon.com
>>>>>
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> http://www.freeswitch.org
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Alexandru Covalschi
>>>>> VoIP engineer and system administrator
>>>>> tel: +37367398493
>>>>>
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Vladyslav Zakhozhai
>>>
>>>
>>>
>>> --
>>> Best regards,
>>> Vladyslav Zakhozhai
>>>
>>>
>>
>>
>> --
>> Best regards,
>> Vladyslav Zakhozhai
>
>
>
> --
>
> *Brian West*
> brian at freeswitch.org



-- 
Best regards,
Vladyslav Zakhozhai
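
Added example (not part of the thread, and not Kamailio or FreeSWITCH code): a small Python model of the two things discussed above, the fs_path hop stored in a registered Contact and an ip/port/proto source check against a dispatcher-style entry such as sip:FS_IP:5060. The flag names, function names and addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

IGNORE_PORT, IGNORE_PROTO = 1, 2   # hypothetical flag names for this model

def parse_sip_uri(uri):
    """Split 'sip:[user@]host[:port][;param...]' into host, port, params."""
    m = re.match(r"sips?:(?:[^@;]+@)?([^:;]+)(?::(\d+))?((?:;[^;]+)*)$", uri)
    if not m:
        raise ValueError("not a SIP URI: " + uri)
    params = dict(p.split("=", 1) if "=" in p else (p, "")
                  for p in m.group(3).split(";") if p)
    port = int(m.group(2)) if m.group(2) else None
    return {"host": m.group(1), "port": port, "params": params}

def source_is_trusted(src_ip, src_port, src_proto, dest_uri, mode=0):
    """Compare a request's source with one dispatcher-style destination URI."""
    d = parse_sip_uri(dest_uri)
    if src_ip != d["host"]:
        return False                      # the address is always compared
    if not mode & IGNORE_PORT and src_port != (d["port"] or 5060):
        return False                      # fails for a TCP/TLS ephemeral port
    if not mode & IGNORE_PROTO and src_proto != d["params"].get("transport", "udp"):
        return False                      # fails when the entry is UDP, request is TLS
    return True

def next_hop(contact_uri):
    """Host a request for this Contact goes to, and the transport it asks for."""
    c = parse_sip_uri(contact_uri)
    transport = c["params"].get("transport", "udp")
    path = c["params"].get("fs_path")     # URL-encoded Path hop stored by FreeSWITCH
    host = parse_sip_uri(unquote(path))["host"] if path else c["host"]
    return host, transport

# Constructed sample values (documentation address ranges), shaped like the thread's
FS_DEST = "sip:203.0.113.5:5060"          # dispatcher entry for FreeSWITCH
CONTACT = "sip:user_name@198.51.100.7:49335;transport=tls;fs_path=sip%3A192.0.2.10%3Blr"

if __name__ == "__main__":
    print(next_hop(CONTACT))
    for mode in (0, IGNORE_PORT, IGNORE_PORT | IGNORE_PROTO):
        print(mode, source_is_trusted("203.0.113.5", 36378, "tls", FS_DEST, mode))
```

With both flags set the check reduces to the source address alone, so anything able to send from the FreeSWITCH host's IP passes it; keeping the proxy-to-FreeSWITCH leg on UDP from port 5060 lets the strict comparison stay in place.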