[Freeswitch-users] SIP over TLS configuration problem

fabio f.antonini at tiesse.com
Thu Jun 7 09:05:13 UTC 2018


Hi all


I'm a FreeSWITCH newbie and I'm trying to set up SIP over TLS in my FS 
version 1.5.15.

As a first step I have configured a SIP Gateway that successfully 
registers to a dedicated SIP Registrar/Proxy (opensips) using SIP over 
UDP. With this configuration I can successfully place outbound and 
inbound calls without any problem. Everything works like a charm.

I then tried to switch to SIP over TLS and followed the steps 
described in https://freeswitch.org/confluence/display/FREESWITCH/SIP+TLS.

I have installed the agent.pem and cafile.pem generated by opensips (my 
SIP Registrar) and I configured FS to use them. After a restart, the sofia 
gateway profile can successfully register to the SIP Registrar over SIP 
over TLS.

Further, I can successfully place outbound calls (from an internal channel 
through the SIP gateway). That's great!

Unfortunately, FS fails to handle inbound calls (a SIP INVITE from an 
external SIP UA registered to the same SIP Registrar, sent to the SIP UA 
extension of the FS SIP gateway).

I have tried to trace all the logs I can. Here below are some traces from 
the FS console when an inbound INVITE is received:


tport.c:2749 tport_wakeup_pri() tport_wakeup_pri(0xb7f28): events IN
tport.c:862 tport_alloc_secondary() tport_alloc_secondary(0xb7f28): new secondary tport 0x1398c0
tport_type_tcp.c:203 tport_tcp_init_secondary() tport_tcp_init_secondary(0x1398c0): Setting TCP_KEEPIDLE to 30
tport_type_tcp.c:209 tport_tcp_init_secondary() tport_tcp_init_secondary(0x1398c0): Setting TCP_KEEPINTVL to 30
tport_type_tls.c:610 tport_tls_accept() tport_tls_accept(0x1398c0): new connection from tls/10.3.10.110:38632/sips
tport_tls.c:919 tls_connect() tls_connect(0x1398c0): events NEGOTIATING
tport_tls.c:1008 tls_connect() tls_connect(0x1398c0): TLS setup failed (error:00000001:lib(0):func(0):reason(1))
tport.c:2090 tport_close() tport_close(0x1398c0): tls/10.3.10.110:38632/sips
tport.c:2263 tport_set_secondary_timer() tport(0x1398c0): set timer at 0 ms because zap


In order to simplify the test, I have also tried to connect to the 5061 
TLS port with a simple openssl command from a Linux shell on the SIP 
Registrar box:


openssl s_client -connect 10.11.4.103:5061 -tls1_2
CONNECTED(00000003)
3074304200:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
3074304200:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : 0000
     Session-ID:
     Session-ID-ctx:
     Master-Key:
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1528361426
     Timeout   : 7200 (sec)
     Verify return code: 0 (ok)
---

In the FS console I read the same traces as in the previous test 
with the inbound call.


tport.c:2749 tport_wakeup_pri() tport_wakeup_pri(0xb7f28): events IN
tport.c:862 tport_alloc_secondary() tport_alloc_secondary(0xb7f28): new secondary tport 0x248210
tport_type_tcp.c:203 tport_tcp_init_secondary() tport_tcp_init_secondary(0x248210): Setting TCP_KEEPIDLE to 30
tport_type_tcp.c:209 tport_tcp_init_secondary() tport_tcp_init_secondary(0x248210): Setting TCP_KEEPINTVL to 30
tport_type_tls.c:610 tport_tls_accept() tport_tls_accept(0x248210): new connection from tls/10.11.4.103:33168/sips
tport_tls.c:919 tls_connect() tls_connect(0x248210): events NEGOTIATING
tport_tls.c:1008 tls_connect() tls_connect(0x248210): TLS setup failed (error:00000001:lib(0):func(0):reason(1))
tport.c:2090 tport_close() tport_close(0x248210): tls/10.11.4.103:33168/sips
tport.c:2263 tport_set_secondary_timer() tport(0x248210): set timer at 0 ms because zap

I have also attached a Wireshark capture of the inbound call. In this 
capture the SIP Registrar has IP 10.3.10.110 and the FS device is 
10.11.4.103. The Client Hello is sent by the SIP Registrar, but the FS 
device replies with an "Alert: Level: fatal, Description: handshake 
failure (40)".

I guess that there is some misconfiguration related to the TLS version, 
the proposed ciphers or the certificates, but I cannot understand what.


For comparison, I have tried to run the same openssl command from FS to 
the external SIP Registrar (outbound).


openssl s_client -connect 10.3.10.110:5061 -tls1_2
CONNECTED(00000003)
depth=1 CN = Your_NAME, ST = Your_STATE, C = CO, emailAddress = YOUR_EMAIL, O = YOUR_ORG_NAME
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=XY/ST=Some State/O=My Large Organization Name/OU=My Subunit of Large Organization/CN=somename.somewhere.com/emailAddress=root@somename.somewhere.com
   i:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
 1 s:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
   i:/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/C=XY/ST=Some State/O=My Large Organization Name/OU=My Subunit of Large Organization/CN=somename.somewhere.com/emailAddress=root@somename.somewhere.com
issuer=/CN=Your_NAME/ST=Your_STATE/C=CO/emailAddress=YOUR_EMAIL/O=YOUR_ORG_NAME
---
No client certificate CA names sent
---
SSL handshake has read 1979 bytes and written 337 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 512 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : AES256-GCM-SHA384
     Session-ID: EA8B17008E58F1D04CD1CEA53103CF477AA9DE0DC80A4FF4F0DD4814031E4C15
     Session-ID-ctx:
     Master-Key: D28ED5C21D288944D2277AF86FE82A9BF3BEDABAA14DBCD5AE32B190EF0A0CA6AB99719E751E6DD4FECAA9DD1307A3C0
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 300 (seconds)
     TLS session ticket:
     0000 - 2f c5 82 ea bf 8b 66 49-bc bc ee 48 1a fb 8e 6c /.....fI...H...l
     0010 - de 42 d9 e0 6e 36 40 78-06 cc 68 c6 74 6d 6e aa .B..n6@x..h.tmn.
     0020 - b6 53 8a ed b2 8d 5a c4-02 e1 88 8b d2 a9 56 5f .S....Z.......V_
     0030 - ee c6 b9 14 55 da 37 df-8f aa af 81 b4 22 4e be ....U.7......"N.
     0040 - 9c c5 87 d6 46 22 47 03-4a 88 dd 1e 9d 05 81 09 ....F"G.J.......
     0050 - c3 8b 9f 44 29 90 4d 93-c9 f5 41 e2 4d 72 1b de ...D).M...A.Mr..
     0060 - 8d c2 15 ab 49 ad da 26-0e 72 a9 01 02 3e 89 33 ....I..&.r...>.3
     0070 - 6e 6c 2f 20 1c 15 06 7a-8d c5 a6 6e ee 46 d2 76 nl/ ...z...n.F.v
     0080 - 63 c1 89 1e 9b 3c a1 10-d0 78 31 9e e6 8e 86 ab c....<...x1.....
     0090 - ff bc 3a 4c ab 3d 33 8f-e9 56 c5 f1 45 46 73 41 ..:L.=3..V..EFsA

     Start Time: 1528361487
     Timeout   : 7200 (sec)
     Verify return code: 19 (self signed certificate in certificate chain)
---
closed


In this case the command seems to have been executed successfully. I 
note that the outbound TLS transactions also seem to be working fine 
from FS (SIP REGISTER and outbound SIP INVITE don't have any problem).

If required I can also provide the FS configuration files (vars.xml, 
sofia.conf.xml, etc.).

Any help will be greatly appreciated.

Thanks in advance

Best regards


fabio

-------------- next part --------------
A non-text attachment was scrubbed...
Name: siptls-inbound.pcap
Type: application/vnd.tcpdump.pcap
Size: 1092 bytes
Desc: not available
URL: <http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20180607/87fe4bb9/attachment-0001.pcap>
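As an added example (not code from the post above, nor from FreeSWITCH or sofia-sip), here is a small Python triage helper for exactly the two kinds of evidence the post quotes: `openssl s_client` output and sofia-sip `tport` log lines. `parse_s_client()` reduces one probe to the facts that matter (did TCP connect, was a cipher negotiated, which alert came back, how big the server key is, what the verify code was) and attaches the checks a reviewer would run first; `find_tls_failures()` pairs each `TLS setup failed` line with the peer address from the preceding `tport_tls_accept` line, which is what you want when grepping a busy console. The sample strings are constructed from the lines quoted in the post, with wrapped lines rejoined; the finding thresholds (2048-bit minimum) and the wording of the findings are my own.

```python
import re

# Constructed sample: the failing inbound probe against the FS listener (from the post).
S_CLIENT_FAILED = """\
CONNECTED(00000003)
3074304200:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
3074304200:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

# Constructed sample: the working outbound probe against the registrar (from the post).
S_CLIENT_OK = """\
CONNECTED(00000003)
depth=1 CN = Your_NAME, ST = Your_STATE, C = CO
verify error:num=19:self signed certificate in certificate chain
---
SSL handshake has read 1979 bytes and written 337 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 512 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Verify return code: 19 (self signed certificate in certificate chain)
"""

# Constructed sample: sofia-sip tport lines for both failed accepts (from the post).
SOFIA_LOG = """\
tport_type_tls.c:610 tport_tls_accept() tport_tls_accept(0x1398c0): new connection from tls/10.3.10.110:38632/sips
tport_tls.c:919 tls_connect() tls_connect(0x1398c0): events NEGOTIATING
tport_tls.c:1008 tls_connect() tls_connect(0x1398c0): TLS setup failed (error:00000001:lib(0):func(0):reason(1))
tport.c:2090 tport_close() tport_close(0x1398c0): tls/10.3.10.110:38632/sips
tport_type_tls.c:610 tport_tls_accept() tport_tls_accept(0x248210): new connection from tls/10.11.4.103:33168/sips
tport_tls.c:1008 tls_connect() tls_connect(0x248210): TLS setup failed (error:00000001:lib(0):func(0):reason(1))
"""

def _search(pattern, text, conv=str):
    """First capture group of `pattern` in `text`, converted, or None."""
    m = re.search(pattern, text, re.M)
    return conv(m.group(1)) if m else None

def parse_s_client(output):
    """Summarise one `openssl s_client` run and attach review findings."""
    cipher = _search(r"^New, .*?Cipher is (\S+)", output)
    if cipher == "(NONE)":          # s_client prints (NONE) when nothing was negotiated
        cipher = None
    info = {
        "connected": "CONNECTED(" in output,              # TCP layer reached the port
        "protocol": _search(r"^\s*Protocol\s*:\s*(\S+)", output),  # version offered, not proof of success
        "cipher": cipher,
        "bytes_read": _search(r"handshake has read (\d+) bytes", output, int),
        "bytes_written": _search(r"and written (\d+) bytes", output, int),
        "key_bits": _search(r"Server public key is (\d+) bit", output, int),
        "verify_code": _search(r"Verify return code: (\d+)", output, int),
        "alert": _search(r"SSL alert number (\d+)", output, int),
        "alert_desc": _search(r"alert ([^:]+):", output),
    }
    # A handshake only counts as complete when a cipher was agreed and no alert came back.
    info["handshake_ok"] = cipher is not None and info["alert"] is None
    findings = []
    if info["connected"] and not info["handshake_ok"]:
        findings.append("TCP connected but no cipher was negotiated: the TLS layer, not the network, rejected the session")
    if info["alert"] == 40:
        findings.append("peer sent fatal handshake_failure (40): verify the server loaded its key/cert and that the cipher lists overlap")
    if info["key_bits"] is not None and info["key_bits"] < 2048:
        findings.append(f"server key is only {info['key_bits']} bits; below 2048 is under current minimums and 512-bit keys are refused by OpenSSL 1.1.0+ at the default security level")
    if info["verify_code"] == 19:
        findings.append("chain is self-signed; pass the issuing CA with -CAfile to verify it instead of ignoring the error")
    info["findings"] = findings
    return info

ACCEPT_RE = re.compile(r"tport_tls_accept\((0x[0-9a-f]+)\): new connection from (\S+)")
FAIL_RE = re.compile(r"tls_connect\((0x[0-9a-f]+)\): TLS setup failed \((.+)\)$")

def find_tls_failures(log):
    """Return one record per 'TLS setup failed' line, joined to its peer via the tport id."""
    peers, failures = {}, []
    for line in log.splitlines():
        line = line.rstrip()
        m = ACCEPT_RE.search(line)
        if m:
            peers[m.group(1)] = m.group(2)   # remember which peer this secondary tport belongs to
            continue
        m = FAIL_RE.search(line)
        if m:
            failures.append({"tport": m.group(1), "peer": peers.get(m.group(1)), "error": m.group(2)})
    return failures

if __name__ == "__main__":
    for label, sample in (("inbound (FS as server)", S_CLIENT_FAILED), ("outbound (registrar as server)", S_CLIENT_OK)):
        r = parse_s_client(sample)
        print(f"{label}: handshake_ok={r['handshake_ok']} cipher={r['cipher']} alert={r['alert']}")
        for f in r["findings"]:
            print("  -", f)
    for f in find_tls_failures(SOFIA_LOG):
        print(f"TLS accept failed for {f['peer']} ({f['tport']}): {f['error']}")
```

Note that the failing probe still prints `Protocol : TLSv1.2`; that is the version s_client offered, not one the server accepted, which is why the parser keys on the cipher line and the alert number rather than on the protocol line.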