[OpenSIPS-Users] SIP CLient <- TLS --> OpenSIPS <- UDP -> SIP Server
Bogdan-Andrei Iancu
bogdan at voice-system.ro
Fri Jun 19 23:52:10 CEST 2009
Hi Anil,
It might be possible...To be on the safe side, I will increase the value
also in the SVN tree.
Thank for the debugging and I really appreciate your help on
troubleshooting this.
Best regards,
Bogdan
Anil M Pannikode wrote:
> Looks like this is a bug / timing issue in OpenSIPS.
>
> In "tls_server.c" , function 'tls_blocking_write'
>
> If I change the
>
> #define MAX_SSL_RETRIES 32
>
> to
>
> #define MAX_SSL_RETRIES 320
>
> The connection succeeds and it works. I added a few log lines and it looks
> like
>
> n = poll(&pf, 1, timeout);
>
> is returning straight away without actually waiting for timeout (revents set
> to 4) and the retries count exceeds 32 and the call fails.
>
> It is almost like it did not have enough time to receive the response.
>
> I am running OpenSIPS on a VM.
>
> I don't think this is the correct way to fix this issue. I will leave it to
> experts to handle.
>
> Regards
>
> Anil
>
>
>
> -----Original Message-----
> From: Anil M Pannikode (hotmail) [mailto:anilpannikode at hotmail.com]
> Sent: Friday, June 19, 2009 5:59 AM
> To: 'Bogdan-Andrei Iancu'
> Cc: 'users at lists.opensips.org'
> Subject: RE: [OpenSIPS-Users] SIP CLient <- TLS --> OpenSIPS <- UDP -> SIP
> Server
>
> We are still not able to get TLS working. The OpsnSIPS logs shows the
> following
>
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:parse_to:
> display={"Anonymous"}, ruri={sip:Anonymous at sip1.mydomain.com}
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: Method : INVITE
> from 10.10.20.246 fd sip1.mydomain.com
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:maxfwd:is_maxfwd_present: value = 70
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:tm:t_newtran:
> transaction on entrance=0xffffffff
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:parse_headers: flags=ffffffffffffffff
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:parse_to_param: tag=772432463135364100001E34
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:parse_to:
> end of header reached, state=29
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:parse_to:
> display={}, ruri={sip:9999999999 at IPGateway.mydomain.com;user=phone}
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:get_hdr_field: <To> [86];
> uri=[sip:9999999999 at IPGateway.mydomain.com;user=phone]
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:get_hdr_field: to body
> [<sip:9999999999 at IPGateway.mydomain.com;user=phone>]
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:get_hdr_field: cseq <CSeq>: <2> <INVITE>
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:get_hdr_field: content_length=401
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:get_hdr_field: found end of header
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:parse_headers: flags=78
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:tm:t_lookup_request: start searching: hash=39696, isACK=0
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:tm:matching_3261: RFC3261 transaction matching failed
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:tm:t_lookup_request: no transaction found
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:tm:run_reqin_callbacks: trans=0xb40250e8, callback type 1, id 0 entered
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:parse_headers: flags=ffffffffffffffff
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:check_via_address: params 10.10.20.246, 10.10.20.246, 0
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:_shm_resize: resize(0) called
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:tm:_reply_light: reply sent out. buf=0x82a30c0: SIP/2.0 1...,
> shmem=0xb40141c8: SIP/2.0 1
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:tm:_reply_light: finished
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:mk_proxy:
> doing DNS lookup...
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:parse_headers: flags=2000
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:tcp_send:
> no open tcp connection found, opening new one
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:print_ip:
> tcpconn_new: new tcp connection to: 10.10.20.206
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:tcpconn_new: on port 5061, type 3
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:tls_tcpconn_init: entered: Creating a whole new ssl connection
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:tls_tcpconn_init: TLS client domain AVP found = 'sip1.mydomain.com'
>
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:tls_find_client_domain_name: virtual TLS client domain found
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:tls_tcpconn_init: found name based TLS client domain
> 'sip1.mydomain.com'
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:tls_tcpconn_init: Setting in CONNECT mode (client)
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:tcp_send:
> sending...
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:tls_update_fd: New fd is 8
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> ERROR:core:tls_blocking_write: too many retries with no operation
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:tcp_send:
> after write: c= 0xb40284d8 n=-1 fd=8
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2114]:
> DBG:core:handle_ser_child: read response= b40284d8, 2, fd 25 from 1 (2103)
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2114]:
> DBG:core:tcpconn_add: hashes: 463, 36
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2114]:
> DBG:core:io_watch_add: io_watch_add(0x826a9c0, 25, 2, 0xb40284d8), fd_no=17
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:tcp_send:
> buf= INVITE sip:9999999999 at 10.10.20.206:5061;transport=tls SIP/2.0^M Via:
> SIP/2.0/TLS 10.10.10.193:5061;branch=z9hG4bK01b9.1a760103.0^M Via:
> SIP/2.0/UDP
> 10.10.20.246:5060;received=10.10.20.246;rport=5060;branch=z9hG4bK3270876536-
> 394448^M Route:
> <sip:10.10.10.193;r2=on;lr=on>,<sip:10.10.10.193:5061;transport=tls;r2=on;lr
> =on>^M Max-Forwards: 69^M Allow:
> SUBSCRIBE,NOTIFY,REFER,INVITE,ACK,OPTIONS,CANCEL,BYE^M Supported:
> timer,replaces,TIMER^M From: "Anonymous"
> <sip:Anonymous at sip1.mydomain.com>;tag=Test_3270532536-328912^M To:
> <sip:9999999999 at IPGateway.mydomain.com;user=phone>;tag=772432463135364100001
> E34^M Call-ID: 01B2270F8E81400000000029 at IPGateway.mydomain.com^M CSeq: 2
> INVITE^M Min-SE: 10^M Contact: <sip:Test at 10.10.20.246:5060>^M Content-Type:
> application/sdp^M Content-Length: 401^M ^M v=0^M o=Test 256 3 IN IP4
> 10.10.20.246^M s=SipSession with Test^M i=Test^M u=http://www.Test.com^M
> c=IN IP4 10.10.20.246^M t=0 0^M
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> ERROR:core:tcp_send: failed to send
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: ERROR:tm:msg_send:
> tcp_send failed
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> ERROR:tm:t_forward_nonack: sending request failed
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:tm:t_relay_to:
> t_forward_nonack returned error
> Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
> DBG:core:parse_headers: flags=ffffffffffffffff
>
> Based on the wireshark traces.
>
> - OpenSIPS sends a 'Client Helo' to Gateway
> - Before it receives the 'Server Helo' back , it is sending '477 Send
> failed' back to Media gateway.
> - Gateway sends 'Server Helo' back to OpenSIPS.
>
> In the config I have set the following values
>
> tls_handshake_timeout=60
> tls_send_timeout=60
>
> However it looks like the OpenSIPS is returning failure way too early (in
> less than 1 second)
>
> And there are no firewalls between these two servers.
>
> Any help will be appreciated.
>
> Regards
>
> Anil
>
>
>
>
> -----Original Message-----
> From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro]
> Sent: Wednesday, June 10, 2009 2:12 PM
> To: Anil M Pannikode (hotmail)
> Cc: users at lists.opensips.org
> Subject: Re: [OpenSIPS-Users] SIP CLient <- TLS --> OpenSIPS <- UDP -> SIP
> Server
>
> Hi Anil,
>
> The error you get means opensips is unable to send the message out -
> typically this means so OS / network related issue. Like the connection
> could not be established because firewall, nat, etc...
>
> Is the client where opensips tries to connect to behind a nat?
>
> Regards,
> Bogdan
>
> Anil M Pannikode (hotmail) wrote:
>
>> Here are the log files from opensips server.
>>
>> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]:
>> DBG:core:tcp_send: no open tcp connection found, opening new one
>>
>> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]:
>> DBG:core:print_ip: tcpconn_new: new tcp connection to: 10.10.20.206
>>
>> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]:
>> DBG:core:tcpconn_new: on port 5061, type 3
>>
>> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]:
>> DBG:core:tls_tcpconn_init: entered: Creating a whole new ssl connection
>>
>> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]:
>> DBG:core:tls_tcpconn_init: name based TLS client domains are disabled
>>
>> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]:
>> DBG:core:tls_tcpconn_init: no TLS client doman AVP set, looking for
>> socket based TLS client domain
>>
>> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]:
>> DBG:core:tls_find_client_domain: virtual TLS client domain not found,
>> Using default TLS client domain settings
>>
>> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]:
>> DBG:core:tls_tcpconn_init: found socket based TLS client domain
>> [0.0.0.0:0]
>>
>> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]:
>> DBG:core:tls_tcpconn_init: Setting in CONNECT mode (client)
>>
>> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7172]:
>> DBG:core:handle_ser_child: read response= b3f5b400, 2, fd 25 from 2
>> (7162)
>>
>> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7172]:
>> DBG:core:tcpconn_add: hashes: 463, 2
>>
>> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7172]:
>> DBG:core:io_watch_add: io_watch_add(0x826a9c0, 25, 2, 0xb3f5b400),
>> fd_no=17
>>
>> *Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]:
>> DBG:core:tcp_send: sending... *
>>
>> *Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]:
>> DBG:core:tls_update_fd: New fd is 9 *
>>
>> *Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]:
>> ERROR:core:tls_blocking_write: too many retries with no operation *
>>
>> *Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]:
>> DBG:core:tcp_send: after write: c= 0xb3f5b400 n=-1 fd=9 *
>>
>> * *
>>
>> * *
>>
>> Wireshark shows "SSL Client helo" to server and "SSL Server helo" back
>> from server.
>>
>> Is there a way to get more detailed error on the SSL Issues ?
>>
>> Anil
>>
>> *From:* users-bounces at lists.opensips.org
>> [mailto:users-bounces at lists.opensips.org] *On Behalf Of *Anil M
>> Pannikode (hotmail)
>> *Sent:* Wednesday, June 03, 2009 10:01 AM
>> *To:* users at lists.opensips.org
>> *Subject:* [OpenSIPS-Users] SIP CLient <- TLS --> OpenSIPS <- UDP ->
>> SIP Server
>>
>> I am having the same issue as the following email which I found in the
>> archive, Do we know if there is solution to this issue ? I tried the
>> suggested solution , however still not working.
>>
>> Anil
>>
>> *Bogdan-Andrei Iancu* bogdan at voice-system.ro
>>
>>
> <mailto:users%40lists.opensips.org?Subject=%5BOpenSIPS-Users%5D%20Problem%20
> in%20sending%20outbound%20SIP%20messages%20via%0A%20TLS&In-Reply-To=c443f41b
> 0808200558x3bb41aaft33d6c6a45aa7d9b%40mail.gmail.com>
>
>> /Sun Aug 31 01:10:56 CEST 2008/
>>
>> * Previous message: [OpenSIPS-Users] Problem in sending outbound
>> SIP messages via TLS
>> <http://www.openser.org/pipermail/users/2008-August/000193.html>
>> * Next message: [OpenSIPS-Users] Simple question: Asterisk with
>> Zoiper (no sound).
>> <http://www.openser.org/pipermail/users/2008-August/000194.html>
>> * *Messages sorted by:* [ date ]
>> <http://www.openser.org/pipermail/users/2008-August/date.html#369>
>> [ thread ]
>> <http://www.openser.org/pipermail/users/2008-August/thread.html#369>
>> [ subject ]
>>
>>
> <http://www.openser.org/pipermail/users/2008-August/subject.html#369>
>
>> [ author ]
>> <http://www.openser.org/pipermail/users/2008-August/author.html#369>
>>
>>
>> ------------------------------------------------------------------------
>> Hi,
>>
>> have you tried with:
>>
>> tls_verify_server = 0
>> tls_verify_client = 0
>> tls_require_client_certificate = 0
>>
>> Regards,
>> Bogdan
>>
>> Nachiket Tarate wrote:
>>
>>> / /
>>> / Hi,/
>>> / /
>>> / I am currently trying to make Secure RTP calls between my SIP client /
>>> / and the eyeBeam. When eyeBeam is configured for encrypted calls, it /
>>> / uses Secure RTP for media and TLS for SIP signalling./
>>> / /
>>> / I have configured the OpenSIPs server with TLS support./
>>> / /
>>> / The scenario is as shown below:/
>>> / /
>>> / /
>>> / ---------------- UDP ------------------ TLS
>>>
> -------------/
>
>>> / | My SIP Client | <-----> | OpenSIPs Server | <-----> | eyeBeam 1.5
>>>
> |/
>
>>> / ---------------- ------------------
>>>
> -------------/
>
>>> / Linux Machine Linux Machine Widows XP /
>>> / machine/
>>> / /
>>> / When a call is made from eyeBeam to My SIP client the call gets /
>>> / established properly and the OpenSIPs server acts as a gateway./
>>> / /
>>> / But when a call is made from My SIP client to eyeBeam the OpenSIPs /
>>> / returns the *477 Send failed* response to My SIP client./
>>> / /
>>> / By enabling the debug informaiton on OpenSIPs server, I found that it /
>>> / couldn't do TLS handshake with the eyeBeam and so couldn't send the /
>>> / SIP Request from My SIP client to the eyeBeam./
>>> / /
>>> / In brief the OpenSIPs server can accept the inbound messages via TLS /
>>> / but *it can't send outbound messages via TLS*./
>>> / /
>>> / Can anybody help me to resolve this problem? Please see my /
>>> / opensips.cfg file and OpenSIPs server logs attached with this mail./
>>> / /
>>> / Thanks,/
>>> / NT/
>>> / /
>>> / /
>>> /
>>>
> ------------------------------------------------------------------------/
>
>>> / /
>>> / _______________________________________________/
>>> / Users mailing list/
>>> / Users at lists.opensips.org
>>>
> <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>/
>
>>> / http://lists.opensips.org/cgi-bin/mailman/listinfo/users/
>>>
>>
>>
>> ------------------------------------------------------------------------
>>
>> * Previous message: [OpenSIPS-Users] Problem in sending outbound
>> SIP messages via TLS
>> <http://www.openser.org/pipermail/users/2008-August/000193.html>
>> * Next message: [OpenSIPS-Users] Simple question: Asterisk with
>> Zoiper (no sound).
>> <http://www.openser.org/pipermail/users/2008-August/000194.html>
>> * *Messages sorted by:* [ date ]
>> <http://www.openser.org/pipermail/users/2008-August/date.html#369>
>> [ thread ]
>> <http://www.openser.org/pipermail/users/2008-August/thread.html#369>
>> [ subject ]
>>
>>
> <http://www.openser.org/pipermail/users/2008-August/subject.html#369>
>
>> [ author ]
>> <http://www.openser.org/pipermail/users/2008-August/author.html#369>
>>
>>
>> ------------------------------------------------------------------------
>>
>> More information about the Users mailing list
>> <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opensips.org
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>
>
>
>
>
More information about the Users
mailing list