[OpenSIPS-Users] TLS discrepancy between 1.7.1 and 1.11.5

Matt Hamilton mistral9999 at hotmail.com
Sun Sep 6 00:04:16 CEST 2015


Hi Bogdan,


We have been using force_send_socket before calling t_relay to manually set the outbound interface (out of a couple of interfaces), so it was done for all the messages (not only for initial INVITE). Not sure if this was the right way to do it, but it has worked in 1.7.1. When we decided to use TLS recently, we also decided to to upgrade to 1.11. In our script, force_send_socket is called without explicitly specifying the port and proto. When those are not specified, in 1.7.1,  messages marked with tls are sent encrypted, whereas in 1.11 they are sent unencrypted (which the phones didn't like).


Anyway, passing the port and proto to force_send_socket took care of it. The more interesting thing we noticed is that the system also worked when we remove the force_send_sockets from the script completely. We will do more tests, and try to remember why the force_send_sockets were put in the script in the first place.


Matt


________________________________
From: Bogdan-Andrei Iancu <bogdan at opensips.org>
Sent: Friday, September 4, 2015 11:56 AM
To: users at lists.opensips.org; mistral9999 at hotmail.com
Subject: Re: [OpenSIPS-Users] TLS discrepancy between 1.7.1 and 1.11.5

Hi Matt,

You mean the force_send_socket() you do for the initial INVITE ? or ?

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 03.09.2015 17:19, Matt Hamilton wrote:


Hi Bogdan,

This issue is seems to be related to force_send_socket which behaves differently in 1.11 vs 1.7.  To make it work, I had to explicitly specify the port and and the proto (for force_send_socket) based on "transport=tls" statement and the direction of the traffic.

Matt


________________________________
From: Bogdan-Andrei Iancu <bogdan at opensips.org><mailto:bogdan at opensips.org>
Sent: Monday, August 31, 2015 4:19 PM
To: OpenSIPS users mailling list; Matt Hamilton
Subject: Re: [OpenSIPS-Users] TLS discrepancy between 1.7.1 and 1.11.5

Hi Matt,

Indeed, the SIP messages do look ok.

Could you post the OpenSIPS logs (in debug 4) for processing the NOTIFY request ?

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 31.08.2015 20:07, Matt Hamilton wrote:

Hi Bogdan,


Pastebin link is http://pastebin.com/tM7zqTKX


I included both 1.7.1 and 1.11 captures. I don't see a difference between them other than 1.11 sending the NOTIFY to UAC unencrypted.

Btw, INVITEs seems to be behaving the same way as NOTIFY (don't have a capture for those - I assume the issue is the same).


Btw, TLS works fine between Opensips 1.11 and the phone (OK messages, etc. are encrypted).


Thanks,

Matt


[http://pastebin.com/i/fb2.jpg]<http://pastebin.com/tM7zqTKX>

Opensips TLS - Pastebin.com
Read more...<http://pastebin.com/tM7zqTKX>


________________________________
From: Bogdan-Andrei Iancu <bogdan at opensips.org><mailto:bogdan at opensips.org>
Sent: Monday, August 31, 2015 5:21 AM
To: OpenSIPS users mailling list; mistral9999 at hotmail.com<mailto:mistral9999 at hotmail.com>
Subject: Re: [OpenSIPS-Users] TLS discrepancy between 1.7.1 and 1.11.5

Hi Matt,

Can you post of pastebin (or similar) the SIP capture showing the incoming NOTIFY (via UDP) from Asterisk and the outgoing NOTIFY (supposedly via TLS) to UAC ?
Also the SUBSCRIBE request going from OpenSIPS to Asterisk will help alot.

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 30.08.2015 18:22, Matt Hamilton wrote:


We use Opensips (with TLS) as a dispatcher to multiple Asterisk servers.  Currently we are in the process of upgrading from 1.7.1 to 1.11.5, and we ran into a discrepancy between 1.7.1 and 1.11.5 regarding SIP NOTIFY messages.


Here is the flow (both ways):

UAC    (TLS) ->     Opensips   (UDP)->     Asterisk
Asterisk     (UDP) ->     Opensips       (TLS)->    UAC


In 1.7.1,  all messages between Opensips and UAC were encrypted - didn't matter if it was originated at UAC or Asterisk.

In 1.11.5, the SIP NOTIFY messages coming from Asterisk are sent to UAC unencrypted (and not accepted by UAC). Here is the request that Opensips receives and sends to the UAC in plaintext:

Request-Line: NOTIFY sip:101 at 1.2.3.4:5075;transport=tls;nat=yes<mailto:sip:101 at 1.2.3.4:5075;transport=tls;nat=yes> SIP/2.0

Anything we can do to have that leg encrypted as well?

Thanks,
Matt




_______________________________________________
Users mailing list
Users at lists.opensips.org<mailto:Users at lists.opensips.org>
http://lists.opensips.org/cgi-bin/mailman/listinfo/users





_______________________________________________
Users mailing list
Users at lists.opensips.org<mailto:Users at lists.opensips.org>
http://lists.opensips.org/cgi-bin/mailman/listinfo/users





_______________________________________________
Users mailing list
Users at lists.opensips.org<mailto:Users at lists.opensips.org>
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20150905/bfa0aa4c/attachment.htm>


More information about the Users mailing list