[OpenSIPS-Users] TLS discrepancy between 1.7.1 and 1.11.5
Bogdan-Andrei Iancu
bogdan at opensips.org
Mon Sep 7 12:06:26 CEST 2015
Hi Matt,
When doing SIP routing, all the decisions (where and how to route) must
be done only for the initial requests, for the requests creating a SIP
session/dialog.
The sequential requests (inside an existing dialog) are automatically
routed based on the Route headers, so, from script level, you should not
do anything more than "loose_route() + t_relay()".
This approach is valid for all the OpenSIPS versions.
See the webinar "Routing in SIP" :
http://www.opensips.org/Documentation/Webinars#toc12
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com
On 06.09.2015 05:14, Matt Hamilton wrote:
>
> Hi Bogdan,
>
>
> We have been using force_send_socket before calling t_relay to
> manually set the outbound interface (out of a couple of interfaces),
> so it was done for all the messages (not only for initial INVITE). Not
> sure if this was the right way to do it, but it has worked in 1.7.1.
> When we decided to use TLS recently, we also decided to upgrade to
> 1.11. In our script, force_send_socket is called without explicitly
> specifying the port and proto. When those are not specified, in
> 1.7.1, messages marked with tls are sent encrypted, whereas in 1.11
> they are sent unencrypted (which the phones didn't like).
>
>
> Anyway, passing the port and proto to force_send_socket took care of
> it. The more interesting thing we noticed is that the system also
> worked when we remove the force_send_sockets from the script
> completely. We will do more tests, and try to remember why the
> force_send_sockets were put in the script in the first place.
>
>
> Matt
>
>
>
> ------------------------------------------------------------------------
> *From:* Bogdan-Andrei Iancu <bogdan at opensips.org>
> *Sent:* Friday, September 4, 2015 11:56 AM
> *To:* users at lists.opensips.org; mistral9999 at hotmail.com
> *Subject:* Re: [OpenSIPS-Users] TLS discrepancy between 1.7.1 and 1.11.5
> Hi Matt,
>
> You mean the force_send_socket() you do for the initial INVITE ? or ?
>
> Regards,
> Bogdan-Andrei Iancu
> OpenSIPS Founder and Developer
> http://www.opensips-solutions.com
> On 03.09.2015 17:19, Matt Hamilton wrote:
>>
>>
>> Hi Bogdan,
>>
>> This issue seems to be related to force_send_socket which behaves
>> differently in 1.11 vs 1.7. To make it work, I had to explicitly
>> specify the port and the proto (for force_send_socket) based on
>> "transport=tls" statement and the direction of the traffic.
>>
>> Matt
>>
>>
>> ------------------------------------------------------------------------
>> *From:* Bogdan-Andrei Iancu <bogdan at opensips.org>
>> *Sent:* Monday, August 31, 2015 4:19 PM
>> *To:* OpenSIPS users mailling list; Matt Hamilton
>> *Subject:* Re: [OpenSIPS-Users] TLS discrepancy between 1.7.1 and 1.11.5
>> Hi Matt,
>>
>> Indeed, the SIP messages do look ok.
>>
>> Could you post the OpenSIPS logs (in debug 4) for processing the
>> NOTIFY request ?
>>
>> Regards,
>> Bogdan-Andrei Iancu
>> OpenSIPS Founder and Developer
>> http://www.opensips-solutions.com
>> On 31.08.2015 20:07, Matt Hamilton wrote:
>>>
>>> Hi Bogdan,
>>>
>>>
>>> Pastebin link is http://pastebin.com/tM7zqTKX
>>>
>>>
>>> I included both 1.7.1 and 1.11 captures. I don't see a difference
>>> between them other than 1.11 sending the NOTIFY to UAC unencrypted.
>>>
>>> Btw, INVITEs seem to be behaving the same way as NOTIFY (don't have
>>> a capture for those - I assume the issue is the same).
>>>
>>>
>>> Btw, TLS works fine between Opensips 1.11 and the phone (OK
>>> messages, etc. are encrypted).
>>>
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>> *From:* Bogdan-Andrei Iancu <bogdan at opensips.org>
>>> *Sent:* Monday, August 31, 2015 5:21 AM
>>> *To:* OpenSIPS users mailling list; mistral9999 at hotmail.com
>>> *Subject:* Re: [OpenSIPS-Users] TLS discrepancy between 1.7.1 and
>>> 1.11.5
>>> Hi Matt,
>>>
>>> Can you post on pastebin (or similar) the SIP capture showing the
>>> incoming NOTIFY (via UDP) from Asterisk and the outgoing NOTIFY
>>> (supposedly via TLS) to UAC ?
>>> Also the SUBSCRIBE request going from OpenSIPS to Asterisk will help
>>> a lot.
>>>
>>> Regards,
>>> Bogdan-Andrei Iancu
>>> OpenSIPS Founder and Developer
>>> http://www.opensips-solutions.com
>>> On 30.08.2015 18:22, Matt Hamilton wrote:
>>>>
>>>>
>>>>
>>>> We use Opensips (with TLS) as a dispatcher to multiple Asterisk
>>>> servers. Currently we are in the process of upgrading from 1.7.1
>>>> to 1.11.5, and we ran into a discrepancy between 1.7.1 and 1.11.5
>>>> regarding SIP NOTIFY messages.
>>>>
>>>>
>>>> Here is the flow (both ways):
>>>>
>>>> UAC (TLS) -> Opensips (UDP)-> Asterisk
>>>> Asterisk (UDP) -> Opensips (TLS)-> UAC
>>>>
>>>>
>>>> In 1.7.1, all messages between Opensips and UAC were encrypted -
>>>> didn't matter if it was originated at UAC or Asterisk.
>>>>
>>>> In 1.11.5, the SIP NOTIFY messages coming from Asterisk are sent to
>>>> UAC unencrypted (and not accepted by UAC). Here is the request that
>>>> Opensips receives and sends to the UAC in plaintext:
>>>>
>>>> Request-Line: NOTIFY sip:101 at 1.2.3.4:5075;transport=tls;nat=yes SIP/2.0
>>>>
>>>> Anything we can do to have that leg encrypted as well?
>>>>
>>>> Thanks,
>>>> Matt
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opensips.org
>>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
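
The routing pattern discussed in this thread, as an added example that is not part of the original messages or of either poster's configuration: sequential requests use only loose_route() + t_relay(), and force_send_socket() on initial requests names the proto and port explicitly. The addresses and ports are constructed placeholders, and the fragment assumes the tm and rr modules, the module providing has_totag() in your version, and the TLS certificate settings are configured elsewhere.

```opensips
# Added illustration: a routing-script fragment, not a complete opensips.cfg.
# Constructed placeholder sockets (not taken from the thread):
listen = udp:10.0.0.1:5060        # leg towards Asterisk
listen = tls:203.0.113.10:5061    # leg towards the phones (UAC)

route {
    if (has_totag()) {
        # Sequential request inside an existing dialog: follow the Route
        # headers recorded at dialog setup and make no new routing decision.
        if (loose_route()) {
            t_relay();
        }
        exit;
    }

    # Initial request: the only place where routing decisions are made.
    # Record-Route keeps this proxy on the path of later in-dialog requests.
    record_route();

    if ($ru =~ "transport=tls") {
        # Towards the phone: give proto and port, so the TLS listener is
        # selected rather than a plaintext socket on the same address.
        force_send_socket(tls:203.0.113.10:5061);
    } else {
        # Towards Asterisk: plain UDP on the internal interface.
        force_send_socket(udp:10.0.0.1:5060);
    }

    t_relay();
}
```

After a change like this, a capture on the phone-facing interface should show no SIP in cleartext for any request whose Request-URI carries transport=tls.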