From voransoy at gmail.com Sun Jun 1 21:05:56 2025 From: voransoy at gmail.com (Volkan Oransoy) Date: Sun, 1 Jun 2025 22:05:56 +0100 Subject: [OpenSIPS-Users] ACK request uri issue In-Reply-To: <34831A66-D744-4313-88E5-B5194E3813C8@ag-projects.com> References: <15E989C1-F11C-45A3-8C03-78225D250C91@ag-projects.com> <34831A66-D744-4313-88E5-B5194E3813C8@ag-projects.com> Message-ID: Hi Adrian It worked just as you described. Thanks a lot. On Sat, 31 May 2025 at 15:54, Adrian Georgescu wrote: > You can use store_dlg_value() to save the values of parsed headers like > Contact header $ct.fields(uri) and retrieve them later from $dlg_val > variable > > If you have configured a stateful proxy and have the dialog module loaded > the dialogs should be matched automatically. > > > > On May 31, 2025, at 11:58, Volkan Oransoy wrote: > > > > Hi Adrian > > > > Thank you for your reply. I've had a look at the documentation. Can > match_dialog function handle this case? > > > > Thanks > > > > On Sat, 31 May 2025 at 10:20, Adrian Georgescu > wrote: > > You can save using the dialog module, the Contact uri from the 200 OK, > then when the ACK comes in, you replace the $ru with the previously saved > value. > > > > > On May 31, 2025, at 10:07, Volkan Oransoy wrote: > > > > > > Hi all > > > > > > I am trying to integrate a 3rd party UAC with my Opensips box and have > an issue. > > > The UAC sends an INVITE with an initial request uri and my box replies > with 200 OK. > > > But the subsequent ACK sent by the UAC comes with the same request uri > with the INVITE. My box expects the ACK request uri to be the Contact field > of the 200 OK. So the ACK routing fails. > > > How can I rectify this on my end? > > > > > > Best > > > > > > -- > > > Volkan Oransoy > > > _______________________________________________ > > > Users mailing list > > > Users at lists.opensips.org > > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > > > > _______________________________________________ > > Users mailing list > > Users at lists.opensips.org > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > > > > -- > > Volkan Oransoy > > _______________________________________________ > > Users mailing list > > Users at lists.opensips.org > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > -- Volkan Oransoy -------------- next part -------------- An HTML attachment was scrubbed... URL: From nzdealshelp at gmail.com Tue Jun 3 00:41:41 2025 From: nzdealshelp at gmail.com (nz deals) Date: Tue, 3 Jun 2025 12:41:41 +1200 Subject: [OpenSIPS-Users] Issue with proxy failover and uac_auth() In-Reply-To: References:

Message-ID: Is there anyone who has seen this issue? Seems like a bug to me. Thanks. Regards, Jason On Sun, 1 Jun 2025 at 06:06, Ben Newlin wrote: > Oh sorry I missed that in your email. I thought you were trying to avoid > the failover. > > > > Dropping the auth info on the DNS failover I don’t think is expected, > since a DNS failover doesn’t trigger failure_route so you can’t add it back. > > > > I’d recommend opening a bug for this on the Github, but maybe someone else > has ideas. > > > > Ben Newlin > > > > *From: *Users on behalf of nz deals < > nzdealshelp at gmail.com> > *Date: *Friday, May 30, 2025 at 10:49 PM > *To: *OpenSIPS users mailling list > *Subject: *Re: [OpenSIPS-Users] Issue with proxy failover and uac_auth() > > * EXTERNAL EMAIL - Please use caution with links and attachments * > > > ------------------------------ > > Thank you for your response. > > The problem is, opensips sends the INVITE to secondary srv (failed over) > without Authorization. It makes sense that the dns failover is not managed > by opensips but atleast the same INVITE should be failover to the > secondary. Why the Authorization is removed when it goes to the secondary. > > > > Thanks > > > > On Sat, 31 May 2025 at 03:52, Ben Newlin wrote: > > The issue here is not really with the uac_auth module, as that module > isn’t sending the message only updating it with the correct authentication > info. > > > > This is normal and correct behavior. When you send the message the second > time using the same DNS, it will follow the same process as the first, > trying A then timing out and failing over to B. Standard DNS SRV doesn’t > include any behavior to try to avoid non-responding nodes. > > > > Ultimately what you need is to know the actual IP that elicited the 401 so > the next INVITE with the authentication can be sent to the same one, using > $du or $dd(:$dp). Have you tried to get the remote IP in onreply_route and > store it is an AVP using $si [1] or $socket_in [2]? I don’t think I’ve ever > used one of these in a reply route. The documentation doesn’t specify > whether it is valid and they will contain the source of the reply, not the > request. > > > > [1] - https://www.opensips.org/Documentation/Script-CoreVar-3-6#si > > [2] - https://www.opensips.org/Documentation/Script-CoreVar-3-6#socket_in > > > > Ben Newlin > > > > *From: *Users on behalf of nz deals < > nzdealshelp at gmail.com> > *Date: *Thursday, May 29, 2025 at 9:32 AM > *To: *OpenSIPS users mailling list > *Subject: *[OpenSIPS-Users] Issue with proxy failover and uac_auth() > > * EXTERNAL EMAIL - Please use caution with links and attachments * > > > ------------------------------ > > Hi All, > > I'm using OpenSIPS 3.4 and managing carrier trunks via the registrant > table. In the table, I'm using a proxy value like sips:mysip.xx.x > > When the primary carrier A sbc SRV record becomes unreachable, OpenSIPS > correctly times out INVITE and attempts to fail over to the secondary A > record (via SRV). > > The secondary endpoint responds with a 401 Unauthorized and includes a > WWW-Authenticate header. At this point, I assume that opensips should not > try on the primary carrier A SRV record otherwise it will also timeout. but > it is trying to send another INVITE with Authorization to the primary. this > timeout because primary A SRV record is not responding. opensips sends > another INVITE to secondary and this time its without Authorization. > > Is there any way to fix this or work around it? Has anyone faced a similar > problem when using uac_auth() in combination with failover and the same > proxy domain? > > Any advice or suggestions would be greatly appreciated. > > > > > > > > Thank you > > > > Regards, > > Jason > > > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From walter.schober at neotel.at Tue Jun 3 08:50:10 2025 From: walter.schober at neotel.at (Walter Schober) Date: Tue, 3 Jun 2025 08:50:10 +0000 Subject: [OpenSIPS-Users] Siprec subscribe-answer rtpengine flags Message-ID: <1AFD1281-CAED-4D0E-A0AA-51D5125054F2@neotel.eu> Hi! I’ve successfully managed to record a call via SIPREC module using OpenSIPS 3.6.0 and RTPEngine 13.2. But I needed to do a trick to have the subscribe-answer to allow transcoding: I used a template „default“ in the rtpengine.conf to set [templates] default = allow-transcoding asymmetric This is global unfortunately. I searched all the module documentations siprec, dialog, rtp_relay (I understood: rtpengine cannot be done directly in 3.6 with siprec). I looked even into source code. I haven’t found any hint how to add RTPEngine flag „allow-transcoding“ to the „subscribe answer“ command in opensips. Did I miss something or is this not possible? Thanks for help me understanding this! br Walter From bogdan at opensips.org Tue Jun 3 12:39:38 2025 From: bogdan at opensips.org (Bogdan-Andrei Iancu) Date: Tue, 3 Jun 2025 15:39:38 +0300 Subject: [OpenSIPS-Users] Domain module documentation for 3.6 In-Reply-To: References: Message-ID: Hi Ovidiu, Thanks for pointing this up. I updated the docs, but the online html will be re-generated by tomorrow. In terms of migration there is nothing to be mentioned IMHO - the "migrate" DB tool is taking care of that (by adding the new column). Also the presence of the column is backward compatible, you don;t even have to be aware of its existence. If you feel like something useful can be mentioned, please pass me the paragraph and I will copy it into the migration page. Thanks and regards, Bogdan-Andrei Iancu OpenSIPS Founder and Developer https://www.opensips-solutions.com https://www.siphub.com On 23.05.2025 19:32, Ovidiu Sas wrote: > The documentation for accept_subdomain column is missing from the README file. > Also, some notes should be added to the migration web page: > https://www.opensips.org/Documentation/Migration-3-5-0-to-3-6-0 > > -ovidiu > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users From bogdan at opensips.org Tue Jun 3 12:42:55 2025 From: bogdan at opensips.org (Bogdan-Andrei Iancu) Date: Tue, 3 Jun 2025 15:42:55 +0300 Subject: [OpenSIPS-Users] ACK request uri issue In-Reply-To: References: <15E989C1-F11C-45A3-8C03-78225D250C91@ag-projects.com> <34831A66-D744-4313-88E5-B5194E3813C8@ag-projects.com> Message-ID: <67de5026-ec6f-4d7f-9cbe-16c63eeda9fc@opensips.org> Hi Volkan, A simpler approach (with no manual storing) may be achieved via the fix_route_dialog() [1]. You can use this function after a match_dialog() on the ACK. [1] https://opensips.org/html/docs/modules/3.5.x/dialog.html#func_fix_route_dialog Regards, Bogdan-Andrei Iancu OpenSIPS Founder and Developer https://www.opensips-solutions.com https://www.siphub.com On 02.06.2025 00:05, Volkan Oransoy wrote: > Hi Adrian > > It worked just as you described. > > Thanks a lot. > > On Sat, 31 May 2025 at 15:54, Adrian Georgescu wrote: > > You can use store_dlg_value() to save the values of parsed headers > like Contact header $ct.fields(uri) and retrieve them later from > $dlg_val variable > > If you have configured a stateful proxy and have the dialog module > loaded the dialogs should be matched automatically. > > > > On May 31, 2025, at 11:58, Volkan Oransoy > wrote: > > > > Hi Adrian > > > > Thank you for your reply. I've had a look at the documentation. > Can match_dialog function handle this case? > > > > Thanks > > > > On Sat, 31 May 2025 at 10:20, Adrian Georgescu > wrote: > > You can save using the dialog module, the Contact uri from the > 200 OK, then when the ACK comes in, you replace the $ru with the > previously saved value. > > > > > On May 31, 2025, at 10:07, Volkan Oransoy > wrote: > > > > > > Hi all > > > > > > I am trying to integrate a 3rd party UAC with my Opensips box > and have an issue. > > > The UAC sends an INVITE with an initial request uri and my box > replies with 200 OK. > > > But the subsequent ACK sent by the UAC comes with the same > request uri with the INVITE. My box expects the ACK request uri to > be the Contact field of the 200 OK. So the ACK routing fails. > > > How can I rectify this on my end? > > > > > > Best > > > > > > -- > > > Volkan Oransoy > > > _______________________________________________ > > > Users mailing list > > > Users at lists.opensips.org > > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > > > > _______________________________________________ > > Users mailing list > > Users at lists.opensips.org > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > > > > -- > > Volkan Oransoy > > _______________________________________________ > > Users mailing list > > Users at lists.opensips.org > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > > -- > Volkan Oransoy > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users -------------- next part -------------- An HTML attachment was scrubbed... URL: From wadii at evenmedia.fr Tue Jun 3 12:59:05 2025 From: wadii at evenmedia.fr (Wadii ELMAJDI | Evenmedia) Date: Tue, 3 Jun 2025 12:59:05 +0000 Subject: [OpenSIPS-Users] ACK request uri issue In-Reply-To: <67de5026-ec6f-4d7f-9cbe-16c63eeda9fc@opensips.org> References: <15E989C1-F11C-45A3-8C03-78225D250C91@ag-projects.com> <34831A66-D744-4313-88E5-B5194E3813C8@ag-projects.com> <67de5026-ec6f-4d7f-9cbe-16c63eeda9fc@opensips.org> Message-ID: [like] Wadii ELMAJDI | Evenmedia reacted to your message: ________________________________ From: Users on behalf of Bogdan-Andrei Iancu Sent: Tuesday, June 3, 2025 12:42:55 PM To: OpenSIPS users mailling list ; Volkan Oransoy Subject: Re: [OpenSIPS-Users] ACK request uri issue Hi Volkan, A simpler approach (with no manual storing) may be achieved via the fix_route_dialog() [1]. You can use this function after a match_dialog() on the ACK. [1] https://opensips.org/html/docs/modules/3.5.x/dialog.html#func_fix_route_dialog Regards, Bogdan-Andrei Iancu OpenSIPS Founder and Developer https://www.opensips-solutions.com https://www.siphub.com On 02.06.2025 00:05, Volkan Oransoy wrote: Hi Adrian It worked just as you described. Thanks a lot. On Sat, 31 May 2025 at 15:54, Adrian Georgescu > wrote: You can use store_dlg_value() to save the values of parsed headers like Contact header $ct.fields(uri) and retrieve them later from $dlg_val variable If you have configured a stateful proxy and have the dialog module loaded the dialogs should be matched automatically. > On May 31, 2025, at 11:58, Volkan Oransoy > wrote: > > Hi Adrian > > Thank you for your reply. I've had a look at the documentation. Can match_dialog function handle this case? > > Thanks > > On Sat, 31 May 2025 at 10:20, Adrian Georgescu > wrote: > You can save using the dialog module, the Contact uri from the 200 OK, then when the ACK comes in, you replace the $ru with the previously saved value. > > > On May 31, 2025, at 10:07, Volkan Oransoy > wrote: > > > > Hi all > > > > I am trying to integrate a 3rd party UAC with my Opensips box and have an issue. > > The UAC sends an INVITE with an initial request uri and my box replies with 200 OK. > > But the subsequent ACK sent by the UAC comes with the same request uri with the INVITE. My box expects the ACK request uri to be the Contact field of the 200 OK. So the ACK routing fails. > > How can I rectify this on my end? > > > > Best > > > > -- > > Volkan Oransoy > > _______________________________________________ > > Users mailing list > > Users at lists.opensips.org > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > -- > Volkan Oransoy > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users _______________________________________________ Users mailing list Users at lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users -- Volkan Oransoy _______________________________________________ Users mailing list Users at lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users -------------- next part -------------- An HTML attachment was scrubbed... URL: From wadii at evenmedia.fr Tue Jun 3 12:59:10 2025 From: wadii at evenmedia.fr (Wadii ELMAJDI | Evenmedia) Date: Tue, 3 Jun 2025 12:59:10 +0000 Subject: [OpenSIPS-Users] ACK request uri issue In-Reply-To: <67de5026-ec6f-4d7f-9cbe-16c63eeda9fc@opensips.org> References: <15E989C1-F11C-45A3-8C03-78225D250C91@ag-projects.com> <34831A66-D744-4313-88E5-B5194E3813C8@ag-projects.com> <67de5026-ec6f-4d7f-9cbe-16c63eeda9fc@opensips.org> Message-ID: [0] Wadii ELMAJDI | Evenmedia reacted to your message: ________________________________ From: Users on behalf of Bogdan-Andrei Iancu Sent: Tuesday, June 3, 2025 12:42:55 PM To: OpenSIPS users mailling list ; Volkan Oransoy Subject: Re: [OpenSIPS-Users] ACK request uri issue Hi Volkan, A simpler approach (with no manual storing) may be achieved via the fix_route_dialog() [1]. You can use this function after a match_dialog() on the ACK. [1] https://opensips.org/html/docs/modules/3.5.x/dialog.html#func_fix_route_dialog Regards, Bogdan-Andrei Iancu OpenSIPS Founder and Developer https://www.opensips-solutions.com https://www.siphub.com On 02.06.2025 00:05, Volkan Oransoy wrote: Hi Adrian It worked just as you described. Thanks a lot. On Sat, 31 May 2025 at 15:54, Adrian Georgescu > wrote: You can use store_dlg_value() to save the values of parsed headers like Contact header $ct.fields(uri) and retrieve them later from $dlg_val variable If you have configured a stateful proxy and have the dialog module loaded the dialogs should be matched automatically. > On May 31, 2025, at 11:58, Volkan Oransoy > wrote: > > Hi Adrian > > Thank you for your reply. I've had a look at the documentation. Can match_dialog function handle this case? > > Thanks > > On Sat, 31 May 2025 at 10:20, Adrian Georgescu > wrote: > You can save using the dialog module, the Contact uri from the 200 OK, then when the ACK comes in, you replace the $ru with the previously saved value. > > > On May 31, 2025, at 10:07, Volkan Oransoy > wrote: > > > > Hi all > > > > I am trying to integrate a 3rd party UAC with my Opensips box and have an issue. > > The UAC sends an INVITE with an initial request uri and my box replies with 200 OK. > > But the subsequent ACK sent by the UAC comes with the same request uri with the INVITE. My box expects the ACK request uri to be the Contact field of the 200 OK. So the ACK routing fails. > > How can I rectify this on my end? > > > > Best > > > > -- > > Volkan Oransoy > > _______________________________________________ > > Users mailing list > > Users at lists.opensips.org > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > -- > Volkan Oransoy > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users _______________________________________________ Users mailing list Users at lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users -- Volkan Oransoy _______________________________________________ Users mailing list Users at lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users -------------- next part -------------- An HTML attachment was scrubbed... URL: From wadii at evenmedia.fr Tue Jun 3 12:59:10 2025 From: wadii at evenmedia.fr (Wadii ELMAJDI | Evenmedia) Date: Tue, 3 Jun 2025 12:59:10 +0000 Subject: [OpenSIPS-Users] ACK request uri issue In-Reply-To: <67de5026-ec6f-4d7f-9cbe-16c63eeda9fc@opensips.org> References: <15E989C1-F11C-45A3-8C03-78225D250C91@ag-projects.com> <34831A66-D744-4313-88E5-B5194E3813C8@ag-projects.com> <67de5026-ec6f-4d7f-9cbe-16c63eeda9fc@opensips.org> Message-ID: [like] Wadii ELMAJDI | Evenmedia reacted to your message: ________________________________ From: Users on behalf of Bogdan-Andrei Iancu Sent: Tuesday, June 3, 2025 12:42:55 PM To: OpenSIPS users mailling list ; Volkan Oransoy Subject: Re: [OpenSIPS-Users] ACK request uri issue Hi Volkan, A simpler approach (with no manual storing) may be achieved via the fix_route_dialog() [1]. You can use this function after a match_dialog() on the ACK. [1] https://opensips.org/html/docs/modules/3.5.x/dialog.html#func_fix_route_dialog Regards, Bogdan-Andrei Iancu OpenSIPS Founder and Developer https://www.opensips-solutions.com https://www.siphub.com On 02.06.2025 00:05, Volkan Oransoy wrote: Hi Adrian It worked just as you described. Thanks a lot. On Sat, 31 May 2025 at 15:54, Adrian Georgescu > wrote: You can use store_dlg_value() to save the values of parsed headers like Contact header $ct.fields(uri) and retrieve them later from $dlg_val variable If you have configured a stateful proxy and have the dialog module loaded the dialogs should be matched automatically. > On May 31, 2025, at 11:58, Volkan Oransoy > wrote: > > Hi Adrian > > Thank you for your reply. I've had a look at the documentation. Can match_dialog function handle this case? > > Thanks > > On Sat, 31 May 2025 at 10:20, Adrian Georgescu > wrote: > You can save using the dialog module, the Contact uri from the 200 OK, then when the ACK comes in, you replace the $ru with the previously saved value. > > > On May 31, 2025, at 10:07, Volkan Oransoy > wrote: > > > > Hi all > > > > I am trying to integrate a 3rd party UAC with my Opensips box and have an issue. > > The UAC sends an INVITE with an initial request uri and my box replies with 200 OK. > > But the subsequent ACK sent by the UAC comes with the same request uri with the INVITE. My box expects the ACK request uri to be the Contact field of the 200 OK. So the ACK routing fails. > > How can I rectify this on my end? > > > > Best > > > > -- > > Volkan Oransoy > > _______________________________________________ > > Users mailing list > > Users at lists.opensips.org > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > -- > Volkan Oransoy > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users _______________________________________________ Users mailing list Users at lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users -- Volkan Oransoy _______________________________________________ Users mailing list Users at lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users -------------- next part -------------- An HTML attachment was scrubbed... URL: From bogdan at opensips.org Tue Jun 3 14:22:58 2025 From: bogdan at opensips.org (Bogdan-Andrei Iancu) Date: Tue, 3 Jun 2025 17:22:58 +0300 Subject: [OpenSIPS-Users] Potential feature request: OpenSIPS security and concept of tainted variables In-Reply-To: References: <58d13f1c-da96-4b37-a536-dd54202743f0@switchtel.co.za> Message-ID: <97ed186c-5d88-4d3e-bc6a-4d124485e534@opensips.org> Hi all, While the idea is great, let's me come back with the feedback: 1) not all the values you are handling at script level may be "risky" or tainted ... Some may be loaded from DBs or other external services, so "trustful". Only what comes from signaling may be risky. 2) the escaping may not be required in all DB op cases - the injection is typical for raw queries, but for mysql OpenSIPS does statements. Or there are DB backends which are only statement (API) driven, no raw queries, like the dbtext for example. So, depending on the DB backend, the injection may or not be a problem. 3) while the $unsafe_fU was mentioned as alternative, I do not see the difference to using the escape transformation, if really the case. So whatever improvement we do consider, we need to take the above into consideration - there is no need to over complicate things ;) Regards, Bogdan-Andrei Iancu OpenSIPS Founder and Developer https://www.opensips-solutions.com https://www.siphub.com On 29.05.2025 15:28, Sandro Gauci via Users wrote: > Thanks for this feedback! > > So Gary proposed two potential solutions - tainting and automatic > escaping. Thought I'd write a few paragraphs on this approach. > > The concept of tainting is appealing, as it resembles how static code > analyzers track data flow. Under this approach, user-controlled > pseudo-variables would initially be 'tainted.' They would then need to > be 'untainted' - effectively marked as safe - but only after > undergoing proper validation or another protective mechanism. > > Automatically escaping can be problematic and may not fully resolve > vulnerabilities, as its effectiveness is highly dependent on the > 'sink.' The 'sink' refers to the specific format or language of the > dangerous function or data consumer, such as SQL, shell commands, > NoSQL, or JSON. While attractive, such 'magical' security solutions > are bound to fail in specific cases. This inherent unreliability poses > a risk, as OpenSIPS operators would over-rely on them. > > Conversely, the optimal approach for building security-sensitive > content from user input - content that is subsequently passed to > security-sensitive functions - is to employ programmatic techniques > (e.g., parameterized queries for SQL) instead of string concatenation. > This method offers a more robust programming pattern than relying on > tainting or 'magical' solutions. > > Cheers! > > -- > Sandro Gauci, CEO at Enable Security GmbH > > Register of Companies: AG Charlottenburg HRB 173016 B > Company HQ: Neuburger Straße 101 b, 94036 Passau, Germany > RTCSec Newsletter: https://www.enablesecurity.com/subscribe/ > Our blog: https://www.enablesecurity.com/blog/ > Other points of contact: https://www.enablesecurity.com/contact/ > > > On Tue, 27 May 2025, at 12:15 PM, Gregory Massel via Users wrote: >> >> Hi all >> >> After listening to Sandro's presentation at OpenSIPS Summit, and >> further to posts I sent on 30 Nov 2023 and 5 Dec 2023 ("Help dropping >> SQL injection attacks"), it struck me that the OpenSIPS script allows >> for unsafe variable references by default. >> >> While extremely powerful, this makes configuration implementations >> susceptible to oversights that result in potential injection >> vulnerabilities. >> >> The Exim project addressed this with the concept of "tainted" >> variables. In essence, by default, it prevents you to passing >> potentially unsafe variables to dangerous functions without first >> filtering or escapting. This may be worth consideration as a security >> feature in future versions of OpenSIPS. >> >> It may also be worth considering escaping certain variables by >> default and aliasing the originals. E.g. Instead of having to >> explicitly check variables as follows: >> >> if ( $fU != $(fU{s.escape.common}) || $tU != $(tU{s.escape.common}) ) { >> xlog ("Rejecting SQL injection attempt received from $socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct)."); >> send_reply (403,"Forbidden"); >> exit; >> } >> if ( $fU != $(fU{s.escape.user}) || $tU != $(tU{s.escape.user}) ) { >> xlog ("Rejecting request with unusual characters received from $socket_in(proto):$si:$sp (Method: $rm; From: $fu; To: $tu; Contact: $ct)."); >> send_reply (403,"Forbidden"); >> exit; >> } >> >> if ( $(ct.fields(uri){uri.user}) != $(ct.fields(uri){uri.user}{s.escape.common}) ) { >> send_reply (403,"Forbidden"); >> exit; >> } >> There may be something to be said for having variables like $fU, $tU >> escaped by default and adding variables like $unsafe_fU, $unsafe_tU >> contain the original variables. Backwards compatibility could be >> achieved with a core configuration variable to disable this. >> >> Alternatively, as with Exim, if one tries to reference the variables >> within a database function or exec function, regard these variables >> as "tainted" and throw an error if the {s.escape.common} (or similar) >> isn't applied. >> >> Regards >> >> Greg >> >> _______________________________________________ >> Users mailing list >> Users at lists.opensips.org >> http://lists.opensips.org/cgi-bin/mailman/listinfo/users >> > > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users -------------- next part -------------- An HTML attachment was scrubbed... URL: From bogdan at opensips.org Tue Jun 3 14:28:59 2025 From: bogdan at opensips.org (Bogdan-Andrei Iancu) Date: Tue, 3 Jun 2025 17:28:59 +0300 Subject: [OpenSIPS-Users] Understanding aliases core parameter versus domain module In-Reply-To: <4e288c86-463e-482f-83ea-f53c9e352afa@switchtel.co.za> References: <4e288c86-463e-482f-83ea-f53c9e352afa@switchtel.co.za> Message-ID: <3445ab9a-15ae-483c-802a-cbf9be00ddc6@opensips.org> Hi Gregory, in order to keep this simple. The "alias" parameter is the original, old and static way of configuring the SIP domains to be served by OpenSIPS. Later, the domain module took over that job, so you do not need the alias'ing anymore. We still keep it for simple setups where there is not DB support ;) Best regards, Bogdan-Andrei Iancu OpenSIPS Founder and Developer https://www.opensips-solutions.com https://www.siphub.com On 21.05.2025 18:05, Gregory Massel via Users wrote: > Hello all > > I'm trying to understand whether it is necessary to have a core > "alias" parameter for every name by which the OpenSIPS server is known > or if it's adequate to simple list these in the table that the domain > module reads? > > At present I have something similar to: > > socket=udp:1.2.3.4:5060 > > alias=udp:host1.domain.com:5060 > alias=udp:host2.domain2.com:5060 > alias=udp:host3.domain3.com:5060 > > loadmodule "domain.so" > modparam("domain", "db_url", > "mysql://opensips:password at localhost/opensips") > modparam("domain", "db_mode", 1) > > With all three of the domains associated with the aliases (i.e. > excluding protocol and port) also included in the 'domain' table in > the database. > > An "opensips-cli -x mi domain_reload" is an extremely quick and > non-disruptive way to add an additional domain to a live system, > however, adding an alias to opensips.cfg and restarting OpenSIPS is, > by contrast, a relatively slow and disruptive process (at least on > versions < 3.6 where, to the best of my understanding, an > "opensips-cli -x mi reload_routes" won't reload the aliases.) > > When I add a domain to the domains table, all appears to work > correctly, so I'm not seeing any specific reason why I need the > aliases, however, don't want to find out abruptly when something breaks. > > Are there specific circumstances in which, if one only adds the domain > to the domains table, and doesn't add an "alias=" to the core > configuration, it will break? Is it necessary to have an alias for > every domain, or only the primary hostname? > > Thanks > > Greg > > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users From bogdan at opensips.org Tue Jun 3 14:32:18 2025 From: bogdan at opensips.org (Bogdan-Andrei Iancu) Date: Tue, 3 Jun 2025 17:32:18 +0300 Subject: [OpenSIPS-Users] Issue with proxy failover and uac_auth() In-Reply-To: References:

Message-ID: <674e9c9d-8b87-4e61-9b8a-bf83feae2a64@opensips.org> Hi, I hope I managed to get your report here. If so, take a look at the "no-dns-failover" option when doing the t_relay(). So you can instruct OpenSIPS not to do the automatic DNS based failover and give you full control via failure route. Regards, Bogdan-Andrei Iancu OpenSIPS Founder and Developer https://www.opensips-solutions.com https://www.siphub.com On 03.06.2025 03:41, nz deals wrote: > Is there anyone who has seen this issue? Seems like a bug to me. > > Thanks. > > Regards, > Jason > > > On Sun, 1 Jun 2025 at 06:06, Ben Newlin wrote: > > Oh sorry I missed that in your email. I thought you were trying to > avoid the failover. > > Dropping the auth info on the DNS failover I don’t think is > expected, since a DNS failover doesn’t trigger failure_route so > you can’t add it back. > > I’d recommend opening a bug for this on the Github, but maybe > someone else has ideas. > > Ben Newlin > > *From: *Users on behalf of nz > deals > *Date: *Friday, May 30, 2025 at 10:49 PM > *To: *OpenSIPS users mailling list > *Subject: *Re: [OpenSIPS-Users] Issue with proxy failover and > uac_auth() > > * EXTERNAL EMAIL - Please use caution with links and attachments * > > ------------------------------------------------------------------------ > > Thank you for your response. > > The problem is, opensips sends the INVITE to secondary srv (failed > over) without Authorization. It makes sense that the dns failover > is not managed by opensips but atleast the same INVITE should be > failover to the secondary. Why the Authorization is removed when > it goes to the secondary. > > Thanks > > On Sat, 31 May 2025 at 03:52, Ben Newlin > wrote: > > The issue here is not really with the uac_auth module, as that > module isn’t sending the message only updating it with the > correct authentication info. > > This is normal and correct behavior. When you send the message > the second time using the same DNS, it will follow the same > process as the first, trying A then timing out and failing > over to B. Standard DNS SRV doesn’t include any behavior to > try to avoid non-responding nodes. > > Ultimately what you need is to know the actual IP that > elicited the 401 so the next INVITE with the authentication > can be sent to the same one, using $du or $dd(:$dp). Have you > tried to get the remote IP in onreply_route and store it is an > AVP using $si [1] or $socket_in [2]? I don’t think I’ve ever > used one of these in a reply route. The documentation doesn’t > specify whether it is valid and they will contain the source > of the reply, not the request. > > [1] - https://www.opensips.org/Documentation/Script-CoreVar-3-6#si > > [2] - > https://www.opensips.org/Documentation/Script-CoreVar-3-6#socket_in > > Ben Newlin > > *From: *Users on behalf of > nz deals > *Date: *Thursday, May 29, 2025 at 9:32 AM > *To: *OpenSIPS users mailling list > *Subject: *[OpenSIPS-Users] Issue with proxy failover and > uac_auth() > > * EXTERNAL EMAIL - Please use caution with links and attachments * > > ------------------------------------------------------------------------ > > Hi All, > > I'm using OpenSIPS 3.4 and managing carrier trunks via the > registrant table. In the table, I'm using a proxy value like > sips:mysip.xx.x > > When the primary carrier A sbc SRV record becomes unreachable, > OpenSIPS correctly times out INVITE and attempts to fail over > to the secondary A record (via SRV). > > The secondary endpoint responds with a 401 Unauthorized and > includes a WWW-Authenticate header. At this point, I assume > that opensips should not try on the primary carrier A SRV > record otherwise it will also timeout. but it is trying to > send another INVITE with Authorization to the primary. this > timeout because primary A SRV record is not responding. > opensips sends another INVITE to secondary and this time its > without Authorization. > > Is there any way to fix this or work around it? Has anyone > faced a similar problem when using |uac_auth()| in combination > with failover and the same proxy domain? > > Any advice or suggestions would be greatly appreciated. > > Thank you > > Regards, > > Jason > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users -------------- next part -------------- An HTML attachment was scrubbed... URL: From Ben.Newlin at genesys.com Tue Jun 3 15:32:56 2025 From: Ben.Newlin at genesys.com (Ben Newlin) Date: Tue, 3 Jun 2025 15:32:56 +0000 Subject: [OpenSIPS-Users] Issue with proxy failover and uac_auth() In-Reply-To: <674e9c9d-8b87-4e61-9b8a-bf83feae2a64@opensips.org> References:

<674e9c9d-8b87-4e61-9b8a-bf83feae2a64@opensips.org> Message-ID: Bogdan, I’m not sure this completely solves the problem. Removing DNS failover from the TM module would make the script responsible for the failover. Given that they’ve indicated this is an SRV record, this would force them to make some sort of external call to resolve the SRV themselves, as I don’t think the ip.resolve transformation will handle SRV. That is a lot of work to solve the issue when compared to the question of why the Authenticate would be dropped by the TM module on DNS failover to begin with? Is there some use case for that which would make it not a bug? I don’t think the TM module should ever be changing the SIP message on DNS failover. Ben Newlin From: Users on behalf of Bogdan-Andrei Iancu Date: Tuesday, June 3, 2025 at 10:33 AM To: OpenSIPS users mailling list , nz deals Subject: Re: [OpenSIPS-Users] Issue with proxy failover and uac_auth() EXTERNAL EMAIL - Please use caution with links and attachments ________________________________ Hi, I hope I managed to get your report here. If so, take a look at the "no-dns-failover" option when doing the t_relay(). So you can instruct OpenSIPS not to do the automatic DNS based failover and give you full control via failure route. Regards, Bogdan-Andrei Iancu OpenSIPS Founder and Developer https://www.opensips-solutions.com https://www.siphub.com On 03.06.2025 03:41, nz deals wrote: Is there anyone who has seen this issue? Seems like a bug to me. Thanks. Regards, Jason On Sun, 1 Jun 2025 at 06:06, Ben Newlin > wrote: Oh sorry I missed that in your email. I thought you were trying to avoid the failover. Dropping the auth info on the DNS failover I don’t think is expected, since a DNS failover doesn’t trigger failure_route so you can’t add it back. I’d recommend opening a bug for this on the Github, but maybe someone else has ideas. Ben Newlin From: Users > on behalf of nz deals > Date: Friday, May 30, 2025 at 10:49 PM To: OpenSIPS users mailling list > Subject: Re: [OpenSIPS-Users] Issue with proxy failover and uac_auth() EXTERNAL EMAIL - Please use caution with links and attachments ________________________________ Thank you for your response. The problem is, opensips sends the INVITE to secondary srv (failed over) without Authorization. It makes sense that the dns failover is not managed by opensips but atleast the same INVITE should be failover to the secondary. Why the Authorization is removed when it goes to the secondary. Thanks On Sat, 31 May 2025 at 03:52, Ben Newlin > wrote: The issue here is not really with the uac_auth module, as that module isn’t sending the message only updating it with the correct authentication info. This is normal and correct behavior. When you send the message the second time using the same DNS, it will follow the same process as the first, trying A then timing out and failing over to B. Standard DNS SRV doesn’t include any behavior to try to avoid non-responding nodes. Ultimately what you need is to know the actual IP that elicited the 401 so the next INVITE with the authentication can be sent to the same one, using $du or $dd(:$dp). Have you tried to get the remote IP in onreply_route and store it is an AVP using $si [1] or $socket_in [2]? I don’t think I’ve ever used one of these in a reply route. The documentation doesn’t specify whether it is valid and they will contain the source of the reply, not the request. [1] - https://www.opensips.org/Documentation/Script-CoreVar-3-6#si [2] - https://www.opensips.org/Documentation/Script-CoreVar-3-6#socket_in Ben Newlin From: Users > on behalf of nz deals > Date: Thursday, May 29, 2025 at 9:32 AM To: OpenSIPS users mailling list > Subject: [OpenSIPS-Users] Issue with proxy failover and uac_auth() EXTERNAL EMAIL - Please use caution with links and attachments ________________________________ Hi All, I'm using OpenSIPS 3.4 and managing carrier trunks via the registrant table. In the table, I'm using a proxy value like sips:mysip.xx.x When the primary carrier A sbc SRV record becomes unreachable, OpenSIPS correctly times out INVITE and attempts to fail over to the secondary A record (via SRV). The secondary endpoint responds with a 401 Unauthorized and includes a WWW-Authenticate header. At this point, I assume that opensips should not try on the primary carrier A SRV record otherwise it will also timeout. but it is trying to send another INVITE with Authorization to the primary. this timeout because primary A SRV record is not responding. opensips sends another INVITE to secondary and this time its without Authorization. Is there any way to fix this or work around it? Has anyone faced a similar problem when using uac_auth() in combination with failover and the same proxy domain? Any advice or suggestions would be greatly appreciated. Thank you Regards, Jason _______________________________________________ Users mailing list Users at lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users _______________________________________________ Users mailing list Users at lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users _______________________________________________ Users mailing list Users at lists.opensips.org http://lists.opensips.org/cgi-bin/mailman/listinfo/users -------------- next part -------------- An HTML attachment was scrubbed... URL: From nzdealshelp at gmail.com Wed Jun 4 01:24:46 2025 From: nzdealshelp at gmail.com (nz deals) Date: Wed, 4 Jun 2025 13:24:46 +1200 Subject: [OpenSIPS-Users] Issue with proxy failover and uac_auth() In-Reply-To: References:

<674e9c9d-8b87-4e61-9b8a-bf83feae2a64@opensips.org> Message-ID: Thanks @Bogdan-Andrei Iancu and @Ben I got the same question, if we disable the failover then what's the benefit of having multiple SRV records for the proxy. Plus I think that the Authorization should not be dropped when it does the failover. Any recommendations to resolve this issue? Regards, Jason On Wed, 4 Jun 2025 at 03:33, Ben Newlin wrote: > Bogdan, > > > > I’m not sure this completely solves the problem. Removing DNS failover > from the TM module would make the script responsible for the failover. > Given that they’ve indicated this is an SRV record, this would force them > to make some sort of external call to resolve the SRV themselves, as I > don’t think the ip.resolve transformation will handle SRV. > > > > That is a lot of work to solve the issue when compared to the question of > why the Authenticate would be dropped by the TM module on DNS failover to > begin with? Is there some use case for that which would make it not a bug? > I don’t think the TM module should ever be changing the SIP message on DNS > failover. > > > > Ben Newlin > > > > *From: *Users on behalf of > Bogdan-Andrei Iancu > *Date: *Tuesday, June 3, 2025 at 10:33 AM > *To: *OpenSIPS users mailling list , nz deals < > nzdealshelp at gmail.com> > *Subject: *Re: [OpenSIPS-Users] Issue with proxy failover and uac_auth() > > * EXTERNAL EMAIL - Please use caution with links and attachments * > > > ------------------------------ > > Hi, > > I hope I managed to get your report here. If so, take a look at the > "no-dns-failover" option when doing the t_relay(). So you can instruct > OpenSIPS not to do the automatic DNS based failover and give you full > control via failure route. > > Regards, > > Bogdan-Andrei Iancu > > > > OpenSIPS Founder and Developer > > https://www.opensips-solutions.com > > https://www.siphub.com > > On 03.06.2025 03:41, nz deals wrote: > > Is there anyone who has seen this issue? Seems like a bug to me. > > > > Thanks. > > > > Regards, > > Jason > > > > > > On Sun, 1 Jun 2025 at 06:06, Ben Newlin wrote: > > Oh sorry I missed that in your email. I thought you were trying to avoid > the failover. > > > > Dropping the auth info on the DNS failover I don’t think is expected, > since a DNS failover doesn’t trigger failure_route so you can’t add it back. > > > > I’d recommend opening a bug for this on the Github, but maybe someone else > has ideas. > > > > Ben Newlin > > > > *From: *Users on behalf of nz deals < > nzdealshelp at gmail.com> > *Date: *Friday, May 30, 2025 at 10:49 PM > *To: *OpenSIPS users mailling list > *Subject: *Re: [OpenSIPS-Users] Issue with proxy failover and uac_auth() > > * EXTERNAL EMAIL - Please use caution with links and attachments * > > > ------------------------------ > > Thank you for your response. > > The problem is, opensips sends the INVITE to secondary srv (failed over) > without Authorization. It makes sense that the dns failover is not managed > by opensips but atleast the same INVITE should be failover to the > secondary. Why the Authorization is removed when it goes to the secondary. > > > > Thanks > > > > On Sat, 31 May 2025 at 03:52, Ben Newlin wrote: > > The issue here is not really with the uac_auth module, as that module > isn’t sending the message only updating it with the correct authentication > info. > > > > This is normal and correct behavior. When you send the message the second > time using the same DNS, it will follow the same process as the first, > trying A then timing out and failing over to B. Standard DNS SRV doesn’t > include any behavior to try to avoid non-responding nodes. > > > > Ultimately what you need is to know the actual IP that elicited the 401 so > the next INVITE with the authentication can be sent to the same one, using > $du or $dd(:$dp). Have you tried to get the remote IP in onreply_route and > store it is an AVP using $si [1] or $socket_in [2]? I don’t think I’ve ever > used one of these in a reply route. The documentation doesn’t specify > whether it is valid and they will contain the source of the reply, not the > request. > > > > [1] - https://www.opensips.org/Documentation/Script-CoreVar-3-6#si > > [2] - https://www.opensips.org/Documentation/Script-CoreVar-3-6#socket_in > > > > Ben Newlin > > > > *From: *Users on behalf of nz deals < > nzdealshelp at gmail.com> > *Date: *Thursday, May 29, 2025 at 9:32 AM > *To: *OpenSIPS users mailling list > *Subject: *[OpenSIPS-Users] Issue with proxy failover and uac_auth() > > * EXTERNAL EMAIL - Please use caution with links and attachments * > > > ------------------------------ > > Hi All, > > I'm using OpenSIPS 3.4 and managing carrier trunks via the registrant > table. In the table, I'm using a proxy value like sips:mysip.xx.x > > When the primary carrier A sbc SRV record becomes unreachable, OpenSIPS > correctly times out INVITE and attempts to fail over to the secondary A > record (via SRV). > > The secondary endpoint responds with a 401 Unauthorized and includes a > WWW-Authenticate header. At this point, I assume that opensips should not > try on the primary carrier A SRV record otherwise it will also timeout. but > it is trying to send another INVITE with Authorization to the primary. this > timeout because primary A SRV record is not responding. opensips sends > another INVITE to secondary and this time its without Authorization. > > Is there any way to fix this or work around it? Has anyone faced a similar > problem when using uac_auth() in combination with failover and the same > proxy domain? > > Any advice or suggestions would be greatly appreciated. > > > > > > > > Thank you > > > > Regards, > > Jason > > > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > > _______________________________________________ > > Users mailing list > > Users at lists.opensips.org > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From manuel.tausendfreund at dtms.de Thu Jun 5 09:31:25 2025 From: manuel.tausendfreund at dtms.de (Manuel Tausendfreund) Date: Thu, 5 Jun 2025 09:31:25 +0000 Subject: [OpenSIPS-Users] RTP Port missmatch Message-ID: Hi , i have Playback part on my SBC (3.4.11 Opensips from The Debian Repo) rtpengine is 13.4.0.0 ua_session_server_init($var(key_ini), "t$var(time)arhb"); rtpengine_offer("in-iface=$var(interface) out-iface=$var(interface) ",$var(rtp_con),$var(sdp_data)); ua_session_reply($var(key_ini), "INVITE", 200, "OK", $var(sdp_data)); rtpengine_play_media("file=/net/audio/sound.wav from-tag=$ft ",$var(time),$var(rtp_con)); it works BUT when the other RTP Engine has a Strict Source active it is not working anymore. Opensips sends in the "200 OK" of the SDP part from the Port from The UA-Agent instead off the port from the Caller But the Sound is send from port of the Caller How can I Change this behavior ? Here look in my Log´s Jun 03 14:06:06 rtp-test-bln rtpengine[786225]: INFO: [c16a0ad430a825c669e432f19b83e956 at xx.xx.xx.xx]: [core] Final packet stats: Jun 03 14:06:06 rtp-test-bln rtpengine[786225]: INFO: [c16a0ad430a825c669e432f19b83e956 at xx.xx.xx.xx]: [core] --- Tag 'xx.xx.xx.xx', created 0:46 ago for branch '' Jun 03 14:06:06 rtp-test-bln rtpengine[786225]: INFO: [c16a0ad430a825c669e432f19b83e956 at xx.xx.xx.xx]: [core] ------ Media #1 (audio over RTP/AVP) using unknown codec Jun 03 14:06:06 rtp-test-bln rtpengine[786225]: INFO: [c16a0ad430a825c669e432f19b83e956 at xx.xx.xx.xx]: [core] --------- Port 10.250.56.103:65436 <> 10.249.152.95:28892 Jun 03 14:06:06 rtp-test-bln rtpengine[786225]: INFO: [c16a0ad430a825c669e432f19b83e956 at xx.xx.xx.xx]: [core] --------- Port 10.250.56.103:65437 <> 10.249.152.95:28893 Jun 03 14:06:06 rtp-test-bln rtpengine[786225]: INFO: [c16a0ad430a825c669e432f19b83e956 at xx.xx.xx.xx]: [core] --- Tag '', created 0:46 ago for branch '' Jun 03 14:06:06 rtp-test-bln rtpengine[786225]: INFO: [c16a0ad430a825c669e432f19b83e956 at xx.xx.xx.xx]: [core] ------ Media #1 (audio over RTP/AVP) using G722/8000 Jun 03 14:06:06 rtp-test-bln rtpengine[786225]: INFO: [c16a0ad430a825c669e432f19b83e956 at xx.xx.xx.xx]: [core] --------- Port 10.250.56.103:36098 <> :0 Jun 03 14:06:06 rtp-test-bln rtpengine[786225]: INFO: [c16a0ad430a825c669e432f19b83e956 at xx.xx.xx.xx]: [core] --------- Port 10.250.56.103:36099 <> :0 Jun 03 14:06:16 rtp-test-bln rtpengine[786225]: INFO: [a000e80f7f061fdcf69525ef9e7fd77f at xx.xx.xx.xx]: [core] Final packet stats: v=0 o=- 23915705085026 23915705085026 IN IP4 10.249.152.95 s=- t=0 0 m=audio 36098 RTP/AVP 9 8 0 101 c=IN IP4 10.250.56.103 a=rtpmap:9 G722/8000 a=rtpmap:8 PCMA/8000 a=rtpmap:0 PCMU/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=msi:mavodi-8-159-31-d-ffffffff-25cb306d- at 87.137.153.236 a=sendrecv a=rtcp:36099 a=ptime:20 a=maxptime:60 Jun 03 14:05:20 rtp-out-hh3 rtpengine[1159]: INFO: [c16a0ad430a825c669e432f19b83e956 at xx.xx.xx.xx/xx.xx.xx.xx port 37868]: [core] Kernelizing media stream: yy.yy.yy.yy:65198 -> zz.zz.zz.zz:37868 | 10.249.152.95:28892 -> 10.250.56.103:36098 Jun 03 14:05:20 rtp-out-hh3 rtpengine[1159]: INFO: [c16a0ad430a825c669e432f19b83e956 at xx.xx.xx.xx/xx.xx.xx.xx port 37868]: [core] Kernelizing media stream: yy.yy.yy.yy:65198 -> zz.zz.zz.zz:37868 | 10.249.152.95:28893 -> 10.250.56.103:36099 Jun 03 14:05:20 rtp-out-hh3 rtpengine[1159]: INFO: [c16a0ad430a825c669e432f19b83e956 at xx.xx.xx.xx port 28892]: [core] Drop due to strict-source attribute; got 10.250.56.103:65436, expected 10.250.56.103:36098 Jun 03 14:05:20 rtp-out-hh3 rtpengine[1159]: INFO: [c16a0ad430a825c669e432f19b83e956 at xx.xx.xx.xx port 28893]: [core] Drop due to strict-source attribute; got 10.250.56.103:65437, expected 10.250.56.103:36099 BR Manuel From Johan at democon.be Thu Jun 5 10:00:21 2025 From: Johan at democon.be (Johan De Clercq) Date: Thu, 5 Jun 2025 12:00:21 +0200 Subject: [OpenSIPS-Users] sip question. Message-ID: in a bye message, is the contact header mandatory or not ? BR, JOhan. -------------- next part -------------- An HTML attachment was scrubbed... URL: From walter.schober at neotel.at Thu Jun 5 10:49:16 2025 From: walter.schober at neotel.at (Walter Schober) Date: Thu, 5 Jun 2025 10:49:16 +0000 Subject: [OpenSIPS-Users] sip question. In-Reply-To: References: Message-ID: IMHO: No, it is not. > Am 05.06.2025 um 12:01 schrieb Johan De Clercq : > > > in a bye message, is the contact header mandatory or not ? > From bogdan at opensips.org Thu Jun 5 11:54:32 2025 From: bogdan at opensips.org (Bogdan-Andrei Iancu) Date: Thu, 5 Jun 2025 14:54:32 +0300 Subject: [OpenSIPS-Users] sip question. In-Reply-To: References:

Message-ID: <5d40bba7-28e6-4611-86f0-05af554a1915@opensips.org> :+1: Bogdan-Andrei Iancu OpenSIPS Founder and Developer https://www.opensips-solutions.com https://www.siphub.com On 05.06.2025 13:49, Walter Schober wrote: > IMHO: No, it is not. > >> Am 05.06.2025 um 12:01 schrieb Johan De Clercq : >> >> >> in a bye message, is the contact header mandatory or not ? >> > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users From ag at ag-projects.com Thu Jun 5 11:53:39 2025 From: ag at ag-projects.com (Adrian Georgescu) Date: Thu, 5 Jun 2025 13:53:39 +0200 Subject: [OpenSIPS-Users] sip question. In-Reply-To: References: Message-ID: <5BE5CD35-36B2-44C0-932E-C02C4F0185F2@ag-projects.com> Yes.Without the correct URI learnt from the contact header of the INVITE or 200 OK respectively, it is not possible to match the call on the receiving device of the call. If there is a phone that supports one call at the time, perhaps it will handle it, but if the BYE is for an intermediate gateway, it needs a proper request URI to target the end device. > On Jun 5, 2025, at 12:00, Johan De Clercq wrote: > > in a bye message, is the contact header mandatory or not ? > > BR, JOhan. > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users From walter.schober at neotel.at Thu Jun 5 12:22:09 2025 From: walter.schober at neotel.at (Walter Schober) Date: Thu, 5 Jun 2025 12:22:09 +0000 Subject: [OpenSIPS-Users] SIPREC start on 18x/SDP too early Message-ID: Hi! Acc to the docs https://opensips.org/docs/modules/3.5.x/siprec.html#func_siprec_start_recording the INVITE to the SRS should start on connect 200 OK. But it starts as soon as a SDP body is replied in the recorded call. E.g. in the 183/SDP or 180/SDP. Is this intensionally and the documentation is wrong? Can this be tweaked somehow to start on 200 OK? Unfortunately our SRS cannot handle the call that early since it hasn’t got all information to record the call at that moment. Gladly the SIPREC Modul does another INVITE on 200 OK if the first one got rejected - but I’m afraid that leads to some race conditions in some scenarios. I’m using 3.5.5. Script is straight forward: create_dialog(); $siprec(group) = "webrtc-loop-out"; $rtp_relay_ctx(callid) = "srs-o-"+$ci; route(do_rec); route[do_rec] { # https://www.opensips.org/Documentation/Tutorials-SIPREC-2-4 # is not sent to „subscribe answer" anyway # $rtp_relay(flags) = "callid="+$ci+" allow-transcoding asymmetric"; # $rtp_relay_peer(flags) = "callid="+$ci+" allow-transcoding asymmetric"; # is not sent to „subscribe answer" anyway # $rtp_relay_ctx(flags) = "allow-transcoding asymmetric"; # $rtp_relay_ctx(flags) = "template=siprec"; # flags "siprec" only in subscribe request, not in subscribe answer rtp_relay_engage("rtpengine"); # https://opensips.org/docs/modules/3.6.x/siprec.html#func_siprec_start_recording $siprec(headers) = "X-Call-ID: "+$ci+"\r\n"; $xml(caller_xml) = ""; $xml(caller_xml/nameID.attr/aor) = $fU+"@"+$fd"; # Communi5 does not want any sip:, nor ports if ($(fn{s.len})) $xml(caller_xml/nameID) = ""+$fn+""; $siprec(caller) = $xml(caller_xml/nameID); $xml(callee_xml) = ""; $xml(callee_xml/nameID.attr/aor) = $tU+"@"+$td"; # Communi5 does not want any sip:, nor ports #$xml(callee_xml/nameID) = ""; $siprec(callee) = $xml(callee_xml/nameID); $siprec(from_uri) = $fu; $siprec(to_uri) = $tu; siprec_start_recording("sip:opensips-srs at 192.168.48.161:5060;x-system=$(ru{uri.param,x-system}), sip:opensips-srs at 192.168.48.162:5060;x-system=$(ru{uri.param,x-system})"); } br Walter P.S:: tried 3.6.0-beta, too. But 3.6.0 crashes on BYE and other situations, yet. P.P.S.: 3.6.0 got events. Can I do something in those event_routes? This is not clearly documented. From david.villasmil.work at gmail.com Thu Jun 5 18:36:14 2025 From: david.villasmil.work at gmail.com (David Villasmil) Date: Thu, 5 Jun 2025 20:36:14 +0200 Subject: [OpenSIPS-Users] sip question. In-Reply-To: <5BE5CD35-36B2-44C0-932E-C02C4F0185F2@ag-projects.com> References: <5BE5CD35-36B2-44C0-932E-C02C4F0185F2@ag-projects.com> Message-ID: +1 The BYE request is constructed as would any other request within a dialog, as described in Section 8.1.1. […] The Request-URI, To, From, Call-ID, CSeq, Max-Forwards, and Via header fields MUST be included in a BYE request. A Contact header field MAY be included in a BYE request. Regards, David Villasmil email: david.villasmil.work at gmail.com On Thu, Jun 5, 2025 at 1:57 PM Adrian Georgescu wrote: > Yes.Without the correct URI learnt from the contact header of the INVITE > or 200 OK respectively, it is not possible to match the call on the > receiving device of the call. If there is a phone that supports one call at > the time, perhaps it will handle it, but if the BYE is for an intermediate > gateway, it needs a proper request URI to target the end device. > > > On Jun 5, 2025, at 12:00, Johan De Clercq wrote: > > > > in a bye message, is the contact header mandatory or not ? > > > > BR, JOhan. > > _______________________________________________ > > Users mailing list > > Users at lists.opensips.org > > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > > > _______________________________________________ > Users mailing list > Users at lists.opensips.org > http://lists.opensips.org/cgi-bin/mailman/listinfo/users > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Ben.Laing at dals.co.uk Fri Jun 6 13:25:11 2025 From: Ben.Laing at dals.co.uk (Ben Laing) Date: Fri, 6 Jun 2025 13:25:11 +0000 Subject: [OpenSIPS-Users] Setting up dialog replication Message-ID: Hello! I am trying to set up an active/active OpenSIPS pair in AWS. The AWS set up is two OpenSIPs (V3.4.12) running on EC2 instances in two different availability zones. There is then a network load balancer (NLB) in each availability zone that distributes traffic to the two OpenSIPs nodes. I am trying to set up dialog sharing between the two nodes. The cluster appears to be healthy: * both nodes are in cluster 1 with flag set to `seed`. * opensips-cli -x mi clusterer_list_cap shows dialog-dlg-repl / state Ok / enabled Yes * opensips-cli -x mi clusterer_list – shows other node with link_state up, state enabled. My test to make a call through node 1, kill node 1, end the call with the BYE then going through node 2. When I try this, node 2 isn’t finding the dialog. If I run dlg_list during the call (before killing node 1) the dlg is present on node 1 but not node 2. So it looks like the dialog replication isn’t working. The dialog clustering manual suggests reading https://blog.opensips.org/2018/03/23/clustering-ongoing-calls-with-opensips-2-4/ which references dlg_sharing_tag which has since been deprecated. I don’t think I need tags, though potentially that’s where I’m going wrong. I’ve been down a few rabbit holes looking at out of date manuals for some of the modules! The relevant config for node 1 is as follows: loadmodule "proto_udp.so" socket = udp:10.4.60.11 # NLB 1 socket = udp:10.4.60.11 as 10.4.38.178 # NLB 2 socket = udp:10.4.60.11 as 10.4.63.19 # Tried setting tag public here but didn’t help #### DIALOG module loadmodule "dialog.so" modparam("dialog", "dlg_match_mode", 1) modparam("dialog", "default_timeout", 600) # 6 hours timeout modparam("dialog", "db_mode", 2) modparam("dialog", "db_url", "mysql://opensips:opensipsrw at 10.4.40.21/opensips") modparam("dialog", "dialog_replication_cluster", 1) ### CLUSTERING socket = bin:10.4.60.12:5566 # bin listener for OpenSIPS clustering loadmodule "proto_bin.so" loadmodule "clusterer.so" modparam("clusterer", "db_mode", 1) modparam("clusterer", "db_url", "mysql://opensips:opensipsrw at 10.4.40.21/opensips") modparam("clusterer", "my_node_id", 2) # node_id for OpenSIPS 1 route { … # handle the initial INVITE to create a dialog if (is_method("INVITE")) { … if ( !create_dialog("B") ) { send_reply(500,"Internal Server Error"); exit; } } Any suggestions on how to debug or glaring omissions would be very helpful. Best, Ben Laing Classified - General ‑‑‑‑‑ Ben Laing He/Him Senior Software Developer Email: Ben.Laing at dals.co.uk Website: www.dals.co.uk Dals, Statham House, Talbot Rd, Stretford, Manchester, M32 0FP Classified - General -------------- next part -------------- An HTML attachment was scrubbed... URL: From Ben.Newlin at genesys.com Fri Jun 6 14:37:26 2025 From: Ben.Newlin at genesys.com (Ben Newlin) Date: Fri, 6 Jun 2025 14:37:26 +0000 Subject: [OpenSIPS-Users] Setting up dialog replication In-Reply-To: References: Message-ID: Have you checked the logs on node 2 from the time the call was placed? When we tried this we found that node 2 was refusing the dialog because the IP address of the socket for the dialog was not configured locally. There was a log printed indicating this. It seems the dialog replication assumes a VIP/anycast setup where in order to “take over” the dialog the node has to also have a socket with the same IP. It was a while ago we tried this though so maybe that has changed. Ben Newlin From: Users on behalf of Ben Laing via Users Date: Friday, June 6, 2025 at 9:26 AM To: users at lists.opensips.org Subject: [OpenSIPS-Users] Setting up dialog replication EXTERNAL EMAIL - Please use caution with links and attachments ________________________________ Hello! I am trying to set up an active/active OpenSIPS pair in AWS. The AWS set up is two OpenSIPs (V3.4.12) running on EC2 instances in two different availability zones. There is then a network load balancer (NLB) in each availability zone that distributes traffic to the two OpenSIPs nodes. I am trying to set up dialog sharing between the two nodes. The cluster appears to be healthy: · both nodes are in cluster 1 with flag set to `seed`. * opensips-cli -x mi clusterer_list_cap shows dialog-dlg-repl / state Ok / enabled Yes * opensips-cli -x mi clusterer_list – shows other node with link_state up, state enabled. My test to make a call through node 1, kill node 1, end the call with the BYE then going through node 2. When I try this, node 2 isn’t finding the dialog. If I run dlg_list during the call (before killing node 1) the dlg is present on node 1 but not node 2. So it looks like the dialog replication isn’t working. The dialog clustering manual suggests reading https://blog.opensips.org/2018/03/23/clustering-ongoing-calls-with-opensips-2-4/ which references dlg_sharing_tag which has since been deprecated. I don’t think I need tags, though potentially that’s where I’m going wrong. I’ve been down a few rabbit holes looking at out of date manuals for some of the modules! The relevant config for node 1 is as follows: loadmodule "proto_udp.so" socket = udp:10.4.60.11 # NLB 1 socket = udp:10.4.60.11 as 10.4.38.178 # NLB 2 socket = udp:10.4.60.11 as 10.4.63.19 # Tried setting tag public here but didn’t help #### DIALOG module loadmodule "dialog.so" modparam("dialog", "dlg_match_mode", 1) modparam("dialog", "default_timeout", 600) # 6 hours timeout modparam("dialog", "db_mode", 2) modparam("dialog", "db_url", "mysql://opensips:opensipsrw at 10.4.40.21/opensips") modparam("dialog", "dialog_replication_cluster", 1) ### CLUSTERING socket = bin:10.4.60.12:5566 # bin listener for OpenSIPS clustering loadmodule "proto_bin.so" loadmodule "clusterer.so" modparam("clusterer", "db_mode", 1) modparam("clusterer", "db_url", "mysql://opensips:opensipsrw at 10.4.40.21/opensips") modparam("clusterer", "my_node_id", 2) # node_id for OpenSIPS 1 route { … # handle the initial INVITE to create a dialog if (is_method("INVITE")) { … if ( !create_dialog("B") ) { send_reply(500,"Internal Server Error"); exit; } } Any suggestions on how to debug or glaring omissions would be very helpful. Best, Ben Laing Classified - General ‑‑‑‑‑ Ben Laing He/Him Senior Software Developer Email: Ben.Laing at dals.co.uk Website: www.dals.co.uk Dals, Statham House, Talbot Rd, Stretford, Manchester, M32 0FP Classified - General -------------- next part -------------- An HTML attachment was scrubbed... URL: