[SR-Users] info: kamailio.org updates - letsencrypt for https and dkim for email
Hello,

during the past few days I made some updates related to the security aspects of kamailio.org services. Two are relevant for the community.

1) First, kamailio.org now uses a TLS certificate signed by letsencrypt.org, a free trusted CA backed up by Mozilla and other internet companies, so browsing via HTTPS should no longer issue any warning of untrusted certificate (previously we used a CACert.org certificate which was not trusted automatically by browsers).

Wiki and mailing lists portals use the letsencrypt certificate as well, so there is no reason not to browse all kamailio.org and lists.sip-router.org pages only via HTTPS. Perhaps in the near future we will try to enable redirect of HTTP to HTTPS at least for the main page and login pages for wiki, mailing lists and other places that require sensitive data.

Now SSLLabs test ranks https://kamailio.org with grade A:

  * https://www.ssllabs.com/ssltest/analyze.html?d=kamailio.org&latest

As a side note, for those that haven't noticed it, for quite some time kamailio.org has also been available over IPv6.

2) Second, emails forwarded by kamailio.org and lists.sip-router.org now have a DKIM signature. Also, there are SPF records in DNS for these domains. Hopefully, those two will help getting the emails to be allowed by various spam filters out there, as their legit origin can be checked.

If you check the source of an email message and the email server of the receiving party is doing DKIM/SPF checks, you should see some headers like the following (taken from an email I received to my gmail account from sr-users mailing list):

"""
Authentication-Results: mx.google.com;
    spf=pass (google.com: domain of sr-users-boun...@lists.sip-router.org designates 193.22.119.66 as permitted sender) smtp.mailfrom=sr-users-boun...@lists.sip-router.org;
    dkim=pass header.i=@lists.sip-router.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
    d=lists.sip-router.org; s=20151206;
    h=Sender:Content-Type:List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Reply-To:Subject:MIME-Version:Message-ID:To:From:Date;
    bh=lGjvCZYcxBHUHaJDnut1j2YTyPsXTnXHzUb0CgcDc1Q=;
    b=DlD+MKoEqyISB5Ba775t3zg70FC6ouC+tEo7j5zv4dn2Dhm4pWqkQXSfU4Kp1NqW1ZRYFC/mpg/7LEcGW2FlDL9J0FpUg1VjNmN7D1wvtW08hBBw91tsXImu9yf7KZjg/p4IbXu6vznldubrSxweIaV3q/xbrLgaqP5Dsrvs/9A=;
"""

Kamailio is not enforcing any of those policies on received email messages, so sending to the lists should not be affected.

Should anyone discover problems when browsing the web portals or notice issues with emails from our mailing lists, report them to sr-dev mailing list. Also, if anyone has more hints on increasing the security/privacy for the web server and email systems we run for kamailio.org, do not hesitate to provide us suggestions.

Cheers,
Daniel

--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio - http://www.asipto.com
http://miconda.eu

___
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
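Added example, not part of the original message or of any kamailio.org tooling: a Python parser for the two headers quoted above that splits the DKIM-Signature tag list and the Authentication-Results verdicts, then flags what a receiver would check (failed or missing verdicts, From missing from h=, an unexpected a= algorithm, a d= domain that differs from the From domain). The sample message is constructed; only d=, s= and the IP address come from the message, while the bounce address, From line, bh= and b= values are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the message above.
# The bounce address, From line, bh= and b= values are placeholders.
SAMPLE = """\
Authentication-Results: mx.example.net;
 spf=pass (example: domain of bounce-placeholder@lists.sip-router.org
 designates 193.22.119.66 as permitted sender)
 smtp.mailfrom=bounce-placeholder@lists.sip-router.org;
 dkim=pass header.i=@lists.sip-router.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=lists.sip-router.org; s=20151206;
 h=Sender:List-Id:Reply-To:Subject:MIME-Version:Message-ID:To:From:Date;
 bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE=;
From: Alice <alice@example.org>
"""

def unfold(value):
    """Collapse folded header whitespace into single spaces."""
    return re.sub(r"\s+", " ", value).strip()

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376)."""
    tags = {}
    for part in unfold(value).split(";"):
        name, sep, val = part.partition("=")  # base64 values may end in '='
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def parse_auth_results(value):
    """Return {method: result} from an Authentication-Results value."""
    text = re.sub(r"\([^()]*\)", "", unfold(value))  # drop (comments)
    results = {}
    for clause in text.split(";")[1:]:  # element 0 is the authserv-id
        m = re.match(r"\s*([a-z0-9-]+)=([a-z]+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results

def review(raw):
    """Return findings for one message; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    verdicts = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = [f"{m} result is {verdicts.get(m, 'missing')}"
                for m in ("spf", "dkim") if verdicts.get(m) != "pass"]
    if msg.get("DKIM-Signature") is None:
        return findings + ["no DKIM-Signature header"]
    tags = parse_dkim_tags(msg["DKIM-Signature"])
    signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
    if "from" not in signed:
        findings.append("From is not listed in h=, so it is unsigned")
    if tags.get("a") not in ("rsa-sha256", "ed25519-sha256"):
        findings.append(f"unexpected signing algorithm a={tags.get('a')}")
    # Strict comparison; DMARC relaxed alignment compares organizational domains.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if tags.get("d", "").lower() != from_domain:
        findings.append(f"d={tags.get('d')} differs from From domain {from_domain}")
    return findings

if __name__ == "__main__": print(review(SAMPLE))
```

On list traffic the last finding is expected: the list server signs with its own d= domain, so the signature authenticates the list host rather than the author's domain.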
Re: [SR-Users] Proposing new logo for Kamailio project
Hello,

short update on the new logo -- based on the feedback so far, mainly over the social networking channels, nobody had a negative response to the proposal of the new logo, everyone liking it more than the existing one.

I will wait for a few more days and then we will conclude the process and switch to the new logo, if the general opinion stays unchanged.

Cheers,
Daniel

On 03/12/15 10:28, Daniel-Constantin Mierla wrote:
> Hello,
>
> upon a process initiated before the summer during the IRC Devel Meeting, when we started to look for refreshing the logo of Kamailio project, we are now trying to finalize the decision and we are proposing a new logo for Kamailio project.
>
> The new proposed logo, as well as more details, can be seen at:
>
> * http://www.kamailio.org/w/2015/12/proposing-new-logo-for-kamailio-project/
>
> We look forward to the feedback from community about this proposal - you like it or not, is too similar with other logos, etc...
>
> This announcement was sent to few of our mailing lists, but please reply to sr-users@lists.sip-router.org, being something concerning the community and definitely not something about development.
>
> Cheers,
> Daniel
Re: [SR-Users] secure websocket error in kamailio
Hi Daniel,

I am using kamailio version 4.2.3 on ubuntu-14.04 LTS OS. I had changed the configuration below before getting the error.

    tcp_max_connections=6
    tls_max_connections=6
    tcp_connection_lifetime=3604
    tcp_accept_no_cl=yes
    tcp_rd_buf_size=16384

I have attached the kamailio.cfg file for more information. Could you please suggest what needs to be changed in the kamailio.cfg file?

On Tue, Dec 8, 2015 at 12:05 PM, Daniel-Constantin Mierla wrote:
> Hello,
>
> what version of kamailio are you using?
>
> Have you increased the value for core parameter tcp_max_connections?
>
> http://www.kamailio.org/wiki/cookbooks/4.3.x/core#tcp_max_connections
>
> Cheers,
> Daniel
>
> On 07/12/15 09:32, Priyaranjan Nayak wrote:
>
> Hi All,
>
> I am running the kamailio for secure websocket (WSS). While running traffic testing the kamailio is not able to take beyond 2300 connection. I am getting below error.
>
> 45(12831) ERROR: tls [tls_server.c:243]: tls_fix_connection_unsafe(): tls: ssl bug #1491 workaround: not enough memory for safe operation: 208
> 45(12831) ERROR: sl [../../forward.h:247]: msg_send(): tcp_send failed
> 45(12831) ERROR: websocket [ws_handshake.c:113]: ws_send_reply(): sending reply
> 46(12832) ERROR: [tcp_main.c:3577]: handle_ser_child(): received CON_ERROR for 0x7f03e0b0fa18 (id 651), refcnt 3, flags 0x4018
> 45(12831) WARNING: [tcp_read.c:1642]: handle_io(): F_TCPCONN connection marked as bad: 0x7f03e0b0fa18 id 651 refcnt 1
> 44(12830) ERROR: tls [tls_server.c:154]: tls_complete_init(): tls: ssl bug #1491 workaround: not enough memory for safe operation: 304
> 44(12830) ERROR: [tcp_read.c:1326]: tcp_read_req(): ERROR: tcp_read_req: error reading
>
> I have seen below data in kamailio at the time of getting error.
>
> shmem:fragments = 57
> shmem:free_size = 16986416784
> shmem:max_used_size = 193649976
> shmem:real_used_size = 193452400
> shmem:total_size = 17179869184
> shmem:used_size = 188516920
>
> Could you please suggest me how can I get more performance from kamailio while using WSS ?
>
> Thanks
> Priyaranjan

--
Thanks
Priyaranjan

Attachment: kamailio.cfg (binary data)
[SR-Users] random incorrect method parsing
Hi folk!

Have a strange issue, and cannot understand what is wrong.

Test scheme: UA(sip) -> INVITE -> Kamailio
The transport protocol used is TCP.

The issue is reproduced randomly. In case of a wrong INVITE, Kamailio does not parse Method from R-URI and answers "400 CSeq method does not match request method".

The log with debug level 3 for such INVITE:
https://gist.github.com/vance-od/c4e1c783adba02d80c58

My first confusion is why there is a different number of bytes in line 2: "read= 1025 bytes, parsed=1037". The second is in line 12: Method value is empty. After this everything breaks and kamailio answers 400.

Just another call: the same setup (same device, kamailio instance etc), same conditions, just another call. Everything is OK, similar part for good call:
https://gist.github.com/vance-od/01b5dff2d81f0878cff4

All my attempts to find the diff between the two messages came to nothing, the 2 INVITEs look similar, and the wireshark analysis of TCP level also had no result (all is similar).

The issue happens only with one of our devices and only in case of TCP/TLS (UDP constantly ok, this is why I am assured the problem is in device, but I need proofs).

    version: kamailio 4.2.5 (i386/linux)
    flags: STATS: Off, EXTRA_DEBUG, USE_TCP, USE_TLS, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, F_MALLOC, DBG_F_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
    ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
    poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.

Will appreciate any help or idea with such a mess!

Cheers!
[SR-Users] Kamailio Redundancy Models
Hi,

I'm new to Kamailio and I'm trying to understand the architectural options and levels of redundancy that can be attained with Kamailio.

In my particular scenario I would be using Kamailio as proxy server (no user registrations) to handle global prefix routing between 3 major regions: Americas, EMEA, and Asia-Pacific. The idea would be to create a pool of Kamailio servers in each region. The pool would consist of two HA pairs. The HA pairs would be placed in two separate datacenters, and sessions would be distributed between the datacenters. In the event the Kamailio server failed it would have a local backup in the datacenter. In the event a datacenter failed, there would be an alternate datacenter available in the region.

Can the LCR feature/module share a database, so that each kamailio server in the region has the same call routing information?

Is there a feature or a way to automate the configuration of several Kamailio servers, when you want them to have the same routing logic/configuration? Is there a module, feature or API that would allow Kamailio to fetch a config, or possibly push the config via an API when the application is initialized?

What is the best method for establishing a 1:1 backup with Kamailio? If we use TCP and route-via headers, the SIP session would be pinned through the active proxy server. Is there a way to provide stateful failover so that the session state is maintained between primary and the backup server?

Any pointers or recommendations would be highly appreciated.

Regards,

Frank
Re: [SR-Users] issue with BYE
Hi

I seem to be having the problem when the BYE comes from callee. The BYE doesn't get forwarded to the callee from kamailio. As I'm using PATH module to send the calls onward to an asterisk server that I've looked up in the dispatcher table, are there any options I need to set in the onreply route block? Do I have an error in the block below?

    onreply_route {
        if (af==INET) {
            if(src_ip != BACKEND_NET4) {
                # SIP reply packet client->backend
                rtpproxy_manage("cwie");
                fix_nated_contact();
            } else {
                # SIP reply packet backend->client
                xlog("L_NOTICE", "FROM BACKEND(onreply_route): Method: $rm From: $ru To: $tu Recieved on: $Ri ");
                xlog("L_NOTICE", "FROM BACKEND(onreply_route): source address: $si SIP request's method: $rm SIP Request's URI: $ru \n");
                #loose_route();
                rtpproxy_manage("cwei");
                #fix_nated_contact();
                #record_route();
            }
        }
    }

Gerry Kernan
Infinity IT | 17 The Mall | Beacon Court | Sandyford | Dublin D18 E3C8 | Ireland
Tel: +353 - (0)1 - 293 0090 | E-Mail: gerry.ker...@infinityit.ie
Managed IT Services: Infinity IT - www.infinityit.ie
IP Telephony: Asterisk Consulting - www.asteriskconsulting.com
Contact Centre: Total Interact - www.totalinteract.com

From: sr-users [mailto:sr-users-boun...@lists.sip-router.org] On Behalf Of gerry kernan
Sent: Friday 4 December 2015 17:26
To: 'Kamailio (SER) - Users Mailing List'
Subject: Re: [SR-Users] issue with BYE

Hi

From a trace I can see that the BYE was received from 10001 and sent to asterisk(192.10.10.213), but the kamailio(192.10.10.202) doesn't forward the BYE back out to 10002@X.X.X.X

    4 3.870042 X.X.X.X -> 212.126.39.60 SIP/SDP 1163 Request: INVITE sip:10...@sip.xyz.ie;user=phone |
    6 3.870688 192.10.10.202 -> 192.10.10.213 SIP/SDP 1445 Request: INVITE sip:10...@sip.xyz.ie;user=phone |
    11 3.873831 192.10.10.213 -> 192.10.10.202 SIP 703 Status: 401 Unauthorized |
    15 3.875223 212.126.39.60 -> X.X.X.X SIP 594 Status: 401 Unauthorized |
    17 3.894614 X.X.X.X -> 212.126.39.60 SIP 575 Request: ACK sip:10...@sip.xyz.ie;user=phone |
    19 3.895036 192.10.10.202 -> 192.10.10.213 SIP 857 Request: ACK sip:10...@sip.xyz.ie;user=phone |
    21 3.898506 X.X.X.X -> 212.126.39.60 SIP/SDP 1338 Request: INVITE sip:10...@sip.xyz.ie;user=phone |
    24 3.899177 192.10.10.202 -> 192.10.10.213 SIP/SDP 140 Request: INVITE sip:10...@sip.xyz.ie;user=phone |
    27 3.904115 192.10.10.213 -> 192.10.10.202 SIP 741 Status: 100 Trying |
    29 3.904322 212.126.39.60 -> X.X.X.X SIP 632 Status: 100 Trying |
    33 3.925201 192.10.10.213 -> 192.10.10.202 SIP/SDP 1018 Request: INVITE sip:10001@192.168.200.112:5062 |
    35 3.925485 192.10.10.213 -> 192.10.10.202 SIP 757 Status: 180 Ringing |
    36 3.92 192.10.10.202 -> 192.168.200.112 SIP/SDP 1156 Request: INVITE sip:10001@192.168.200.112:5062 |
    38 3.925686 212.126.39.60 -> X.X.X.X SIP 648 Status: 180 Ringing |
    41 3.945324 192.168.200.112 -> 192.10.10.202 SIP 607 Status: 100 Trying |
    43 3.945516 192.10.10.202 -> 192.10.10.213 SIP 521 Status: 100 Trying |
    45 3.988254 192.168.200.112 -> 192.10.10.202 SIP 644 Status: 180 Ringing |
    47 3.988485 192.10.10.202 -> 192.10.10.213 SIP 558 Status: 180 Ringing |
    49 4.064562 192.10.10.213 -> 192.10.10.202 SIP 757 Status: 180 Ringing |
    51 4.064845 212.126.39.60 -> X.X.X.X SIP 648 Status: 180 Ringing |
    20 70 5.194932 192.168.200.112 -> 192.10.10.202 SIP/SDP 979 Status: 200 OK |
    74 5.195587 192.10.10.202 -> 192.10.10.213 SIP/SDP 893 Status: 200 OK |
    76 5.198424 192.10.10.213 -> 192.10.10.202 SIP 483 Request: ACK sip:10001@192.168.200.112:5062 |
    78 5.198750 192.10.10.202 -> 192.168.200.112 SIP 621 Request: ACK sip:10001@192.168.200.112:5062 |
    80 5.199155 192.10.10.213 -> 192.10.10.202 SIP/SDP 1117 Status: 200 OK |
    84 5.199750 212.126.39.60 -> X.X.X.X SIP/SDP 1008 Status: 200 OK |
    86 5.224751 X.X.X.X -> 212.126.39.60 SIP 645 Request: ACK sip:10001@192.10.10.213:5060 |
    88 5.225136 192.10.10.202 -> 192.10.10.213 SIP 854 Request: ACK sip:10001@192.10.10.213:5060 |
    28 112 7.960369 192.168.200.112 -> 192.10.10.202 SIP 548 Request: BYE sip:10002@192.10.10.213:5060 |
    114 7.960889 192.10.10.202 -> 192.10.10.213 SIP 716 Request: BYE sip:10002@192.10.10.213:5060 |
    116 7.963035 192.10.10.213 -> 192.10.10.202 SIP 655 Status: 200 OK |
    120 7.963501 192.10.10.202 -> 192.168.200.112 SIP 546 Status: 200 OK |
    122 8.038144 192.10.10.213 -> 192.10.10.202 SIP 697 Request: BYE sip:10002@X.X.X.X:16082 |
    124 8.137929 192.10.10.213 -> 192.10.10.202 SIP 697 Request: BYE sip:10002@X.X.X.X:16082 |
    126 8.338033 192.10.10.213 -> 192.10.10.202 SIP 697 Request: BYE sip:10002@X.X.X.X:16082 |
    35 140 8.737860 192.10.10.213 -> 192.10.10.202 SIP 697 Request: BYE sip:10002@X.X.X.X:16082 |
    36 149 9.537899 192.10
Re: [SR-Users] Kamailio Redundancy Models
I created a repository that consists of a set of Ansible playbooks that can automatically deploy an Active-Passive Kamailio cluster with a cluster of RTPProxy servers. These playbooks may help you in automatic deployment of your system. They are also a good starting point for seeing how you can create a simple two node redundancy. I also created an Ansible role for deploying Kamailio. You can find them here:

https://github.com/ghrst/Kamailio-HA
https://github.com/ghrst/Ansible-Kamailio-Role

On Tue, Dec 8, 2015 at 8:11 PM, Frank Costeira <486b...@gmail.com> wrote:
> Hi,
>
> I'm new to Kamailio and I'm trying to understand the architectural options and levels of redundancy that can be attained with Kamailio.
>
> In my particular scenario I would be using Kamailio as proxy server (no user registrations) to handle global prefix routing between 3 major regions: Americas, EMEA, and Asia-Pacific. The idea would be to create a pool of Kamailio servers in each region. The pool would consist of two HA pairs. The HA pairs would be placed in two separate datacenters, and sessions would be distributed between the datacenters. In the event the Kamailio server failed it would have a local backup in the datacenter. In the event a datacenter failed, there would be an alternate datacenter available in the region.
>
> Can the LCR feature/module share a database, so that each kamailio server in the region has the same call routing information?
>
> Is there a feature or a way to automate the configuration of several Kamailio servers, when you want them to have the same routing logic/configuration? Is there a module, feature or API that would allow Kamailio to fetch a config, or possibly push the config via an API when the application is initialized?
>
> What is the best method for establishing a 1:1 backup with Kamailio? If we use TCP and route-via headers, the SIP session would be pinned through the active proxy server. Is there a way to provide stateful failover so that the session state is maintained between primary and the backup server?
>
> Any pointers or recommendations would be highly appreciated.
>
> Regards,
>
> Frank
Re: [SR-Users] random incorrect method parsing
Hello,

can you change the sources and replace:

    DBG(" method: <%.*s>\n",fl->u.request.method.len, ZSW(fl->u.request.method.s));

with:

    DBG(" method: <%.*s> (%d)\n",fl->u.request.method.len, ZSW(fl->u.request.method.s), fl->u.request.method.len);

inside parser/msg_parser.c +625

Then recompile, reinstall and wait for same case again. Maybe there is a '\0', although the logs are not showing it. Or the length is not properly set.

Cheers,
Daniel

On 08/12/15 16:21, Vasiliy Ganchev wrote:
> Hi folk!
>
> Have a strange issue, and cannot understand what is wrong.
> Test scheme: UA(sip) -> INVITE -> Kamailio
> The transport protocol used is TCP.
> The issue is reproduced randomly. In case of a wrong INVITE, Kamailio does not parse Method from R-URI and answers "400 CSeq method does not match request method".
> The log with debug level 3 for such INVITE:
> https://gist.github.com/vance-od/c4e1c783adba02d80c58
>
> My first confusion is why there is a different number of bytes in line 2: "read= 1025 bytes, parsed=1037". The second is in line 12: Method value is empty. After this everything breaks and kamailio answers 400.
>
> Just another call: the same setup (same device, kamailio instance etc), same conditions, just another call. Everything is OK, similar part for good call:
> https://gist.github.com/vance-od/01b5dff2d81f0878cff4
>
> All my attempts to find the diff between the two messages came to nothing, the 2 INVITEs look similar, and the wireshark analysis of TCP level also had no result (all is similar).
>
> The issue happens only with one of our devices and only in case of TCP/TLS (UDP constantly ok, this is why I am assured the problem is in device, but I need proofs).
>
> version: kamailio 4.2.5 (i386/linux)
> flags: STATS: Off, EXTRA_DEBUG, USE_TCP, USE_TLS, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, F_MALLOC, DBG_F_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
> ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
> poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
>
> Will appreciate any help or idea with such a mess!
>
> Cheers!