Re: [SR-Users] tls with ubuntu 16.04

2016-09-19 Thread Daniel-Constantin Mierla
Hello, the issue was reported by others to ubuntu and a fix should be pushed these days, as I got it by reading: - https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1594748 There you can find also details of getting packages with the fix from ppa or proposed repository. There is nothing k

Re: [SR-Users] tls with ubuntu 16.04

2016-09-19 Thread Jayesh Nambiar
Hi Daniel, The latest stable release still shows up the TLS related problems. Is there a way to load tls modules such that these errors get corrected? - Jayesh On Mon, Aug 1, 2016 at 5:10 PM Daniel-Constantin Mierla wrote: > Hello, > > not yet ... I didn't get the chance before starting a rathe

Re: [SR-Users] tls with ubuntu 16.04

2016-08-01 Thread Daniel-Constantin Mierla
Hello, not yet ... I didn't get the chance before starting a rather long trip to download the image for ubuntu 16.04 to spin a vm and now I don't have the bandwidth for fetching it. Cheers, Daniel On 01/08/16 13:32, Jayesh Nambiar wrote: > Hi Daniel, > Just checking if you had a chance to look

Re: [SR-Users] tls with ubuntu 16.04

2016-08-01 Thread Jayesh Nambiar
Hi Daniel, Just checking if you had a chance to look at ssl libraries in Ubuntu16.04 to check the conflict with TLS module? Thanks. - Jayesh On Tue, Jul 19, 2016 at 6:11 PM Daniel-Constantin Mierla wrote: > Hello, > > following up -- apparently there is some issue with the lib in ubuntu > 16.04

Re: [SR-Users] tls with ubuntu 16.04

2016-07-19 Thread Daniel-Constantin Mierla
Hello, following up -- apparently there is some issue with the lib in ubuntu 16.04, same module working fine in 15.10, as reported on the tracker: - https://github.com/kamailio/kamailio/issues/714 When I get a chance I will install a ubuntu 16.04 myself and dig more into the libssl sources. C

Re: [SR-Users] tls with ubuntu 16.04

2016-07-18 Thread Jayesh Nambiar
Hi Daniel, Thanks for looking into this. I tried with this patch and still get the same error. Here are the relevant part of logs: 0(25032) DEBUG: [cfg.y:1603]: yyparse(): loading module tls.so 0(25032) DEBUG: [sr_module.c:575]: load_module(): trying to load 0(25032) DEBUG: [mem/q_malloc.

Re: [SR-Users] tls with ubuntu 16.04

2016-07-18 Thread Daniel-Constantin Mierla
Hello, no time over the weekend to look at logs, but I pushed just now a patch to try to see if the memory functions were set or something else prevented the set of memory functions. Can you try with the patch: - https://github.com/kamailio/kamailio/commit/966513b374eef598434c5310a43eac2735adf

Re: [SR-Users] tls with ubuntu 16.04

2016-07-18 Thread Jayesh Nambiar
Hi Daniel, Any idea of why TLS would not load based on the logs pasted? - Jayesh On Fri, Jul 15, 2016 at 4:46 PM Jayesh Nambiar wrote: > Hi Daniel, > Here are the logs: > http://pastebin.com/tGRWr9JS > > Thanks, > > - Jayesh > > On Fri, Jul 15, 2016 at 12:29 PM Daniel-Constantin Mierla < > mico

Re: [SR-Users] tls with ubuntu 16.04

2016-07-15 Thread Jayesh Nambiar
Hi Daniel, Here are the logs: http://pastebin.com/tGRWr9JS Thanks, - Jayesh On Fri, Jul 15, 2016 at 12:29 PM Daniel-Constantin Mierla wrote: > Yes, put them on pastebin. > > Daniel > > On 15/07/16 07:53, Jayesh Nambiar wrote: > > The libssl version is as follows: > > 1.0.2g-1ubuntu4.1 > > And

Re: [SR-Users] tls with ubuntu 16.04

2016-07-15 Thread Daniel-Constantin Mierla
Yes, put them on pastebin. Daniel On 15/07/16 07:53, Jayesh Nambiar wrote: > The libssl version is as follows: > > 1.0.2g-1ubuntu4.1 > > And openssl version shows this: > > OpenSSL 1.0.2g-fips 1 Mar 2016 > > As for the logs with debug 3, kamailio scans each and every line in > the config and ge

Re: [SR-Users] tls with ubuntu 16.04

2016-07-14 Thread Jayesh Nambiar
The libssl version is as follows: 1.0.2g-1ubuntu4.1 And openssl version shows this: OpenSSL 1.0.2g-fips 1 Mar 2016 As for the logs with debug 3, kamailio scans each and every line in the config and generates a big file. You want me to send that in full. If yes, I'd put it in a pastebin and sen

Re: [SR-Users] tls with ubuntu 16.04

2016-07-14 Thread Daniel-Constantin Mierla
Are these all the logs from kamailio startup? It looks like only the ones from the moment it tries to load tls module ... Also, you haven't provided the version of libssl. Daniel On 14/07/16 17:08, Jayesh Nambiar wrote: > Hi Daniel, > It indeed disables TLS if written this way. Here are the log

Re: [SR-Users] tls with ubuntu 16.04

2016-07-14 Thread Jayesh Nambiar
Hi Daniel, It indeed disables TLS if written this way. Here are the logs when enable_tls is written on above the loadmodule and kamailio fails to load module: Jul 14 10:25:03 v38 kamailio: DEBUG: [sr_module.c:575]: load_module(): trying to load Jul 14 10:25:03 v38 kamailio: DEBUG: [mem/q_mallo

Re: [SR-Users] tls with ubuntu 16.04

2016-07-14 Thread Daniel-Constantin Mierla
Hello, this should not be needed and actually may lead to disabling tls support overall as it is enabled after tls module is loaded. Are you sure this really works and enabling tls before is not working? Send the log messages with debug=3. Cheers, Daniel On 14/07/16 16:11, Jayesh Nambiar wrote:

Re: [SR-Users] tls with ubuntu 16.04

2016-07-14 Thread Jayesh Nambiar
Hi Daniel, I had enable_tls=yes written before loading any modules earlier and it was working good on 14.04. Now I just changed the sequence on 16.04 and it works as expected. Here is snippet below: loadmodule "tls.so" enable_tls=yes --- Jayesh On Thu, Jul 14, 2016 at 3:21 PM Daniel-Constantin

Re: [SR-Users] tls with ubuntu 16.04

2016-07-14 Thread Daniel-Constantin Mierla
Hello, don't really get what you did? Can you paste the relevant snippet of config? Cheers, Daniel On 14/07/16 07:40, Jayesh Nambiar wrote: > Hello, > Just did enable_tls after loadmodule "tls.so" and this now works. Thanks. > > - Jayesh > > On Thu, Jul 14, 2016 at 11:06 AM Jayesh Nambiar

Re: [SR-Users] tls with ubuntu 16.04

2016-07-13 Thread Jayesh Nambiar
Hello, Just did enable_tls after loadmodule "tls.so" and this now works. Thanks. - Jayesh On Thu, Jul 14, 2016 at 11:06 AM Jayesh Nambiar wrote: > I did load the tls first but still get the same error. Here is the > loadmodule sequence: > > loadmodule "tls.so" > > loadmodule "mi_fifo.so" > > lo

Re: [SR-Users] tls with ubuntu 16.04

2016-07-13 Thread Jayesh Nambiar
I did load the tls first but still get the same error. Here is the loadmodule sequence: loadmodule "tls.so" loadmodule "mi_fifo.so" loadmodule "kex.so" loadmodule "corex.so" loadmodule "tm.so" loadmodule "tmx.so" loadmodule "sl.so" loadmodule "rr.so" loadmodule "pv.so" loadmodule "maxfwd.

Re: [SR-Users] tls with ubuntu 16.04

2016-07-13 Thread Daniel-Constantin Mierla
Hello, load first the tls module and then the others. Cheers, Daniel On 13/07/16 19:54, Jayesh Nambiar wrote: > OpenSSL Version: > > OpenSSL 1.0.2g-fips 1 Mar 2016 > > > Order of loadmodules: > > loadmodule "mi_fifo.so" > > loadmodule "kex.so" > > loadmodule "corex.so" > > loadmodule "tm.so" > > lo

Re: [SR-Users] tls with ubuntu 16.04

2016-07-13 Thread Jayesh Nambiar
OpenSSL Version: OpenSSL 1.0.2g-fips 1 Mar 2016 Order of loadmodules: loadmodule "mi_fifo.so" loadmodule "kex.so" loadmodule "corex.so" loadmodule "tm.so" loadmodule "tmx.so" loadmodule "sl.so" loadmodule "rr.so" loadmodule "pv.so" loadmodule "maxfwd.so" loadmodule "dialog.so" loadmodu

Re: [SR-Users] tls with ubuntu 16.04

2016-07-13 Thread Daniel-Constantin Mierla
Hello, can you provide details about: - order of loaded modules: grep "loadmodule" kamailio.cfg - the version of libssl Cheers, Daniel On 13/07/16 16:48, Jayesh Nambiar wrote: > Hi, > Trying kamailio with Ubuntu 16.04 and I'm getting errors as follows: > > ERROR: tls [tls_init.c:490]: tls_

[SR-Users] tls with ubuntu 16.04

2016-07-13 Thread Jayesh Nambiar
Hi, Trying kamailio with Ubuntu 16.04 and I'm getting errors as follows: ERROR: tls [tls_init.c:490]: tls_pre_init(): Unable to set the memory allocation functions The error is identical to the one mentioned here: https://bugs.launchpad.net/ubuntu/+source/kamailio/+bug/1591992 Is there a soluti

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-25 Thread Camille Oudot
On Tue, 24 Nov 2015 09:49:36 -0600, Anthony Messina wrote: > When the close_expired_tcp modparam was disabled, Kamailio never > displayed this warning and continued to process all TLS connections > from 2015-11-19 through 2015-11-23, when I re-enabled the > close_expired_tcp modparam for

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-25 Thread Camille Oudot
On Tue, 24 Nov 2015 09:49:36 -0600, Anthony Messina wrote: > After having re-enabled the close_expired_tcp modparam, Kamailio > made it about 12 hours before giving the following warning and > blocking new TLS connections again: > > ERROR: tls [tls_server.c:189]: tls_complete_init(): tls: ssl

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-24 Thread Anthony Messina
After having re-enabled the close_expired_tcp modparam, Kamailio made it about 12 hours before giving the following warning and blocking new TLS connections again: ERROR: tls [tls_server.c:189]: tls_complete_init(): tls: ssl bug #1491 workaround: not enough memory for safe operation: 8870536

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-23 Thread Anthony Messina
I have re-enabled the close_expired_tcp modparam and will report back when I have results. Thanks Camille. -A -- Anthony - https://messinet.com/ On November 23, 2015 3:46:55 AM CST, Camille Oudot wrote: >On Sun, 22 Nov 2015 15:22:06 -0600, >Anthony Messina wrote: > >> I did two things on

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-23 Thread Camille Oudot
On Sun, 22 Nov 2015 15:22:06 -0600, Anthony Messina wrote: > I did two things on 2015-11-19 which seem to have (at least > temporarily) resolved this issue: > > 1. Upgraded to git master@b056aed > > 2. Commented out #modparam("usrloc", "close_expired_tcp", 1) based on > http://lists.sip-rou

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-22 Thread Anthony Messina
I did two things on 2015-11-19 which seem to have (at least temporarily) resolved this issue: 1. Upgraded to git master@b056aed 2. Commented out #modparam("usrloc", "close_expired_tcp", 1) based on http://lists.sip-router.org/pipermail/sr-users/2015-November/090733.html -A On Wednesday, Novem

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-18 Thread Anthony Messina
I was just letting you know how I build it, but yes, I will test with just the bare master branch this weekend. After a restart, this issue takes a few hours to happen, making it difficult to reproduce in testing. -A On Wednesday, November 18, 2015 10:30:16 AM Daniel-Constantin Mierla wrote: >

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-18 Thread Daniel-Constantin Mierla
It is not clear what sources you are using, what does it mean 'latest release tarball' -- version 4.3.3? Then did you take all the patches from master since version 4.3.0? I tested master with 2 registrations over TLS sent by sipp, but I couldn't spot any leak there. Can you test with bar

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-17 Thread Anthony Messina
Sorry for the delay, I just got home from my $PAYINGJOB. And thanks a lot for helping figure this out. I build Kamailio RPMs from the latest release tarball, with the changes between the release and git master applied via patch, but here is the version output: # kamailio -v version: kamailio

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-17 Thread Daniel-Constantin Mierla
Looking at the logs of last commits, I couldn't spot the change that would add the leak. What is the exact version you are running (kamailio -v)? Are you using any of the functions exported by tcpops? Cheers, Daniel On 17/11/15 15:24, Anthony Messina wrote: > I wish that were the case... > > #

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-17 Thread Anthony Messina
I wish that were the case... # kamcmd core.tcp_info { readers: 2 max_connections: 2048 max_tls_connections: 2048 opened_connections: 0 opened_tls_connections: 0 write_queued_bytes: 0 } # kamcmd tls.info { max_connections: 2048 opened

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-17 Thread Daniel-Constantin Mierla
Looks like a lot of connections being open, can you get the output for: kamcmd core.tcp_info kamcmd tls.info Cheers, Daniel On 17/11/15 14:59, Anthony Messina wrote: > Attached. -A > > On Tuesday, November 17, 2015 02:50:21 PM Daniel-Constantin Mierla wrote: >> Can you run the following comman

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-17 Thread Anthony Messina
Attached. -A On Tuesday, November 17, 2015 02:50:21 PM Daniel-Constantin Mierla wrote: > Can you run the following commands: > > kamcmd cfg.set_now_int core memlog 1 > kamcmd corex.shm_summary > > Then grab the log messages from syslog related to shared memory summary > and send them over here. >

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-17 Thread Daniel-Constantin Mierla
Can you run the following commands: kamcmd cfg.set_now_int core memlog 1 kamcmd corex.shm_summary Then grab the log messages from syslog related to shared memory summary and send them over here. Cheers, Daniel On 17/11/15 14:31, Anthony Messina wrote: > After I reported last night, I restarted

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-17 Thread Anthony Messina
After I reported last night, I restarted Kamailio and even though the 5 UACs did nothing but ensure they had a registration overnight, this morning the issue has recurred. The following is the output you requested. Not sure how the memory is being used up by Kamailio. # kamctl stats shmem shm

Re: [SR-Users] TLS not enough memory issue with git master

2015-11-17 Thread Daniel-Constantin Mierla
As you are using the master branch (development), do you run latest version? Can you look at available shared memory? kamctl stats shmem Check it over time and see if the free memory is decreasing. Cheers, Daniel On 17/11/15 00:44, Anthony Messina wrote: > I have noticed the following issue wh

[SR-Users] TLS not enough memory issue with git master

2015-11-16 Thread Anthony Messina
I have noticed the following issue which began with builds somewhere between git master commits bff0a08 and 6173ef7. I did not see this issue with my previous builds and haven't been able to pin down the problem, which is why I haven't formally filed a bug. Any help or guidance is appreciated,

Re: [SR-Users] TLS module not initialized in 4.3.3, worked in 4.1.5

2015-11-16 Thread Daniel-Constantin Mierla
Hello, tls module does some initialization of libssl when it is loaded, otherwise other modules that link against libssl can initialize the lib before, making it unusable with shared memory. Although it is not a constraint, core parameters should be before module parameters, otherwise the module mig

Re: [SR-Users] TLS module not initialized in 4.3.3, worked in 4.1.5

2015-11-16 Thread Sebastian Damm
Hi, thanks for the patience. We finally found it. Starting it with debug info to stdout didn't show much more, but it again showed the "is disabled" message was still there. So I moved the "enable_tls" line and the "listen:" line up before loading the module. And that changed everything. Now Kamai

Re: [SR-Users] TLS module not initialized in 4.3.3, worked in 4.1.5

2015-11-16 Thread Daniel-Constantin Mierla
Hello, run with -E -ddd command line parameters, some of the messages are in stderror. The error is somewhere else, because the one related to tls is during shutdown process, therefore something else was detected before. Cheers, Daniel On 16/11/15 09:53, Sebastian Damm wrote: > Hi Daniel, >

Re: [SR-Users] TLS module not initialized in 4.3.3, worked in 4.1.5

2015-11-16 Thread Sebastian Damm
Hi Daniel, as I wrote, I copied the last log line from shutdown and the first lines from the start. That was just to show that those lines really are the first lines that appear in the log. You can see the PID change and the 5sec gap between the shutdown and start. There are no error messages, o

Re: [SR-Users] TLS module not initialized in 4.3.3, worked in 4.1.5

2015-11-16 Thread Daniel-Constantin Mierla
Hello, the following log message: Nov 13 17:29:37 lasola /usr/sbin/kamailio[3536]: DEBUG: [mem/shm_mem.c:235]: shm_mem_destroy(): destroying the shared memory lock indicates that Kamailio is shutting down already. Can you check up in the logs and see if there are other error messages? Do you h

Re: [SR-Users] TLS module not initialized in 4.3.3, worked in 4.1.5

2015-11-13 Thread Sebastian Damm
Hi Daniel, I just moved the TLS config lines up top even before sl and tm module. Also moved the modparam stuff up there. When starting, Kamailio says, it is listening on a TLS socket, but netstat says, it isn't. It's basically the same behavior as before. (This is the last log line from shutting

Re: [SR-Users] TLS module not initialized in 4.3.3, worked in 4.1.5

2015-11-13 Thread Daniel-Constantin Mierla
Hello, it could be related to the fact that a lot of internal things are initialized when the first modparam is found in config, but I thought that change was done in 3.x. Can you put the tls module config part being the first? The other modules don't need to be initialized before, actually tls n

Re: [SR-Users] TLS module not initialized in 4.3.3, worked in 4.1.5

2015-11-13 Thread Sebastian Damm
Hi Daniel, yes, we see this message. Nov 13 11:44:42 lasola /usr/sbin/kamailio[16113]: DEBUG: [sr_module.c:959]: init_mod(): tls Nov 13 11:44:42 lasola /usr/sbin/kamailio[16113]: WARNING: tls [tls_mod.c:287]: mod_init(): tls support is disabled (set enable_tls=1 in the config to enable it) Nov 1

Re: [SR-Users] TLS module not initialized in 4.3.3, worked in 4.1.5

2015-11-13 Thread Daniel-Constantin Mierla
Hello, if you start with debug=3, do you see the message: DEBUG: [sr_module.c:959]: init_mod(): tls Cheers, Daniel On 13/11/15 12:17, Sebastian Damm wrote: > Hello, > > we just updated one kamailio server from 4.1.5 to 4.3.3, and although > the config file is correct and kamailio starts up, it

[SR-Users] TLS module not initialized in 4.3.3, worked in 4.1.5

2015-11-13 Thread Sebastian Damm
Hello, we just updated one kamailio server from 4.1.5 to 4.3.3, and although the config file is correct and kamailio starts up, it doesn't initialize TLS and says " tls support enabled, but no tls engine available (forgot to load the tls module?)" In the log I see: Old shutdown (last lines): No

Re: [SR-Users] TLS certificate verification failed

2015-07-01 Thread Daniel-Constantin Mierla
Hello, On 25/06/15 15:06, Austin Einter wrote: > Hi All > I am having a sip client, I am using GNU tls for transport layer security. > > I am using Kamailio (TLS enabled) to test all the functionalities. > > I did registration over TLS. It was fine. > > I tried to make call. > I was able to send I

[SR-Users] TLS certificate verification failed

2015-06-25 Thread Austin Einter
Hi All I am having a sip client, I am using GNU tls for transport layer security. I am using Kamailio (TLS enabled) to test all the functionalities. I did registration over TLS. It was fine. I tried to make call. I was able to send INVITE. Kamailio trying to connect to called party (which is agai

Re: [SR-Users] TLS & log files

2015-04-13 Thread Daniel-Constantin Mierla
Hello, On 11/04/15 14:54, Tributh wrote: > Hi, > is there any way to configure the tls curve like secp384r1 in the config? > I use actually version 4.2.4 > On the other side i can't see any connection Information in the logs. > I would like to see something like: "Connected with TLSv1.1 using ciph

[SR-Users] TLS & log files

2015-04-12 Thread Tributh
Hi, is there any way to configure the tls curve like secp384r1 in the config? I use actually version 4.2.4 On the other side i can't see any connection Information in the logs. I would like to see something like: "Connected with TLSv1.1 using cipher ECDHE-RSA-AES256-GCM-SHA384 and curve secp384r1"

Re: [SR-Users] TLS conversion

2015-03-04 Thread Kelvin Chua
It is visible on the other kamailio. I did this to be sure onreply_route[MANAGE_REPLY] { xlog("L_NOTICE","record route 1 $(hdr(Record-route)[0])"); xlog("L_NOTICE","record route 2 $(hdr(Record-route)[1])"); xlog("L_NOTICE","record route 3 $(hdr(Record-route)[2])");

Re: [SR-Users] TLS conversion

2015-03-04 Thread Daniel-Constantin Mierla
Record-Route is not yet visible at that moment. Maybe a solution is to use record_route_preset(..) with parameters instead of record_route(). Cheers, Daniel On 04/03/15 09:00, Kelvin Chua wrote: > i was thinking of changing the record-route before sending out. > I tried it, but it's not working >

Re: [SR-Users] TLS conversion

2015-03-04 Thread Kelvin Chua
i was thinking of changing the record-route before sending out. I tried it, but it's not working subst_hf("Record-route", "/^ wrote: > just an idea, will it work if i used subst_hf? > > Kelvin Chua > > On Tue, Mar 3, 2015 at 5:16 PM, Daniel-Constantin Mierla < > mico...@gmail.com> wrote:

Re: [SR-Users] TLS conversion

2015-03-03 Thread Kelvin Chua
just an idea, will it work if i used subst_hf? Kelvin Chua On Tue, Mar 3, 2015 at 5:16 PM, Daniel-Constantin Mierla wrote: > Hello, > > We need to review this in rr. > > Meanwhile you can use s.substr transformation to get what's after sips and > prefix it with sip in r-uri. > > Cheers, > Daniel

Re: [SR-Users] TLS conversion

2015-03-03 Thread Daniel-Constantin Mierla
Hello, We need to review this in rr. Meanwhile you can use s.substr transformation to get what's after sips and prefix it with sip in r-uri. Cheers, Daniel On Tuesday, March 3, 2015, Kelvin Chua wrote: > Found the problem, on the 200 OK, I have this record route list > > Record-Route: IP>:605

Re: [SR-Users] TLS conversion

2015-03-03 Thread Kelvin Chua
Found the problem, on the 200 OK, I have this record route list Record-Route: :6056;transport=tls;r2=on;lr;ftag=as620b910c;did=242.fd92;nat=yes>. Record-Route: :6055;r2=on;lr;ftag=as620b910c;did=242.fd92;nat=yes>. Record-Route: :5080;lr=on;did=242.968> the second entry is wrong. it should be sip:

Re: [SR-Users] TLS conversion

2015-03-02 Thread Daniel-Constantin Mierla
Hello, doesn't the ACK have a Route header for K1 and double Route headers for K2? K1 should use the first Route of K2 for routing, not the R-URI. Cheers, Daniel On 03/03/15 05:14, Kelvin Chua wrote: > I have 2 kamailio servers and 1 asterisk server. > > 1. asterisk calls kamailio1 > 2. kamailio

[SR-Users] TLS conversion

2015-03-02 Thread Kelvin Chua
I have 2 kamailio servers and 1 asterisk server. 1. asterisk calls kamailio1 2. kamailio1 relays INVITE to kamailio2 3. kamailio2 relays INVITE to client registered using TLS 4. client answers with 200 OK, sends to kamailio2 5. kamailio2 relays 200 OK to kamailio1 6. kamailio1 relays 200 OK to ast

Re: [SR-Users] TLS t_replicate

2015-02-24 Thread Kelvin Chua
too fast to the keyboard. nevermind this. working now Kelvin Chua On Wed, Feb 25, 2015 at 11:54 AM, Kelvin Chua wrote: > serverA listens on both UDP and TLS > serverB listens on UDP only > > client registers to serverA via UDP. > serverA uses t_replicate (;transport=udp) sends register to serve

[SR-Users] TLS t_replicate

2015-02-24 Thread Kelvin Chua
serverA listens on both UDP and TLS serverB listens on UDP only client registers to serverA via UDP. serverA uses t_replicate (;transport=udp) sends register to serverB all looks good client registers to serverA via TLS serverA uses t_replicate (;transport=udp) but no packet comes out of kamailio

Re: [SR-Users] TLS certificates per domain

2015-02-17 Thread Muhammad Shahzad
This is excellent news. The support for service side connections is good enough for me. I will test and let you know if i face any problems. Thank you very much for your help and cooperation. On Tue, Feb 17, 2015 at 12:38 AM, Daniel-Constantin Mierla < mico...@gmail.com> wrote: > Hello, > > th

Re: [SR-Users] TLS certificates per domain

2015-02-16 Thread Daniel-Constantin Mierla
Hello, the SNI (server name indication) support was available in kamailio v1.5 and then lost when the code was integrated with ser. It was on my to-do to re-add it but no time for it in the past. I just pushed a partial patch that allows to set a server_name for each TLS server domain (context) co

[SR-Users] TLS certificates per domain

2015-02-12 Thread Muhammad Shahzad
Hi, I want to deploy a kamailio v4.2.x setup with multiple domains, all resolve to same IPv4 address kamailio is listening on. I am bit confused about how to configure TLS certificates using tls config file as mentioned here, http://kamailio.org/docs/modules/4.2.x/modules/tls.html#tls.p.config T

Re: [SR-Users] TLS capture with sip_trace()

2015-01-13 Thread Daniel-Constantin Mierla
Hello, On 13/01/15 00:30, Mikko Lehto wrote: > Hi > > I am getting incorrect source port to Homer web while tracking > outgoing request from my proxy to remote SIP server. > > > Juha Heinanen wrote in another thread: > >> in case of tcp (and tls) the source port is always a random one. >> only th

[SR-Users] TLS capture with sip_trace()

2015-01-12 Thread Mikko Lehto
Hi I am getting incorrect source port to Homer web while tracking outgoing request from my proxy to remote SIP server. Juha Heinanen wrote in another thread: > in case of tcp (and tls) the source port is always a random one. > only the destination port can be predetermined. Interface capture

Re: [SR-Users] TLS enable false.

2014-12-23 Thread Corey Edwards
On Thu, Dec 18, 2014 at 9:35 AM, Thanh Truong wrote: > Hi Rob Moore, > > Yes, I have intended to use TLS in client side to verify with server side. > > I have tried to create cert files as : > Quick Certificate Howto > in http://kamailio.org/docs/modules/stable/modules/tls.html#tls.debugging > >

Re: [SR-Users] TLS enable false.

2014-12-18 Thread Thanh Truong
> TLS setup you are trying to achieve. > > > > *From:* sr-users [mailto:sr-users-boun...@lists.sip-router.org] *On > Behalf Of *Thanh Truong > *Sent:* 18 December 2014 15:28 > *To:* kamailio > *Subject:* [SR-Users] TLS enable false. > > > > Hi all, > > > &

Re: [SR-Users] TLS enable false.

2014-12-18 Thread Rob Moore
e client. I’m not an expert with TLS, but this may help depending on what type of TLS setup you are trying to achieve. From: sr-users [mailto:sr-users-boun...@lists.sip-router.org] On Behalf Of Thanh Truong Sent: 18 December 2014 15:28 To: kamailio Subject: [SR-Users] TLS enable false. Hi all,

[SR-Users] TLS enable false.

2014-12-18 Thread Thanh Truong
Hi all, I have tried several configure TLS in kamailio but no luck. Please give me some suggestion that I can make it work correctly. This is my configure in TLS module. modparam("tls", "tls_method", "SSLv23") modparam("tls", "private_key", "/usr/local/etc/kamailio/ca/privkey.pem") modparam("

[SR-Users] TLS/TCP sipping

2014-11-11 Thread Petr Wozniak
Hello, Based on my testing OPTION pings can be sent only to UDP nated clients. So it is impossible with kamailio to send OPTION pings to TCP/TLS nated clients? I found doc for some version of nathelper module where the natping_tcp parameter can be set by modparam("nathelper", "natping_

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-11 Thread Juha Heinanen
Daniel-Constantin Mierla writes: > > Are you sure you are using WSS with that config or just WS? > > The problem is I can't debug since I have no errors in regular log :( > > just seems a handshake issue > One thing I also noticed lately, if I am on https page and try to make a > ws (tcp) connec

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-11 Thread Daniel-Constantin Mierla
On 11/09/14 16:53, Manuel Camarg wrote: Daniel, websocket is not "downgradeable" under https, that's why I'm trying to make this work As I said in the first message here is the error log in the browser: In the Chrome console: /*__tsip_transport_ws_onerror */ /*__tsip_transport_ws_onclose */

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-11 Thread Daniel-Constantin Mierla
Hello, On 10/09/14 23:15, Manuel Camarg wrote: Hello Juha They why you think i'm encountering this issue based on the beginning of this topic? http://lists.sip-router.org/pipermail/sr-users/2014-September/084699.html Daniel: > However, more recent versions of browsers don't work with that an

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-11 Thread Manuel Camarg
Daniel, websocket is not "downgradeable" under https, that's why I'm trying to make this work As I said in the first message here is the error log in the browser: In the Chrome console: *__tsip_transport_ws_onerror * *__tsip_transport_ws_onclose * Regards, Manuel *Manuel Camargo* Teléfono: 6

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-11 Thread Daniel-Constantin Mierla
On 11/09/14 16:30, Manuel Camarg wrote: I used jssip during testing. It doesn't differ much from sipml5 from regular operations, but it does not work with wss (at least with my current config, the mentioned before) Are you sure you are using WSS with that config or just WS? The problem is I c

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-11 Thread Manuel Camarg
I used jssip during testing. It doesn't differ much from sipml5 from regular operations, but it does not work with wss (at least with my current config, the mentioned before) Are you sure you are using WSS with that config or just WS? The problem is I can't debug since I have no errors in regular l

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-11 Thread Daniel-Constantin Mierla
On 10/09/14 19:05, Juha Heinanen wrote: Daniel-Constantin Mierla writes: On the other hand, I remember that I tested with default example some time ago and worked. However, more recent versions of browsers don't work with that anymore. What browser (or wss client) are you using? i have used j

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-11 Thread Waite, Hugh
nt it. Regards, Hugh -Original Message- From: sr-users-boun...@lists.sip-router.org [mailto:sr-users-boun...@lists.sip-router.org] On Behalf Of Daniel-Constantin Mierla Sent: 10 September 2014 18:00 To: Juha Heinanen; Kamailio (SER) - Users Mailing List Cc: Manuel Camarg Subject: Re: [SR-

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-10 Thread Juha Heinanen
Manuel Camarg writes: > Then why you think i'm encountering this issue based on the beginning of > this topic? > http://lists.sip-router.org/pipermail/sr-users/2014-September/084699.html perhaps it has something to do with sipml5. i'm using jssip based ws client. try with the jssip demo client to

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-10 Thread Manuel Camarg
Hello Juha Then why you think i'm encountering this issue based on the beginning of this topic? http://lists.sip-router.org/pipermail/sr-users/2014-September/084699.html Daniel: > However, more recent versions of browsers don't work with that anymore Do you have an example of some functional wss

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-10 Thread Juha Heinanen
Daniel-Constantin Mierla writes: > On the other hand, I remember that I tested with default example some > time ago and worked. However, more recent versions of browsers don't > work with that anymore. What browser (or wss client) are you using? i have used jsip based web client both with firef

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-10 Thread Daniel-Constantin Mierla
On 10/09/14 18:43, Juha Heinanen wrote: Daniel-Constantin Mierla writes: The set_reply_close() should be removed from there. why is that? my wss clients are they ws (over tcp) or wss (over tls)? work fine even when i have: event_route[xhttp:request] { # Handle HTTP requests se

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-10 Thread Juha Heinanen
Daniel-Constantin Mierla writes: > The set_reply_close() should be removed from there. why is that? my wss clients work fine even when i have: event_route[xhttp:request] { # Handle HTTP requests set_reply_close(); set_reply_no_connect(); this was included in the original instr

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-10 Thread Daniel-Constantin Mierla
The set_reply_close() should be removed from there. For digest authentication, simply use the same functions as for sip (e.g., from auth/auth_db modules). Cheers, Daniel On 09/09/14 16:49, Manuel Camarg wrote: According to this article I mentioned in the beginning: http://nil.uniza.sk/sip/k

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-09 Thread Manuel Camarg
According to this article I mentioned in the beginning: http://nil.uniza.sk/sip/kamailio/configuring-kamailio-4x-websocket In http:request they do straight away the set_reply_close(); I don't know exactly if this kamailio.cfg implementation may be useful for working with WSS: event_route[xhttp:

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-08 Thread Daniel-Constantin Mierla
Hello, from the logs you sent now, it appears that you have set_reply_close() in config, therefore the connection is closed after sending the reply. Cheers, Daniel On 08/09/14 20:10, Manuel Camarg wrote: Hello Daniel: Trying it, accessing via Browser here is the log, similarities with the

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-08 Thread Manuel Camarg
Hello Daniel: Trying it, accessing via Browser here is the log, similarities with the access via SIPML5, no errors, no warnings (at least as far as I can see): DEBUG: [ip_addr.c:243]: print_ip(): tcpconn_new: new tcp connection: 123.123.123.123 DEBUG: [tcp_main.c:1096]: tcpconn_new(): tcpcon

Re: [SR-Users] TLS Handshake failing with WSS

2014-09-08 Thread Daniel-Constantin Mierla
Hello, if you run latest versions of web browsers, they become more restrictive on wss connection. Be sure that the certificate is also trusted by the web browser. You can go with the web browser to https://ipofkamailio:portforwss and see if you get any warnings there. Cheers, Daniel On 06

[SR-Users] TLS Handshake failing with WSS

2014-09-06 Thread Manuel Camarg
I'm trying to implement WSS with Kamailio Thing is that WS works fine, I've followed: http://nil.uniza.sk/sip/kamailio/configuring-kamailio-4x-websocket modparam("tls", "config", "webrtc/tls.cfg") In a tls.cfg file I have : [server:default] method = SSLv23 verify_certificate = no require_certific

Re: [SR-Users] TLS and SIP

2014-05-23 Thread Kristian Kielhofner
On Fri, May 23, 2014 at 3:10 PM, James Cloos wrote: >> "FC" == Frank Carmickle writes: > > FC> Freeswitch does support most new features of openssl 1.0.1 branch. I > FC> believe it defaults to tls1.1 currently but I believe the goal is to > FC> only enable tls1.2, with ECDHE+AES128 by defaul

Re: [SR-Users] TLS and SIP

2014-05-23 Thread James Cloos
> "FC" == Frank Carmickle writes: FC> Freeswitch does support most new features of openssl 1.0.1 branch. I FC> believe it defaults to tls1.1 currently but I believe the goal is to FC> only enable tls1.2, with ECDHE+AES128 by default. You can certainly FC> ask it to do what ever openssl supp

Re: [SR-Users] TLS and SIP

2014-05-23 Thread James Cloos
> "JC" == James Cloos writes: JC> Good point. A quick test shows that contacting asterisk-11 over tls/tcp JC> negotiates rsa key exchange; kamailio does better and agrees to ECDHE-RSA. JC> If the trace is of kama talking to asterisk ephemeral is not likely. Sorry. I forgot which thread th

Re: [SR-Users] TLS and SIP

2014-05-23 Thread Frank Carmickle
On May 23, 2014, at 12:43 PM, James Cloos wrote: >> "FC" == Frank Carmickle writes: > > JC>> If you record the full packet trace, wireshark can use your privkey.pem > JC>> to decode the tls handshake, recover the session key, and use that to > JC>> decode the payload packets. > > FC> This

Re: [SR-Users] TLS and SIP

2014-05-23 Thread James Cloos
> "FC" == Frank Carmickle writes: JC>> If you record the full packet trace, wireshark can use your privkey.pem JC>> to decode the tls handshake, recover the session key, and use that to JC>> decode the payload packets. FC> This is true if you are not using an ephemeral Diffie Hellman cypher

Re: [SR-Users] TLS and SIP

2014-05-23 Thread Frank Carmickle
On May 22, 2014, at 6:46 PM, James Cloos wrote: > > If you record the full packet trace, wireshark can use your privkey.pem > to decode the tls handshake, recover the session key, and use that to > decode the payload packets. > > Cf http://wiki.wireshark.org/SSL for details. This is true if y

Re: [SR-Users] TLS and SIP

2014-05-22 Thread James Cloos
> "FB" == Fabian Borot writes: FB> modparam("tls", "private_key", "./privkey.pem") FB> I see some encrypted packets from kamailio to the client but I don't FB> know what is inside. Any help would be very appreciated. If you record the full packet trace, wireshark can use your privkey.pem t

[SR-Users] TLS connection with short lifetime - how to handle it?

2014-04-07 Thread Dmytro Bogovych
Greetings. I have the next problem: iOS based clients connect via TLS to kamailio server. They run mostly in background mode - it means connection refresh interval is ~10 minutes. Some of clients reside behind paranoid routers which consider such idle connections as lost and close them. I see o
