[SR-Users] show final SIP INVITE before going out

[marek via sr-users]

hi,

i have kamailio with TLS
i dont have homer and voipmonitor with TLS decryption doesnt work

how can i check final SIP INVITE (after all rewrites/modifications) 
before is send to the peer?


tried
onsend_route {
  if ($rm == "INVITE") {
    xlog("L_INFO", "Final SIP Message before 
Sending: $mbu\n");

  }
}

but record-route/via are different than reality (checked with sngrep 
with TLS disabled)


kamailio log
 Record-Route:  Via: SIP/2.0/UDP 
9.9.9.9;branch=z9hG4bKsr-2y7Ud3XCMD4N6Vi8M-iCM-XGdWSBMDGzuhJZu-iGMh9ztEu7q.


10.10.10.10 - private kamailio ip (fictional)
30.30.30.30 - ip of  SIP PBX (caller)
9.9.9.9 - public kamailio ip

Marek
__
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-le...@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the 
sender!
Edit mailing list options or unsubscribe:

[SR-Users] Re: topology hiding with active dispatcher ip

[marek via sr-users]

thanks


because of "There is also a limitation regarding the use of the 
“msg_apply_changes()” function together with the “uac_replace_*” 
functions for messages that are loose-routed (e.g. Re-INVITE requests). 
In this case you need to call the “loose_route()” function after the 
replace and msg_apply_changes. Otherwise Kamailio can create replies 
with wrong From/To headers (e.g. for the 100 - Trying reply in the 
Re-INVITE example)."


can you confirm the correct practice is


   ...
  ds_select_dst(TRUNK, "6");
  uac_replace_to("sip:" + $tU + "@" + $dd);
  msg_apply_changes();
  loose_route();
  ...
  record_route();
  xlog("L_NOTICE", "tu $tu \n");
  route(RELAY);


or is it better use restore_mode =AUTO + dialog ?

Marek


Dne 2024-03-11 v 19:32 Alex Balashov via sr-users napsal(a):

You can obtain the destination set IP from $dd, or $(du{uri.host}). However, 
you can't just modify the To URI like that.

You will need to do it in a way that doesn't break standards-based proscriptions about 
what a proxy can do, otherwise endpoint A can look at the modified header received in 
responses from endpoint B and say, "I didn't send that!"

Kamailio provides such a mechanism. In brief, it conceals the in-flight 
alterations to the To URI from endpoint A:

https://kamailio.org/docs/modules/5.8.x/modules/uac.html#uac.f.uac_replace_to

-- Alex

On 11 Mar 2024, at 12:43, marek via sr-users  
wrote:


hi,

i have kamailio acting as SBC

i need hide topology like this

ds_select_dst(DSP_GRP_TRUNK, "6");

$tu = $(tu{re.subst,/PRIVATE_IP/IP_OF_CURRENT_SELECTED_DISPATCHER/g});


what is best way for IP extraction  from $du?

thanks

Marek

__
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-le...@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the 
sender!
Edit mailing list options or unsubscribe:

__
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-le...@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the 
sender!
Edit mailing list options or unsubscribe:

[SR-Users] topology hiding with active dispatcher ip

[marek via sr-users]

hi,

i have kamailio acting as SBC

i need hide topology like this

ds_select_dst(DSP_GRP_TRUNK, "6");

$tu = $(tu{re.subst,/PRIVATE_IP/IP_OF_CURRENT_SELECTED_DISPATCHER/g});


what is best way for IP extraction  from $du?

thanks

Marek

__
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-le...@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the 
sender!
Edit mailing list options or unsubscribe:

[SR-Users] dispatcher - sip options per gw

[marek via sr-users]

hi,

i have kamailio gw (5.6.x) for voxbone. dispatcher module

voxbone has separated inbound/outboud and prohibit sip options to 
"inbound" IP



#traffic from voxbone

20 sip:81.201.82.45:5060;transport=udp 1 0 duid=abc;socket=udp:x.x.x.x:5060

#traffic TO voxbone

30 sip:81.201.89.110:5060;transport=udp 0 0 duid=abc;socket=udp:x.x.x.x:5060


is it possible send sip options per GW with dispatcher module?

i tried flag "1 (bit at index 0 - 1 <<0) - inactive destination"

https://www.kamailio.org/docs/modules/devel/modules/dispatcher.html#idm1059


Marek

__
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-le...@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the 
sender!
Edit mailing list options or unsubscribe:

[SR-Users] Re: force TLS RSA cipher suite (SOLVED)

[marek via sr-users]

good catch. thanks

for the record

ECC

[root@sbc live]# openssl x509 -text -noout -in /etc/letsencrypt/live/domain>/fullchain.pem |grep -i "Public Key Algorithm"

    Public Key Algorithm: id-ecPublicKey

certbot certonly --key-type rsa --cert-name  --manual 
--preferred-challenges dns


RSA

[root@sbc live]# openssl x509 -text -noout -in /etc/letsencrypt/live/domain>/fullchain.pem |grep -i "Public Key Algorithm"

    Public Key Algorithm: rsaEncryption


but there was another problem

modparam("tls", "cipher_list", "RSA") from 
https://kamailio.org/docs/modules/5.7.x/modules/tls.html#tls.p.cipher_list


does nothing

 0(2294) INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing(): 
TLSs: cipher_list='(null)'



valid option is in tls.cfg

cipher_list = RSA

0(2328) INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing(): 
TLSs: cipher_list='RSA'



  ServerHello
    Version 3.3
    session_id[0]=
    cipherSuite TLS_RSA_WITH_AES_256_GCM_SHA384

Marek Cervenka


Dne 2024-01-10 v 13:06 Lukas Tribus napsal(a):



On Wednesday 10 January 2024, marek via sr-users 
 wrote:


hi,

i'm trying force cipher list through options like

modparam("tls", "cipher_list", "TLS_RSA_WITH_AES_256_CBC_SHA256")

modparam("tls", "cipher_list", "RSA")


You are trying a RSA cipher.


...


but

ssldump -i enp2s0 port 5061  shows every time

  ServerHello
    Version 3.3


In TLS 1.2



    session_id[0]=
    cipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384


But the negotiated cipher suggest that you have an ECC certificate.

In TLSv1.2 and older, ciphers available are dependent on the 
certificate type (RSA vs ECC).


In TLSv1.3 its all different again and the certificate doesn't matter 
for cipher negotiation.


Get a RSA (2048bit) certificate instead of a ECC one from Let's 
Encrypt, then you should be able to use those ciphers.




Lukas__
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-le...@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the 
sender!
Edit mailing list options or unsubscribe:

[SR-Users] force TLS RSA cipher suite

[marek via sr-users]

hi,

i'm trying force cipher list through options like

modparam("tls", "cipher_list", "TLS_RSA_WITH_AES_256_CBC_SHA256")

modparam("tls", "cipher_list", "RSA")

...


but

ssldump -i enp2s0 port 5061  shows every time

  ServerHello
    Version 3.3
    session_id[0]=
    cipherSuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

i tried lower crypto policy to LEGACY. nothing changed

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening


certificates are from Lets Encrypt if that does matter

OS Rocky9(RHEL9), kamailio 5.7.3 from official repo


any ideas/tips?

thanks

Marek


__
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-le...@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the 
sender!
Edit mailing list options or unsubscribe:

[SR-Users] Re: kemi python3s - module 'KSR' has no attribute 'nathelper' (SOLVED)

[marek via sr-users]

it was my mistake

there must be

#!define WITH_NAT in downloaded 
https://github.com/kamailio/kamailio/blob/master/misc/examples/kemi/kamailio-basic-kemi.cfg



Marek

Dne 2023-12-22 v 11:36 marek napsal(a):

hi,

trying kamailio 5.7.3 with KEMI pythons3s

sample from 
https://github.com/kamailio/kamailio/blob/master/misc/examples/kemi/kamailio-basic-kemi-python3s.py


trying simple register with sipsak

sipsak -U  --sip-uri "sip:cerv...@kamailio.example.com"  -u cervajs -a 
top_secret



 4(28805) ERROR: PY8 {REGISTER}: app_python3s [apy3s_kemi.c:141]: 
apy3s_exec_func(): error exception occurred
 4(28805) ERROR: PY8 {REGISTER}: app_python3s [apy3s_exception.c:167]: 
apy3s_handle_exception(): apy3s_exec_func: ksr_request_route((null)): 
Unhandled exception in the Python code:

Traceback (most recent call last):
  File "/etc/kamailio/kamailio.py", line 31, in ksr_request_route
    if ksr_route_natdetect()==-255 :
  File "/etc/kamailio/kamailio.py", line 238, in ksr_route_natdetect
    if KSR.nathelper.nat_uac_test(19)>0 :
AttributeError: module 'KSR' has no attribute 'nathelper'


i see nat_uac_test in doc

https://kamailio.org/docs/tutorials/5.7.x/kamailio-kemi-framework/modules/#ksrnathelpernat_uac_test 




any tips/ideas?


happy christmas

Marek


__
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-le...@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the 
sender!
Edit mailing list options or unsubscribe:

[SR-Users] kemi python3s - module 'KSR' has no attribute 'nathelper'

[marek via sr-users]

hi,

trying kamailio 5.7.3 with KEMI pythons3s

sample from 
https://github.com/kamailio/kamailio/blob/master/misc/examples/kemi/kamailio-basic-kemi-python3s.py


trying simple register with sipsak

sipsak -U  --sip-uri "sip:cerv...@kamailio.example.com"  -u cervajs -a 
top_secret



 4(28805) ERROR: PY8 {REGISTER}: app_python3s [apy3s_kemi.c:141]: 
apy3s_exec_func(): error exception occurred
 4(28805) ERROR: PY8 {REGISTER}: app_python3s [apy3s_exception.c:167]: 
apy3s_handle_exception(): apy3s_exec_func: ksr_request_route((null)): 
Unhandled exception in the Python code:

Traceback (most recent call last):
  File "/etc/kamailio/kamailio.py", line 31, in ksr_request_route
    if ksr_route_natdetect()==-255 :
  File "/etc/kamailio/kamailio.py", line 238, in ksr_route_natdetect
    if KSR.nathelper.nat_uac_test(19)>0 :
AttributeError: module 'KSR' has no attribute 'nathelper'


i see nat_uac_test in doc

https://kamailio.org/docs/tutorials/5.7.x/kamailio-kemi-framework/modules/#ksrnathelpernat_uac_test


any tips/ideas?


happy christmas

Marek

__
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-le...@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the 
sender!
Edit mailing list options or unsubscribe:

[SR-Users] Re: RPM Repos Maintenance Needed

[marek via sr-users]

it looks like the service is completely down

[marek@gk:develop]$ telnet rpm.kamailio.org 443
Trying 76.9.245.163...
telnet: connect to address 76.9.245.163: Connection refused

Sergey, can you confirm that the problem is on hosting infrastructure side?

if so, do you have any idea when you'll get to it?

thanks

Marek


Dne 2023-10-26 v 20:27 tyler moore via sr-users napsal(a):


Hi All,

I started a discussion on the matrix channel about some 404 RPM repos 
and wanted to bring it here to further discuss.
We typically configure our various RPM-based package managers to allow 
patch updates from the repos.

As an example, if trying to install 5.7.x, can be done as follows:

|yum -y install yum-utils yum-config-manager --add-repo 
https://rpm.kamailio.org/centos/kamailio.repo yum-config-manager 
--disable \* yum-config-manager --enable kamailio-5.7 yum install 
kamailio |


This will fail though because 
https://rpm.kamailio.org/centos/7/5.7/5.7/x86_64/ does not exist.
Throughout the repos for centos/rhel/fedora I found the existence of 
packages is inconsistent.
We can tell the intention was to allow the above behavior as the 
kamailio.repo comes with the above configuration.

The above example will update /etc/yum.repos.d/kamailio.repo as follows:

|[kamailio-5.7] name=Kamailio - 5.7 - Packages for the latest Kamailio 
5.7 release 
baseurl=https://rpm.kamailio.org/centos/$releasever/5.7/5.7/$basearch/ 
enabled=1 metadata_expire=30d repo_gpgcheck=0 
gpgkey=https://rpm.kamailio.org/rpm-pub.key type=rpm 
skip_if_unavailable=True |


That is for centos though, and I found that some of the other distros 
have incomplete kamailio.repo files as well.
In example, the rhel kamailio.repo is missing separate entries for 
5.7, but it does exist in the centos version.


Looks like some small cleanup is in order to make the end user 
experience more consistent.
I believe sergey was maintaining those repos last, please chime in 
here if you can.

If needed I can pick up some of those responsibilities as well.

--

Regards,

*Tyler Moore* 
Full Stack Software Engineer 


Flyball Labs 
Office: 888-907-2085, ext: 34 
Cell: 248-909-2769 
Email: tmo...@goflyball.com

FLYBALL TECHNICAL SOLUTIONS, LLC 
​
--
Tyler Moore

Regards,

*Tyler Moore* 
Full Stack Software Engineer 


Flyball Labs 
Office: 888-907-2085, ext: 34 
Cell: 248-909-2769 
Email: tmo...@goflyball.com

FLYBALL TECHNICAL SOLUTIONS, LLC 

__
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email tosr-users-le...@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the 
sender!
Edit mailing list options or unsubscribe:__
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-le...@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the 
sender!
Edit mailing list options or unsubscribe: