Re: [SR-Users] Unable to enable TLS on Kamailio

2017-12-12 Thread otron2...@gmail.com

Broken is in the eye of the beholder: well-designed cryptographic code wants 
to ensure that information (keys, cleartext) doesn't leak via unsanitized 
memory (there are many ways, both within and beyond calling programs); the easy 
and more foolproof way to do that for the cryptography programmer is often to 
use a memory manager that takes care of that, such as jemalloc (with 
appropriate configuration parameters).

If you make security representations (and the certificate is reasonably 
construed to make a security representation) you shouldn't bypass this unless 
you verify that you prevent all possible information leaks. 

From arm's length, you might just try to use jemalloc as kamailio's mm library, 
but even there it would be necessary to be really careful about kamailio 
freeing sensitive memory immediately after use--everywhere that happens. 
That's why it's probably easier to just let a properly implemented crypto 
library do what it's designed to do. 


Sent from Samsung Mobile

 Original message 
From: Daniel-Constantin Mierla  
Date: 12/12/2017  2:26 AM  (GMT-06:00) 
To: "Kamailio (SER) - Users Mailing List" ,Tomi 
Hakkarainen  
Subject: Re: [SR-Users] Unable to enable TLS on Kamailio 
 
Hello,

there were some broken versions of openssl that no longer allowed setting a 
custom memory manager. The only option is to upgrade libssl to a version that 
doesn't expose the issue. If you search on the kamailio issues tracker on 
github.com, there should be one closed about this topic.

Cheers,
Daniel

On 11.12.17 22:20, Tomi Hakkarainen wrote:
Hi,
  
I have a problem enabling TLS on a just-installed Kamailio server 
openSUSE 42.3 (x86_64)
VERSION = 42.3
CODENAME = Malachite

version: kamailio 5.0.4 (x86_64/linux) 
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, DISABLE_NAGLE, 
USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, 
TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX,   FAST_LOCK-ADAPTIVE_WAIT, 
USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, 
MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown 
compiled on 18:06:25 Dec  3 2017 with gcc 4.8.5

I get this on debug log:

 0(11336) DEBUG:  [core/cfg.y:1642]: yyparse(): loading modules   
under /usr/lib64/kamailio/modules/
loading modules under config path: /usr/lib64/kamailio/modules/
 0(11336) DEBUG:  [core/cfg.y:1623]: yyparse(): loading module tls.so
 0(11336) DEBUG:  [core/sr_module.c:575]: load_module(): trying to load 

 0(11336) DEBUG:  [core/mem/q_malloc.c:189]: qm_malloc_init(): 
qm_malloc_init: QM_OPTIMIZE=16384, /ROUNDTO=2048
 0(11336) DEBUG:  [core/mem/q_malloc.c:191]: qm_malloc_init(): 
qm_malloc_init: QM_HASH_SIZE=2099, qm_block size=235152
 0(11336) DEBUG:  [core/mem/q_malloc.c:193]: qm_malloc_init(): 
qm_malloc_init(0x7f6e001cb000, 67108864), start=0x7f6e001cb000
 0(11336) DEBUG:  [core/mem/q_malloc.c:202]: qm_malloc_init(): 
qm_malloc_init: size= 67108864, init_overhead=235256
 0(11336) ERROR: tls [tls_init.c:595]: tls_pre_init(): Unable to set the memory 
allocation functions
 0(11336) ERROR: tls [tls_init.c:597]: tls_pre_init(): libssl current mem 
functions - m: 0x7f6e055b33d0 r: 0x7f6e055b3a30 f: 0x7f6e055b39a0
 0(11336) ERROR: tls [tls_init.c:599]: tls_pre_init(): Be sure tls module is 
loaded before any other module using libssl (can be loaded first to be safe)
 0(11336) ERROR:  [core/sr_module.c:607]: load_module():   
/usr/lib64/kamailio/modules/tls.so: mod_register failed
 0(11336) CRITICAL:  [core/cfg.y:3411]: yyerror_at(): parse error in 
config file /etc/kamailio/kamailio.cfg, line 150, column 12-19: 
failed to load module

To resolve it I have compiled openssl from 1.0.2j-fips to

openssl version
OpenSSL 1.0.2n  7 Dec 2017

Is this information enough to see what we are missing? 
Will provide more info if needed.
Any help and suggestions are appreciated.

Regards, 
T

___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
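Daniel's point about the allocator hook and the point above about scrubbing sensitive memory, shown together as an added C example that is not Kamailio or OpenSSL code: every name in it (lib_set_mem_functions, lib_malloc, scrub_alloc, demo_sequence) is a hypothetical model. The library refuses a new allocator once it has handed out its first block, which is the "Unable to set the memory allocation functions" situation in the log, and the scrubbing allocator zeroes each block before returning it to the heap.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of a crypto library's allocator hook (not OpenSSL or
 * Kamailio code): once any block has been handed out, switching allocators is
 * refused, the "Unable to set the memory allocation functions" case above. */
typedef void *(*alloc_fn)(size_t);
typedef void (*free_fn)(void *);
static alloc_fn cur_alloc = malloc;
static free_fn cur_free = free;
static int allow_customize = 1;   /* cleared on first allocation */
static size_t bytes_scrubbed = 0; /* counter that makes scrubbing observable */
/* Returns 1 on success, 0 if the library already allocated memory. */
int lib_set_mem_functions(alloc_fn a, free_fn f) {
    if (!allow_customize) return 0;
    cur_alloc = a; cur_free = f;
    return 1;
}
void *lib_malloc(size_t n) {
    allow_customize = 0; /* hook is locked from the first allocation on */
    return cur_alloc(n);
}
void lib_free(void *p) { cur_free(p); }
/* Scrubbing allocator: a size header lets free zero the whole block before
 * returning it, so key material does not linger in recycled heap memory. */
void *scrub_alloc(size_t n) {
    size_t *hdr = malloc(sizeof(size_t) + n);
    if (!hdr) return NULL;
    *hdr = n;
    return hdr + 1;
}
void scrub_free(void *p) {
    if (!p) return;
    size_t *hdr = (size_t *)p - 1;
    volatile unsigned char *v = p; /* volatile: zeroing is not optimised away */
    for (size_t i = 0; i < *hdr; i++) v[i] = 0;
    bytes_scrubbed += *hdr;
    free(hdr);
}
size_t scrubbed_total(void) { return bytes_scrubbed; }
/* Install the scrubbing allocator first (accepted), use and free a 32-byte
 * key buffer (scrubbed), then try to switch allocators again (refused). */
int demo_sequence(void) {
    int first = lib_set_mem_functions(scrub_alloc, scrub_free);
    unsigned char *key = lib_malloc(32);
    if (!key) return 0;
    memset(key, 0x4b, 32);
    lib_free(key);
    return first == 1 && scrubbed_total() == 32 && lib_set_mem_functions(malloc, free) == 0;
}
```

Loading the tls module first is what keeps the real hook in the "accepted" state; anything that allocates through libssl earlier moves it to the "refused" state for the rest of the process lifetime.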


Re: [SR-Users] Exec - call python script with arguments

2017-12-11 Thread otron2...@gmail.com
Probably not the problem, though it could be. Try:

"python /usr/local/etc/kamailio/script.py arg1 arg2 arg3"

instead--kamailio doesn't have your shell env and might not pass the script to 
python even if the script has the #! declaration. 

Also, if you pasted the exact command I think there's no space between .py and 
arg1 (or that could just be my phone).

Hth.


Sent from Samsung Mobile

 Original message 
From: "Daniel W. Graham"  
Date: 12/10/2017  1:04 PM  (GMT-06:00) 
To: "Kamailio (SER) - Users Mailing List"  
Subject: [SR-Users] Exec - call python script with arguments 
 
Trying to call a python script using exec_msg and haven’t had any luck.
 
The following works:
exec_msg("echo 'TEST' > /usr/local/etc/kamailio/test.txt");
 
The following works from shell:
/usr/local/etc/kamailio/script.py arg1 arg2 arg3
 
The following does not work from kamailio:
exec_msg("/usr/local/etc/kamailio/script.py arg1 arg2 arg3");
 
(The arguments are just strings for test purposes)
 
Kamailio is running as kamailio user

Permissions:
755 script.py
 
Any idea what could be going wrong?
 
-dan


Re: [SR-Users] Using SIP tools through Kamailio and Asterisk - chrome issue.

2017-11-28 Thread otron2...@gmail.com
Through Firefox likely means via websockets (wss) rather than via the sip port. 
  Many things could interfere with the latter.   Take heart, though: websockets 
is harder to set up so you're likely through the worst.

Look at logs and see what iftop shows you about traffic on the server as you 
try to make sip connections.  Also try your sip client with a known-good sip 
server (e.g. Iptel) just to make sure the problem isn't with the client. 


 Original message 
From: "Wilkins, Steve"  
Date: 11/28/2017  6:39 AM  (GMT-08:00) 
To: "Kamailio (SER) - Users Mailing List"  
Subject: [SR-Users] Using SIP tools through Kamailio and Asterisk - chrome  
issue. 
 
Has anyone seen the issue where, when using a sip tool and going from Kamailio 
to Asterisk, that audio and video won’t work, yet it works fine through 
Firefox? I am almost sure this not an issue with Kamailio, but I am pretty new 
to SIP and don’t know 100% for sure.
 
Thank you


Re: [SR-Users] sipML5 through kamailio

2017-11-24 Thread otron2...@gmail.com
"So, tls is required for wss?"

Yes, as of the last rfc.  It can work without it if the client software 
(browser) will accept it though by now most will treat it as insecure.  I 
forget whether sipML5 will but my guess would be no. 

 Original message 
From: "Wilkins, Steve"  
Date: 11/24/2017  9:57 AM  (GMT-08:00) 
To: "Kamailio (SER) - Users Mailing List"  
Subject: Re: [SR-Users] sipML5 through kamailio 
 
Hello SamyGo,
 
So, tls is required for wss?  I thought that when I set a listen to 
Kamailio-Server-IPAddress:10443 and I sent a request through that IP and Port, 
that Kamailio would at least see the request and attempt to do something with 
it.  I will go add tls and try again.  Thank you!
 
From: sr-users [mailto:sr-users-boun...@lists.kamailio.org] On Behalf Of SamyGo
Sent: Thursday, November 23, 2017 12:40 PM
To: Kamailio (SER) - Users Mailing List 
Subject: Re: [SR-Users] sipML5 through kamailio
 
Can you clarify the IP addressing scheme you've mentioned. There is no TLS 
interface?
Advertised address for 5060 but not for the WSS interface. Both listen and 
advertise are public IPs?
Also, you're handling WSS requests. Do you have xlog lines in the 
route[xhttp:request] to view when a request lands?
 
My config has this:
 
#!substdef "!MY_IP_ADDR!123.134.156.167!g"
#!substdef "!MY_WS_PORT!6010!g"
#!substdef "!MY_WSS_PORT!6011!g"
 
listen=tcp:MY_IP_ADDR:MY_WS_PORT
listen=tls:MY_IP_ADDR:MY_WSS_PORT
 
Then the xhttp event route:
 
```
event_route[xhttp:request] {
        set_reply_close();
        set_reply_no_connect();

        #Deny any HTTP requests on any port other than WS/WSS ports.
        if ($Rp != MY_WS_PORT && $Rp != MY_WSS_PORT ) {
                xlog("L_WARN", "HTTP request received on $Rp\n");
                xhttp_reply("403", "Forbidden", "", "");
                exit;
        }

        #Handle HTTP(s) onwards.
        xlog("L_INFO", "HTTP Request Received\n");
}
```
 
 
On Thu, Nov 23, 2017 at 12:18 PM, Wilkins, Steve  wrote:
Hi Sammy,
 
First of all, thank you for taking the time to respond.
 
Yes, port 10443 is opened.  I have used this port before as asterisk’s WebRTC 
port and iptables shows it as open.  No, I can’t even get a registration using 
the configuration I listed.  I have an xdbg log statement right after the 
request_route, and I see nothing.  I do know that my xdbg logs are working 
though because, if I register or make a call using any sip tool, I see all my 
logging and everything works correctly.
 
-Steve
 
From: sr-users [mailto:sr-users-boun...@lists.kamailio.org] On Behalf Of SamyGo
Sent: Thursday, November 23, 2017 12:00 PM
To: Kamailio (SER) - Users Mailing List 
Subject: Re: [SR-Users] sipML5 through kamailio
 
Hi Steve,
Can you confirm that port 10443 is reachable behind the NAT to the Kamailio 
server; validate iptables too. Does your SIPml5 demo client register 
successfully to Kamailio? Are there enough xlog lines to print out if anything 
lands in Kamailio?
 
Regards,
Sammy
 
 
 
On Thu, Nov 23, 2017 at 11:34 AM, Wilkins, Steve  wrote:
Hello,
 
I am attempting to use sipML5 to test WebRTC.  I have not been successful in 
getting messages through to Kamailio though. I am running Kamailio 5.0.3 on 
CentOS 7.
 
My listen lines in the kamailio configuration file are =>
listen=tcp:112.22.3.108:5060 advertise 34.226.187.61:5060
listen=udp:112.22.3.108:5060 advertise 34.226.187.61:5060
listen=tcp:112.22.3.108:10443 (which I will use in the sipML5 Expert mode)
 
My sipML5 settings are =>
Public Identity - sip:user1@112.22.3.108
Realm - 112.22.3.108
 
Expert mode settings are =>
WebSocket Server URL - wss://112.22.3.108:10443 (I have also tried 
wss://112.22.3.108:10443/ws)
SIP outbound Proxy URL - udp://112.22.3.108:5060 (I have also left this blank)
 
When I make a call I see no Kamailio activity (I have logging at the start of 
request_route) so I am not sure where the configuration error is.  If I change 
the sipML5 configuration IP Address to use the asterisk IP Address, sipML5 
works.  My goal is to go WebRTC Client => Kamailio => Asterisk and eventually 
through some sort of media proxy.
 
Thank you,
-Steve
 
 


 




Re: [SR-Users] Cannot disable EC Diffie Hellman cipher suite

2017-11-24 Thread otron2...@gmail.com
Just a guess but maybe later entries [like +HIGH:+MEDIUM:+LOW] put it back.  
Try switching the order so that !ECDHE and the others you're trying to exclude 
come after. 

Sent from Samsung Mobile

 Original message 
From: Ilyas Keskin  
Date: 11/24/2017  10:19 AM  (GMT-08:00) 
To: mico...@gmail.com,"Kamailio (SER) - Users Mailing List" 
 
Subject: Re: [SR-Users] Cannot disable EC Diffie Hellman cipher suite 
 
Hi Daniel,

yes, I am using the tls.cfg file. I tried your suggestion to add the cipher 
suite string (notice the !ECDHE which I also added to the httpd ssl.conf) but 
nothing changed.
    [server:default]
    method = TLSv1
    cipher_list = !DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    verify_certificate = no
    require_certificate = no
    private_key = /etc/letsencrypt/live/webrtc.ddnss.de/privkey.pem
    certificate = /etc/letsencrypt/live/webrtc.ddnss.de/fullchain.pem
    #ca_list = ./modules/tls/cacert.pem
    #crl = ./modules/tls/crl.pem

Also here is a log snippet from the tls module section of kamailio initialization. 
Notice the first two lines. Also it seems to me the module actually ignores the 
local openssl installation and uses its own which has been compiled with the 
module itself (?). 
Other than that it seems to be accepting the cipher_list value just fine:
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
[tls_mod.c:355]: mod_init(): With ECDH-Support!
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
[tls_mod.c:358]: mod_init(): With Diffie Hellman
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
[tls_init.c:587]: init_tls_h(): tls: _init_tls_h:  compiled  with  openssl  
version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), kerberos support: on, 
compression: on
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
[tls_init.c:595]: init_tls_h(): tls: init_tls_h: installed openssl library 
version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), kerberos support: on,  
zlib compression:
    compiler: gcc -I. -I.. 
-I../include  -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT 
-DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall 
-Wp,-D_
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tls 
[tls_init.c:649]: init_tls_h(): tls: openssl bug #1491 (crash/mem leaks on low 
memory) workaround enabled (on low memory   tls operations will fail 
preemptively) with free
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO:  
[cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now(): tls.low_mem_threshold1 
has been changed to 7864320
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO:  
[cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now(): tls.low_mem_threshold2 
has been changed to 3932160
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm [tm.c:594]: 
fixup_routes(): WARNING: t_on_branch("MANAGE_BRANCH"): empty/non existing route
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm [tm.c:594]: 
fixup_routes(): WARNING: t_on_reply("MANAGE_REPLY"): empty/non existing route
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm [tm.c:594]: 
fixup_routes(): WARNING: t_on_failure("MANAGE_FAILURE"): empty/non existing 
route
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO:  
[udp_server.c:175]: probe_max_receive_buffer(): SO_RCVBUF is initially 212992
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO:  
[udp_server.c:225]: probe_max_receive_buffer(): SO_RCVBUF is finally 425984
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
[tls_domain.c:275]: fill_missing(): TLSs: tls_method=12
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
[tls_domain.c:287]: fill_missing(): TLSs: 
certificate='/etc/letsencrypt/live/webrtc.ddnss.de/fullchain.pem'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
[tls_domain.c:294]: fill_missing(): TLSs: ca_list='(null)'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
[tls_domain.c:301]: fill_missing(): TLSs: crl='(null)'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
[tls_domain.c:305]: fill_missing(): TLSs: require_certificate=0
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
[tls_domain.c:312]: fill_missing(): TLSs: 
cipher_list='!DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
[tls_domain.c:319]: fill_missing(): TLSs: 
private_key='/etc/letsencrypt/live/webrtc.ddnss.de/privkey.pem'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
[tls_domain.c:323]: fill_missing(): TLSs: verify_certificate=0
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls 
[tls_domain.c:326]: fill_missing(): TLSs: verify_depth=9