Re: [SR-Users] Unable to enable TLS on Kamailio
Broken is in the eyes of the beholder: well designed cryptographic code wants to ensure that information (keys, cleartext) doesn't leak via unsanitized memory (there are many ways, both within and beyond calling programs); the easy and more foolproof way to do that for the cryptography programmer is often to use a memory manager that takes care of that, such as jemalloc (with appropriate configuration parameters). If you make security representations (and the certificate is reasonably construed to make a security representation) you shouldn't bypass this unless you verify that you prevent all possible information leaks.

From arm's length, you might just try to use jemalloc as kamailio's mm library, but even there it would be necessary to be really careful about kamailio freeing sensitive memory immediately after use--everywhere that happens. That's why it's probably easier to just let a properly implemented crypto library do what it's designed to do.

Sent from Samsung Mobile

Original message
From: Daniel-Constantin Mierla
Date: 12/12/2017 2:26 AM (GMT-06:00)
To: "Kamailio (SER) - Users Mailing List", Tomi Hakkarainen
Subject: Re: [SR-Users] Unable to enable TLS on Kamailio

Hello,

there were some broken versions of openssl that didn't allow anymore to set custom memory manager. The only option is to upgrade libssl to a version that doesn't expose the issue. If you search on kamailio issues tracker on github.com, there should be one closed about this topic.

Cheers,
Daniel

On 11.12.17 22:20, Tomi Hakkarainen wrote:

Hi,

I have problem to enable TLS on just installed Kamailio server

```
openSUSE 42.3 (x86_64)
VERSION = 42.3
CODENAME = Malachite

version: kamailio 5.0.4 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled on 18:06:25 Dec 3 2017 with gcc 4.8.5
```

I get this on debug log:

```
0(11336) DEBUG: [core/cfg.y:1642]: yyparse(): loading modules under /usr/lib64/kamailio/modules/
loading modules under config path: /usr/lib64/kamailio/modules/
0(11336) DEBUG: [core/cfg.y:1623]: yyparse(): loading module tls.so
0(11336) DEBUG: [core/sr_module.c:575]: load_module(): trying to load
0(11336) DEBUG: [core/mem/q_malloc.c:189]: qm_malloc_init(): qm_malloc_init: QM_OPTIMIZE=16384, /ROUNDTO=2048
0(11336) DEBUG: [core/mem/q_malloc.c:191]: qm_malloc_init(): qm_malloc_init: QM_HASH_SIZE=2099, qm_block size=235152
0(11336) DEBUG: [core/mem/q_malloc.c:193]: qm_malloc_init(): qm_malloc_init(0x7f6e001cb000, 67108864), start=0x7f6e001cb000
0(11336) DEBUG: [core/mem/q_malloc.c:202]: qm_malloc_init(): qm_malloc_init: size= 67108864, init_overhead=235256
0(11336) ERROR: tls [tls_init.c:595]: tls_pre_init(): Unable to set the memory allocation functions
0(11336) ERROR: tls [tls_init.c:597]: tls_pre_init(): libssl current mem functions - m: 0x7f6e055b33d0 r: 0x7f6e055b3a30 f: 0x7f6e055b39a0
0(11336) ERROR: tls [tls_init.c:599]: tls_pre_init(): Be sure tls module is loaded before any other module using libssl (can be loaded first to be safe)
0(11336) ERROR: [core/sr_module.c:607]: load_module(): /usr/lib64/kamailio/modules/tls.so: mod_register failed
0(11336) CRITICAL: [core/cfg.y:3411]: yyerror_at(): parse error in config file /etc/kamailio/kamailio.cfg, line 150, column 12-19: failed to load module
```

For resolving this, I have compiled openssl from 1.0.2j-fips to:

```
openssl version
OpenSSL 1.0.2n 7 Dec 2017
```

Is this information enough to see what we are missing? Will provide more info if needed.

Any help and suggestions are appreciated.

Regards,
T

___
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

--
Daniel-Constantin Mierla
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - www.asipto.com
Kamailio World Conference - May 14-16, 2018 - www.kamailioworld.com
Re: [SR-Users] Exec - call python script with arguments
Probably not the problem though it could be. ...try: "python /usr/local/etc/kamailio/script.py arg1 arg2 arg3" instead--kamailio doesn't have your shell env and might not pass the script to python even if the script has the #! declaration. Also, if you pasted the exact command I think there's no space between .py and arg1 (or that could just be my phone). Hth.

Sent from Samsung Mobile

Original message
From: "Daniel W. Graham"
Date: 12/10/2017 1:04 PM (GMT-06:00)
To: "Kamailio (SER) - Users Mailing List"
Subject: [SR-Users] Exec - call python script with arguments

Trying to call a python script using exec_msg and haven’t had any luck.

The following works:

```
exec_msg("echo ‘TEST’ > /usr/local/etc/kamailio/test.txt");
```

The following works from shell:

```
/usr/local/etc/kamailio/script.py arg1 arg2 arg3
```

The following does not work from kamailio:

```
exec_msg("/usr/local/etc/kamailio/script.py arg1 arg2 arg3");
```

(The arguments are just strings for test purposes)

Kamailio is running as kamailio user
Permissions: 755 script.py

Any idea what could be going wrong?

-dan
Re: [SR-Users] Using SIP tools through Kamailio and Asterisk - chrome issue.
Through Firefox likely means via websockets (wss) rather than via the sip port. Many things could interfere with the latter. Take heart, though: websockets is harder to set up so you're likely through the worst. Look at logs and see what iftop shows you about traffic on the server as you try to make sip connections. Also try your sip client with a known-good sip server (e.g. Iptel) just to make sure the problem isn't with the client.

Original message
From: "Wilkins, Steve"
Date: 11/28/2017 6:39 AM (GMT-08:00)
To: "Kamailio (SER) - Users Mailing List"
Subject: [SR-Users] Using SIP tools through Kamailio and Asterisk - chrome issue.

Has anyone seen the issue where, when using a sip tool and going from Kamailio to Asterisk, that audio and video won’t work, yet it works fine through Firefox? I am almost sure this not an issue with Kamailio, but I am pretty new to SIP and don’t know 100% for sure.

Thank you
Re: [SR-Users] sipML5 through kamailio
"So, tls is required for wss?" Yes, as of the last rfc. It can work without it if the client software (browser) will accept it though by now most will treat it as insecure. I forget whether sipML5 will but my guess would be no.

Original message
From: "Wilkins, Steve"
Date: 11/24/2017 9:57 AM (GMT-08:00)
To: "Kamailio (SER) - Users Mailing List"
Subject: Re: [SR-Users] sipML5 through kamailio

Hello SamyGo,

So, tls is required for wss? I thought that when I set a listen to Kamailio-Server-IPAddress:10443 and I sent a request through that IP and Port, that Kamailio would at least see the request and attempt to do something with it. I will go add tls and try again.

Thank you!

From: sr-users [mailto:sr-users-boun...@lists.kamailio.org] On Behalf Of SamyGo
Sent: Thursday, November 23, 2017 12:40 PM
To: Kamailio (SER) - Users Mailing List
Subject: Re: [SR-Users] sipML5 through kamailio

Can you clarify the IP addressing scheme as you've mentioned. There is no TLS interface? Advertised address for 5060 but not for WSS interface. Both listen and advertise are public IPs? Also, you're handling WSS requests. Do you have xlog lines in the route[xhttp:request] to view when a request lands?

My config has this:

```
#!substdef "!MY_IP_ADDR!123.134.156.167!g"
#!substdef "!MY_WS_PORT!6010!g"
#!substdef "!MY_WSS_PORT!6011!g"

listen=tcp:MY_IP_ADDR:MY_WS_PORT
listen=tls:MY_IP_ADDR:MY_WSS_PORT
```

Then the xhttp event route:

```
event_route[xhttp:request] {
    set_reply_close();
    set_reply_no_connect();

    # Deny any HTTP requests on any port other than WS/WSS ports.
    if ($Rp != MY_WS_PORT && $Rp != MY_WSS_PORT) {
        xlog("L_WARN", "HTTP request received on $Rp\n");
        xhttp_reply("403", "Forbidden", "", "");
        exit;
    }

    # Handle HTTP(s) onwards.
    xlog("L_INFO", "HTTP Request Received\n");
    # ...
}
```

On Thu, Nov 23, 2017 at 12:18 PM, Wilkins, Steve wrote:

Hi Sammy,

First of all, thank you for taking the time to respond. Yes, port 10443 is opened. I have used this port before as asterisk’s WebRTC port and iptables shows it as open. No, I can’t even get a registration using the configuration I listed. I have an xdbg log statement right after the request_route, and I see nothing. I do know that my xdbg logs are working though because, if I register or make a call using any sip tool, I see all my logging and everything works correctly.

-Steve

From: sr-users [mailto:sr-users-boun...@lists.kamailio.org] On Behalf Of SamyGo
Sent: Thursday, November 23, 2017 12:00 PM
To: Kamailio (SER) - Users Mailing List
Subject: Re: [SR-Users] sipML5 through kamailio

Hi Steve,

Can you confirm that port 10443 is reachable behind the NAT to Kamailio server, validate iptables too. Does your SIPml5 demo client register successfully to Kamailio? Are there enough xlog lines to print out if anything lands in Kamailio?

Regards,
Sammy

On Thu, Nov 23, 2017 at 11:34 AM, Wilkins, Steve wrote:

Hello,

I am attempting to use sipML5 to test WebRTC. I have not been successful in getting messages through to Kamailio though. I am running Kamailio 5.0.3 on CentOS 7.

My listen lines in the kamailio configuration file are =>

```
listen=tcp:112.22.3.108:5060 advertise 34.226.187.61:5060
listen=udp:112.22.3.108:5060 advertise 34.226.187.61:5060
listen=tcp:112.22.3.108:10443
```

(the last one I will use in the sipML5 Expert mode)

My sipML5 settings are =>
Public Identity - sip:user1@112.22.3.108
Realm - 112.22.3.108

Expert mode settings are =>
WebSocket Server URL - wss://112.22.3.108:10443 (I have also tried wss://112.22.3.108:10443/ws)
SIP outbound Proxy URL - udp://112.22.3.108:5060 (I have also left this blank)

When I make a call I see no Kamailio activity (I have logging at the start of request_route) so I am not sure where the configuration error is. If I change the sipML5 configuration IP Address to use the asterisk IP Address, sipML5 works.

My goal is to go WebRTC Client => Kamailio => Asterisk and eventually through some sort of media proxy.

Thank you,
-Steve
Re: [SR-Users] Cannot disable EC Diffie Hellman cipher suite
Just a guess but maybe later entries [like +HIGH:+MEDIUM:+LOW] put it back. Try switching the order so that !ECDHE and the others you're trying to exclude come after.

Sent from Samsung Mobile

Original message
From: Ilyas Keskin
Date: 11/24/2017 10:19 AM (GMT-08:00)
To: mico...@gmail.com, "Kamailio (SER) - Users Mailing List"
Subject: Re: [SR-Users] Cannot disable EC Diffie Hellman cipher suite

Hi Daniel,

yes I am using the tls.cfg file. I tried your suggestion to add the cipher suite string (notice the !ECDHE which I also added to the httpd ssl.conf) but nothing changed.

```
[server:default]
method = TLSv1
cipher_list = !DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/webrtc.ddnss.de/privkey.pem
certificate = /etc/letsencrypt/live/webrtc.ddnss.de/fullchain.pem
#ca_list = ./modules/tls/cacert.pem
#crl = ./modules/tls/crl.pem
```

Also here is a log snippet from tls module section of kamailio initialization. Notice first two lines. Also it seems to me the module actually ignores the local openssl installation and uses its own which has been compiled with the module itself (?). Other than that it seems to be accepting the cipher_list value just fine:

```
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_mod.c:355]: mod_init(): With ECDH-Support!
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_mod.c:358]: mod_init(): With Diffie Hellman
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_init.c:587]: init_tls_h(): tls: _init_tls_h: compiled with openssl version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), kerberos support: on, compression: on
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_init.c:595]: init_tls_h(): tls: init_tls_h: installed openssl library version "OpenSSL 1.0.1e-fips 11 Feb 2013" (0x1000105f), kerberos support: on, zlib compression: compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tls [tls_init.c:649]: init_tls_h(): tls: openssl bug #1491 (crash/mem leaks on low memory) workaround enabled (on low memory tls operations will fail preemptively) with free
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: [cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now(): tls.low_mem_threshold1 has been changed to 7864320
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: [cfg/cfg_ctx.c:613]: cfg_set_now(): INFO: cfg_set_now(): tls.low_mem_threshold2 has been changed to 3932160
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm [tm.c:594]: fixup_routes(): WARNING: t_on_branch("MANAGE_BRANCH"): empty/non existing route
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm [tm.c:594]: fixup_routes(): WARNING: t_on_reply("MANAGE_REPLY"): empty/non existing route
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: WARNING: tm [tm.c:594]: fixup_routes(): WARNING: t_on_failure("MANAGE_FAILURE"): empty/non existing route
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: [udp_server.c:175]: probe_max_receive_buffer(): SO_RCVBUF is initially 212992
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: [udp_server.c:225]: probe_max_receive_buffer(): SO_RCVBUF is finally 425984
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:275]: fill_missing(): TLSs: tls_method=12
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:287]: fill_missing(): TLSs: certificate='/etc/letsencrypt/live/webrtc.ddnss.de/fullchain.pem'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:294]: fill_missing(): TLSs: ca_list='(null)'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:301]: fill_missing(): TLSs: crl='(null)'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:305]: fill_missing(): TLSs: require_certificate=0
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:312]: fill_missing(): TLSs: cipher_list='!DH:!ECDHE:!EDH:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:319]: fill_missing(): TLSs: private_key='/etc/letsencrypt/live/webrtc.ddnss.de/privkey.pem'
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:323]: fill_missing(): TLSs: verify_certificate=0
Nov 24 18:56:20 kamailio-sip /usr/sbin/kamailio[2864]: INFO: tls [tls_domain.c:326]: fill_missing(): TLSs: verify_depth=9
```