Hi, Klaus

Thank you for your reply. Enclosed are the config file, the pcap between client and server, and the log from the openser console. Could you please take a look at them for me?
THX
BR

On 1/10/08, Klaus Darilion <[EMAIL PROTECTED]> wrote:
>
> Can you show us the REGISTER request? (both, port 5060 and port 5061).
>
> Further show us your openser config
>
> regards
> klaus
>
> fengbin wrote:
> >
> > Hi, all
> > I met a strange problem while I am testing TLS connection between
> > minisip and openser.
> > The following is my openser.cfg (part of that)
> >
> > .........
> > fork=no
> > log_stderror=yes
> >
> > # Uncomment this to prevent the blacklisting of temporary not available destinations
> > #disable_dns_blacklist=yes
> >
> > # # Uncomment this to prevent the IPv6 lookup after v4 dns lookup failures
> > #dns_try_ipv6=no
> >
> > # uncomment the following lines for TLS support
> > disable_tls = 0
> > listen = tls:10.11.57.197:5060
> >
> > tls_verify_client = 1
> > tls_method = TLSv1
> > tls_certificate = "/usr/local/etc/openser//tls/user/user-cert.pem"
> > tls_private_key = "/usr/local/etc/openser//tls/user/user-privkey.pem"
> > tls_ca_list = "/usr/local/etc/openser//tls/user/user-calist.pem"
> > tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
> > ......
> >
> > When I set "tls:10.11.57.197:5061" the registration never succeeds.
> > But if I set it to 5060 the registration over TLS is OK.
> > I compared the logs of the two scenarios and found the TLS sessions are
> > both OK, but the difference is that when the port is 5061 there is a
> > forwarding error. But the forwarding is because openser thinks it's not
> > the destination of the registration request.
> > See below:
> >
> > Jan 10 16:46:56 [9199] DBG:rr:after_loose: No next URI found
> > Jan 10 16:46:56 [9199] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
> > Jan 10 16:46:56 [9199] DBG:core:grep_sock_info: checking if port 5061 matches port 5060
> > Jan 10 16:46:56 [9199] DBG:core:check_self: host != me
> > Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=ffffffffffffffff
> > Jan 10 16:46:56 [9199] DBG:tm:t_newtran: T on entrance=0xffffffff
> > Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=ffffffffffffffff
> > Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=78
> > Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: start searching: hash=58073, isACK=0
> > Jan 10 16:46:56 [9199] DBG:tm:matching_3261: RFC3261 transaction matching failed
> > Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: no transaction found
> > Jan 10 16:46:56 [9199] DBG:core:mk_proxy: doing DNS lookup...
> > Jan 10 16:46:56 [9199] ERROR:tm:update_uac_dst: failed to fwd to af 2, proto 1 (no corresponding listening socket)
> > Jan 10 16:46:56 [9199] ERROR:tm:t_forward_nonack: failure to add branches
> >
> > In comparison, when the port is set to 5060 the trace is:
> >
> > Jan 10 17:07:59 [9410] DBG:rr:find_next_route: No next Route HF found
> > Jan 10 17:07:59 [9410] DBG:rr:after_loose: No next URI found
> > Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
> > Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if port 5060 matches port 5060
> > Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
> > Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if port 5060 matches port 5060
> > Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=ffffffffffffffff
> > Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=8000000
> > Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=ffffffffffffffff
> > Jan 10 17:07:59 [9410] DBG:registrar:build_contact: created Contact HF: Contact: <sip:[EMAIL PROTECTED]:5061;transport=TLS>;expires=1000
> >
> > And there is no fwd needed then. So the error didn't occur.
> >
> > It's a little bit strange that when I set the port to 5061, why did
> > openser check the port 5060?????
> > Can anyone help me to figure it out?
> > THX
> > BR
> >
> > --
> > Fengbin
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Users mailing list
> > [email protected]
> > http://lists.openser.org/cgi-bin/mailman/listinfo/users
>

--
Fengbin

Jan 11 11:05:21 [7160] DBG:core:print_ip: tcpconn_new: new tcp connection to:
10.11.57.192
Jan 11 11:05:21 [7160] DBG:core:tcpconn_new: on port 1365, type 3
Jan 11 11:05:21 [7160] DBG:core:tls_tcpconn_init: entered: Creating a whole new
ssl connection
Jan 11 11:05:21 [7160] DBG:core:tls_tcpconn_init: looking up socket based TLS
server domain [10.11.57.197:5061]
Jan 11 11:05:21 [7160] DBG:core:tls_find_server_domain: virtual TLS server
domain not found, Using default TLS server domain settings
Jan 11 11:05:21 [7160] DBG:core:tls_tcpconn_init: found socket based TLS server
domain [0.0.0.0:0]
Jan 11 11:05:21 [7160] DBG:core:tls_tcpconn_init: Setting in ACCEPT mode
(server)
Jan 11 11:05:21 [7160] DBG:core:tcpconn_add: hashes: 607, 1
Jan 11 11:05:21 [7160] DBG:core:handle_new_connect: new connection: 0xb5daf208
15 flags: 0002
Jan 11 11:05:21 [7160] DBG:core:send2child: to tcp child 0 0(7156), 0xb5daf208
Jan 11 11:05:21 [7156] DBG:core:handle_io: received n=4 con=0xb5daf208, fd=10
Jan 11 11:05:21 [7156] DBG:core:io_watch_add: io_watch_add(0x8163f60, 10, 2,
0xb5daf208), fd_no=1
Jan 11 11:05:23 [7156] DBG:core:tls_update_fd: New fd is 10
Jan 11 11:05:23 [7156] DBG:core:tls_update_fd: New fd is 10
Jan 11 11:05:23 [7156] NOTICE:core:verify_callback: depth = 1
Jan 11 11:05:23 [7156] NOTICE:core:verify_callback: preverify is good: verify
return: 1
Jan 11 11:05:23 [7156] NOTICE:core:verify_callback: depth = 0
Jan 11 11:05:23 [7156] NOTICE:core:verify_callback: preverify is good: verify
return: 1
Jan 11 11:05:23 [7156] DBG:core:tls_accept: TLS handshake successful
Jan 11 11:05:23 [7156] DBG:core:tls_accept: new connection from
10.11.57.192:1365 using TLSv1/SSLv3 AES256-SHA 256
Jan 11 11:05:23 [7156] DBG:core:tls_accept: local socket: 10.11.57.197:5061
Jan 11 11:05:23 [7156] DBG:core:tls_dump_cert_info: tls_accept: client
certificate
subject:/C=CN/ST=beijing/O=THOMSON/OU=APDG/CN=dongfb.thomson.com/[EMAIL
PROTECTED]
Jan 11 11:05:23 [7156] DBG:core:tls_dump_cert_info: tls_accept: client
certificate issuer: /CN=openserca/ST=beijing/C=CN/[EMAIL PROTECTED]/O=OPENSERCA
Jan 11 11:05:23 [7156] DBG:core:tls_dump_cert_info: tls_accept: local (server)
certificate
subject:/C=CN/ST=beijing/O=THOMSON/OU=APDG/CN=dongfb.thomson.com/[EMAIL
PROTECTED]
Jan 11 11:05:23 [7156] DBG:core:tls_dump_cert_info: tls_accept: local (server)
certificate issuer: /CN=openserca/ST=beijing/C=CN/[EMAIL PROTECTED]/O=OPENSERCA
Jan 11 11:05:23 [7156] DBG:core:tls_update_fd: New fd is 10
Jan 11 11:05:23 [7156] DBG:core:tls_update_fd: New fd is 10
Jan 11 11:05:23 [7156] DBG:core:_tls_read: 377 bytes read
Jan 11 11:05:23 [7156] DBG:core:tcp_read_req: content-length= 0
Jan 11 11:05:23 [7156] DBG:core:parse_msg: SIP Request:
Jan 11 11:05:23 [7156] DBG:core:parse_msg: method: <REGISTER>
Jan 11 11:05:23 [7156] DBG:core:parse_msg: uri: <sip:10.11.57.197>
Jan 11 11:05:23 [7156] DBG:core:parse_msg: version: <SIP/2.0>
Jan 11 11:05:23 [7156] DBG:core:parse_headers: flags=2
Jan 11 11:05:23 [7156] DBG:core:parse_to: end of header reached, state=10
Jan 11 11:05:23 [7156] DBG:core:parse_to: display={}, ruri={sip:[EMAIL
PROTECTED]
Jan 11 11:05:23 [7156] DBG:core:get_hdr_field: <To> [24]; uri=[sip:[EMAIL
PROTECTED]
Jan 11 11:05:23 [7156] DBG:core:get_hdr_field: to body [<sip:[EMAIL PROTECTED]>]
Jan 11 11:05:23 [7156] DBG:core:get_hdr_field: cseq <CSeq>: <901> <REGISTER>
Jan 11 11:05:23 [7156] DBG:core:parse_via_param: found param type 235, <rport>
= <n/a>; state=6
Jan 11 11:05:23 [7156] DBG:core:parse_via_param: found param type 232, <branch>
= <z9hG4bK26500>; state=16
Jan 11 11:05:23 [7156] DBG:core:parse_via: end of header reached, state=5
Jan 11 11:05:23 [7156] DBG:core:parse_headers: via found, flags=2
Jan 11 11:05:23 [7156] DBG:core:parse_headers: this is the first via
Jan 11 11:05:23 [7156] DBG:core:receive_msg: After parse_msg...
Jan 11 11:05:23 [7156] DBG:core:receive_msg: preparing to run routing scripts...
Jan 11 11:05:23 [7156] DBG:maxfwd:is_maxfwd_present: value = 70
Jan 11 11:05:23 [7156] DBG:core:parse_headers: flags=200
Jan 11 11:05:23 [7156] DBG:rr:is_preloaded: is_preloaded: Yes
Jan 11 11:05:23 [7156] DBG:core:grep_sock_info: checking if host==us: 12==12 &&
[10.11.57.197] == [10.11.57.197]
Jan 11 11:05:23 [7156] DBG:core:grep_sock_info: checking if port 5061 matches
port 5061
Jan 11 11:05:23 [7156] DBG:rr:after_loose: Topmost route URI:
'sip:10.11.57.197:5061;transport=TLS;lr' is me
Jan 11 11:05:23 [7156] DBG:core:parse_headers: flags=200
Jan 11 11:05:23 [7156] DBG:core:get_hdr_field: content_length=0
Jan 11 11:05:23 [7156] DBG:core:get_hdr_field: found end of header
Jan 11 11:05:23 [7156] DBG:rr:find_next_route: No next Route HF found
Jan 11 11:05:23 [7156] DBG:rr:after_loose: No next URI found
Jan 11 11:05:23 [7156] DBG:core:grep_sock_info: checking if host==us: 12==12 &&
[10.11.57.197] == [10.11.57.197]
Jan 11 11:05:23 [7156] DBG:core:grep_sock_info: checking if port 5061 matches
port 5060
Jan 11 11:05:23 [7156] DBG:core:check_self: host != me
Jan 11 11:05:23 [7156] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 11:05:23 [7156] DBG:tm:t_newtran: T on entrance=0xffffffff
Jan 11 11:05:23 [7156] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 11:05:23 [7156] DBG:core:parse_headers: flags=78
Jan 11 11:05:23 [7156] DBG:tm:t_lookup_request: start searching: hash=58073,
isACK=0
Jan 11 11:05:23 [7156] DBG:tm:matching_3261: RFC3261 transaction matching failed
Jan 11 11:05:23 [7156] DBG:tm:t_lookup_request: no transaction found
Jan 11 11:05:23 [7156] DBG:core:mk_proxy: doing DNS lookup...
Jan 11 11:05:23 [7156] ERROR:tm:update_uac_dst: failed to fwd to af 2, proto 1
(no corresponding listening socket)
Jan 11 11:05:23 [7156] ERROR:tm:t_forward_nonack: failure to add branches
Jan 11 11:05:23 [7156] DBG:tm:t_relay_to: t_forward_nonack returned error
Jan 11 11:05:23 [7156] DBG:core:parse_headers: flags=ffffffffffffffff
Jan 11 11:05:23 [7156] DBG:core:check_via_address: params 10.11.57.192,
10.11.57.192, 0
Jan 11 11:05:23 [7156] DBG:core:_shm_resize: resize(0) called
Jan 11 11:05:23 [7156] DBG:tm:cleanup_uac_timers: RETR/FR timers reset
Jan 11 11:05:23 [7156] DBG:tm:insert_timer_unsafe: [2]: 0xb5dd3228 (110)
Jan 11 11:05:23 [7156] DBG:core:tcp_send: tcp connection found (0xb5daf208),
acquiring fd
Jan 11 11:05:23 [7156] DBG:core:tcp_send: c= 0xb5daf208, n=8
Jan 11 11:05:23 [7160] DBG:core:handle_ser_child: read response= b5daf208, 1,
fd -1 from 2 (7156)
Jan 11 11:05:23 [7156] DBG:core:tcp_send: after receive_fd: c= 0xb5daf208 n=4
fd=11
Jan 11 11:05:23 [7156] DBG:core:tcp_send: sending...
Jan 11 11:05:23 [7156] DBG:core:tls_update_fd: New fd is 11
Jan 11 11:05:23 [7156] DBG:core:tls_write: write was successful (325 bytes)
Jan 11 11:05:23 [7156] DBG:core:tcp_send: after write: c= 0xb5daf208 n=325 fd=11
Jan 11 11:05:23 [7156] DBG:core:tcp_send: buf=
SIP/2.0 500 Server error occurred (7/TM)
From: <sip:[EMAIL PROTECTED]>
To: <sip:[EMAIL PROTECTED]>;tag=6de70244a9439b1a95183831634130e2-feb6
Call-ID: [EMAIL PROTECTED]
CSeq: 901 REGISTER
Via: SIP/2.0/TLS 10.11.57.192:5061;rport=1365;branch=z9hG4bK26500
Server: OpenSER (1.3.0-pre1-tls (i386/linux))
Content-Length: 0

#
# $Id: openser.cfg 2825 2007-09-27 09:05:52Z henningw $
#
# simple quick-start config script
# Please refer to the Core CookBook at http://www.openser.org/dokuwiki/doku.php
# for a explanation of possible statements, functions and parameters.
#

# ----------- global configuration parameters ------------------------

debug=4            # debug level (cmd line: -dddddddddd)
fork=yes
log_stderror=no    # (cmd line: -E)
children=4

#listen = 10.11.57.197
#port=5061

# Uncomment these lines to enter debugging mode
#fork=no
log_stderror=yes

# Uncomment this to prevent the blacklisting of temporary not available destinations
#disable_dns_blacklist=yes

# # Uncomment this to prevent the IPv6 lookup after v4 dns lookup failures
#dns_try_ipv6=no

# uncomment the following lines for TLS support
disable_tls = 0
listen = tls:10.11.57.197:5061
#port=5060

#tls_server_domain[10.11.57.197:5061]{
#tls_verify_server = 1
tls_verify_client = 1
#tls_require_client_certificate = 0
tls_method = TLSv1
tls_certificate = "/usr/local/etc/openser//tls/user/user-cert.pem"
tls_private_key = "/usr/local/etc/openser//tls/user/user-privkey.pem"
tls_ca_list = "/usr/local/etc/openser//tls/user/user-calist.pem"
tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
#}

# ------------------ module loading ----------------------------------

#set module path
mpath="/usr/local/lib/openser/modules/"

# Uncomment this if you want to use SQL database
#loadmodule "mysql.so"

loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "mi_fifo.so"

# Uncomment this if you want digest authentication
# mysql.so must be loaded !
#loadmodule "auth.so"
#loadmodule "auth_db.so"

# ----------------- setting module-specific parameters ---------------

# -- mi_fifo params --
modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")

# -- usrloc params --
modparam("usrloc", "db_mode", 0)

# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
#modparam("usrloc", "db_mode", 2)

# -- auth params --
# Uncomment if you are using auth module
#
#modparam("auth_db", "calculate_ha1", yes)
#
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
#
#modparam("auth_db", "password_column", "password")

# -- rr params --
# add value to ;lr param to make some broken UAs happy
modparam("rr", "enable_full_lr", 1)

# ------------------------- request routing logic -------------------

# main routing logic

route{

    # initial sanity checks -- messages with
    # max_forwards==0, or excessively long requests
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483","Too Many Hops");
        exit;
    };

    if (msg:len >= 2048 ) {
        sl_send_reply("513", "Message too big");
        exit;
    };

    # we record-route all messages -- to make sure that
    # subsequent messages will go through our proxy; that's
    # particularly good if upstream and downstream entities
    # use different transport protocol
    if (!method=="REGISTER")
        record_route();

    # subsequent messages withing a dialog should take the
    # path determined by record-routing
    if (loose_route()) {
        # mark routing logic in request
        append_hf("P-hint: rr-enforced\r\n");
        route(1);
    };

    if (!uri==myself) {
        # mark routing logic in request
        append_hf("P-hint: outbound\r\n");
        # if you have some interdomain connections via TLS
        #if(uri=~"@tls_domain1.net") {
        #    t_relay("tls:domain1.net");
        #    exit;
        #} else if(uri=~"@tls_domain2.net") {
        #    t_relay("tls:domain2.net");
        #    exit;
        #}
        route(1);
    };

    # if the request is for other domain use UsrLoc
    # (in case, it does not work, use the following command
    # with proper names and addresses in it)
    if (uri==myself) {

        if (method=="REGISTER") {

            # Uncomment this if you want to use digest authentication
            #if (!www_authorize("openser.org", "subscriber")) {
            #    www_challenge("openser.org", "0");
            #    exit;
            #};

            save("location");
            exit;
        };

        lookup("aliases");
        if (!uri==myself) {
            append_hf("P-hint: outbound alias\r\n");
            route(1);
        };

        # native SIP destinations are handled using our USRLOC DB
        if (!lookup("location")) {
            sl_send_reply("404", "Not Found");
            exit;
        };
        append_hf("P-hint: usrloc applied\r\n");
    };

    route(1);
}

route[1] {
    # send it out now; use stateful forwarding as it works reliably
    # even for UDP2TCP
    if (!t_relay()) {
        sl_reply_error();
    };
    exit;
}

minisip_openser_TLS_reg_port5061_KO.cap
Description: Binary data
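
The log comparison described in the message above can be automated. The following Python script is an added example, not part of the original thread or of OpenSER: it re-joins the wrapped console lines and reports every `check_self: host != me` that follows a `grep_sock_info` port comparison with two different ports, together with the forwarding error logged by the same process. The sample log is constructed in the layout of the console output above, and the function names are hypothetical.

```python
import re

# Constructed sample: a few records in the wrapped layout of the console log above.
SAMPLE_LOG = """\
Jan 11 11:05:23 [7156] DBG:core:grep_sock_info: checking if port 5061 matches
port 5061
Jan 11 11:05:23 [7156] DBG:rr:after_loose: No next URI found
Jan 11 11:05:23 [7156] DBG:core:grep_sock_info: checking if port 5061 matches
port 5060
Jan 11 11:05:23 [7156] DBG:core:check_self: host != me
Jan 11 11:05:23 [7156] DBG:core:mk_proxy: doing DNS lookup...
Jan 11 11:05:23 [7156] ERROR:tm:update_uac_dst: failed to fwd to af 2, proto 1
(no corresponding listening socket)
"""

RECORD = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \[(\d+)\] (\w+):(\w+):(\w+): (.*)$")
PORTS = re.compile(r"checking if port (\d+) matches port (\d+)")


def unwrap(text):
    """Join continuation lines (no timestamp prefix) onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if RECORD.match(line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def find_self_check_failures(text):
    """Return one dict per 'host != me' preceded by a differing port comparison."""
    last_ports = {}   # pid -> the two ports from the latest grep_sock_info line
    pending = {}      # pid -> finding still waiting for a possible forward error
    findings = []
    for rec in unwrap(text):
        ts, pid, level, module, func, msg = RECORD.match(rec).groups()
        m = PORTS.search(msg)
        if func == "grep_sock_info" and m:
            last_ports[pid] = (int(m.group(1)), int(m.group(2)))
        elif func == "check_self" and msg == "host != me":
            ports = last_ports.get(pid)
            if ports and ports[0] != ports[1]:
                pending[pid] = {"time": ts, "pid": pid, "ports": ports, "fwd_error": None}
                findings.append(pending[pid])
        elif level == "ERROR" and func == "update_uac_dst" and pid in pending:
            pending.pop(pid)["fwd_error"] = msg
    return findings
```

Records are tracked per process ID because OpenSER workers interleave their output on the console.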
