[OpenSIPS-Users] SIP CLient <- TLS --> OpenSIPS <- UDP -> SIP Server

Anil M Pannikode (hotmail) anilpannikode at hotmail.com
Fri Jun 19 11:58:57 CEST 2009


We are still not able to get TLS working. The OpsnSIPS logs shows the
following

Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:parse_to:
display={"Anonymous"}, ruri={sip:Anonymous at sip1.mydomain.com} 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: Method : INVITE
from 10.10.20.246 fd sip1.mydomain.com 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:maxfwd:is_maxfwd_present: value = 70  
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:tm:t_newtran:
transaction on entrance=0xffffffff 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:parse_headers: flags=ffffffffffffffff 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:parse_to_param: tag=772432463135364100001E34 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:parse_to:
end of header reached, state=29 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:parse_to:
display={}, ruri={sip:9999999999 at IPGateway.mydomain.com;user=phone} 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:get_hdr_field: <To> [86];
uri=[sip:9999999999 at IPGateway.mydomain.com;user=phone]  
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:get_hdr_field: to body
[<sip:9999999999 at IPGateway.mydomain.com;user=phone>] 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:get_hdr_field: cseq <CSeq>: <2> <INVITE> 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:get_hdr_field: content_length=401 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:get_hdr_field: found end of header 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:parse_headers: flags=78 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:tm:t_lookup_request: start searching: hash=39696, isACK=0 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:tm:matching_3261: RFC3261 transaction matching failed 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:tm:t_lookup_request: no transaction found 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:tm:run_reqin_callbacks: trans=0xb40250e8, callback type 1, id 0 entered 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:parse_headers: flags=ffffffffffffffff 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:check_via_address: params 10.10.20.246, 10.10.20.246, 0 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:_shm_resize: resize(0) called 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:tm:_reply_light: reply sent out. buf=0x82a30c0: SIP/2.0 1...,
shmem=0xb40141c8: SIP/2.0 1 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:tm:_reply_light: finished 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:mk_proxy:
doing DNS lookup... 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:parse_headers: flags=2000 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:tcp_send:
no open tcp connection found, opening new one 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:print_ip:
tcpconn_new: new tcp connection to: 10.10.20.206 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:tcpconn_new: on port 5061, type 3 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:tls_tcpconn_init: entered: Creating a whole new ssl connection 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:tls_tcpconn_init: TLS client domain AVP found = 'sip1.mydomain.com'

Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:tls_find_client_domain_name: virtual TLS client domain found 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:tls_tcpconn_init: found name based TLS client domain
'sip1.mydomain.com' 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:tls_tcpconn_init: Setting in CONNECT mode (client) 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:tcp_send:
sending... 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:tls_update_fd: New fd is 8 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
ERROR:core:tls_blocking_write: too many retries with no operation 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:tcp_send:
after write: c= 0xb40284d8 n=-1 fd=8 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2114]:
DBG:core:handle_ser_child: read response= b40284d8, 2, fd 25 from 1 (2103) 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2114]:
DBG:core:tcpconn_add: hashes: 463, 36 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2114]:
DBG:core:io_watch_add: io_watch_add(0x826a9c0, 25, 2, 0xb40284d8), fd_no=17 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:core:tcp_send:
buf= INVITE sip:9999999999 at 10.10.20.206:5061;transport=tls SIP/2.0^M Via:
SIP/2.0/TLS 10.10.10.193:5061;branch=z9hG4bK01b9.1a760103.0^M Via:
SIP/2.0/UDP
10.10.20.246:5060;received=10.10.20.246;rport=5060;branch=z9hG4bK3270876536-
394448^M Route:
<sip:10.10.10.193;r2=on;lr=on>,<sip:10.10.10.193:5061;transport=tls;r2=on;lr
=on>^M Max-Forwards: 69^M Allow:
SUBSCRIBE,NOTIFY,REFER,INVITE,ACK,OPTIONS,CANCEL,BYE^M Supported:
timer,replaces,TIMER^M From: "Anonymous"
<sip:Anonymous at sip1.mydomain.com>;tag=Test_3270532536-328912^M To:
<sip:9999999999 at IPGateway.mydomain.com;user=phone>;tag=772432463135364100001
E34^M Call-ID: 01B2270F8E81400000000029 at IPGateway.mydomain.com^M CSeq: 2
INVITE^M Min-SE: 10^M Contact: <sip:Test at 10.10.20.246:5060>^M Content-Type:
application/sdp^M Content-Length: 401^M ^M v=0^M o=Test 256 3 IN IP4
10.10.20.246^M s=SipSession with Test^M i=Test^M u=http://www.Test.com^M
c=IN IP4 10.10.20.246^M t=0 0^M
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
ERROR:core:tcp_send: failed to send 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: ERROR:tm:msg_send:
tcp_send failed 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
ERROR:tm:t_forward_nonack: sending request failed 
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]: DBG:tm:t_relay_to:
t_forward_nonack returned error  
Jun 17 03:41:23 sip-proxy-dev2 /usr/sbin/opensips[2103]:
DBG:core:parse_headers: flags=ffffffffffffffff

Based on the wireshark traces.

- OpenSIPS sends a 'Client Helo' to Gateway
- Before it receives the 'Server Helo' back , it is sending '477 Send
failed' back to Media gateway.
- Gateway sends 'Server Helo' back to OpenSIPS.

In the config I have set the following values

tls_handshake_timeout=60    
tls_send_timeout=60   

However it looks like the OpenSIPS is returning failure way too early (in
less than 1 second)

And there are no firewalls between these two servers.

Any help will be appreciated.

Regards

Anil




-----Original Message-----
From: Bogdan-Andrei Iancu [mailto:bogdan at voice-system.ro] 
Sent: Wednesday, June 10, 2009 2:12 PM
To: Anil M Pannikode (hotmail)
Cc: users at lists.opensips.org
Subject: Re: [OpenSIPS-Users] SIP CLient <- TLS --> OpenSIPS <- UDP -> SIP
Server

Hi Anil,

The error you get means opensips is unable to send the message out - 
typically this means so OS / network related issue. Like the connection 
could not be established because firewall, nat, etc...

Is the client where opensips tries to connect to behind a nat?

Regards,
Bogdan

Anil M Pannikode (hotmail) wrote:
>
> Here are the log files from opensips server.
>
> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]: 
> DBG:core:tcp_send: no open tcp connection found, opening new one
>
> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]: 
> DBG:core:print_ip: tcpconn_new: new tcp connection to: 10.10.20.206
>
> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]: 
> DBG:core:tcpconn_new: on port 5061, type 3
>
> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]: 
> DBG:core:tls_tcpconn_init: entered: Creating a whole new ssl connection
>
> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]: 
> DBG:core:tls_tcpconn_init: name based TLS client domains are disabled
>
> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]: 
> DBG:core:tls_tcpconn_init: no TLS client doman AVP set, looking for 
> socket based TLS client domain
>
> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]: 
> DBG:core:tls_find_client_domain: virtual TLS client domain not found, 
> Using default TLS client domain settings
>
> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]: 
> DBG:core:tls_tcpconn_init: found socket based TLS client domain 
> [0.0.0.0:0]
>
> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]: 
> DBG:core:tls_tcpconn_init: Setting in CONNECT mode (client)
>
> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7172]: 
> DBG:core:handle_ser_child: read response= b3f5b400, 2, fd 25 from 2 
> (7162)
>
> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7172]: 
> DBG:core:tcpconn_add: hashes: 463, 2
>
> Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7172]: 
> DBG:core:io_watch_add: io_watch_add(0x826a9c0, 25, 2, 0xb3f5b400), 
> fd_no=17
>
> *Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]: 
> DBG:core:tcp_send: sending... *
>
> *Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]: 
> DBG:core:tls_update_fd: New fd is 9 *
>
> *Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]: 
> ERROR:core:tls_blocking_write: too many retries with no operation *
>
> *Jun 5 16:24:45 pc10-10-10-193 /usr/sbin/opensips[7162]: 
> DBG:core:tcp_send: after write: c= 0xb3f5b400 n=-1 fd=9 *
>
> * *
>
> * *
>
> Wireshark shows "SSL Client helo" to server and "SSL Server helo" back 
> from server.
>
> Is there a way to get more detailed error on the SSL Issues ?
>
> Anil
>
> *From:* users-bounces at lists.opensips.org 
> [mailto:users-bounces at lists.opensips.org] *On Behalf Of *Anil M 
> Pannikode (hotmail)
> *Sent:* Wednesday, June 03, 2009 10:01 AM
> *To:* users at lists.opensips.org
> *Subject:* [OpenSIPS-Users] SIP CLient <- TLS --> OpenSIPS <- UDP -> 
> SIP Server
>
> I am having the same issue as the following email which I found in the 
> archive, Do we know if there is solution to this issue ? I tried the 
> suggested solution , however still not working.
>
> Anil
>
> *Bogdan-Andrei Iancu* bogdan at voice-system.ro 
>
<mailto:users%40lists.opensips.org?Subject=%5BOpenSIPS-Users%5D%20Problem%20
in%20sending%20outbound%20SIP%20messages%20via%0A%20TLS&In-Reply-To=c443f41b
0808200558x3bb41aaft33d6c6a45aa7d9b%40mail.gmail.com>
> /Sun Aug 31 01:10:56 CEST 2008/
>
>     * Previous message: [OpenSIPS-Users] Problem in sending outbound
>       SIP messages via TLS
>       <http://www.openser.org/pipermail/users/2008-August/000193.html>
>     * Next message: [OpenSIPS-Users] Simple question: Asterisk with
>       Zoiper (no sound).
>       <http://www.openser.org/pipermail/users/2008-August/000194.html>
>     * *Messages sorted by:* [ date ]
>       <http://www.openser.org/pipermail/users/2008-August/date.html#369>
>       [ thread ]
>       <http://www.openser.org/pipermail/users/2008-August/thread.html#369>
>       [ subject ]
>
<http://www.openser.org/pipermail/users/2008-August/subject.html#369>
>       [ author ]
>       <http://www.openser.org/pipermail/users/2008-August/author.html#369>
>
>
> ------------------------------------------------------------------------
> Hi,
>  
> have you tried with:
>  
> tls_verify_server = 0
> tls_verify_client = 0
> tls_require_client_certificate = 0
>  
> Regards,
> Bogdan
>  
> Nachiket Tarate wrote:
> >/ /
> >/ Hi,/
> >/ /
> >/ I am currently trying to make Secure RTP calls between my SIP client /
> >/ and the eyeBeam. When eyeBeam is configured for encrypted calls, it /
> >/ uses Secure RTP for media and TLS for SIP signalling./
> >/ /
> >/ I have configured the OpenSIPs server with TLS support./
> >/ /
> >/ The scenario is as shown below:/
> >/ /
> >/ /
> >/  ----------------    UDP      ------------------    TLS
-------------/
> >/ |  My SIP Client |  <----->  |  OpenSIPs Server | <-----> | eyeBeam 1.5
|/
> >/  ----------------             ------------------
-------------/
> >/   Linux Machine                Linux Machine             Widows XP /
> >/ machine/
> >/ /
> >/ When a call is made from eyeBeam to My SIP client the call gets /
> >/ established properly and the OpenSIPs server acts as a gateway./
> >/ /
> >/ But when a call is made from My SIP client to eyeBeam the OpenSIPs /
> >/ returns the *477 Send failed* response to My SIP client./
> >/ /
> >/ By enabling the debug informaiton on OpenSIPs server, I found that it /
> >/ couldn't do TLS handshake with the eyeBeam and so couldn't send the /
> >/ SIP Request from My SIP client to the eyeBeam./
> >/ /
> >/ In brief the OpenSIPs server can accept the inbound messages via TLS /
> >/ but *it can't send outbound messages via TLS*./
> >/ /
> >/ Can anybody help me to resolve this problem? Please see my /
> >/ opensips.cfg file and OpenSIPs server logs attached with this mail./
> >/ /
> >/ Thanks,/
> >/ NT/
> >/  /
> >/ /
> >/
------------------------------------------------------------------------/
> >/ /
> >/ _______________________________________________/
> >/ Users mailing list/
> >/ Users at lists.opensips.org
<http://lists.opensips.org/cgi-bin/mailman/listinfo/users>/
> >/ http://lists.opensips.org/cgi-bin/mailman/listinfo/users/
>  
>  
> ------------------------------------------------------------------------
>
>     * Previous message: [OpenSIPS-Users] Problem in sending outbound
>       SIP messages via TLS
>       <http://www.openser.org/pipermail/users/2008-August/000193.html>
>     * Next message: [OpenSIPS-Users] Simple question: Asterisk with
>       Zoiper (no sound).
>       <http://www.openser.org/pipermail/users/2008-August/000194.html>
>     * *Messages sorted by:* [ date ]
>       <http://www.openser.org/pipermail/users/2008-August/date.html#369>
>       [ thread ]
>       <http://www.openser.org/pipermail/users/2008-August/thread.html#369>
>       [ subject ]
>
<http://www.openser.org/pipermail/users/2008-August/subject.html#369>
>       [ author ]
>       <http://www.openser.org/pipermail/users/2008-August/author.html#369>
>
>
> ------------------------------------------------------------------------
>
> More information about the Users mailing list 
> <http://lists.opensips.org/cgi-bin/mailman/listinfo/users>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>   





More information about the Users mailing list