[Users] Allow only TLS connections

Daniel-Constantin Mierla daniel at voice-system.ro
Thu Apr 13 12:05:21 CEST 2006


I got an idea, set

alias="your domain"

in the config file. I guess the client does not set any port and 
protocol in the R-URI and since OpenSER listens only on 5061, 
"uri==myself" does not match.

Try this, and let me know if it works.

Cheers,
Daniel


On 04/13/06 12:55, Daniel-Constantin Mierla wrote:
>
>
> On 04/13/06 12:52, Daniel-Constantin Mierla wrote:
>> Hello,
>>
>> could you send a network trace (ngrep)?
> actually, ssldump to sniff tls connections.
>
> Cheers,
> Daniel
>
>> Another case when the request is forwarded in your script, is for the 
>> messages outside of your domain (not matching uri==myself).
>>
>> Cheers,
>> Daniel
>>
>>
>> On 04/13/06 12:32, Christoph Fürstaller wrote:
>>>
>>> Hi,
>>>
>>> The contact and socket in the location table is only TLS. No entry 
>>> for UDP.
>>>
>>> And I don't have any entries in alias table.
>>>
>>> chris...
>>>
>>> Daniel-Constantin Mierla wrote:
>>>  
>>>> Hello,
>>>>
>>>> maybe the clients register non-TLS contacts, take a look in the 
>>>> location
>>>> table. Also, in aliases, you may have some addresses that point to
>>>> external domains.
>>>>
>>>> Cheers,
>>>> Daniel
>>>>
>>>>
>>>> On 04/13/06 12:05, Christoph Fürstaller wrote:
>>>>
>>>> Hi Daniel,
>>>>
>>>> Daniel-Constantin Mierla wrote:
>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> On 04/13/06 11:52, Christoph Fürstaller wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I tried that out. I check if proto is TLS:
>>>>>>> if (proto != TLS) {
>>>>>>>     sl_send_reply("403", "Forbidden");
>>>>>>>     exit;
>>>>>>> };
>>>>>>>
>>>>>>> But I get this error:
>>>>>>>  3(28893) ERROR:tm:add_uac: can't fwd to af 2, proto 1  (no
>>>>>>> corresponding listening socket)
>>>>>>>  3(28893) ERROR:tm:t_forward_nonack: failure to add branches
>>>>>>>  3(28893) ERROR:tm:t_relay_to:  t_forward_nonack returned error
>>>>>>>
>>>>>>> What does it mean? What am I doing wrong?
>>>>>>> My SER is only listening on tls port 5061. Do I still have to 
>>>>>>> open udp
>>>>>>> 5060 ?
>>>>>>>
>>>>>>>> it seems that you try to forward on UDP.
>>>> I figured that out too. But I don't know which part forwards 
>>>> something
>>>> on UDP? I attached my conf. Can you give it a quick look?
>>>>
>>>>
>>>>>>>> You can configure openser to
>>>>>>>> listen on UDP as well, and drop messages coming on UDP, if you 
>>>>>>>> want to
>>>>>>>> accept only TLS. (as you have in above snippet). If all peers you
>>>>>>>> connect to support TLS, then you can force sending over TLS all 
>>>>>>>> the
>>>>>>>> time.
>>>>>>>>       Cheers,
>>>>>>>> Daniel
>>>> chris...
>>>>
>>>>>>> Cesc wrote:
>>>>>>>
>>>>>>>>>> http://openser.org/dokuwiki/doku.php?id=openser_core_cookbook&DokuWiki=6c17b007ea61fa37b86b391ce1b2a80f#tcp 
>>>>>>>>>>
>>>>>>>>>> On 4/11/06, Thorsten.Haupt at t-systems.com
>>>>>>>>>> <Thorsten.Haupt at t-systems.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> I searched for this function, but I didn't find it :-(
>>>>>>>>>>> Does anyone know the correct code, not only pseudo-code?
>>>>>>>>>>>
>>>>>>>>>>> Torsten
>>>>>>>>>>>
>>>>>>>>>>> -----Original Message-----
>>>>>>>>>>> From: Cesc [mailto:cesc.santa at gmail.com]
>>>>>>>>>>> Sent: Tuesday, 11 April 2006 14:03
>>>>>>>>>>> To: Haupt, Thorsten
>>>>>>>>>>> Cc: users at openser.org
>>>>>>>>>>> Subject: Re: [Users] Allow only TLS connections
>>>>>>>>>>>
>>>>>>>>>>> I think in openser there is a function to check what 
>>>>>>>>>>> transport the
>>>>>>>>>>> message came in ... you can do something like:
>>>>>>>>>>> if ( transport != TLS ) {
>>>>>>>>>>>          send error to UA
>>>>>>>>>>>          break;
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> Cesc
>>>>>>>>>>>
>>>>>>>>>>> On 4/11/06, Thorsten.Haupt at t-systems.com
>>>>>>>>>>> <Thorsten.Haupt at t-systems.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hello,
>>>>>>>>>>>>
>>>>>>>>>>>> I use OpenSER in a testing environment for VoIP security. My
>>>>>>>>>>>> clients
>>>>>>>>>>>> connect via TLS. If I deactivate UDP/5060 on the server, it 
>>>>>>>>>>>> doesn't
>>>>>>>>>>>> work correctly.
>>>>>>>>>>>> Some Clients can't connect and others can't establish calls. I
>>>>>>>>>>>> read in
>>>>>>>>>>>> another thread, that UDP is mandatory for SIP and that the 
>>>>>>>>>>>> server
>>>>>>>>>>>> needs it.
>>>>>>>>>>>>
>>>>>>>>>>>> But how can I prevent users from connecting via UDP and force
>>>>>>>>>>>> them to
>>>>>>>>>>>> use TLS? I tried a firewall, blocking UDP and TCP on port 
>>>>>>>>>>>> 5060.
>>>>>>>>>>>> But is
>>>>>>>>>>>> this the correct way? Are there any parameters server-side 
>>>>>>>>>>>> to force
>>>>>>>>>>>> users to connect via TLS?
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks for response.
>>>>>>>>>>>> Torsten
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Users mailing list
>>>>>>>>>>>> Users at openser.org
>>>>>>>>>>>> http://openser.org/cgi-bin/mailman/listinfo/users
>>
>
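A constructed Python model of the "uri==myself" reasoning in this thread (added here; it is not OpenSER's code): a Request-URI with no port is compared on SIP's default port 5060, so a server listening only on tls port 5061 does not recognise its own domain unless an alias= entry names it, and the unmatched request is then forwarded over the default UDP transport (proto 1 in the quoted tm error). The listening address, ports and URIs are made up, and the port-defaulting and alias-matching rules are assumptions about the core check, simplified for illustration.

```python
import re

# Constructed model of OpenSER's "uri == myself" check, not its own code.
# Assumptions: a Request-URI without a port is compared on SIP's default
# port 5060, and an alias= entry without a port matches any port.
SIP_DEFAULT_PORT = 5060

# Constructed TLS-only setup like the one in the thread: one listening socket.
LISTEN = [("tls", "198.51.100.10", 5061)]

_URI_RE = re.compile(
    r"^sips?:(?:[^@;]*@)?(?P<host>\[[^\]]+\]|[^:;?]+)"
    r"(?::(?P<port>\d+))?(?P<params>(?:;[^;?]*)*)"
)


def parse_ruri(uri):
    """Return (host, port or None, transport or None) from a SIP Request-URI."""
    m = _URI_RE.match(uri)
    if not m:
        raise ValueError("not a SIP URI: %r" % uri)
    port = int(m.group("port")) if m.group("port") else None
    transport = None
    for param in filter(None, m.group("params").split(";")):
        key, _, value = param.partition("=")
        if key.lower() == "transport":
            transport = value.lower()
    return m.group("host").lower(), port, transport


def is_myself(uri, listen=LISTEN, aliases=()):
    """Model of uri==myself: listening sockets first, then alias= entries."""
    host, port, _ = parse_ruri(uri)
    port = port or SIP_DEFAULT_PORT          # no port in the R-URI -> 5060
    if any(host == addr and port == lport for _, addr, lport in listen):
        return True
    for alias in aliases:
        ahost, _, aport = alias.partition(":")
        if host == ahost.lower() and (not aport or int(aport) == port):
            return True
    return False


def forward_proto(uri):
    """Transport used when the request is not myself and gets forwarded:
    the R-URI's transport= parameter, else SIP's default UDP (proto 1)."""
    _, _, transport = parse_ruri(uri)
    return transport or "udp"
```

With aliases=("example.com",) a bare sip:user@example.com matches even though nothing listens on 5060, which is the effect of Daniel's alias= suggestion; without it the request is forwarded on UDP and fails for lack of a UDP socket.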



