[OpenSER-Users] TLS problem.

Klaus Darilion klaus.mailinglists at pernau.at
Thu Jan 10 12:22:56 CET 2008


Can you show us the REGISTER request? (both, port 5060 and port 5061).

Further, show us your openser config.

regards
klaus

fengbin schrieb:
> 
> Hi, all
> I met a strange problem while I am testing TLS connection between 
> minisip and openser.
> The following is my openser.cfg (part of that)
> 
>     .........
>     fork=no
>     log_stderror=yes
> 
>     # Uncomment this to prevent the blacklisting of temporary not available destinations
>     #disable_dns_blacklist=yes
> 
>     # # Uncomment this to prevent the IPv6 lookup after v4 dns lookup failures
>     #dns_try_ipv6=no
> 
>     # uncomment the following lines for TLS support
>     disable_tls = 0
>     listen = tls:10.11.57.197:5060
> 
> 
>     tls_verify_client = 1
>     tls_method = TLSv1
>     tls_certificate = "/usr/local/etc/openser//tls/user/user-cert.pem"
>     tls_private_key = "/usr/local/etc/openser//tls/user/user-privkey.pem"
>     tls_ca_list = "/usr/local/etc/openser//tls/user/user-calist.pem"
>     tls_ciphers_list="NULL-SHA:NULL-MD5:AES256-SHA:AES128-SHA"
>     ......
> 
> When I set "tls:10.11.57.197:5061" the registration never succeeds. But if 
> I set it to 5060 the registration over TLS is OK.
> I compared the logs of the two scenarios and found the TLS sessions are 
> both OK, but the difference is that
> when the port is 5061 there is a forwarding error. But the forwarding 
> happens because openser thinks it's not the destination of
> the registration request. See below:
> 
>     Jan 10 16:46:56 [9199] DBG:rr:after_loose: No next URI found
>     Jan 10 16:46:56 [9199] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
>     Jan 10 16:46:56 [9199] DBG:core:grep_sock_info: checking if port 5061 matches port 5060
>     Jan 10 16:46:56 [9199] DBG:core:check_self: host != me
>     Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=ffffffffffffffff
>     Jan 10 16:46:56 [9199] DBG:tm:t_newtran: T on entrance=0xffffffff
>     Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=ffffffffffffffff
>     Jan 10 16:46:56 [9199] DBG:core:parse_headers: flags=78
>     Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: start searching: hash=58073, isACK=0
>     Jan 10 16:46:56 [9199] DBG:tm:matching_3261: RFC3261 transaction matching failed
>     Jan 10 16:46:56 [9199] DBG:tm:t_lookup_request: no transaction found
>     Jan 10 16:46:56 [9199] DBG:core:mk_proxy: doing DNS lookup...
>     Jan 10 16:46:56 [9199] ERROR:tm:update_uac_dst: failed to fwd to af 2, proto 1 (no corresponding listening socket)
>     Jan 10 16:46:56 [9199] ERROR:tm:t_forward_nonack: failure to add branches
> 
> 
> 
> In comparison, when the port is set to 5060 the trace is:
> 
>     Jan 10 17:07:59 [9410] DBG:rr:find_next_route: No next Route HF found
>     Jan 10 17:07:59 [9410] DBG:rr:after_loose: No next URI found
>     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
>     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if port 5060 matches port 5060
>     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if host==us: 12==12 && [10.11.57.197] == [10.11.57.197]
>     Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if port 5060 matches port 5060
>     Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=ffffffffffffffff
>     Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=8000000
>     Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=ffffffffffffffff
>     Jan 10 17:07:59 [9410] DBG:registrar:build_contact: created Contact HF: Contact: <sip:888@10.11.57.192:5061;transport=TLS>;expires=1000
> 
> 
> 
> And there is no fwd needed then. So the error didn't occur.
> 
> It's a little bit strange that when I set the port to 5061, why did 
> openser check the port 5060?????
> Can anyone help me to figure it out?
> THX
> BR
> 
> -- 
> Fengbin
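A small triage script for the sequence visible in the two quoted traces (port comparison, `check_self: host != me`, then the forwarding error), added here as an example; it is not part of either poster's message or of OpenSER. The function name `triage` and the reading of the `grep_sock_info` line (first number is the listening socket's port, second is the port being looked up) are assumptions.

```python
import re

# Log lines taken from the post's port-5061 trace, with wrapped lines rejoined.
SAMPLE_5061 = """\
Jan 10 16:46:56 [9199] DBG:core:grep_sock_info: checking if port 5061 matches port 5060
Jan 10 16:46:56 [9199] DBG:core:check_self: host != me
Jan 10 16:46:56 [9199] DBG:core:mk_proxy: doing DNS lookup...
Jan 10 16:46:56 [9199] ERROR:tm:update_uac_dst: failed to fwd to af 2, proto 1 (no corresponding listening socket)
Jan 10 16:46:56 [9199] ERROR:tm:t_forward_nonack: failure to add branches
"""

# Lines from the port-5060 trace, where the port comparison succeeds.
SAMPLE_5060 = """\
Jan 10 17:07:59 [9410] DBG:core:grep_sock_info: checking if port 5060 matches port 5060
Jan 10 17:07:59 [9410] DBG:core:parse_headers: flags=ffffffffffffffff
"""

LINE = re.compile(r"\[(?P<pid>\d+)\]\s+(?P<lvl>DBG|ERROR):(?P<mod>\w+):(?P<fn>\w+):\s*(?P<msg>.*)")
PORTS = re.compile(r"checking if port (\d+) matches port (\d+)")

def triage(log_text):
    """Return one finding per self-check that failed after a port mismatch."""
    state, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, fn, msg = m["pid"], m["fn"], m["msg"]
        st = state.setdefault(pid, {"ports": None, "finding": None})
        if fn == "grep_sock_info" and (p := PORTS.search(msg)):
            # Assumption: first number = listening socket, second = port looked up.
            st["ports"] = (int(p[1]), int(p[2]))
        elif fn == "check_self" and "host != me" in msg and st["ports"]:
            a, b = st["ports"]
            if a != b:
                st["finding"] = {"pid": pid, "socket_port": a, "lookup_port": b, "forward_failed": False}
                findings.append(st["finding"])
        elif m["lvl"] == "ERROR" and fn == "update_uac_dst" and st["finding"]:
            st["finding"]["forward_failed"] = "no corresponding listening socket" in msg
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_5061 + SAMPLE_5060):
        print(f)
```
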



