[OpenSIPS-Users] !rest_get behavior

2017-07-25 Thread Tito Cumpen
Group

I am using the latest opensips 2.3 and I am wondering why a 404 response
doesn't invoke this block ?


  # query the authorization API for caller $fU and callee $rU
  if (!rest_get("http://$avp(api)/cc/authorized/$fU/$rU",
                "$json(authresponse)", "$var(ct)", "$var(rcode)")) {
      xlog("Error code $var(rcode) in HTTP GET!\n");
      xlog("on account of admittance error we are sending the call to the AS server for processing");
      # hand the call to the application server when the lookup fails
      route(ASroute);
  }



the far end response looks like this.


HTTP/1.1 404 Not Found.
X-Powered-By: Express.
Vary: Origin, Accept-Encoding.
Access-Control-Allow-Credentials: true.
Content-Type: text/plain; charset=utf-8.
Content-Length: 9.
ETag: W/"9-nR6tc+Z4+i9RpwqTOwvwFw".
Date: Tue, 25 Jul 2017 18:11:39 GMT.
Connection: keep-alive.
.
Not Found

from the example it looks like other 4XX responses are considered.


Thanks,
Tito
___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users


Re: [OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation

2017-07-25 Thread Callum Guy
It's always easy to overlook the content in errors that haven't been seen
before, I agree that on reflection this should have been looked into in
more detail as it does cover the scenario. In the context of a Comodo
certificate (which we use regularly) it sounded implausible that we
wouldn't be able to validate it. TIL - intermediate certificates matter.



On Tue, Jul 25, 2017 at 4:27 PM Bogdan-Andrei Iancu 
wrote:

> I have to admit that you have to "know how to read the SSL errors" in
> order to really understand the root problem :) . Now that you found the
> issue and if we look back at the error description "verify
> error:num=20:unable to get local issuer certificate", it makes sense - SSL
> complains it did not find the Comodo CA in order to validate the
> certificate presented by the TLS client (which was probably signed by
> Comodo).
>
> Best regards,
>
> Bogdan-Andrei Iancu
>   OpenSIPS Founder and Developer
>   http://www.opensips-solutions.com
>
> OpenSIPS Bootcamp 2017, Houston, US
>   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
>
> On 07/25/2017 05:27 PM, Callum Guy wrote:
>
> Hi Bogdan,
>
> Thanks for your response, based on your advice I performed a full packet
> capture on the handshake and established that a certificate was indeed
> being presented.
>
> Following up on this I managed to establish that the problem was a missing
> intermediary CA in the certificate chain, specifically:
>
>
> https://support.comodo.com/index.php?/Knowledgebase/Article/View/975/108/intermediate-2-sha-2-comodo-rsa-extended-validation-secure-server-ca
>
> The error message presented by OpenSIPS was certainly misleading in this
> case. For others' benefit the approach for installing a new CA is super
> simple:
>
> 1. create the file in /etc/pki/ca-trust/source/anchors
>    (i.e. comodo-ca-rsa-ev-secure-server.pem)
> 2. run "update-ca-trust" with root privs
>
> Problem solved.
>
> Have a good day all!
>
> Callum
>
> On Tue, Jul 25, 2017 at 2:48 PM Bogdan-Andrei Iancu 
> wrote:
>
>> Hi Callum,
>>
>> The error may indicate the fact that the TLS client does not present a
>> TLS certificate while connecting to your OpenSIPS. This has nothing to do
>> with the TLS multi domain, which anyhow is supported. As a test, you can
>> create a separate TLS domain (server) bound to the IP of that TLS client,
>> TLS domain having the require_certificate option turned off.
>>
>> Best Regards,
>>
>> Bogdan-Andrei Iancu
>>   OpenSIPS Founder and Developer
>>   http://www.opensips-solutions.com
>>
>> OpenSIPS Bootcamp 2017, Houston, US
>>   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
>>
>> On 07/25/2017 03:26 PM, Callum Guy wrote:
>>
>> Hi All,
>>
>> *Running: *opensips-2.3.1-1.el7.x86_64 / CentOS 7
>>
>> I have been working with a new TLS connection and have been having problems
>> validating their client certificate. My OpenSIPS configuration works fine
>> for other providers (i.e. Twilio) however I am seeing the following error
>> messages reported while verify_cert is enabled:
>>
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
>> NOTICE:tls_mgm:verify_callback: depth = 0
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
>> NOTICE:tls_mgm:verify_callback: subject =
>> /serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private
>> Organization/C=GB/postalCode=SO16 7NP/L=Southampton/street=2 Venture
>> Road/O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain SSL/CN=simwood.com
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
>> NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local
>> issuer certificate
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
>> NOTICE:tls_mgm:verify_callback: something wrong with the cert ... error
>> code is 20 (check x509_vfy.h)
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
>> NOTICE:tls_mgm:verify_callback: verify return:0
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_accept:
>> New TLS connection from 178.22.140.34:34281 failed to accept
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
>> ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL
>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
>> ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
>>
>> Part of my reason for resorting to the mailing list are old mailing list
>> emails discussing that multi-domain certificates are not supported by
>> OpenSIPs - is anyone able to confirm if this remains a problem?
>>
>> The openssl error code 20 is translated as
>> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>>
>> I have seen other reports that this issue may be related to an improperly
>> chained certificate - does this sound at all likely?
>>
>> Any tips on debugging would be greatly appreciated, thanks.
>>
>> Callum
>> --
>> Callum Guy
>> Head of Information Security
>> X-on
>> 
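
The failure discussed in this thread (verify error 20, "unable to get local issuer certificate") and its fix can be reproduced offline with the openssl CLI. The following is an added example, not part of the original posts; the CA and client names, file names and helper functions are constructed, and beyond the thread's fix it also shows the case where the peer supplies the intermediate itself.

```shell
#!/bin/sh
# Constructed demo: reproduce X509 verify error 20 (missing intermediate CA)
# and two ways to resolve it. Every name and file below is made up.
set -eu

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
write_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
}

# Build root CA -> intermediate CA -> client certificate in directory $1.
build_chain() {
    d=$1
    write_config "$d/demo.cnf"
    # Root CA: the self-signed trust anchor.
    openssl req -config "$d/demo.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.pem" -days 2 \
        -subj "/CN=Constructed Root CA" -extensions v3_ca >/dev/null 2>&1
    # Intermediate CA: signed by the root.
    openssl req -config "$d/demo.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Constructed Intermediate CA" >/dev/null 2>&1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 1001 -days 2 -extfile "$d/demo.cnf" -extensions v3_ca \
        -out "$d/int.pem" >/dev/null 2>&1
    # Client certificate: signed by the intermediate, not by the root.
    openssl req -config "$d/demo.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=client.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 1002 -days 2 -extfile "$d/demo.cnf" -extensions v3_leaf \
        -out "$d/leaf.pem" >/dev/null 2>&1
    # Trust store contents after the intermediate has been installed locally.
    cat "$d/root.pem" "$d/int.pem" > "$d/bundle.pem"
}

# Print 0 if the chain validates, otherwise the first X509 verify error number.
# Arguments are passed straight to "openssl verify".
verify_code() {
    out=$(openssl verify "$@" 2>&1) || true
    case "$out" in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" \
               | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

demo() {
    dir=$(mktemp -d)
    build_chain "$dir"
    echo "store has root only:                $(verify_code -CAfile "$dir/root.pem" "$dir/leaf.pem")"
    echo "store has root + intermediate:      $(verify_code -CAfile "$dir/bundle.pem" "$dir/leaf.pem")"
    echo "root only, peer sends intermediate: $(verify_code -CAfile "$dir/root.pem" \
        -untrusted "$dir/int.pem" "$dir/leaf.pem")"
    rm -rf "$dir"
}

demo
```

The root-only case corresponds to the num=20 at depth 0 in the log quoted above. The second case is the local fix described in the thread; the third is what a peer that sends its full chain achieves without any change to the local store.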

Re: [OpenSIPS-Users] OpenSIPS reseting issue with $T_fr_inv_timeout while forwarding

2017-07-25 Thread Bogdan-Andrei Iancu

Hi Ravi,

Before each t_relay() you have to set your custom $T_fr_inv_timeout
and $T_fr_timeout, otherwise the default values will be used.  As you
have a serial forking scenario, you do a new t_relay() at each step.


Regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/25/2017 05:34 PM, Ravi Patel wrote:

Hi Team,

What is the right way to reset timers *$T_fr_inv_timeout* and 
*$T_fr_timeout* ??


I am using OpenSIPS-2.2 version
The below scenario will help to understand issue,

There are 4 SIP users,
,,,

What I want to achieve is:
 --->  (FORWARD ON NOANSWER) --->  (FORWARD ON NOANSWER) 
---> 


*1st Test Case Scenario:*


 (fr_inv_timeout 20 sec)
 (fr_inv_timeout 25 sec)
 (fr_inv_timeout 30 sec)


when  calls  : OpenSIPS generates CANCEL at 20 secs (that's
working properly as expected) and forwards call to  as per my
configuration.
so in -->  : OpenSIPS generates CANCEL at *20 secs instead of 25
secs* and sends 408 to . and not processing the 2nd forwarding.


*2nd Test Case Scenario:*

 (fr_inv_timeout 20 sec)
 (fr_inv_timeout 15 sec)
 (fr_inv_timeout 30 sec)

when  calls  : OpenSIPS generates CANCEL at 20 secs (that is
working properly as expected) and forwards call to  as per my
configuration.
now -->  : OpenSIPS generates CANCEL at 15 secs and forwards the 
call to , Here OpenSIPS generates CANCEL *after 5 secs instead of 
30 secs.*



We set timeout by using $T_fr_inv_timeout.

route[ring_timeout]{
    xlog("L_INFO","--- RING_TIMEOUT ---\n");

    # the ring (fr_inv) timer only applies to INVITE transactions
    if (!is_method("INVITE"))
        return;

    # load the per-user ring timeout for the callee in $rU
    avp_db_load("$rU","$avp(ringtimeout)/usr_preferences");
    if($avp(ringtimeout)!=null)
    {
        $T_fr_inv_timeout = NULL;
        xlog("L_INFO","$rU: Ring timeout : $avp(ringtimeout)");
        $T_fr_inv_timeout = $(avp(ringtimeout){s.int});
        xlog("L_INFO","$rU: Ring timeout is setted: [$T_fr_inv_timeout]");
    }
    else
    {
        xlog("L_INFO","$rU: Ring timeout is NOT setted");
    }
}
--

From both the scenarios what we found, it sticks to the first timeout 
of ,that is 20secs in our case.
In first scenario it generates CANCEL on  at 20 secs instead of 25 
that is 's Timeout.
In second scenario it generates CANCEL on  at 15sec and on  at 
5 sec (15 + 5 = 20 sec) that is also 's timeout.



Can I know the right method to set $T_fr_inv_timeout ?

Let me know if any other information is needed.


Thanks,
Ravi





Re: [OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation

2017-07-25 Thread Bogdan-Andrei Iancu
I have to admit that you have to "know how to read the SSL errors" in
order to really understand the root problem :) . Now that you found the
issue and if we look back at the error description "verify
error:num=20:unable to get local issuer certificate", it makes sense -
SSL complains it did not find the Comodo CA in order to validate the
certificate presented by the TLS client (which was probably signed by
Comodo).


Best regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/25/2017 05:27 PM, Callum Guy wrote:

Hi Bogdan,

Thanks for your response, based on your advice I performed a full 
packet capture on the handshake and established that a certificate was 
indeed being presented.


Following up on this I managed to establish that the problem was a 
missing intermediary CA in the certificate chain, specifically:


https://support.comodo.com/index.php?/Knowledgebase/Article/View/975/108/intermediate-2-sha-2-comodo-rsa-extended-validation-secure-server-ca

The error message presented by OpenSIPS was certainly misleading in
this case. For others' benefit the approach for installing a new CA is
super simple:

 1. create the file in /etc/pki/ca-trust/source/anchors
    (i.e. comodo-ca-rsa-ev-secure-server.pem)
 2. run "update-ca-trust" with root privs

Problem solved.

Have a good day all!

Callum

On Tue, Jul 25, 2017 at 2:48 PM Bogdan-Andrei Iancu wrote:


Hi Callum,

The error may indicate the fact that the TLS client does not
present a TLS certificate while connecting to your OpenSIPS. This
has nothing to do with the TLS multi domain, which anyhow is
supported. As a test, you can create a separate TLS domain
(server) bound to the IP of that TLS client, TLS domain having the
require_certificate option turned off.

Best Regards,

Bogdan-Andrei Iancu
   OpenSIPS Founder and Developer
   http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/25/2017 03:26 PM, Callum Guy wrote:

Hi All,

*Running: *opensips-2.3.1-1.el7.x86_64 / CentOS 7

I have been working with a new TLS connection and have been having
problems validating their client certificate. My OpenSIPS
configuration works fine for other providers (i.e. Twilio)
however I am seeing the following error messages reported while
verify_cert is enabled:

Jul 25 13:10:32 proxy.ex.com 
opensips[4881]: NOTICE:tls_mgm:verify_callback: depth = 0
Jul 25 13:10:32 proxy.ex.com 
opensips[4881]: NOTICE:tls_mgm:verify_callback: subject =
/serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private
Organization/C=GB/postalCode=SO16 7NP/L=Southampton/street=2
Venture Road/O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain
SSL/CN=simwood.com 
Jul 25 13:10:32 proxy.ex.com 
opensips[4881]: NOTICE:tls_mgm:verify_callback: verify
error:num=20:unable to get local issuer certificate
Jul 25 13:10:32 proxy.ex.com 
opensips[4881]: NOTICE:tls_mgm:verify_callback: something wrong
with the cert ... error code is 20 (check x509_vfy.h)
Jul 25 13:10:32 proxy.ex.com 
opensips[4881]: NOTICE:tls_mgm:verify_callback: verify return:0
Jul 25 13:10:32 proxy.ex.com 
opensips[4881]: ERROR:proto_tls:tls_accept: New TLS connection
from 178.22.140.34:34281  failed to
accept
Jul 25 13:10:32 proxy.ex.com 
opensips[4881]: ERROR:proto_tls:tls_print_errstack: TLS errstack:
error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
certificate returned
Jul 25 13:10:32 proxy.ex.com 
opensips[4881]: ERROR:proto_tls:tls_read_req: failed to do
pre-tls reading

Part of my reason for resorting to the mailing list are old
mailing list emails discussing that multi-domain certificates are
not supported by OpenSIPs - is anyone able to confirm if this
remains a problem?

The openssl error code 20 is translated as
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

I have seen other reports that this issue may be related to an
improperly chained certificate - does this sound at all likely?

Any tips on debugging would be greatly appreciated, thanks.

Callum
-- 
Callum Guy

Head of Information Security
X-on



[OpenSIPS-Users] OpenSIPS reseting issue with $T_fr_inv_timeout while forwarding

2017-07-25 Thread Ravi Patel
Hi Team,

What is the right way to reset timers *$T_fr_inv_timeout* and
*$T_fr_timeout* ??

I am using OpenSIPS-2.2 version
The below scenario will help to understand issue,

There are 4 SIP users,
,,,

What I want to achieve is:
 --->  (FORWARD ON NOANSWER) --->  (FORWARD ON NOANSWER) --->


*1st Test Case Scenario:*


 (fr_inv_timeout 20 sec)
 (fr_inv_timeout 25 sec)
 (fr_inv_timeout 30 sec)


when  calls  : OpenSIPS generates CANCEL at 20 secs (that's working
properly as expected) and forwards call to  as per my configuration.
so in -->  : OpenSIPS generates CANCEL at *20 secs instead of 25 secs*
and sends 408 to . and not processing the 2nd forwarding.

*2nd Test Case Scenario:*

 (fr_inv_timeout 20 sec)
 (fr_inv_timeout 15 sec)
 (fr_inv_timeout 30 sec)

when  calls  : OpenSIPS generates CANCEL at 20 secs (that is
working properly as expected) and forwards call to  as per my
configuration.
now -->  : OpenSIPS generates CANCEL at 15 secs and forwards the call
to , Here OpenSIPS generates CANCEL *after 5 secs instead of 30 secs.*


We set timeout by using $T_fr_inv_timeout.

route[ring_timeout]{
    xlog("L_INFO","--- RING_TIMEOUT ---\n");

    # the ring (fr_inv) timer only applies to INVITE transactions
    if (!is_method("INVITE"))
        return;

    # load the per-user ring timeout for the callee in $rU
    avp_db_load("$rU","$avp(ringtimeout)/usr_preferences");
    if($avp(ringtimeout)!=null)
    {
        $T_fr_inv_timeout = NULL;
        xlog("L_INFO","$rU: Ring timeout : $avp(ringtimeout)");
        $T_fr_inv_timeout = $(avp(ringtimeout){s.int});
        xlog("L_INFO","$rU: Ring timeout is setted: [$T_fr_inv_timeout]");
    }
    else
    {
        xlog("L_INFO","$rU: Ring timeout is NOT setted");
    }
}
--

From both the scenarios what we found, it sticks to the first timeout of
,that is 20secs in our case.
In first scenario it generates CANCEL on  at 20 secs instead of 25 that
is 's Timeout.
In second scenario it generates CANCEL on  at 15sec and on  at 5
sec (15 + 5 = 20 sec) that is also 's timeout.


Can I know the right method to set $T_fr_inv_timeout ?

Let me know if any other information is needed.


Thanks,
Ravi


Re: [OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation

2017-07-25 Thread Callum Guy
Hi Bogdan,

Thanks for your response, based on your advice I performed a full packet
capture on the handshake and established that a certificate was indeed
being presented.

Following up on this I managed to establish that the problem was a missing
intermediary CA in the certificate chain, specifically:

https://support.comodo.com/index.php?/Knowledgebase/Article/View/975/108/intermediate-2-sha-2-comodo-rsa-extended-validation-secure-server-ca

The error message presented by OpenSIPS was certainly misleading in this
case. For others' benefit the approach for installing a new CA is super
simple:

   1. create the file in /etc/pki/ca-trust/source/anchors
      (i.e. comodo-ca-rsa-ev-secure-server.pem)
   2. run "update-ca-trust" with root privs

Problem solved.

Have a good day all!

Callum

On Tue, Jul 25, 2017 at 2:48 PM Bogdan-Andrei Iancu 
wrote:

> Hi Callum,
>
> The error may indicate the fact that the TLS client does not present a TLS
> certificate while connecting to your OpenSIPS. This has nothing to do with
> the TLS multi domain, which anyhow is supported. As a test, you can
> create a separate TLS domain (server) bound to the IP of that TLS client,
> TLS domain having the require_certificate option turned off.
>
> Best Regards,
>
> Bogdan-Andrei Iancu
>   OpenSIPS Founder and Developer
>   http://www.opensips-solutions.com
>
> OpenSIPS Bootcamp 2017, Houston, US
>   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
>
> On 07/25/2017 03:26 PM, Callum Guy wrote:
>
> Hi All,
>
> *Running: *opensips-2.3.1-1.el7.x86_64 / CentOS 7
>
> I have been working with a new TLS connection and have been having problems
> validating their client certificate. My OpenSIPS configuration works fine
> for other providers (i.e. Twilio) however I am seeing the following error
> messages reported while verify_cert is enabled:
>
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> NOTICE:tls_mgm:verify_callback: depth = 0
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> NOTICE:tls_mgm:verify_callback: subject =
> /serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private
> Organization/C=GB/postalCode=SO16 7NP/L=Southampton/street=2 Venture
> Road/O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain SSL/CN=simwood.com
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local
> issuer certificate
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> NOTICE:tls_mgm:verify_callback: something wrong with the cert ... error
> code is 20 (check x509_vfy.h)
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> NOTICE:tls_mgm:verify_callback: verify return:0
> Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_accept:
> New TLS connection from 178.22.140.34:34281 failed to accept
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> Jul 25 13:10:32 proxy.ex.com opensips[4881]:
> ERROR:proto_tls:tls_read_req: failed to do pre-tls reading
>
> Part of my reason for resorting to the mailing list are old mailing list
> emails discussing that multi-domain certificates are not supported by
> OpenSIPs - is anyone able to confirm if this remains a problem?
>
> The openssl error code 20 is translated as
> X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
>
> I have seen other reports that this issue may be related to an improperly
> chained certificate - does this sound at all likely?
>
> Any tips on debugging would be greatly appreciated, thanks.
>
> Callum
> --
> Callum Guy
> Head of Information Security
> X-on
>
>
>

Re: [OpenSIPS-Users] I have a query regarding loadbalance of opensips .

2017-07-25 Thread Bogdan-Andrei Iancu
If you have the same kind of network constraints (UAC behind NAT), then
it will not work for UDP either. If the UAC is NATed, in 99% of the cases,
it is able to be reached back only by the SIP node the UAC is
registering with.


So you have to re-think the internal design of your cluster.

Regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/25/2017 04:16 PM, Sasmita Panda wrote:

I got your point. I understand why the 477 send failed message is coming.

Let's say I am not using TCP. I am using UDP. My question is how I will
use a single DB behind a cluster of opensips. Is this possible in UDP?
I don't think so. In UDP I may get a "408 request timeout" message
from the opensips node.

Let's say I have a client and I have given a domain to that. Against
that domain there are 2 opensips nodes, both sharing the same DB and
running in db_only mode. My UAC is behind NAT, of course.

According to you I can't use this scenario if my UAC is behind NAT.
If opensips nodes and UAC can communicate internally inside a LAN
then it's possible.

Please correct me if I am wrong.

*/Thanks & Regards/*
/Sasmita Panda/
/Network Testing and Software Engineer/
/3CLogic , ph:07827611765/

On Tue, Jul 25, 2017 at 6:38 PM, Bogdan-Andrei Iancu wrote:


Sasmita,

OpenSIPS can open a new TCP connection towards an UAC IF:
1) the registered IP is public
2) the UAC is not behind a NAT.

The 477 reply is generated by the inability of OpenSIPS to open a
TCP connection - you can see some error messages into the logs too.

Regards,

Bogdan-Andrei Iancu
   OpenSIPS Founder and Developer
   http://www.opensips-solutions.com 

OpenSIPS Bootcamp 2017, Houston, US
   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html


On 07/25/2017 02:53 PM, Sasmita Panda wrote:

Is there any way opensips nodes will be connected in TCP? If
what I am expecting is not possible then I will leave this.

Then my question is what's the use of an opensips cluster using the same
DB? In which scenario can I use this? I just want a cluster of
opensips nodes sharing a single DB. How can I achieve this?


*/Thanks & Regards/*
/Sasmita Panda/
/Network Testing and Software Engineer/
/3CLogic , ph:07827611765/

On Tue, Jul 25, 2017 at 5:18 PM, Bogdan-Andrei Iancu wrote:

Hi Sasmita,

There is an incompatibility between your opensips cluster
design and your network topology. If the end device is TCP
connected to one Node, and it is not able (due to network
constraints) to receive TCP connections from any other Node,
it makes no sense to share the registration data between the
OpenSIPS Nodes as only the Node that received the
registration will be able to reach back the device (again,
due to network constraints)

Best regards,

Bogdan-Andrei Iancu
   OpenSIPS Founder and Developer
   http://www.opensips-solutions.com


OpenSIPS Bootcamp 2017, Houston, US
   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html


On 07/24/2017 03:24 PM, Sasmita Panda wrote:

Hi  All ,
  I wanted to use a single DB against 2 or more
registrar server .

 Below is my requirement :

 Opensips1 (x.x.x.x) -> DB
 Opensips2 (x.x.x.y) -> DB

   DB is in different machine and both opensips servers
are accessing the same DB . Opensips is running on Db only
mode . db_mode: 3 .


I had mapped a domain in route53 ex. "
loadbalance.i3clogic.com  "
and against this domain I have added both the IPs of
opensips1 and 2 as SRV .

 I have added this domain in my opensips config file
as alias in both the config files.

   what my client do is , it does SRV query in the
domain and resolve 1 Ip at a time and send requests to that .

example :
A-> SRV query( resolve Ip opensips1)  -> sent Register
Opensips1 -> store in DB
 This can change in ttl expire or in re-login of A . A
is making TCP connection with opensips .

when an Invite comes for A  to opensips2 , that send 477
send fail .

B -> Inv (TCP connection for A ) Opensips2

  Opensips2 replies with 477 send fail to B . The reason
behind this is A is registered through Opensips1 .

This is 

Re: [OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation

2017-07-25 Thread Bogdan-Andrei Iancu

Hi Callum,

The error may indicate the fact that the TLS client does not present a
TLS certificate while connecting to your OpenSIPS. This has nothing to
do with the TLS multi domain, which anyhow is supported. As a test,
you can create a separate TLS domain (server) bound to the IP of that
TLS client, TLS domain having the require_certificate option turned off.


Best Regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/25/2017 03:26 PM, Callum Guy wrote:

Hi All,

*Running: *opensips-2.3.1-1.el7.x86_64 / CentOS 7

I have been working with a new TLS connection and have been having
problems validating their client certificate. My OpenSIPS
configuration works fine for other providers (i.e. Twilio) however I
am seeing the following error messages reported while verify_cert is
enabled:


Jul 25 13:10:32 proxy.ex.com  opensips[4881]: 
NOTICE:tls_mgm:verify_callback: depth = 0
Jul 25 13:10:32 proxy.ex.com  opensips[4881]: 
NOTICE:tls_mgm:verify_callback: subject = 
/serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private 
Organization/C=GB/postalCode=SO16 7NP/L=Southampton/street=2 Venture 
Road/O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain 
SSL/CN=simwood.com 
Jul 25 13:10:32 proxy.ex.com  opensips[4881]: 
NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get 
local issuer certificate
Jul 25 13:10:32 proxy.ex.com  opensips[4881]: 
NOTICE:tls_mgm:verify_callback: something wrong with the cert ... 
error code is 20 (check x509_vfy.h)
Jul 25 13:10:32 proxy.ex.com  opensips[4881]: 
NOTICE:tls_mgm:verify_callback: verify return:0
Jul 25 13:10:32 proxy.ex.com  opensips[4881]: 
ERROR:proto_tls:tls_accept: New TLS connection from 
178.22.140.34:34281  failed to accept
Jul 25 13:10:32 proxy.ex.com  opensips[4881]: 
ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Jul 25 13:10:32 proxy.ex.com  opensips[4881]: 
ERROR:proto_tls:tls_read_req: failed to do pre-tls reading


Part of my reason for resorting to the mailing list are old mailing 
list emails discussing that multi-domain certificates are not 
supported by OpenSIPs - is anyone able to confirm if this remains a 
problem?


The openssl error code 20 is translated as 
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY


I have seen other reports that this issue may be related to an 
improperly chained certificate - does this sound at all likely?


Any tips on debugging would be greatly appreciated, thanks.

Callum
--
Callum Guy
Head of Information Security
X-on




Re: [OpenSIPS-Users] I have a query regarding loadbalance of opensips .

2017-07-25 Thread Sasmita Panda
I got your point. I understand why the 477 send failed message is coming.

Let's say I am not using TCP. I am using UDP. My question is how I will use a
single DB behind a cluster of opensips. Is this possible in UDP? I don't
think so. In UDP I may get a "408 request timeout" message from the opensips
node.

Let's say I have a client and I have given a domain to that. Against that
domain there are 2 opensips nodes, both sharing the same DB and running in
db_only mode. My UAC is behind NAT, of course.

According to you I can't use this scenario if my UAC is behind NAT. If
opensips nodes and UAC can communicate internally inside a LAN then it's
possible.

Please correct me if I am wrong.

*Thanks & Regards*
*Sasmita Panda*
*Network Testing and Software Engineer*
*3CLogic , ph:07827611765*

On Tue, Jul 25, 2017 at 6:38 PM, Bogdan-Andrei Iancu 
wrote:

> Sasmita,
>
> OpenSIPS can open a new TCP connection towards an UAC IF:
> 1) the registered IP is public
> 2) the UAC is not behind a NAT.
>
> The 477 reply is generated by the inability of OpenSIPS to open a TCP
> connection - you can see some error messages into the logs too.
>
> Regards,
>
> Bogdan-Andrei Iancu
>   OpenSIPS Founder and Developer
>   http://www.opensips-solutions.com
>
> OpenSIPS Bootcamp 2017, Houston, US
>   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
>
> On 07/25/2017 02:53 PM, Sasmita Panda wrote:
>
> Is there any way opensips nodes will be connected in TCP? If what I am
> expecting is not possible then I will leave this.
>
> Then my question is what's the use of an opensips cluster using the same DB? In
> which scenario can I use this? I just want a cluster of opensips nodes
> sharing a single DB. How can I achieve this?
>
>
> *Thanks & Regards*
> *Sasmita Panda*
> *Network Testing and Software Engineer*
> *3CLogic , ph:07827611765*
>
> On Tue, Jul 25, 2017 at 5:18 PM, Bogdan-Andrei Iancu 
> wrote:
>
>> Hi Sasmita,
>>
>> There is an incompatibility between your opensips cluster design and your
>> network topology. If the end device is TCP connected to one Node, and it is
>> not able (due to network constraints) to receive TCP connections from any
>> other Node, it makes no sense to share the registration data between the
>> OpenSIPS Nodes as only the Node that received the registration will be able
>> to reach back the device (again, due to network constraints)
>>
>> Best regards,
>>
>> Bogdan-Andrei Iancu
>>   OpenSIPS Founder and Developer
>>   http://www.opensips-solutions.com
>>
>> OpenSIPS Bootcamp 2017, Houston, US
>>   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
>>
>> On 07/24/2017 03:24 PM, Sasmita Panda wrote:
>>
>> Hi  All ,
>>
>>   I wanted to use a single DB against 2 or more registrar server .
>>
>>  Below is my requirement :
>>
>>  Opensips1 (x.x.x.x) -> DB
>>  Opensips2 (x.x.x.y) -> DB
>>
>>DB is in different machine and both opensips servers are accessing
>> the same DB .  Opensips is running on Db only mode . db_mode: 3 .
>>
>>
>> I had mapped a domain in route53 ex. " loadbalance.i3clogic.com " and
>> against this domain I have added both the IPs of opensips1 and 2 as SRV .
>>
>>  I have added this domain in my opensips config file as alias in
>> both the config files.
>>
>>what my client do is , it does SRV query in the domain and resolve
>> 1 Ip at a time and send requests to that .
>>
>> example :
>> A-> SRV query( resolve Ip opensips1)  -> sent Register Opensips1 -> store
>> in DB
>>  This can change in ttl expire or in re-login of A . A is making TCP
>> connection with opensips .
>>
>> when an Invite comes for A  to opensips2 , that send 477 send fail .
>>
>> B -> Inv (TCP connection for A ) Opensips2
>>
>>   Opensips2 replys with 477 send fail to B . The reason behind this
>> is A is registered through Opensips1 .
>>
>> This is what I want and the problem I am facing . My questing is how can
>> I solve this . I dont want to add any proxy in between client and
>> opensips1/2 . Is there any way this will work for me ?
>>
>> *Thanks & Regards*
>> *Sasmita Panda*
>> *Network Testing and Software Engineer*
>> *3CLogic , ph:07827611765*


Re: [OpenSIPS-Users] I have a query regarding loadbalance of opensips .

2017-07-25 Thread Bogdan-Andrei Iancu

Sasmita,

OpenSIPS can open a new TCP connection towards a UAC IF:
1) the registered IP is public
2) the UAC is not behind a NAT.

The 477 reply is generated by the inability of OpenSIPS to open a TCP 
connection - you can see some error messages in the logs too.


Regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/25/2017 02:53 PM, Sasmita Panda wrote:
Is there any way opensips nodes will be connected in TCP ? If what I 
am expecting is not possible then I will leave this .


Then my question is what's the use of opensips cluster using same DB? 
In which scenario I can use this. I just want a cluster of opensips 
node sharing a single DB. How can I achieve this?



*/Thanks & Regards/*
/Sasmita Panda/
/Network Testing and Software Engineer/
/3CLogic , ph:07827611765/

On Tue, Jul 25, 2017 at 5:18 PM, Bogdan-Andrei Iancu wrote:


Hi Sasmita,

There is an incompatibility between your opensips cluster design
and your network topology. If the end device is TCP connected to
one Node, and it is not able (due network constraints) to receive
TCP connections from any other Node, it makes no sense to share
the registration data between the OpenSIPS Nodes as only the Node
that received the registration will be able to reach back the
device (again, due network constraints)

Best regards,

Bogdan-Andrei Iancu
   OpenSIPS Founder and Developer
   http://www.opensips-solutions.com 

OpenSIPS Bootcamp 2017, Houston, US
   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html


On 07/24/2017 03:24 PM, Sasmita Panda wrote:

Hi  All ,
  I wanted to use a single DB against 2 or more registrar
server .

 Below is my requirement :

 Opensips1 (x.x.x.x) -> DB
 Opensips2 (x.x.x.y) -> DB

   DB is in different machine and both opensips servers are
accessing the same DB . Opensips is running on Db only mode .
db_mode: 3 .


I had mapped a domain in route53 ex. " loadbalance.i3clogic.com " and
against this domain I have added both the IPs of opensips1 and 2 as SRV .

 I have added this domain in my opensips config file as
aslias in both the config files  .

   what my client do is , it does SRV query in the domain and
resolve 1 Ip at a time and send requests to that .

example :
A-> SRV query( resolve Ip opensips1)  -> sent Register Opensips1
-> store in DB
 This can change in ttl expire or in re-login of A . A is
making TCP connection with opensips .

when an Invite comes for A  to opensips2 , that send 477 send fail .

B -> Inv (TCP connection for A ) Opensips2

  Opensips2 replys with 477 send fail to B . The reason
behind this is A is registered through Opensips1 .

This is what I want and the problem I am facing. My question is
how can I solve this. I don't want to add any proxy in between
client and opensips1/2. Is there any way this will work for me?

*/Thanks & Regards/*
/Sasmita Panda/
/Network Testing and Software Engineer/
/3CLogic , ph:07827611765/




Re: [OpenSIPS-Users] pv_proxy_authorize cache

2017-07-25 Thread Bogdan-Andrei Iancu
The difference between www_ and proxy_ comes to what SIP headers they 
are looking for (in the SIP message) for reading the auth answer 
(Proxy-Authorize versus Authorize). Otherwise, in terms of auth 
algorithm, they are the same.


Regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/25/2017 04:01 PM, Mike Tesliuk wrote:


Hello Bogdan,  the $avp(usuario) is populated with the $fU as you 
think, the password is using the calculate parameter , but my question 
was if the pv_proxy_authorize is supposed to work, because on the 
example was used the www_ , and on my tests  do not work, but i will 
double check my configuration an try again.



thank you very much


On 25/07/17 09:45, Bogdan-Andrei Iancu wrote:

Hi Mike,

depending on your SIP flow, you can use either www_ (if a REGISTER) 
or proxy_ (if a non-REGISTER) functions.


In your script snip, you must populate both auth username and 
password before the calling the auth function. I do not see the 
$avp(usuario) set (probably with $fU ??) . Also, if the password is 
plain/text, be use you properly set the calculate_ha1 parameter.


Best regards,
Bogdan-Andrei Iancu
   OpenSIPS Founder and Developer
   http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
On 07/24/2017 11:21 PM, Mike Tesliuk wrote:


Hello there,


Im trying to implement a proxy_authorize using cache without success.


is that possible to perform the cache using proxy_authorize ? on the 
example [1] i see the www_challenge() no proxy_challenge, is that 
correct ?



on my test im doing this (below):


modparam("auth","username_spec", "$avp(usuario)")
modparam("auth","password_spec", "$avp(senha)")
modparam("auth_db", "load_credentials", "$avp(senha)=password")


$avp(usuario) = $fU;

if(cache_fetch("redis","passwd_$fU",$avp(senha))) {
    if(!pv_proxy_authorize("")){
        proxy_challenge("","0");
        exit;
    }
}else{
    if(!proxy_authorize("")){
        proxy_challenge("","0");
        exit;
    }

    cache_store("redis","passwd_$fU","$avp(senha)",3600);
}

But with this rule i do not get the user authenticated.

what im doing wrong ? :)


Thanks in advance


[1] - https://www.opensips.org/Documentation/Tutorials-MemoryCaching#toc3

--
Sincerely,
WSU TECNOLOGIA
Mike Tesliuk
Rua Visconde do Rio Branco 1630 . Sala 1302 . Curitiba . PR
12387 SW 125th ter, Miami, Florida 33186 - USA
tel +55 (41) 3941.0650   +1 (786) 719.6253




--
Sincerely,
WSU TECNOLOGIA
Mike Tesliuk
Rua Visconde do Rio Branco 1630 . Sala 1302 . Curitiba . PR
12387 SW 125th ter, Miami, Florida 33186 - USA
tel +55 (41) 3941.0650   +1 (786) 719.6253


Re: [OpenSIPS-Users] pv_proxy_authorize cache

2017-07-25 Thread Mike Tesliuk
Hello Bogdan, the $avp(usuario) is populated with the $fU as you think,
the password is using the calculate parameter, but my question was if
the pv_proxy_authorize is supposed to work, because on the example was
used the www_, and on my tests it does not work, but I will double check my
configuration and try again.


thank you very much


On 25/07/17 09:45, Bogdan-Andrei Iancu wrote:
> Hi Mike,
>
> depending on your SIP flow, you can use either www_ (if a REGISTER) or
> proxy_ (if a non-REGISTER) functions.
>
> In your script snip, you must populate both auth username and password
> before the calling the auth function. I do not see the $avp(usuario)
> set (probably with $fU ??) . Also, if the password is plain/text, be
> use you properly set the calculate_ha1 parameter.
>
> Best regards,
> Bogdan-Andrei Iancu
>   OpenSIPS Founder and Developer
>   http://www.opensips-solutions.com
>
> OpenSIPS Bootcamp 2017, Houston, US
>   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
> On 07/24/2017 11:21 PM, Mike Tesliuk wrote:
>>
>> Hello there,
>>
>>
>> Im trying to implement a proxy_authorize using cache without success.
>>
>>
>> is that possible to perform the cache using proxy_authorize ? on the
>> example [1] i see the www_challenge() no proxy_challenge, is that
>> correct ?
>>
>>
>> on my test im doing this (below):
>>
>>
>> modparam("auth","username_spec", "$avp(usuario)")
>> modparam("auth","password_spec", "$avp(senha)")
>> modparam("auth_db", "load_credentials", "$avp(senha)=password")
>>
>>
>> $avp(usuario) = $fU;
>>
>> if(cache_fetch("redis","passwd_$fU",$avp(senha))) {
>>  if(!pv_proxy_authorize("")){
>>  proxy_challenge("","0");
>>  exit;
>>  }
>> }else{
>>  if(!proxy_authorize("")){
>>  proxy_challenge("","0");
>>  exit;
>>  }
>>
>>  
>>  cache_store("redis","passwd_$fU","$avp(senha)",3600);
>>
>> }
>>
>> But with this rule i do not get the user authenticated.
>>
>> what im doing wrong ? :)
>>
>>
>> Thanks in advice 
>>
>>
>>
>>
>> [1] - https://www.opensips.org/Documentation/Tutorials-MemoryCaching#toc3
>>
>> -- 
>> Sincerely,
>> WSU TECNOLOGIA
>> Mike Tesliuk
>> Rua Visconde do Rio Branco 1630 . Sala 1302 . Curitiba . PR
>> 12387 SW 125th ter, Miami, Florida 33186 - USA
>> tel +55 (41) 3941.0650   +1 (786) 719.6253
>

-- 
Sincerely,
WSU TECNOLOGIA
Mike Tesliuk
Rua Visconde do Rio Branco 1630 . Sala 1302 . Curitiba . PR
12387 SW 125th ter, Miami, Florida 33186 - USA
tel +55 (41) 3941.0650   +1 (786) 719.6253


Re: [OpenSIPS-Users] Registered trunks

2017-07-25 Thread Bogdan-Andrei Iancu

Hi Pat,

I see 2 scenarios here (in both cases, the calledID and the auth user 
are completely different, they cannot be calculated one from the other):


* if the caller sends in FROM the auth username and in PAI/RPID the CLI, 
you should be fine.


* if the caller sends in FROM the CLI, then it should send in the auth 
answer (as "username" attribute) the right auth username. The 
authentication should be successful, but you should check if the 
advertised CLI (in FROM) is allowed to use the authentication username


So, bottom line (I think you are on the second scenario), you have to 
keep the db_check_from(), re-configure the URI module to perform the 
check against a predefined set of mappings (auth username as per 
subscriber and SIP username as per FROM hdr) via DB table "uri" - see the 
"db_table" and "use_uri_table" parameters:

http://www.opensips.org/html/docs/modules/2.3.x/uri.html#use-uri-table

Or using avp_db_query() you can make your own SQL query for checking 
(via custom table) if the auth username is allowed with a certain CLI 
(FROM username)


Best regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/25/2017 03:32 AM, Pat Burke wrote:

Hello,

As a SIP Provider, we are implementing the ability to provide SIP trunks 
to customers with a PBX or Dialer that require Registration.  With 
this in mind,
the customer wants to be able to set the CallerID at least on the 
basis of the devices connected to them, but potentially on a per call 
basis.


For the challenge-response to the non-Register methods, we have 
implemented the script as follows (seems to be a very standard way).  
My question is
for the case of the CallerID not being the same as the 
username/authorization name, how do we do this?  Because the "FROM" 
user is different from the
authorized user, the db_check_from fails.  I don't believe all phone 
systems support P-Asserted-ID, so we can't really go that route.  So 
can we just remove

the "db_check_from"?   What risk does that expose us to?

if ( !(is_method("REGISTER")) ) {
   if (is_from_local("$var(reg_domain_attr)")) { # from Registered device
      $avp(callee_number_type) := "Registered";

      # authenticate if from local subscriber
      # authenticate all initial non-REGISTER request that pretend to be
      # generated by local subscriber (domain from FROM URI is local)
      if (!proxy_authorize("", "subscriber")) {
         proxy_challenge("", "0");
         exit;
      }

      if (!db_check_from()) {
         sl_send_reply("403","Forbidden auth ID");
         exit;
      }

      consume_credentials();
      # caller authenticated
   }
}
Regards,
*Pat Burke*



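
The mapping check described in the reply above, modelled in Python as an added example (not code from the thread or from OpenSIPS): each constructed INVITE is evaluated under three policies, From user equal to the auth username, no identity check, and an auth-username-to-CLI mapping. The mapping contents, host names, numbers and policy names are assumptions made for the illustration.

```python
"""Added example: auth-username -> CLI authorization check on constructed requests."""
import re

# Constructed mapping, standing in for the "uri" table or a custom table:
# digest auth username -> From usernames (CLIs) that trunk may present.
ALLOWED_CLI = {
    "trunk-acme": {"12125550100", "12125550101"},
    "trunk-beta": {"13055550199"},
}

FROM_RE = re.compile(r"^(?:From|f)[ \t]*:(.*)$", re.I | re.M)
AUTH_RE = re.compile(r"^Proxy-Authorization[ \t]*:[ \t]*Digest[ \t]+(.*)$", re.I | re.M)
USERNAME_RE = re.compile(r'(?:^|[,\s])username\s*=\s*"([^"]*)"', re.I)
QUOTED_NAME_RE = re.compile(r'^\s*"(?:[^"\\]|\\.)*"')
URI_USER_RE = re.compile(r"sips?:([^@:;>\s]+)(?::[^@\s]*)?@", re.I)


def _headers(msg):
    return msg.split("\r\n\r\n", 1)[0]


def from_user(msg):
    """User part of the From URI, ignoring any quoted display name."""
    m = FROM_RE.search(_headers(msg))
    if not m:
        return None
    value = QUOTED_NAME_RE.sub("", m.group(1).strip(), count=1)
    angle = re.search(r"<([^>]*)>", value)
    addr = angle.group(1) if angle else value.split(";", 1)[0]
    user = URI_USER_RE.search(addr)
    return user.group(1) if user else None


def auth_user(msg):
    """Digest username (user part only) from Proxy-Authorization, if present."""
    m = AUTH_RE.search(_headers(msg))
    u = USERNAME_RE.search(m.group(1)) if m else None
    return u.group(1).split("@", 1)[0] if u else None


def decide(msg, policy):
    """Return 'challenge', 'forbid' or 'accept' for one request.

    Assumption: credentials that are present have already passed digest
    verification (the proxy_authorize() step in the script above).
    """
    au = auth_user(msg)
    if au is None:
        return "challenge"
    fu = from_user(msg)
    if fu is None:
        return "forbid"
    if policy == "equal":        # From user must equal the auth username
        ok = fu == au
    elif policy == "mapping":    # From user must be a CLI assigned to this trunk
        ok = fu in ALLOWED_CLI.get(au, ())
    elif policy == "none":       # identity check removed
        ok = True
    else:
        raise ValueError(policy)
    return "accept" if ok else "forbid"


def invite(from_value, auth_username=None):
    """Build a constructed INVITE; digest values are placeholders."""
    lines = ["INVITE sip:18005550123@sip.example.net SIP/2.0",
             "Via: SIP/2.0/UDP pbx.example.com;branch=z9hG4bKexample",
             "From: " + from_value,
             "To: <sip:18005550123@sip.example.net>",
             "Call-ID: constructed-1@pbx.example.com",
             "CSeq: 2 INVITE"]
    if auth_username:
        lines.append('Proxy-Authorization: Digest username="%s", '
                     'realm="sip.example.net", nonce="PLACEHOLDER", '
                     'uri="sip:18005550123@sip.example.net", '
                     'response="PLACEHOLDER"' % auth_username)
    return "\r\n".join(lines + ["Content-Length: 0", "", ""])


# Constructed requests: a trunk using its own CLI, the same trunk presenting a
# CLI assigned to another trunk, a quoted display name that contains a URI,
# and a request without credentials.
OWN_CLI = invite("<sip:12125550100@sip.example.net>;tag=a1", "trunk-acme")
OTHER_CLI = invite("<sip:13055550199@sip.example.net>;tag=a2", "trunk-acme")
NAME_WITH_URI = invite('"sip:12125550100@sip.example.net" '
                       "<sip:19005550000@sip.example.net>;tag=a3", "trunk-acme")
NO_AUTH = invite("sip:12125550100@sip.example.net;tag=a4")

if __name__ == "__main__":
    for name, msg in [("own CLI", OWN_CLI), ("other trunk's CLI", OTHER_CLI),
                      ("display name with URI", NAME_WITH_URI),
                      ("no credentials", NO_AUTH)]:
        print(name, {p: decide(msg, p) for p in ("equal", "none", "mapping")})
```

With the identity check removed, any authenticated trunk is accepted with any From user, which is the exposure asked about; the mapping policy accepts only the CLIs assigned to the authenticated trunk.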


Re: [OpenSIPS-Users] pv_proxy_authorize cache

2017-07-25 Thread Bogdan-Andrei Iancu

Hi Mike,

depending on your SIP flow, you can use either www_ (if a REGISTER) or 
proxy_ (if a non-REGISTER) functions.


In your script snip, you must populate both auth username and password 
before calling the auth function. I do not see the $avp(usuario) set 
(probably with $fU ??). Also, if the password is plain/text, be sure you 
properly set the calculate_ha1 parameter.


Best regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/24/2017 11:21 PM, Mike Tesliuk wrote:


Hello there,


Im trying to implement a proxy_authorize using cache without success.


is that possible to perform the cache using proxy_authorize ? on the 
example [1] i see the www_challenge() no proxy_challenge, is that 
correct ?



on my test im doing this (below):


modparam("auth","username_spec", "$avp(usuario)")
modparam("auth","password_spec", "$avp(senha)")
modparam("auth_db", "load_credentials", "$avp(senha)=password")


$avp(usuario) = $fU;

if(cache_fetch("redis","passwd_$fU",$avp(senha))) {
    if(!pv_proxy_authorize("")){
        proxy_challenge("","0");
        exit;
    }
}else{
    if(!proxy_authorize("")){
        proxy_challenge("","0");
        exit;
    }

    cache_store("redis","passwd_$fU","$avp(senha)",3600);
}

But with this rule i do not get the user authenticated.

what im doing wrong ? :)


Thanks in advance


[1] - https://www.opensips.org/Documentation/Tutorials-MemoryCaching#toc3

--
Sincerely,
WSU TECNOLOGIA
Mike Tesliuk
Rua Visconde do Rio Branco 1630 . Sala 1302 . Curitiba . PR
12387 SW 125th ter, Miami, Florida 33186 - USA
tel +55 (41) 3941.0650   +1 (786) 719.6253


[OpenSIPS-Users] TLS_MGM: Multi-domain Client Certificate Validation

2017-07-25 Thread Callum Guy
Hi All,

*Running: *opensips-2.3.1-1.el7.x86_64 / CentOS 7

I have been working with a new TLS connection and have been having problems
validating their client certificate. My OpenSIPs configuration works fine
for other providers (i.e. Twilio) however I am seeing the following error
messages reported while verify_cert is enabled:

Jul 25 13:10:32 proxy.ex.com opensips[4881]:
NOTICE:tls_mgm:verify_callback: depth = 0
Jul 25 13:10:32 proxy.ex.com opensips[4881]:
NOTICE:tls_mgm:verify_callback: subject =
/serialNumber=03379831/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private
Organization/C=GB/postalCode=SO16 7NP/L=Southampton/street=2 Venture
Road/O=SIMWOOD ESMS LIMITED/OU=COMODO EV Multi-Domain SSL/CN=simwood.com
Jul 25 13:10:32 proxy.ex.com opensips[4881]:
NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local
issuer certificate
Jul 25 13:10:32 proxy.ex.com opensips[4881]:
NOTICE:tls_mgm:verify_callback: something wrong with the cert ... error
code is 20 (check x509_vfy.h)
Jul 25 13:10:32 proxy.ex.com opensips[4881]:
NOTICE:tls_mgm:verify_callback: verify return:0
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_accept:
New TLS connection from 178.22.140.34:34281 failed to accept
Jul 25 13:10:32 proxy.ex.com opensips[4881]:
ERROR:proto_tls:tls_print_errstack: TLS errstack: error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Jul 25 13:10:32 proxy.ex.com opensips[4881]: ERROR:proto_tls:tls_read_req:
failed to do pre-tls reading

Part of my reason for resorting to the mailing list are old mailing list
emails discussing that multi-domain certificates are not supported by
OpenSIPs - is anyone able to confirm if this remains a problem?

The openssl error code 20 is translated as
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY

I have seen other reports that this issue may be related to an improperly
chained certificate - does this sound at all likely?

Any tips on debugging would be greatly appreciated, thanks.

Callum
-- 
Callum Guy
Head of Information Security
X-on

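
An added example, not part of the original post or of OpenSIPS: a Python script that rejoins wrapped tls_mgm verify_callback log lines like those above and reports each failed verification with its OpenSSL error name and a remediation hint. The sample log is constructed and the hint wording is an assumption; error 20 at depth 0 means the CA that signed the peer's certificate could not be found in the local CA list.

```python
"""Added example: triage of tls_mgm verify_callback failures in an OpenSIPS log."""
import re

# Constructed sample in the format of the post above (RFC 5737 addresses,
# placeholder names); the first connection is wrapped the way the archive shows it.
SAMPLE_LOG = """\
Jul 25 13:10:32 proxy.example.net opensips[4881]:
NOTICE:tls_mgm:verify_callback: depth = 0
Jul 25 13:10:32 proxy.example.net opensips[4881]:
NOTICE:tls_mgm:verify_callback: subject =
/C=GB/O=Example Carrier Ltd/OU=Example EV Multi-Domain
SSL/CN=sip.carrier.example
Jul 25 13:10:32 proxy.example.net opensips[4881]:
NOTICE:tls_mgm:verify_callback: verify error:num=20:unable to get local
issuer certificate
Jul 25 13:10:32 proxy.example.net opensips[4881]:
NOTICE:tls_mgm:verify_callback: verify return:0
Jul 25 13:10:32 proxy.example.net opensips[4881]: ERROR:proto_tls:tls_accept:
New TLS connection from 192.0.2.10:34281 failed to accept
Jul 25 13:11:02 proxy.example.net opensips[4882]: NOTICE:tls_mgm:verify_callback: depth = 0
Jul 25 13:11:02 proxy.example.net opensips[4882]: NOTICE:tls_mgm:verify_callback: subject = /O=Example PBX/CN=pbx.example.org
Jul 25 13:11:02 proxy.example.net opensips[4882]: NOTICE:tls_mgm:verify_callback: verify error:num=10:certificate has expired
Jul 25 13:11:02 proxy.example.net opensips[4882]: NOTICE:tls_mgm:verify_callback: verify return:0
Jul 25 13:11:02 proxy.example.net opensips[4882]: ERROR:proto_tls:tls_accept: New TLS connection from 198.51.100.7:5061 failed to accept
Jul 25 13:12:40 proxy.example.net opensips[4883]: NOTICE:tls_mgm:verify_callback: depth = 0
Jul 25 13:12:40 proxy.example.net opensips[4883]: NOTICE:tls_mgm:verify_callback: verify return:1
"""

X509_ERRORS = {  # names as defined in OpenSSL's x509_vfy.h
    2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}
MISSING_ISSUER = {2, 20, 21}

REC_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ opensips\[(\d+)\]:\s*")
MSG = re.compile(r"^\w+:(\w+):(\w+):\s*(.*)$")
VERIFY_ERR = re.compile(r"verify error:num=(\d+):(.*)")


def unwrap(text):
    """Rejoin wrapped lines; return [pid, message] per syslog record."""
    records = []
    for line in text.splitlines():
        m = REC_START.match(line)
        if m:
            records.append([m.group(1), line[m.end():].strip()])
        elif records and line.strip():
            records[-1][1] = (records[-1][1] + " " + line.strip()).strip()
    return records


def _finding(cb, peer):
    num = cb["error_num"]
    if num in MISSING_ISSUER:
        hint = ("issuer not found in the local CA list: add the intermediate "
                "and root CA certificates that signed this peer to ca_list")
    elif num == 10:
        hint = "peer certificate has expired: the peer must renew it"
    elif num in (18, 19):
        hint = "self-signed certificate: trust it explicitly or reject the peer"
    else:
        hint = "look the code up in x509_vfy.h"
    return {"peer": peer, "depth": cb.get("depth"), "cn": cb.get("cn"),
            "error_num": num, "error_text": cb["error_text"],
            "error_name": X509_ERRORS.get(num, "unlisted"), "hint": hint}


def triage(text):
    """Return one finding per failed certificate verification."""
    findings, current, failed = [], {}, {}
    for pid, body in unwrap(text):
        m = MSG.match(body)
        if not m:
            continue
        func, msg = m.group(2), m.group(3)
        if func == "verify_callback":
            cb = current.setdefault(pid, {})
            err = VERIFY_ERR.match(msg)
            if msg.startswith("depth ="):          # a new callback starts
                current[pid] = {"depth": int(msg.split("=", 1)[1])}
            elif msg.startswith("subject ="):
                cn = re.search(r"/CN=([^/]+)", msg)
                cb["cn"] = cn.group(1).strip() if cn else None
            elif err:
                cb["error_num"] = int(err.group(1))
                cb["error_text"] = err.group(2).strip()
            elif msg.startswith("verify return:"):
                done = current.pop(pid)
                if msg.endswith(":0") and "error_num" in done:
                    failed[pid] = done             # wait for the tls_accept line
        elif func == "tls_accept" and pid in failed:
            peer = re.search(r"from (\S+) failed to accept", msg)
            findings.append(_finding(failed.pop(pid), peer.group(1) if peer else None))
    findings.extend(_finding(cb, None) for cb in failed.values())
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["peer"], f["cn"], f["error_num"], f["error_name"], "->", f["hint"])
```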


Re: [OpenSIPS-Users] I have a query regarding loadbalance of opensips .

2017-07-25 Thread Sasmita Panda
Is there any way opensips nodes will be connected in TCP? If what I am
expecting is not possible then I will leave this.

Then my question is what's the use of opensips cluster using same DB? In
which scenario I can use this. I just want a cluster of opensips node
sharing a single DB. How can I achieve this?


*Thanks & Regards*
*Sasmita Panda*
*Network Testing and Software Engineer*
*3CLogic , ph:07827611765*

On Tue, Jul 25, 2017 at 5:18 PM, Bogdan-Andrei Iancu wrote:

> Hi Sasmita,
>
> There is an incompatibility between your opensips cluster design and your
> network topology. If the end device is TCP connected to one Node, and it is
> not able (due network constraints) to receive TCP connections from any
> other Node, it makes no sense to share the registration data between the
> OpenSIPS Nodes as only the Node that received the registration will be able
> to reach back the device (again, due network constraints)
>
> Best regards,
>
> Bogdan-Andrei Iancu
>   OpenSIPS Founder and Developer
>   http://www.opensips-solutions.com
>
> OpenSIPS Bootcamp 2017, Houston, US
>   http://opensips.org/training/OpenSIPS_Bootcamp_2017.html
>
> On 07/24/2017 03:24 PM, Sasmita Panda wrote:
>
> Hi  All ,
>
>   I wanted to use a single DB against 2 or more registrar server .
>
>  Below is my requirement :
>
>  Opensips1 (x.x.x.x) -> DB
>  Opensips2 (x.x.x.y) -> DB
>
>DB is in different machine and both opensips servers are accessing
> the same DB .  Opensips is running on Db only mode . db_mode: 3 .
>
>
> I had mapped a domain in route53 ex. " loadbalance.i3clogic.com " and
> against this domain I have added both the IPs of opensips1 and 2 as SRV .
>
>  I have added this domain in my opensips config file as aslias in
> both the config files  .
>
>what my client do is , it does SRV query in the domain and resolve
> 1 Ip at a time and send requests to that .
>
> example :
> A-> SRV query( resolve Ip opensips1)  -> sent Register Opensips1 -> store
> in DB
>  This can change in ttl expire or in re-login of A . A is making TCP
> connection with opensips .
>
> when an Invite comes for A  to opensips2 , that send 477 send fail .
>
> B -> Inv (TCP connection for A ) Opensips2
>
>   Opensips2 replys with 477 send fail to B . The reason behind this is
> A is registered through Opensips1 .
>
> This is what I want and the problem I am facing . My questing is how can I
> solve this . I dont want to add any proxy in between client and opensips1/2
> . Is there any way this will work for me ?
>
> *Thanks & Regards*
> *Sasmita Panda*
> *Network Testing and Software Engineer*
> *3CLogic , ph:07827611765*


Re: [OpenSIPS-Users] I have a query regarding loadbalance of opensips .

2017-07-25 Thread Bogdan-Andrei Iancu

Hi Sasmita,

There is an incompatibility between your opensips cluster design and 
your network topology. If the end device is TCP connected to one Node, 
and it is not able (due to network constraints) to receive TCP connections 
from any other Node, it makes no sense to share the registration data 
between the OpenSIPS Nodes as only the Node that received the 
registration will be able to reach back the device (again, due to network 
constraints)


Best regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/24/2017 03:24 PM, Sasmita Panda wrote:

Hi  All ,
  I wanted to use a single DB against 2 or more registrar server .

 Below is my requirement :

 Opensips1 (x.x.x.x) -> DB
 Opensips2 (x.x.x.y) -> DB

   DB is in different machine and both opensips servers are 
accessing the same DB .  Opensips is running on Db only mode . 
db_mode: 3 .



I had mapped a domain in route53 ex. " loadbalance.i3clogic.com " and 
against this domain I have added both the IPs of opensips1 and 2 as SRV .


 I have added this domain in my opensips config file as aslias 
in both the config files  .


   what my client do is , it does SRV query in the domain and 
resolve 1 Ip at a time and send requests to that .


example :
A-> SRV query( resolve Ip opensips1)  -> sent Register Opensips1 -> 
store in DB
 This can change in ttl expire or in re-login of A . A is making 
TCP connection with opensips .


when an Invite comes for A  to opensips2 , that send 477 send fail .

B -> Inv (TCP connection for A ) Opensips2

  Opensips2 replys with 477 send fail to B . The reason behind 
this is A is registered through Opensips1 .


This is what I want and the problem I am facing. My question is how 
can I solve this. I don't want to add any proxy in between client and 
opensips1/2. Is there any way this will work for me?

*/Thanks & Regards/*
/Sasmita Panda/
/Network Testing and Software Engineer/
/3CLogic , ph:07827611765/




Re: [OpenSIPS-Users] LoadBalancer and Clusterer

2017-07-25 Thread Bogdan-Andrei Iancu

Hello Mike,

The profile replication (the thing you were already doing) and the 
destination status replication (newly added in 2.3) are different kinds 
of replication, different data in different modules.


The /s is about dialog profile replication and it is at the dialog 
module level.


At the LB module level we have the replication of the status of the 
destination.


The two kinds of replications are independent.

Best regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/23/2017 12:36 AM, Mike Tesliuk wrote:


Hello,


In the past, I had implemented the dialog with cachedb and 
load_balancer using a nosql, using the resource with the /s , as the 
load_balancer have the parameter receive the replication, how do I use that?



without the /s when I create a call I do not see the resource being 
used on node 2, is that supposed to happen?



Thank you.


PS: testing the 2.3 version


--
Sincerely,
WSU TECNOLOGIA
Mike Tesliuk
Rua Visconde do Rio Branco 1630 . Sala 1302 . Curitiba . PR
12387 SW 125th ter, Miami, Florida 33186 - USA
tel +55 (41) 3941.0650   +1 (786) 719.6253


Re: [OpenSIPS-Users] error on script generation

2017-07-25 Thread Bogdan-Andrei Iancu

Hi Mike,

Yes, you are right, I just fixed this on 2.2, 2.3 and devel branches. 
Please double-check for me.


Many thanks,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/22/2017 05:18 PM, Mike Tesliuk wrote:


Hello there,


I'm compiling the opensips 2.3 and the generated script with tls 
generates the lines below:


modparam("proto_tls","verify_cert", "1")
modparam("proto_tls","require_cert", "0")
modparam("proto_tls","tls_method", "TLSv1")

modparam("proto_tls","certificate", "/usr/local/etc/opensips/tls/user/user-cert.pem")
modparam("proto_tls","private_key", "/usr/local/etc/opensips/tls/user/user-privkey.pem")
modparam("proto_tls","ca_list", "/usr/local/etc/opensips/tls/user/user-calist.pem")



Those parameters are from tls_mgm not from proto_tls, right? In the module 
documentation they are in the tls_mgm section



--
Sincerely,
WSU TECNOLOGIA
Mike Tesliuk
Rua Visconde do Rio Branco 1630 . Sala 1302 . Curitiba . PR
12387 SW 125th ter, Miami, Florida 33186 - USA
tel +55 (41) 3941.0650   +1 (786) 719.6253


Re: [OpenSIPS-Users] Registered trunks

2017-07-25 Thread Pat Burke
Mike,

Thanks for the response.  The PBX that is interfacing with us does not have 
that option.  And because of the varied nature of PBX's, I would like to
be as generic as possible.  

So to me it really comes back to what is the exposure to not performing the 
"db_check_from"?

Regards,
Pat Burke



Hello Pat,


I think that you can ask them to set the From Name as the callerid so
you can use transformation to take the information [1]


Example:

                xlog("FROM NAME: $(hdr(From){nameaddr.name})");
                xlog("FROM USER: $fU");

       

Result (on log):


Jul 24 22:06:51 opensipsHomolog2 /usr/local/sbin/opensips[7960]: FROM NAME: "1016"
Jul 24 22:06:51 opensipsHomolog2 /usr/local/sbin/opensips[7960]: FROM USER: 10160393



After the authentication you can use the uac_replace_from[2] and change
the callerid that you send your carriers.



[1] - https://www.opensips.org/Documentation/Script-Tran-2-2
[2] - http://www.opensips.org/html/docs/modules/devel/uac.html#idp5265536


On 24/07/17 21:32, Pat Burke wrote:
> Hello,
>
> As a SIP Provider, we implementing the ability to provide SIP trunks
> to customers with a PBX or Dialer that require Registration.  With
> this in mind,
> the customer wants to be able to set the CallerID on at least on the
> basis of the devices connected tho them, but potentially on a per call
> basis.
>
> For the challenge-response to the non-Register methods, we have
> implemented the script as follows (seems to be a very standard way). 
> My question is
> for the case of the CallerID not being the same as the
> username/authorization name, how do we do this?  Because the "FROM"
> user is different from the
> authorized user, the db_check_from fails.  I don't believe all phone
> systems support P-Asserted-ID, so we can't really go that route.  So
> can we just remove
> the "db_check_from"?   What risk does that expose us to?
>
> if ( !(is_method("REGISTER")) ) {
>   if (is_from_local("$var(reg_domain_attr)")) { # from Registered device
>       $avp(callee_number_type) := "Registered";
>
>       # authenticate if from local subscriber
>       # authenticate all initial non-REGISTER request that pretend to be
>       # generated by local subscriber (domain from FROM URI is local)
>       if (!proxy_authorize("", "subscriber")) {
>          proxy_challenge("", "0");
>          exit;
>       }
>
>       if (!db_check_from()) {
>          sl_send_reply("403","Forbidden auth ID");
>          exit;
>       }
>
>       consume_credentials();
>       # caller authenticated
>    }
> }
> Regards,
> *Pat Burke*






Re: [OpenSIPS-Users] Uac registrant check

2017-07-25 Thread Bogdan-Andrei Iancu

Hi Volkan,

I think you are looking for the is_registered() function:
http://www.opensips.org/html/docs/modules/2.2.x/registrar.html#idp5648928

Regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/21/2017 12:34 PM, Volkan Oransoy wrote:

Hi all,

I use uac_registrant to register to remote SIP systems and 
registration phase seems ok. What I want to do is to receive calls 
from these systems and before accepting calls to my box, I want to 
check destination, if it is a valid record on my system. I found a 
couple of replies on list archives and one of them suggests to lookup 
against AOR. But that doesn’t work right now. What is the most suitable 
way to do this?



if ( check_source_address("1","$avp(trunk_attrs)") ) {
    # request comes from trunks
    setflag(IS_TRUNK);
} else if ( is_from_gw() ) {
    # request comes from GWs
} else if ( lookup("location","","$ru") ){
    xlog("Location check for $ru passed.\n");
} else {
    xlog("Location check for $ru failed.\n");
    send_reply("403","Forbidden");
    exit;
}

Regards,

/Volkan




Re: [OpenSIPS-Users] Accounting of 200 OK and BYE

2017-07-25 Thread Bogdan-Andrei Iancu

Hi Daniel,

There are 3 types of accountings in OpenSIPS - per message, per 
transaction, per dialog.


For the per message, it is clear :) . When doing per-transaction 
accounting, the ACC record is written when the transaction is completed 
with a final response (>=200) on the UAS side (towards caller). For the 
dialog based accounting, the time reference (for ending the call) is the 
reception of BYE request; still the CDR is written on the BYE final 
reply (as OpenSIPS allows you to collect CDR info from the BYE replies too).


Best regards,

Bogdan-Andrei Iancu
  OpenSIPS Founder and Developer
  http://www.opensips-solutions.com

OpenSIPS Bootcamp 2017, Houston, US
  http://opensips.org/training/OpenSIPS_Bootcamp_2017.html

On 07/20/2017 10:49 PM, Daniel Zanutti wrote:

Hi Alex

I'm having a billing problem from receiving BYE to 200 OK is taking 
more than 500ms. If BYE is accounted when it's received, great!


Are you absolutely sure it works this way?

Thanks

On Thu, Jul 20, 2017 at 4:26 PM, Alex Balashov wrote:


My understanding is that this is a rather simple module without
sophisticated state componentry, and that it logs things
immediately as received, in the same iteration of message processing.

-- Alex

--
Principal, Evariste Systems LLC (www.evaristesys.com)

Sent from my Google Nexus.
