Re: [OpenSIPS-Users] OpenSIPS on Cloud (AWS or Azure)

[Joseph Jackson]

There are no issues running it on any of the cloud providers I've found so far 
- never used Azure tho.



From: Users  on behalf of Andrés Alberto 
Lavariega Castellanos 
Sent: Thursday, January 5, 2023 11:50 PM
To: users@lists.opensips.org 
Subject: [OpenSIPS-Users] OpenSIPS on Cloud (AWS or Azure)


I'm trying to install OpenSips on Digital Ocean's server, if the service has a 
public IP I think I should have no problem.





[cid:image001.png@01D92160.8422F200]

Andres Lavariega

Back End VoIP

[cid:image002.png@01D92160.8422F200]

5579192214



[cid:image003.png@01D92160.8422F200]

andres.lavari...@directo.com



[cid:image004.png@01D92160.8422F200]

Torre Virreyes, Pedregal 24, piso 6
CDMX, México 11040

+52 55 5201 4550



[cid:image005.png@01D92160.8422F200]

www.directo.com
















AVISO DE CONFIDENCIALIDAD: Este correo electrónico y su contenido (incluyendo 
cualquier archivo adjunto o link hacia alguna URL), contiene información que es 
confidencial y/o legalmente privilegiada. La copia, revisión, uso, revelación 
y/o distribución de dicha información confidencial sin la autorización por 
escrito del remitente queda estrictamente prohibida. Si usted no es el 
destinatario a quien se dirige el presente correo, por favor notifique al 
remitente respondiendo al presente correo y elimine el correo original 
incluyendo cualquier archivo adjunto, así como cualquier copia del mismo. 
Mediante la recepción del presente correo usted reconoce y acepta que en caso 
de incumplimiento de su parte y/o de sus representantes a los términos antes 
mencionados, el remitente tendrá derecho a los daños y perjuicios que esto le 
cause.

CONFIDENTIALITY NOTICE: This email and its contents (including any attachments 
or linked urls) may contain information that is confidential and/or legally 
privileged. Any unauthorized use, disclosure, and/or distribution of such 
information is prohibited. If you are not the intended recipient, please notify 
the sender, delete the original email and any attachments, and destroy any 
copies thereof.

By receiving this e-mail, you acknowledge that any breach by you and/or your 
representatives of the above provisions may entitle the sender for damages.
___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

[OpenSIPS-Users] UAC to UAC prefix

[Pat M via Users]

Hello

I have set up opensips as a registrar server hosting my uac clients
my users extensions are labelled like 2000-companyname
but when i dial the extension it tries to make an outbound call as it does not 
look at the -prefix

so my question is, how can i make it that if my from matches the domain it 
strips off the prefix and dials to the uac

please can you point me to the correct direction

Sent with [Proton Mail](https://proton.me/) secure email.___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

[OpenSIPS-Users] Call Auth

[MR Miagi via Users]

Sent with [Proton Mail](https://proton.me/) secure email.___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [OpenSIPS-Users] stir shaken verification

[Marcin Groszek]

I was/am suspecting openssl library, but I refuse to dedicate any more 
time to troubleshoot. It is quite easy to install new OS and try it 
again, especially for test environment.



On 1/6/2023 10:36 AM, Jonathan Abrams wrote:
IIRC, the issue you were having with the validation failures on CentOS 
7 was related to a shared library. OpenSSL I think.


-Jon Abrams


On Fri, Jan 6, 2023, 10:30 AM Marcin Groszek > wrote:


Thank you for all your help.

My test opensips installation was on CentOS 7 and cert
verification has been failing.

The certificates are verifying with same opensips version 3.1.5
and same configuration on Oracle linux 8.6.

Thank you again for all your answers and help.


On 1/5/2023 5:24 PM, Marcin Groszek wrote:


Yes it is, I sent it to xlog it  an it does.

On 1/5/2023 4:45 PM, David Villasmil wrote:

Is $var(cert) actually set? Print it out

On Thu, 5 Jan 2023 at 23:19, Marcin Groszek mailto:mar...@voipplus.net>> wrote:

Thank you very much. I have the same file, and verification
is still failing. Perhaps  my config:


$var(found) = cache_fetch("local", $identity(x5u), $var(cert));
if (!$var(found) || !stir_shaken_check_cert("$var(cert)")) {
    rest_get( "$identity(x5u)", $var(cert), $var(ctype),
$var(http_rc));
    if ($rc<0 || $var(http_rc) != 200) {
    send_reply(436, "Bad Identity Info");
    exit;
    }
    cache_store("local", $identity(x5u), $var(cert), 60);
}

stir_shaken_verify( "$var(cert)", $var(err_sip_code),
$var(err_sip_reason));
if ($rc < 0) {
    xlog("stir_shaken_verify() failed: $var(err_sip_code),
$var(err_sip_reason) \n");
    send_reply( $var(err_sip_code), $var(err_sip_reason));
    exit;
}


I figured this much:

$var(cert) is a public certificate downloaded from
$identity(x5u), if it does not exists in local cache it gets
pulled and stored,

stir_shaken_check_cert("$var(cert)") is generating these errors:

ERROR:stir_shaken:load_cert: Failed to parse certificate
ERROR:stir_shaken:w_stir_check_cert: Failed to load
certificate ( because the entry does not exists in local cashdb)

this forces the download of the public cert from
$identity(x5u) and store in local cashdb

second attempt does not generate this errors, however calls
with deferent identity header and url for public cert should
generate same errors again as the public cert from new url
is not in local cashdb, but it is NOT generating same error.

Also, I have minimize cache_store  down to 1 second and
after that second call with same $identity(x5u) should
generate same errors , but it is not.

an example at shaken-not-stirred page have :

rest_get( "$identity(x5u)", "$var(cert)",
 $var(ctype), $var(http_rc));

but this fails a start-up with error ERROR:core:fix_cmd:
Param [2] expected to be a variable so I removed the double
quotes from around $var(cert) .



On 1/5/2023 1:18 PM, Joseph Jackson wrote:

Hi Marcin,

I suspect you are correct that its how you are decoding the
ca cert file from iconectiv.

attached is what we have currently and it works in our
production enviroment.

If the maillist strips out that attachment let me know. 
You can reach me directly at jjack...@aninetworks.net


Joseph


*From:* Users 
 on behalf of
Marcin Groszek 

*Sent:* Thursday, January 5, 2023 10:16 AM
*To:* users@lists.opensips.org

 
*Subject:* Re: [OpenSIPS-Users] stir shaken verification

Joseph, Thank you very much for your respond.


I have downloaded and apply new sti-ca file but certificate
validation fails.

INFO:stir_shaken:verify_callback: certificate validation
failed: certificate signature failure
INFO:stir_shaken:w_stir_verify: Invalid certificate
DBG:core:comp_scriptvar: int 26 : -8 / 0
[1637] stir_shaken_verify() failed: 437, Unsupported Credential


Perhaps I am not processing the sti-ca file properly.


I am testing this with a valid token , in fact test calls
are coming from major cellular carrier in US and the
verification fails.

I can see curl download the public cert, storing it in
local cache and then attempt to verify, but it fails.

Upon next call with 

[OpenSIPS-Users] OpenSIPS on Cloud (AWS or Azure)

[Andrés Alberto Lavariega Castellanos]

I'm trying to install OpenSips on Digital Ocean's server, if the service has a 
public IP I think I should have no problem.


[cid:image001.png@01D92160.8422F200]
Andres Lavariega
Back End VoIP
[cid:image002.png@01D92160.8422F200]
5579192214

[cid:image003.png@01D92160.8422F200]
andres.lavari...@directo.com

[cid:image004.png@01D92160.8422F200]
Torre Virreyes, Pedregal 24, piso 6
CDMX, México 11040
+52 55 5201 4550

[cid:image005.png@01D92160.8422F200]
www.directo.com














AVISO DE CONFIDENCIALIDAD: Este correo electrónico y su contenido (incluyendo 
cualquier archivo adjunto o link hacia alguna URL), contiene información que es 
confidencial y/o legalmente privilegiada. La copia, revisión, uso, revelación 
y/o distribución de dicha información confidencial sin la autorización por 
escrito del remitente queda estrictamente prohibida. Si usted no es el 
destinatario a quien se dirige el presente correo, por favor notifique al 
remitente respondiendo al presente correo y elimine el correo original 
incluyendo cualquier archivo adjunto, así como cualquier copia del mismo. 
Mediante la recepción del presente correo usted reconoce y acepta que en caso 
de incumplimiento de su parte y/o de sus representantes a los términos antes 
mencionados, el remitente tendrá derecho a los daños y perjuicios que esto le 
cause.

CONFIDENTIALITY NOTICE: This email and its contents (including any attachments 
or linked urls) may contain information that is confidential and/or legally 
privileged. Any unauthorized use, disclosure, and/or distribution of such 
information is prohibited. If you are not the intended recipient, please notify 
the sender, delete the original email and any attachments, and destroy any 
copies thereof.

By receiving this e-mail, you acknowledge that any breach by you and/or your 
representatives of the above provisions may entitle the sender for damages.
___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

[OpenSIPS-Users] TLS verify client

[L S]

Hi,
We are upgrading from 1.11.5 tls to 3.2.9. In 1.11 we had issues with the
client certificate so we had to set the following:

# 1.11 parameters
tls_verify_server = 1
tls_verify_client = 0tls_require_client_certificate = 0

TLS works fine for us with those settings. Now we are trying to migrate
them to 3.2.9 and having issues. Just wanted to confirm
if the following is correct way to migrate those parameters to 3.2? (Just
included those parameters - the domains are set up correctly)

Server domain
modparam("tls_mgm", "verify_cert", "[dom1]0")
modparam("tls_mgm", "require_cert", "[dom1]0")

Client domain
modparam("tls_mgm", "verify_cert", "[dom2]1")
modparam("tls_mgm", "require_cert", "[dom2]1")

Thanks,
Matt
___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

[OpenSIPS-Users] Ratelimit CPS Algorithms

[James Seer]

Hello,
I'm trying to find the best way to control calls coming to my opensips box
using the Ratelimit module.
i'm setting a specific cps limit to each customer via its ip source and i
want precision and accuracy without exhausting my server (vultr virtual
machine 2 cores, 4gb ram with 2gb dedicated to opensips shared memory and
32m shared + 8 udp workers with a profile scalling up to 16 workers on 70%
load)
I was able to achieve what I wanted by using the SBT algorithm, a
window_size of 1 second and slot_period of 200 milliseconds, 5 slots in
total. Most of my customers have a 5 to 20 cps limit.

modparam("ratelimit", "window_size", 1)
modparam("ratelimit", "slot_period", 200)

if(!rl_check("RL_$si", 5, "SBT")) send_reply("403", "Cps Exceeded");

I admit not being able to understand how the SBT algorithm works via the
documentation, I wanted to know if the values i set for window_size and
slot_period are the best for CPS Limitation.
Also do you confirm that SBT is the most accurate among other ratelimit
algorithms for calls per second limitation ?

Thank you
___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users