Re: [OpenSIPS-Users] TLS discrepancy between 1.7.1 and 1.11.5

Mon, 31 Aug 2015 10:15:17 -0700 

Hi Bogdan,


Pastebin link is http://pastebin.com/tM7zqTKX


I included both 1.7.1 and 1.11 captures. I don't see a difference between them 
other than 1.11 sending the NOTIFY to UAC unencrypted.

Btw, INVITEs seems to be behaving the same way as NOTIFY (don't have a capture 
for those - I assume the issue is the same).


Btw, TLS works fine between Opensips 1.11 and the phone (OK messages, etc. are 
encrypted).


Thanks,

Matt


[http://pastebin.com/i/fb2.jpg]<http://pastebin.com/tM7zqTKX>

Opensips TLS - Pastebin.com
Read more...<http://pastebin.com/tM7zqTKX>



________________________________
From: Bogdan-Andrei Iancu <bog...@opensips.org>
Sent: Monday, August 31, 2015 5:21 AM
To: OpenSIPS users mailling list; mistral9...@hotmail.com
Subject: Re: [OpenSIPS-Users] TLS discrepancy between 1.7.1 and 1.11.5

Hi Matt,

Can you post of pastebin (or similar) the SIP capture showing the incoming 
NOTIFY (via UDP) from Asterisk and the outgoing NOTIFY (supposedly via TLS) to 
UAC ?
Also the SUBSCRIBE request going from OpenSIPS to Asterisk will help alot.

Regards,

Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
http://www.opensips-solutions.com

On 30.08.2015 18:22, Matt Hamilton wrote:


We use Opensips (with TLS) as a dispatcher to multiple Asterisk servers.  
Currently we are in the process of upgrading from 1.7.1 to 1.11.5, and we ran 
into a discrepancy between 1.7.1 and 1.11.5 regarding SIP NOTIFY messages.


Here is the flow (both ways):

UAC    (TLS) ->     Opensips   (UDP)->     Asterisk
Asterisk     (UDP) ->     Opensips       (TLS)->    UAC


In 1.7.1,  all messages between Opensips and UAC were encrypted - didn't matter 
if it was originated at UAC or Asterisk.

In 1.11.5, the SIP NOTIFY messages coming from Asterisk are sent to UAC 
unencrypted (and not accepted by UAC). Here is the request that Opensips 
receives and sends to the UAC in plaintext:

Request-Line: NOTIFY 
sip:101@1.2.3.4:5075;transport=tls;nat=yes<mailto:sip:101@1.2.3.4:5075;transport=tls;nat=yes>
 SIP/2.0

Anything we can do to have that leg encrypted as well?

Thanks,
Matt




_______________________________________________
Users mailing list
Users@lists.opensips.org<mailto:Users@lists.opensips.org>
http://lists.opensips.org/cgi-bin/mailman/listinfo/users



_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Reply via email to