
SIP/TLS



#1 Muffin Sk


Posted 07 May 2011 - 05:23 PM

Hello all,

I have installed the .deb packages of Asterisk v1.8.3.3 from the upstream project on my Debian GNU/Linux Squeeze server and bought Comodo's PositiveSSL SSL certificate to be used for my SIPS (TLS) and SRTP exercise. After setting up everything and trying to fix this problem, I am still getting a 401 Unauthorized SIP message. Correct me if I'm wrong, the first 401 Unauthorized SIP message is normal and it is expected that the SIP client, which happens to be the SNOM 300, does not try to REGISTER back. So as of this writing, I still cannot successfully REGISTER to my Asterisk box.

Below are the snippets of my Asterisk and SNOM 300 configurations including the logs for your reference.

I hope anyone from this community can help me solve this problem. A HOWTO of a similar scenario will help a lot.

Thank you in advance.

Regards,

Muffin

- - - ASTERISK v1.8.3.3 - - -

[ /etc/asterisk/sip.conf ]

[general]
...
...
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/pbx.domain.com.pem
tlscipher=ALL
tlsclientmethod=tlsv1
tlsbindport=5061
externtlsport=5061
externtcpport=5061
tcpbindaddr=0.0.0.0
tcpbindport=5061
tcpenable=yes
srvlookup=yes

[361]
username=361
secret=*******
callerid="361-tls"<361>
mailbox=361@family
context=family
transport=tls
port=5061
type=friend
host=dynamic
dtmfmode=rfc2833
canreinvite=no
nat=yes
qualify=yes
autoframing=yes
encryption=yes

*CLI> core show version
Asterisk 1.8.3.3-1digium1~squeeze built by pbuilder @ nighthawk on a x86_64 running Linux on 2011-04-22 17:50:44 UTC

*CLI> sip show settings

Global Settings:
----------------
UDP Bindaddress: 0.0.0.0:5060
TCP SIP Bindaddress: 0.0.0.0:5060
TLS SIP Bindaddress: 0.0.0.0:5061
Videosupport: No
Textsupport: No
Ignore SDP sess. ver.: No
AutoCreate Peer: No
Match Auth Username: No
Allow unknown access: No
Allow subscriptions: Yes
Allow overlap dialing: Yes
Allow promsic. redir: No
Enable call counters: No
SIP domain support: Yes
Realm. auth: No
Our auth realm pbx.domain.com
Use domains as realms: No
Call to non-local dom.: Yes
URI user is phone no: No
Always auth rejects: Yes
Direct RTP setup: No
User Agent: "Asterisk rocks!"
SDP Session Name: Asterisk PBX 1.8.3.3-1digium1~squeeze
SDP Owner Name: root
Reg. context: (not set)
Regexten on Qualify: No
Caller ID: asterisk
From: Domain:
Record SIP history: Off
Call Events: Off
Auth. Failure Events: Off
T.38 support: No
T.38 EC mode: Unknown
T.38 MaxDtgrm: -1
SIP realtime: Disabled
Qualify Freq : 60000 ms
Q.850 Reason header: No

Network QoS Settings:
---------------------------
IP ToS SIP: CS0
IP ToS RTP audio: CS0
IP ToS RTP video: CS0
IP ToS RTP text: CS0
802.1p CoS SIP: 4
802.1p CoS RTP audio: 5
802.1p CoS RTP video: 6
802.1p CoS RTP text: 5
Jitterbuffer enabled: Yes
Jitterbuffer forced: No
Jitterbuffer max size: 200
Jitterbuffer resync: 1200
Jitterbuffer impl: fixed
Jitterbuffer log: No

Network Settings:
---------------------------
SIP address remapping: Enabled using externhost
Externhost: pbx.domain.com
externaddr: 11.22.33.44:0
Externrefresh: 10
Localnet: 192.168.101.0/255.255.255.0

Global Signalling Settings:
---------------------------
Codecs: 0x60e (gsm|ulaw|alaw|speex|ilbc)
Codec Order: ulaw:20,alaw:20,gsm:20,speex:20,ilbc:30
Relax DTMF: No
RFC2833 Compensation: No
Symmetric RTP: No
Compact SIP headers: No
RTP Keepalive: 0 (Disabled)
RTP Timeout: 15
RTP Hold Timeout: 0 (Disabled)
MWI NOTIFY mime type: application/simple-message-summary
DNS SRV lookup: Yes
Pedantic SIP support: Yes
Reg. min duration 1800 secs
Reg. max duration: 3600 secs
Reg. default duration: 120 secs
Outbound reg. timeout: 20 secs
Outbound reg. attempts: 0
Notify ringing state: Yes
Include CID: No
Notify hold state: No
SIP Transfer mode: open
Max Call Bitrate: 384 kbps
Auto-Framing: No
Outb. proxy: <not set>
Session Timers: Refuse
Session Refresher: uas
Session Expires: 1800 secs
Session Min-SE: 90 secs
Timer T1: 3000
Timer T1 minimum: 100
Timer B: 192000
No premature media: Yes
Max forwards: 70

Default Settings:
-----------------
Allowed transports: UDP
Outbound transport: UDP
Context: default
Force rport: No
DTMF: rfc2833
Qualify: 0
Use ClientCode: No
Progress inband: Never
Language:
MOH Interpret: default
MOH Suggest:
Voice Mail Extension: asterisk

*CLI> sip show peer 361

* Name : 361
Secret : <Set>
MD5Secret : <Not set>
Remote Secret: <Not set>
Context : family
Subscr.Cont. : <Not set>
Language :
AMA flags : Unknown
Transfer mode: open
CallingPres : Presentation Allowed, Not Screened
Callgroup :
Pickupgroup :
MOH Suggest :
Mailbox : 361@family
VM Extension : asterisk
LastMsgsSent : 32767/65535
Call limit : 0
Max forwards : 0
Dynamic : Yes
Callerid : "361-tls" <361>
MaxCallBR : 384 kbps
Expire : -1
Insecure : no
Force rport : Yes
ACL : No
DirectMedACL : No
T.38 support : No
T.38 EC mode : Unknown
T.38 MaxDtgrm: -1
DirectMedia : No
PromiscRedir : No
User=Phone : No
Video Support: No
Text Support : No
Ign SDP ver : No
Trust RPID : No
Send RPID : No
Subscriptions: Yes
Overlap dial : Yes
DTMFmode : rfc2833
Timer T1 : 3000
Timer B : 192000
ToHost :
Addr->IP : (null)
Defaddr->IP : (null)
Prim.Transp. : TLS
Allowed.Trsp : TLS
Def. Username: 361
SIP Options : (none)
Codecs : 0x60e (gsm|ulaw|alaw|speex|ilbc)
Codec Order : (ulaw:20,alaw:20,gsm:20,speex:20,ilbc:30)
Auto-Framing : Yes
100 on REG : No
Status : UNKNOWN
Useragent :
Reg. Contact :
Qualify Freq : 60000 ms
Sess-Timers : Refuse
Sess-Refresh : uas
Sess-Expires : 1800 secs
Min-Sess : 90 secs
RTP Engine : asterisk
Parkinglot :
Use Reason : No
Encryption : Yes

- - - SNOM 300 - - -

[ Setup > Identity 1 > Login ]

Displayname: 361
Account: 361
Password: ********
Registrar: pbx.domain.com
Outbound Proxy: sips:pbx.domain.com:5061
Authentication Username: 361

- - -

[ Setup > Certificates > Server Certificates ]

Country: ; State: ; Locality ; Organization: ; Common Name: pbx.domain.com; eMail:
Version: 2
Serial Number: 00b6b63eb67ed2111345253c228264d093
Signature Algorithm: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
Signature: 28ce574c9715e1e59dfc90829287ab31fdbf0e0212dc488b106e71ffaaa339610492dc091d440772...
Issuer: Country: GB; State: Greater Manchester; Locality Salford; Organization: Comodo CA Limited; Common Name: PositiveSSL CA; eMail:
Validity: 27/04/11 - 26/04/12
SHA1-Fingerprint: 38d13c709ab1cc9b434c2f05e927239fe4ae6f19
MD5-Fingerprint: a9b62e186465055f34a04153ad7898de
PK Algorithm: 1.2.840.113549.1.1.1 (rsaEncryption)
RSA modulus: 00b90412744fd50459d807a04d007a9fd7d667189f1394f11ecd46e8556bd861526eb9be582a2631...
RSA exponent: 010001
Filename on FS: f6700ff3f3059f4c629df2bff8678aeacb291ddb.DER

- - -

[ Status > System Information ]

System Information:
Phone Type: snom300-SIP
MAC-Address: 0004132F08DC
IP-Address: 192.168.101.102
Firmware-Version: snom300-SIP 8.4.31
Firmware-URL: http://provisioning.....4.31-SIP-f.bin
Production Information: Mac:0004132F08DC;Version:Standard;Hardware:snom300 (H: R2A);Date:15/05/08;Copyright© snom technology AG
Uptime: 0 days, 1 hours, 27 minutes
LCS: 0 days, 0 hours, 53 minutes (0)
Memfree: 772 K
CPU: 0.04 0.02 0.03 1/10 96
Bootloader-Version: 1.1.3-u

SIP Identity Status:
Identity 1 Status: 361@pbx.domain.com: Network Failure

- - -

[ Status > SIP Trace ]

Sent to tls:11.22.33.44:5061 at 24/12/2001 08:00:32:192 (729 bytes):
REGISTER sip:pbx.domain.com SIP/2.0
Via: SIP/2.0/TLS 192.168.101.102:2055;branch=z9hG4bK-9i3rt6llzqd1;rport
From: "361" <sip:361@pbx.domain.com>;tag=hpleutmwxu
To: "361" <sip:361@pbx.domain.com>
Call-ID: 3c26701f3456-58is2wtgld05
CSeq: 1 REGISTER
Max-Forwards: 70
Contact: <sip:361@192.168.101.102:2055;transport=tls>;q=1.0;reg-id=1;+sip.instance="<urn:uuid:0a473ab2-1159-4286-9cdb-385c32d8003d>";audio;mobility="fixed";duplex="full";description="snom300";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
User-Agent: snom300/8.4.31
Allow-Events: dialog
X-Real-IP: 192.168.101.102
Supported: path, gruu
Expires: 3600
Content-Length: 0

Sent to tls:11.22.33.44:5061 at 8/5/2011 00:24:03:610 (729 bytes):
REGISTER sip:pbx.domain.com SIP/2.0
Via: SIP/2.0/TLS 192.168.101.102:2056;branch=z9hG4bK-lriexp5iqoio;rport
From: "361" <sip:361@pbx.domain.com>;tag=b11o8j7lk4
To: "361" <sip:361@pbx.domain.com>
Call-ID: 3c26701f3456-58is2wtgld05
CSeq: 2 REGISTER
Max-Forwards: 70
Contact: <sip:361@192.168.101.102:2056;transport=tls>;reg-id=1;q=1.0;+sip.instance="<urn:uuid:0a473ab2-1159-4286-9cdb-385c32d8003d>";audio;mobility="fixed";duplex="full";description="snom300";actor="principal";events="dialog";methods="INVITE,ACK,CANCEL,BYE,REFER,OPTIONS,NOTIFY,SUBSCRIBE,PRACK,MESSAGE,INFO"
User-Agent: snom300/8.4.31
Allow-Events: dialog
X-Real-IP: 192.168.101.102
Supported: path, gruu
Expires: 3600
Content-Length: 0

- - -

[ Status > Log ]

[0] 24/12/2001 00:00:27: Phone::uboot_version:1.1.3-u
[1] 24/12/2001 00:00:29: Conf setup: code: 500, host: 127.0.0.1:80, file: /dummy.htm
[0] 24/12/2001 08:00:31: TaskMon: LCS 21/0 recv LPCP took 1271 msecs
[0] 24/12/2001 08:00:31: LoopMon: LCS 21 took 1271 (290/0) msecs, read 1, 3/1 tasks
[1] 24/12/2001 08:00:32: TLS: Warning: Certificate with subject Country: ; State: ; Locality ; Organization: ; Common Name: pbx.domain.com; eMail: has expired according to the local time of the phone.
[0] 24/12/2001 08:00:33: TaskMon: LCS 30/0 recv LPCP took 934 msecs
[0] 24/12/2001 08:00:33: LoopMon: LCS 30 took 968 (42/32) msecs, read 1, 3/1 tasks
[0] 8/5/2011 00:22:49: TaskMon: LCS 93/0 recv LPCP took 434 msecs
[0] 8/5/2011 00:22:49: TaskMon: LCS 94/0 recv LPCP took 461 msecs
[0] 8/5/2011 00:22:50: TaskMon: LCS 96/0 recv LPCP took 576 msecs
[0] 8/5/2011 00:23:03: TaskMon: LCS 148/0 recv LPCP took 238 msecs
[2] 8/5/2011 00:23:03: Transport Error: Pending packet 1000000: generating fake
[2] 8/5/2011 00:23:03: Registrar 361@pbx.domain.com timed out
[0] 8/5/2011 00:23:05: TaskMon: LCS 157/0 recv LPCP took 372 msecs
[0] 8/5/2011 00:23:05: LoopMon: LCS 157 took 850 (499/478) msecs, read 1, 4/1 tasks
[0] 8/5/2011 00:24:04: TaskMon: LCS 359/0 recv LPCP took 872 msecs
[0] 8/5/2011 00:24:04: LoopMon: LCS 359 took 872 (306/0) msecs, read 1, 3/1 tasks
[2] 8/5/2011 00:24:34: Transport Error: Pending packet 1000002: generating fake
[2] 8/5/2011 00:24:34: Registrar 361@pbx.domain.com timed out
[0] 8/5/2011 00:24:48: TaskMon: LCS 508/0 recv LPCP took 443 msecs
[0] 8/5/2011 00:24:48: LoopMon: LCS 508 took 444 (16/0) msecs, read 1, 3/1 tasks
[0] 8/5/2011 00:24:48: TaskMon: LCS 509/0 recv LPCP took 506 msecs
[0] 8/5/2011 00:24:48: LoopMon: LCS 509 took 507 (72/0) msecs, read 1, 4/1 tasks
[0] 8/5/2011 00:24:49: TaskMon: LCS 510/0 recv LPCP took 1293 msecs
[0] 8/5/2011 00:24:49: LoopMon: LCS 510 took 1337 (500/0) msecs, read 1, 5/1 tasks
[0] 8/5/2011 00:25:35: TaskMon: LCS 673/0 recv LPCP took 871 msecs
[0] 8/5/2011 00:25:35: LoopMon: LCS 673 took 871 (118/0) msecs, read 1, 3/1 tasks
[2] 8/5/2011 00:26:05: Transport Error: Pending packet 1000004: generating fake
[2] 8/5/2011 00:26:05: Registrar 361@pbx.domain.com timed out
[0] 8/5/2011 00:27:06: TaskMon: LCS 986/0 recv LPCP took 871 msecs
[0] 8/5/2011 00:27:06: LoopMon: LCS 986 took 871 (419/0) msecs, read 1, 3/1 tasks
[2] 8/5/2011 00:27:36: Transport Error: Pending packet 1000006: generating fake
[2] 8/5/2011 00:27:36: Registrar 361@pbx.domain.com timed out
[0] 8/5/2011 00:28:37: TaskMon: LCS 1296/0 recv LPCP took 869 msecs
[0] 8/5/2011 00:28:37: LoopMon: LCS 1296 took 870 (387/0) msecs, read 1, 3/1 tasks
[2] 8/5/2011 00:29:07: Transport Error: Pending packet 1000008: generating fake
[2] 8/5/2011 00:29:07: Registrar 361@pbx.domain.com timed out
[0] 8/5/2011 00:30:08: TaskMon: LCS 1605/0 recv LPCP took 870 msecs
[0] 8/5/2011 00:30:08: LoopMon: LCS 1605 took 871 (458/0) msecs, read 1, 3/1 tasks
[2] 8/5/2011 00:30:38: Transport Error: Pending packet 1000010: generating fake
[2] 8/5/2011 00:30:38: Registrar 361@pbx.domain.com timed out
[0] 8/5/2011 00:31:39: TaskMon: LCS 1918/0 recv LPCP took 874 msecs
[0] 8/5/2011 00:31:39: LoopMon: LCS 1918 took 875 (346/0) msecs, read 1, 3/1 tasks
[0] 8/5/2011 00:32:03: TaskMon: LCS 1996/0 recv LPCP took 424 msecs
[0] 8/5/2011 00:32:03: LoopMon: LCS 1996 took 430 (24/4) msecs, read 1, 3/1 tasks
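
Added example, not part of the original post and not snom or Asterisk tooling: a small Python triage of a phone log in the format shown above. It separates certificate warnings logged while the phone clock was outside the certificate's Validity window (the warning above is stamped 24/12/2001, before the clock jumps to 2011) from registrar timeouts. The sample lines are constructed from the log above and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the format of the phone's "Status > Log" page above.
SAMPLE_LOG = """\
[0] 24/12/2001 00:00:27: Phone::uboot_version:1.1.3-u
[1] 24/12/2001 08:00:32: TLS: Warning: Certificate with subject Common Name: pbx.domain.com; eMail: has expired according to the local time of the phone.
[2] 8/5/2011 00:23:03: Transport Error: Pending packet 1000000: generating fake
[2] 8/5/2011 00:23:03: Registrar 361@pbx.domain.com timed out
[2] 8/5/2011 00:24:34: Registrar 361@pbx.domain.com timed out
"""
# "Validity" field as displayed on the Server Certificates page (DD/MM/YY).
VALIDITY = "27/04/11 - 26/04/12"

LINE_RE = re.compile(r"^\[(\d)\] (\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}): (.*)$")


def parse_validity(text):
    """Return (not_before, not_after) from a 'DD/MM/YY - DD/MM/YY' string."""
    start, end = (datetime.strptime(p.strip(), "%d/%m/%y") for p in text.split("-"))
    return start, end.replace(hour=23, minute=59, second=59)


def triage(log_text, validity):
    """Classify TLS certificate warnings by the phone clock and count timeouts."""
    not_before, not_after = parse_validity(validity)
    findings = {"clock_before_cert": [], "clock_after_cert": [],
                "warning_inside_validity": [], "registrar_timeouts": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not log records
        when = datetime.strptime(m.group(2), "%d/%m/%Y %H:%M:%S")
        msg = m.group(3)
        if msg.startswith("TLS: Warning: Certificate"):
            if when < not_before:
                key = "clock_before_cert"        # phone clock not yet set
            elif when > not_after:
                key = "clock_after_cert"         # clock is past the end date
            else:
                key = "warning_inside_validity"  # clock is not the reason
            findings[key].append(when.isoformat())
        elif msg.startswith("Registrar ") and msg.endswith("timed out"):
            findings["registrar_timeouts"] += 1
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, VALIDITY))
```

A warning filed under `clock_before_cert` points at the phone's time source rather than at the certificate; the timeouts counted separately occur after the clock is correct and need their own investigation.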

#2 Muffin Sk


Posted 19 May 2011 - 04:14 AM

Hello all,

I have installed the .deb packages of Asterisk v1.8.3.3 from the upstream project on my Debian GNU/Linux Squeeze server and bought Comodo's PositiveSSL SSL certificate to be used for my SIPS (TLS) and SRTP exercise. After setting up everything and trying to fix this problem, I am still getting a 401 Unauthorized SIP message. Correct me if I'm wrong, the first 401 Unauthorized SIP message is normal and it is expected that the SIP client, which happens to be the SNOM 300, does not try to REGISTER back. So as of this writing, I still cannot successfully REGISTER to my Asterisk box.

...


Does anyone from SNOM have an idea what's causing this problem? Any idea from the community?

Regards,

Muffin

#3 finn2


Posted 05 July 2011 - 02:51 PM

Hi
TLS on 1.8.3.3 might be broken, one could try: 1.8.3.2 or 1.8.4.4

#4 paul


Posted 07 July 2011 - 03:36 PM

Yes, the current Digium-maintained Debian packages are 1.8.4.4, so I'd upgrade to that. TLS was fairly broken in some older versions.

I did a quick guide here when I got mine working:

http://blog.provu.co.uk/item/212
UK based Snom & SIP telephony expert