Why does FreeSWITCH need to open non-secure port for SIPS/SRTP to work? - freeswitch

I configured FreeSWITCH's external profile with <param name="tls-only" value="false"/> and successfully set up a soft-phone client to make a fully secure connection to the FreeSWITCH server (signalling over SIPS and voice over SRTP).
If I change to <param name="tls-only" value="true"/> or disable firewall access to the non-secure port, then I cannot make a call from the soft-phone to FreeSWITCH. Consequently, I think it does not make sense that the non-secure port needs to be open for SIPS to work.
Please help me figure it out. Thanks in advance!

Related

Freeswitch -- Having TLS conversation but when a call starts, INVITE is sent unencrypted

Good morning,
I'm trying to configure SRTP with TLS on Freeswitch. I already have SRTP, and I can establish a conversation with TLS, but when I make a call, it says "encrypted alert" and the TLS conversation stops, sending the INVITE over TCP. I have been looking for some solutions and they state that the problem may be that the certificate is not properly configured or that TLS is not properly configured. It is impossible that the certificate has any problems because I currently get TLS until the call starts.
Here is the configuration on my profile:
<param name='rtp_secure_media' value='mandatory: AES_CM_128_HMAC_SHA1_80'/>
<param name="bind-params" value="tls"/>
<param name='tls-version' value='tlsv1'/>
<param name='register-transport' value='tls'/>
<param name="register" value="false"/>
<param name="transport" value="tls"/>
<param name="tls" value="$${internal_ssl_enable}"/>
<param name="tls-only" value="true"/>
<param name="tls-bind-params" value="transport=tls"/>
<param name="tls-sip-port" value="$${internal_tls_port}"/>
<param name="tls-cert-dir" value="/usr/local/freeswitch/conf"/>
<param name="tls-verify-date" value="true"/>
<param name="tls-verify-policy" value="none"/>
<param name="tls-version" value="$${sip_tls_version}"/>
<param name="tls-ciphers" value="$${sip_tls_ciphers}"/>
<param name="contact-params" value="tport=tls"/>
<param name="ws-binding" value="XX.XX.XX.XX:5061"/>
Also, I would like to make another observation: when I configure the bridge with transport=TLS ( ) in the dialplan, the debug says "TLS not supported by profile".
Thank you for taking the time to deal with my queries.
Kind regards.
I had no experience with TLS on FreeSWITCH, but for the projects I had, we usually deploy OpenSIPS or Kamailio ahead of FreeSWITCH as a SIP proxy, which can bring SIP over TLS functionality easily to the whole topology.
The network looks like this:
freeswitch (group)    opensips/kamailio    other equipment or service
| ----(sip)----> | -------(sip over tls)------> |
| <======================(srtp)==========================> |
Keep the simplicity in FreeSWITCH, and let the proxy handle all the protocols.
Actually OpenSIPS/Kamailio can handle more protocols than TLS; this can bring flexibility to your topology.

websocket will not connect from remote server

I have a web page to control a thermostat on a raspberry pi, and I'm running into difficulties when trying to get websockets to work from a remote client. It seems to work fine when on LAN however. I'm obviously missing something (and likely something basic), but I can't seem to figure out what it is.
The pi's local IP is 192.168.1.134. The web page (served from an Apache server) has the URL http://192.168.1.134:8010/thermostat.html. The page starts up some JavaScript, which then tries to connect to the pi's main program using websockets via ws://192.168.1.134:9000 (the server on the pi is running libwebsockets). The websocket comes up, and it seems to work fine. I then tried to connect via a remote client (a cell phone, with wifi turned off) from http:\\23.239.99.99:8010\thermostat.html. The HTML/JS files load fine, but the web socket attempts to connect to the URI ws:\\23.239.99.99:9000, and this fails.
As far as I can tell, the NAT seems to be configured properly:
name           ext port start  ext port end  protocol  int port start  int port end  ip addr        interface
Thermostat3    8010            8010          TCP       8010            8010          192.168.1.134  eth3.1
Thermostat5    8000            8000          TCP/UDP   80              80            192.168.1.134  eth3.1
Thermostat_ws  9000            9000          TCP/UDP   9000            9000          192.168.1.134  eth3.1
I checked, and the router does not have any firewalls set up, neither does my modem. I didn't install a firewall on the pi (I checked, and there's no odd iptables rule). Does anyone know what I'm missing?
--- EDIT ---
I'm still stuck on this. I called my ISP and they assure me there are no firewalls on their servers. Is there any way to tell if port 9000 is being blocked, and by whom?
Bind your Apache server to the 0.0.0.0 address to make it accessible from remote machines.
Try this tool to determine if the port is inaccessible (use the custom port): http://www.whatsmyip.org/port-scanner/
Everything else looks fine. As a sanity check I would try putting the ws port to 8010 to see if that works. I would also recommend using a tool like Advanced Web Client to isolate networking issues.
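For the question above about telling whether port 9000 is blocked, here is an added diagnostic (my own example, not code from any poster) that separates a silently dropped or refused TCP connection from a port that is reachable but does not complete the RFC 6455 WebSocket handshake. Host, port and path are arguments you supply; the key and replies in the test are constructed values.

```python
import base64
import hashlib
import os
import socket

# RFC 6455 GUID: the server appends it to the client key and SHA-1s the result.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept a compliant server must return for this client key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def build_handshake(host: str, port: int, path: str, key: str) -> bytes:
    """Minimal Upgrade request, equivalent to what a browser sends for ws://host:port/path."""
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
        "Upgrade: websocket\r\nConnection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n"
    ).encode("ascii")

def classify_response(raw: bytes, key: str) -> str:
    """Judge the reply: a real WebSocket endpoint answers 101 with the matching Accept value."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 101"):
        return "not-websocket: " + (lines[0] or "empty reply")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return "bad-handshake: Sec-WebSocket-Accept mismatch"
    return "ws-ok"

def probe(host: str, port: int, path: str = "/", timeout: float = 5.0) -> str:
    """Separate 'port unreachable' from 'reachable but not a WebSocket server'."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")  # fresh client nonce
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_handshake(host, port, path, key))
            reply = sock.recv(4096)
    except ConnectionRefusedError:
        return "tcp-refused"   # reached a host, but nothing listens there (wrong NAT target?)
    except socket.timeout:
        return "tcp-timeout"   # SYN dropped silently: firewall, ISP filter, or unmatched NAT rule
    return classify_response(reply, key)
```

Run probe("23.239.99.99", 9000) from outside the LAN and probe("192.168.1.134", 9000) from inside; differing results point at the NAT or upstream filtering rather than at libwebsockets.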
This is interesting. I once had a similar problem. I set up a WebSocket (I was using a nodejs ws) and once I tried to access it from remote client I was not able to reach it with ws://yourip:port but instead I had to use http://yourip:port. I don't know if you have the same problem, mine was due to a proxy I was using.
I still have some advice for you on how you might be able to solve your problem. I don't know how concerned you are about security, but as far as I understood your idea, you basically connect to your Raspberry Pi through a WebSocket and tell it to change the temperature.
Back when I did a similar project I found it rather hard to secure my WebSocket connection. I was basically sending a password plus command through the WebSocket to my server, which then checks whether the password is correct. Otherwise everyone on the internet could heat your house. Not cool...
But therefore, I had to tunnel the connection through https to prevent a middleware attack.
I quickly threw the towel and decided to go with a completely different solution. Basically I set up a nodejs express server (can easily be configured with a self signed certificate to use https or used behind a nginx/apache https server) and authenticated with username and password. When someone made a POST request to /api/thermostats?id=0 with a temperature request, the server checks if the user is authenticated and then executes a terminal command from within node.
Maybe this idea also fits your demands.

not able to make a call on extension using external sip profile

I have just installed FreeSWITCH on my system. Right now I am able to register sample extension(s) with external SIP profiles,
for example:
1000#x.x.x.x:5080
1001#x.x.x.x:5080
Now when I dial 1001 from extension 1000, the FreeSWITCH console shows me "user not registered", but I am already registered with the 1001 extension.
As far as I know, when I dial 1001 it tries to call on the internal profile; that's why it shows the user is not registered. But where do I have to make the change so that the call goes to my 1001 extension?
Any suggestions? Any ideas?
Thanks in advance.
You can configure a SIP gateway.
Configuring a SIP gateway allows you to connect with outside carriers or other SIP machines.
Gateways are associated with SIP profiles because FreeSWITCH needs to know which IP and port to send traffic to and from in relation to the carrier.
First, you'll need to add a gateway to your SIP profile. Let's assume you're using the default FreeSWITCH configuration. In this case, we'll create a gateway that is attached to the default external profile.
Create a file in the conf/sip_profiles/external/ directory named after your gateway.
Add the following content (note that even if you are not registering, a username and password are required) but replace the highlighted items with your own provider:
<gateway name="providerA">
<param name="realm" value="sip.domain.com"/>
<param name="username" value="testuser"/>
<param name="password" value="test"/>
<param name="register" value="true"/>
</gateway>
You will access the gateway by using the bridge application with sofia/gateway/providerA/number, such as sofia/gateway/providerA/4158867999. You can do this in any dialplan you are using. In this example, edit your dialplan (typically the default dialplan in conf/dialplan/default.xml) and add code to utilize the gateway:
<action application="bridge" data="sofia/gateway/providerA/$1"/>
Issue a reloadxml command in your FreeSWITCH CLI after making the mentioned changes.

Mobicents SIP Servlets on OpenShift

How can I install Mobicents SIP Servlets/Tomcat7 on OpenShift?
Is there any cartridge for this?
There is none. The issue is that we would need to open signalling ports for SIP on 5060 or the like, which is not allowed AFAIR. But you can double check again whether they allow other ports apart from the HTTP ones to be opened.

communication not allowed through windows firewall

I am trying to run an FTP client and server.
The connection is successful only if the Windows firewall on both server and client is turned off.
I tried to turn the firewall on and add allow rules for:
1. (inbound and outbound) TCP ports 20-21 allow
2. allow endpoint communication for server-client
However, my problem is still not solved.
Anyone have any other ideas?
Thanks ahead
Fixed it. The server threw an exception. I found it when I created a log file on both the server and client side.