Good morning,
I’m trying to configure SRTP with TLS on Freeswitch. I already have SRTP, and I can establish a conversation with TLS, but when I make a call, it says “encrypted alert” and the TLS conversation stops sending the INVITE in TCP. I have been looking for some solutions and it states that the problema may be that the certificate is not properly configured or that TLS is not properly configured. It is imposible that the certificate has any problems because I currently get TLS untill the call starts.
Here it is the configuration on my profile:
<param name='rtp_secure_media' value='mandatory: AES_CM_128_HMAC_SHA1_80'/>
<param name='bind-params" value="tls"/>
<param name='tls-version' value='tlsv1'/>
<param name='register-transport' value='tls'/>
<param name="register" value="false"/>
<param name="transport" value="tls"/>
<param name="tls" value="$${internal_ssl_enable}"/>
<param name="tls-only" value="true"/>
<param name="tls-bind-params" value="transport=tls"/>
<param name="tls-sip-port" value="$${internal_tls_port}"/>
<param name="tls-cert-dir" value="/usr/local/freeswitch/conf"/>
<param name="tls-verify-date" value="true"/>
<param name="tls-verify-policy" value="none"/>
<param name="tls-version" value="$${sip_tls_version}"/>
<param name="tls-ciphers" value="$${sip_tls_ciphers}"/>
<param name="contact-params" value="tport=tls"/>
<param name="ws-binding" value="XX.XX.XX.XX:5061"/>
Also, I would like to make another observation: when I configure the bridge has transport=TLS ( ) in the dialplan, the debug says “TLS not supported by profile”
Thank you for taking the time to deal with my queries
Kind regards.
i had no experience on tls for freeswitch, but for the projects i had, we usually deploy opensips or kamailio ahead of freeswitch as a SIP proxy, which can bring sip over tls functionality easily in the whole topology structure.
the network looks like this:
freeswitch (group) opensips/kamalio other equipment or service
| ----(sip)----> | -------(sip over tls)------> |
| <======================(srtp)==========================> |
Keep the simplicity in freeswitch, and let the proxy handles all the protocols.
Actually opensips/kamailio can handle multiple protocols than tls, it can bring the flexiblity in your topology.
Related
I configure the FreeSwitch's external profile with <param name="tls-only" value="false"/> and successfully setup a soft-phone client to make a fully secure connection to the FreeSwitch server (with signals over SIPS and voices over SRPT).
If I change to <param name="tls-only" value="true"/> or disable firewall access to the non-secured port then I can not make a dial from the soft-phone to the FreeSwitch. Consequently, I think that the non-secured port needs to open for the SIPS to work does not make sense.
Please, help me to figure it out. Thanks in advance!
I had came across this scenario's for all the below use cases.
Except Case 3 which is normal & general and rest of the cases needs to be resolved
These below Services were running without any errors:
Net.Msmq Listener Adapter
Net.Pipe Listener Adapter
Net.Tcp Listener Adapter
Net.Tcp Port Sharing Service
Windows Process Activation Service
also Enabled Protocols: net.tcp,http
From the command line or via application when calling WCF written services:
C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.6.1 Tools>svcutil net.tcp://localhost/TNA/TAServices/AuthenticationManager/mex
Case 1:
Could not connect to
net.tcp://localhost/TNA/TAServices/AuthenticationManager/mex. The
connection attempt lasted for a time span of 00:00:04.0935290. TCP
error code 10061: No connection could be made because the target
machine actively refused it 127.0.0.1:808.
No connection could be made because the target machine actively refused it 127.0.0.1:808
Case 2:
There was no endpoint listening at
net.tcp://localhost/TNA/TAServices/AuthenticationManager/mex that
could accept the message. This is often caused by an incorrect address
or SOAP action. See InnerException, if present, for more details.
Case 3:
The socket connection was aborted. This could be caused by an error
processing your message or a receive timeout being exceeded by the
remote host, or an underlying network resource issue. Local socket
timeout was '00:04:59.9843875'.
An existing connection was forcibly closed by the remote host
Event Log for Case 2:
An error occurred in the Activation Service 'NetTcpActivator' of the protocol 'net.tcp' while trying to listen for the site '1', thus the protocol is disabled for the site temporarily. See the exception message for more details.
URL: WeakWildcard:net.tcp://username.domainname.com/
Status: FailedToListen
Exception: System.ServiceModel.AddressAlreadyInUseException: There is already a listener on IP endpoint 0.0.0.0:808. This could happen if there is another application already listening on this endpoint or if you have multiple service endpoints in your service host with the same IP endpoint but with incompatible binding configurations. ---> System.Net.Sockets.SocketException: Only one usage of each socket address (protocol/network address/port) is normally permitted
at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.Sockets.Socket.Bind(EndPoint localEP)
at System.ServiceModel.Channels.SocketConnectionListener.Listen()
--- End of inner exception stack trace ---
at System.ServiceModel.Channels.SocketConnectionListener.Listen()
at System.ServiceModel.Activation.TransportListener.Go(IConnectionListener connectionListener)
at System.ServiceModel.Activation.TransportListener..ctor(IPEndPoint endPoint)
at System.ServiceModel.Activation.TransportListener.Listen(IPEndPoint endPoint)
at System.ServiceModel.Activation.RoutingTable.TcpStart(MessageQueue messageQueue, BaseUriWithWildcard path)
at System.ServiceModel.Activation.MessageQueue.Register(BaseUriWithWildcard path)
at System.ServiceModel.Activation.ListenerAdapter.RegisterBindings(IActivatedMessageQueue queue, Int32 siteId, String[] bindings, String path)
Process Name: SMSvcHost
Process ID: 4608
How should we need to achieve to go to case 3 by default, whenever, at times such as Booting and rebooting the system?
Case 1 and Case 2 require a Mex service endpoint in the WCF service configuration. Please add a Mex endpoint to exchange the service metadata.
<system.serviceModel>
<services>
<service name="WcfService1.Service1">
<endpoint address="service1" binding="basicHttpBinding" contract="WcfService1.IService1" ></endpoint>
<endpoint address="service2" binding="netTcpBinding" contract="WcfService1.IService1"></endpoint>
<!--for exchanging service metadata.-->
<endpoint address="mex" binding="mexTcpBinding" contract="IMetadataExchange"></endpoint>
</service>
</services>
Feel free to let me know if there is anything I can help with.
I have just installed freeswitch on my system.Right now i am able to register sample extension(s) with external sip profiles
for example :
1000#x.x.x.x:5080
1001#x.x.x.x:5080
now i am dialing 1001 from extension 1000 then freeswitch console its showing me user not registered but i am already registered with 1001 extension.
As per my knowledge when i am dial 1001 then its try to call on internal profile that's why its showing user is not registered but from which place i have to change like call goes on my 1001 extension
any suggestions ? any ideas ?
Thanks in advance.
You can configure sip gateway.
Configuring a sip gateway allows you to connect with outside carriers or other SIP machines.
Gateways are associated with SIP profiles because FreeSWITCH needs to know which IP and port to send traffic to and from in relation to the carrier.
First, you'll need to add a gateway to your SIP profile. Let's assume you're using the default FreeSWITCH configuration. In this case, we'll create a gateway that is attached to the default external profile.
Create a file in the conf/sip_profiles/external/ directory named after your gateway
Add the following content (note that even if you are not registering, a username and password is required) but replace the highlighted items with your own provider:
<gateway name="providerA">
<param name="realm" value="sip.domain.com"/>
<param name="username" value="testuser"/>
<param name="password" value="test"/>
<param name="register" value="true"/>
</gateway>
You will access the gateway by using the bridge application with sofia/gateway/
providerA/number , such as sofia/gateway/providerA/4158867999 . You
can do this in any dialplan you are using. In this example, edit your dialplan (typically
the default dialplan in conf/dialplan/default.xml ) and add code to utilize
the gateway:
action application="bridge" data="sofia/gateway/providerA/$1"
Issue a reloadxml command in your FreeSWITCH CLI after making the
mentioned changes.
I know it is a similar problem to:
Spring Integration. Unknown host and tcp-connection-factory
However, in my particular case the tcp-connection is established based on the si message flow. I am writing a program that "fakes" a user login to a particular site through tcp/ip connection. The host/port changes weekly so I prefer to dynamically set-up the connections. Hence, those host/ip for the destination server is not static.
I am still wondering whether there is any methods other than the [dynamic ftp sample] which set-up a whole new applicationContext for each tcp/ip connection and modifying the connection-factory which is non-trivial work.
My ideal case is:
<int-ip:tcp-outbound-gateway id="outGateway"
request-channel="input"
reply-channel="clientBytes2StringChannel"
connection-factory="client"
connection-host="#{headers.dest.host}"
connection-port="#{headers.dest.port}"
request-timeout="10000"
reply-timeout="10000"/>
<int-ip:tcp-connection-factory id="client"
type="client"
host="#{headers.dest.host}"
port="#{headers.dest.port}"
single-use="true"
so-timeout="10000"/>
Where the destination host and port is inside the message header.
I know my use-case is rare but it's extremely useful in my particular business logic. My whole webapp runs based on the messages from those raw tcp-ip connections.
It's not currently possible/easy - even if you customize or extend the class for tcp-connection-factory to be able to connect to changing hosts. There is an open new feature request in JIRA to provide that functionality. Simillar question here.
There is no class defined corresponding to that service in opennms. The service is running on a remote host. The current protocols supported out of the box are:
Citrix
DHCP
DNS
Domino IIOP
FTP
HTTP
HTTPS
ICMP
IMAP
JBOSS
JDBC
JDBC Stored Procedure
JSR160
K5
LDAP
Microsoft Exchange
MX4J
Notes HTTP
NSClient (Nagios Agent)
NRPE (Nagios Remote Plugin Executor)
NTP
POP3
Radius
SMB
SMTP
SNMP
SSH
TCP
Is there a way to detect a service not in this list?
Adding the detector to the provisioning group will get the port listed as a service on a nodes particular interface. But to get it "monitored" you also need to add a matching poller. Here is a sample for generic DNS port 53 test.
provision group detector within the detectors section or via UI as Pete indicated:
<detector name="TCP-DNS-53" class="org.opennms.netmgt.provision.detector.simple.TcpDetector">
<parameter key="port" value="53"/>
</detector>
Matching poller-configuration.xml to get it monitored. i.e. events if the node stops responding to the port.
<!-- within the services section -->
<service name="TCP-DNS-53" interval="300000" user-defined="false" status="on">
<parameter key="retry" value="3"/>
<parameter key="timeout" value="3000"/>
<parameter key="port" value="53"/>
<parameter key="banner" value="*"/>
</service>
Then a monitor definition near the bottom.
<monitor service="TCP-DNS-53" class-name="org.opennms.netmgt.poller.monitors.TcpMonitor"/>
The detector, service names and monitor service all have to be identical.
"Admin" -> "Node provisioning" -> "Manage Provisioning Requisitions" -> "Edit Default Foreign Source Definition" -> "Add detector" -> give it a name, select TCP -> "add parameter" -> "key": port, "value": port_used_by_service
You can check OpenNMS documentation (there's an example adding Telnet):
http://www.opennms.org/wiki/Provisiond