redmiru Brekeke Member
Joined: 12 Feb 2012 Posts: 19
Posted: Thu Aug 16, 2012 5:38 pm Post subject: BSS freezing when using prefix routing with TLS
1. Brekeke Product Name and version:
BSS 3.0.7.0 ADV
2. Java version:
1.6.0
3. OS type and the version:
Ubuntu 10.04
4. UA (phone), gateway or other hardware/software involved:
Bria3
5. Select your network pattern from http://www.brekeke-sip.com/bbs/network/networkpatterns.html :
6. Your problem:
With TLS+SRTP set, phone calls between the two UAs work fine.
However, if I set TLS+SRTP+dialplan (for prefix routing), BSS stops working.
In addition, there was no system log, but the brekeke process was alive.
Here is my dialplan
================
matching pattern
================
$request=^INVITE
To=sip:(88.+)@
================
deploy pattern
================
To=sip:%1@xxx.xxx.xxx.xxx (it's real-IP)
On the other hand, if I turn off TLS on BSS, everything works fine.
---additional information
If I call 8888, BSS freezes.
The dump log option is as below:
net.sip.loglevel.file=255
Please help and check this issue.
Harold Brekeke Master Guru
Joined: 21 Sep 2008 Posts: 287
Location: Japan
Posted: Fri Aug 17, 2012 10:00 am
Hi redmiru,
> To=sip:%1@xxx.xxx.xxx.xxx (it's real-IP)
Is there any SIP UA running at xxx.xxx.xxx.xxx?
Is it a registered UA?
What's the destination port number?
> net.sip.loglevel.file=255
Also set the following.
----------------------------------
net.tls.loglevel.file = 255
net.sip.tls.log.reject = true
net.sip.tls.log.dump.info = true
----------------------------------
redmiru Brekeke Member
Joined: 12 Feb 2012 Posts: 19
Posted: Fri Aug 17, 2012 9:18 pm
Dear Harold,
Thank you for your interest!!
1)
Is there any SIP UA running at xxx.xxx.xxx.xxx?
--> No, it's another SIP server.
If the prefix starts with 88, INVITE packets must be delivered to SIP server A,
and all INVITE packets except those with prefix 88 must be delivered to SIP server B,
so I set this rule.
Is it a registered UA?
--> It is a SIP server, so xxx.xxx.xxx.xxx has not registered at BSS.
What's the destination port number?
--> It uses port 5060.
2) dial plan
OK, I'll set it as you said and keep an eye on it.
Harold Brekeke Master Guru
Joined: 21 Sep 2008 Posts: 287
Location: Japan
Posted: Sat Aug 18, 2012 10:24 pm
It seems you want to connect Brekeke SIP Server to another SIP server over TLS.
If so, Brekeke SIP Server must act as a TLS client and accept the other server's certificate.
Please set [Peer Certification Validation]="on" in the [Configuration]->[SIP] page.
redmiru Brekeke Member
Joined: 12 Feb 2012 Posts: 19
Posted: Sat Aug 18, 2012 11:31 pm
I want to connect as below.
1) Bria3 ---- (TLS) ---- BSS1 ---- (Non-TLS) --- BSS2
If the INVITE To SIP ID prefix starts with 88, it must route to BSS2.
2) Bria3 ---- (TLS) ---- BSS1 ---- (Non-TLS) --- BSS3
If the INVITE To SIP ID prefix starts with anything except 88, it must route to BSS3.
Question:
a. Are 1) and 2) possible?
b. BSS1 has [Peer Certification Validation]="on" set, but BSS always freezes when I call.
c. When BSS falls into the frozen state, the log is as below.
===============================
sv: open logging-file: '/usr/local/brekeke/webapps/sip/WEB-INF/work/sv/log/2012/08/sv.20120819.2.log'
sv: logging-plugin: com.brekeke.common.Logging
sv: 'IDC_SIP' at 'XXX' is starting...
sv: os=Linux (amd64:2.6.32-42-server) distribution=Debian java=1.6.0_29 (Sun Microsystems Inc.)
sv: total.mem=62128128 free.mem=60825688 cpu=8
svlistener: start at 08/19/12 06:06:46.688
tls-listener: start
TLS: Certificates ===================================
JKS File: /usr/local/brekeke/webapps/sip/WEB-INF/work/sv/key/keystore.jks
Local-Cert: Serial#: (CONFIDENTIAL)
Local-Cert: Issuer: CN=Thawte SSL CA,O=Thawte\, Inc.,C=US
Local-Cert: Subject: (CONFIDENTIAL)
Local-Cert: Signature: (CONFIDENTIAL)
Local-Cert: Valid from: 03/12/12 00:00:00.000 until : 04/11/13 23:59:59.000
============================================
TLS:SupportedCipherSuites ===================================
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_AES_128_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_KRB5_WITH_RC4_128_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
============================================
TLS:EnabledCipherSuites ===================================
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
============================================
TLS:SupportedProtocols ===================================
SSLv2Hello
SSLv3
TLSv1
============================================
TLS:EnabledProtocols ===================================
SSLv2Hello
SSLv3
TLSv1
============================================
tls-listener: listen-port=5061
svlistener: open session-log '/usr/local/brekeke/webapps/sip/WEB-INF/work/sv/log/2012/08/session.20120819.log'.
svlistener: open dial-plan '/usr/local/brekeke/webapps/sip/WEB-INF/work/sv/etc/dialplan.tbl'.
svlistener: hostname=BSS3 listen-port=5060
svlistener: interface={ (CONFIDENTIAL) }
===============================
4) So I tried to start BSS again from the web page (it always changed to Inactive status), and BSS displayed an error message:
"Port not ready. Check firewall settings and conflicting applications, then restart machine."
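The startup log in the post above lists which cipher suites and protocol versions the TLS listener has enabled, including RC4, single-DES, export-grade suites and SSLv3. The following is an added example, not part of the original thread and not Brekeke code: a small audit that parses a log in that layout and reports the weak entries. The sample log is a constructed excerpt and the weak-suite markers are this example's own choice.

```python
import re

# Constructed excerpt in the same layout as the startup log in the post above.
SAMPLE_LOG = """\
TLS:EnabledCipherSuites ===================================
SSL_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
============================================
TLS:EnabledProtocols ===================================
SSLv3
TLSv1
============================================
tls-listener: listen-port=5061
"""

HEADER = re.compile(r"^TLS:\s*(\w+)\s+=+$")
# Substring markers for suite names; list order fixes the order of reported reasons.
WEAK_SUITE = [("_EXPORT_", "export-grade key"), ("_NULL_", "no encryption"),
              ("_anon_", "unauthenticated key exchange"), ("_RC4_", "RC4"),
              ("_3DES_", "3DES"), ("_DES40_", "40-bit DES"),
              ("_DES_", "single DES"), ("_MD5", "MD5 MAC")]
WEAK_PROTO = {"SSLv2Hello": "SSLv2-format hello",
              "SSLv3": "deprecated by RFC 7568", "TLSv1": "deprecated by RFC 8996"}

def parse_sections(log):
    """Map each 'TLS:<Name> ====' block to the list of lines it contains."""
    sections, current = {}, None
    for line in (l.strip() for l in log.splitlines()):
        m = HEADER.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif line and set(line) == {"="}:
            current = None              # a bare ===== line closes the block
        elif current is not None and line:
            current.append(line)
    return sections

def audit(log):
    """Return {name: [reasons]} for every enabled suite or protocol that is weak."""
    sections, findings = parse_sections(log), {}
    for suite in sections.get("EnabledCipherSuites", []):
        reasons = [why for marker, why in WEAK_SUITE if marker in suite]
        if reasons:
            findings[suite] = reasons
    for proto in sections.get("EnabledProtocols", []):
        if proto in WEAK_PROTO:
            findings[proto] = [WEAK_PROTO[proto]]
    return findings
```

Only the Enabled sections are audited; the Supported sections list what the Java runtime offers, not what the listener will negotiate.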
hope Brekeke Master Guru
Joined: 15 Jan 2008 Posts: 862
Posted: Mon Aug 20, 2012 10:41 am
Quote:
> 1) Bria3 ---- (TLS) ---- BSS1 ---- (Non-TLS) --- BSS2
> If the INVITE To SIP ID prefix starts with 88, it must route to BSS2.
> 2) Bria3 ---- (TLS) ---- BSS1 ---- (Non-TLS) --- BSS3
> If the INVITE To SIP ID prefix starts with anything except 88, it must route to BSS3.
Are both BSS2 and BSS3 using UDP transport?
If yes, in the dial plan rules used for the calls in the above two cases, add $transport = udp to [Deploy Patterns] in both rules.
james Brekeke Master Guru
Joined: 10 Dec 2007 Posts: 495
Posted: Mon Aug 20, 2012 11:06 am
BSS will use the same transport protocol for proxying requests.
In your case, TLS will be used unless you set "$transport" in Deploy Patterns (as Hope mentioned).
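The behaviour described in the last two replies, as an added example that is not part of the original thread: a simplified Python model of the posted dial plan rule, not Brekeke's implementation. It assumes that all matching patterns must match, that `%1` refers to the first captured group, and that the outbound leg keeps the inbound transport unless the deploy pattern sets `$transport`; the address 192.0.2.10 and the host bss1.example are constructed stand-ins.

```python
import re

BSS2 = "192.0.2.10"  # constructed stand-in for the masked xxx.xxx.xxx.xxx address
MATCH = {"$request": r"^INVITE", "To": r"sip:(88.+)@"}
RULE_AS_POSTED = {"match": MATCH, "deploy": {"To": f"sip:%1@{BSS2}"}}
RULE_WITH_TRANSPORT = {"match": MATCH,
                       "deploy": {"To": f"sip:%1@{BSS2}", "$transport": "udp"}}

# Constructed inbound call from the TLS phone to 8888.
CALL_8888 = {"$request": "INVITE sip:8888@bss1.example SIP/2.0",
             "To": "<sip:8888@bss1.example>", "$transport": "tls"}

def apply_dialplan(rules, request):
    """Return the outbound fields for the first matching rule, or None."""
    for r in rules:
        groups = []
        for field, pattern in r["match"].items():
            m = re.search(pattern, request.get(field, ""))
            if m is None:
                break                      # every matching pattern must hit
            groups.extend(m.groups())      # assumed: %1, %2, ... count across patterns
        else:
            out = dict(request)            # outbound leg starts with the inbound transport
            for field, template in r["deploy"].items():
                out[field] = re.sub(r"%(\d)",
                                    lambda g: groups[int(g.group(1)) - 1], template)
            return out
    return None

if __name__ == "__main__":
    for name, rule in (("as posted", RULE_AS_POSTED), ("with $transport", RULE_WITH_TRANSPORT)):
        out = apply_dialplan([rule], CALL_8888)
        print(f"{name}: To={out['To']} transport={out['$transport']}")
```

With the rule as posted, the model sends the 8888 call toward the second server over TLS; with `$transport = udp` added, the same call leaves over UDP, so the signaling on that inner leg is no longer protected by TLS.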