BSS freezing when I use prefix routing with TLS
redmiru
Posted: Thu Aug 16, 2012 5:38 pm    Post subject: BSS freezing when I use prefix routing with TLS

1. Brekeke Product Name and version:
BSS 3.0.7.0 ADV

2. Java version:
1.6.0

3. OS type and the version:
Ubuntu 10.04

4. UA (phone), gateway or other hardware/software involved:
Bria3

5. Select your network pattern from http://www.brekeke-sip.com/bbs/network/networkpatterns.html :


6. Your problem:

With TLS+SRTP set, a phone call between the two UAs works fine.

However, if I set TLS+SRTP+dialplan (for prefix routing), BSS stops working.

In addition, there was no system log, but the Brekeke process was alive.

Here is my dialplan

================
matching pattern
================
$request=^INVITE
To=sip:(88.+)@


================
deploy pattern
================
To=sip:%1@xxx.xxx.xxx.xxx (it's real-IP)


On the other hand, if I turn off TLS on BSS, everything works fine.

--- Additional information
If I call 8888, BSS freezes.
The dump log option is as below.

net.sip.loglevel.file=255




Please help and check this issue.
Harold
Posted: Fri Aug 17, 2012 10:00 am

Hi redmiru,

> To=sip:%1@xxx.xxx.xxx.xxx (it's real-IP)

Is there any SIP UA running at xxx.xxx.xxx.xxx?
Is it a registered UA?
What's the destination port number?


> net.sip.loglevel.file=255

Also set the following.
----------------------------------
net.tls.loglevel.file = 255
net.sip.tls.log.reject = true
net.sip.tls.log.dump.info = true
----------------------------------
redmiru
Posted: Fri Aug 17, 2012 9:18 pm

Dear Harold,

Thank you for your interest!!

1)

Is there any SIP UA running at xxx.xxx.xxx.xxx?
--> No, it's another SIP server.
If the prefix starts with 88, INVITE packets must be delivered to SIP server A,
and for all prefixes except 88, INVITE packets must be delivered to SIP server B.
So I set this rule.

Is it a registered UA?
--> It is a SIP server, so xxx.xxx.xxx.xxx is not registered at BSS.

What's the destination port number?
--> It uses port 5060.


2) dial plan

OK, I'll set it as you said and keep an eye on it.




Harold
Posted: Sat Aug 18, 2012 10:24 pm

It seems you want to connect Brekeke SIP Server to another SIP server over TLS.
If so, Brekeke SIP Server must act as a TLS client and accept the other server's certificate.


Please set [Peer Certification Validation]="on" in the [Configuration]->[SIP] page.
redmiru
Posted: Sat Aug 18, 2012 11:31 pm

I want to connect as below.


1) Bria3 ---- (TLS) ---- BSS1 ---- (Non-TLS) --- BSS2
If the INVITE To SIP ID prefix starts with 88, it must route to BSS2.

2) Bria3 ---- (TLS) ---- BSS1 ---- (Non-TLS) --- BSS3
If the INVITE To SIP ID prefix starts with anything except 88, it must route to BSS3.



Questions:

a. Are 1) and 2) possible?
b. I set [Peer Certification Validation]="on" on BSS1, but BSS always freezes when I call.
c. When BSS falls into the frozen state, the log is as below.

===============================
sv: open logging-file: '/usr/local/brekeke/webapps/sip/WEB-INF/work/sv/log/2012/08/sv.20120819.2.log'
sv: logging-plugin: com.brekeke.common.Logging
sv: 'IDC_SIP' at 'XXX' is starting...
sv: os=Linux (amd64:2.6.32-42-server) distribution=Debian java=1.6.0_29 (Sun Microsystems Inc.)
sv: total.mem=62128128 free.mem=60825688 cpu=8

svlistener: start at 08/19/12 06:06:46.688
tls-listener: start
TLS: Certificates ===================================
JKS File: /usr/local/brekeke/webapps/sip/WEB-INF/work/sv/key/keystore.jks
Local-Cert: Serial#: (CONFIDENTIAL)
Local-Cert: Issuer: CN=Thawte SSL CA,O=Thawte\, Inc.,C=US
Local-Cert: Subject: (CONFIDENTIAL)
Local-Cert: Signature: (CONFIDENTIAL)
Local-Cert: Valid from: 03/12/12 00:00:00.000 until : 04/11/13 23:59:59.000
============================================

TLS:SupportedCipherSuites ===================================
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_AES_128_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_KRB5_WITH_RC4_128_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
============================================

TLS:EnabledCipherSuites ===================================
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
============================================

TLS:SupportedProtocols ===================================
SSLv2Hello
SSLv3
TLSv1
============================================

TLS:EnabledProtocols ===================================
SSLv2Hello
SSLv3
TLSv1
============================================

tls-listener: listen-port=5061

svlistener: open session-log '/usr/local/brekeke/webapps/sip/WEB-INF/work/sv/log/2012/08/session.20120819.log'.
svlistener: open dial-plan '/usr/local/brekeke/webapps/sip/WEB-INF/work/sv/etc/dialplan.tbl'.
svlistener: hostname=BSS3 listen-port=5060
svlistener: interface={ (CONFIDENTIAL) }

===============================


4) So I tried to start BSS again from the web page (it always changed to Inactive status), and BSS displayed an error message.

"Port not ready. Check firewall settings and conflicting applications, then restart machine."
hope
Posted: Mon Aug 20, 2012 10:41 am

> 1) Bria3 ---- (TLS) ---- BSS1 ---- (Non-TLS) --- BSS2
> If the INVITE To SIP ID prefix starts with 88, it must route to BSS2.
>
> 2) Bria3 ---- (TLS) ---- BSS1 ---- (Non-TLS) --- BSS3
> If the INVITE To SIP ID prefix starts with anything except 88, it must route to BSS3.

Are both BSS2 and BSS3 using UDP transport?
If yes, in the dial plan rules used for the calls in the above two cases, add $transport = udp in both rules' [Deploy Patterns].
james
Posted: Mon Aug 20, 2012 11:06 am

BSS will use the same transport protocol for proxying requests.
In your case, TLS will be used unless you set "$transport" in Deploy Patterns. (as Hope mentioned.)
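
The transport behaviour described in the last two replies, as a small Python model added here (it is not Brekeke code and not from any poster in this thread). It evaluates the thread's prefix rule and shows which transport the proxied INVITE gets with and without `$transport` in the deploy pattern. First-match rule order, the catch-all second pattern, and the 192.0.2.x addresses standing in for BSS2 and BSS3 are assumptions.

```python
import re

# Constructed model of the dial plan discussed in the thread. Rule order
# (first match wins) and the second rule's pattern are assumptions; the
# 192.0.2.x addresses are placeholders for BSS2 and BSS3.
RULES = [
    {"match": {"$request": r"^INVITE", "To": r"sip:(88.+)@"},
     "deploy": {"To": "sip:%1@192.0.2.10", "$transport": "udp"}},
    {"match": {"$request": r"^INVITE", "To": r"sip:(.+)@"},
     "deploy": {"To": "sip:%1@192.0.2.20", "$transport": "udp"}},
]

def route(request_line, to_header, inbound_transport, rules=RULES):
    """Return (new To, outbound transport) for the first matching rule."""
    fields = {"$request": request_line, "To": to_header}
    for rule in rules:
        groups = []
        for name, pattern in rule["match"].items():
            m = re.search(pattern, fields[name])
            if m is None:
                break  # one condition failed: try the next rule
            groups.extend(m.groups())
        else:
            new_to = rule["deploy"]["To"]
            for i, g in enumerate(groups, start=1):
                new_to = new_to.replace(f"%{i}", g)
            # Per the thread: the inbound transport is reused for the
            # proxied request unless the deploy pattern sets $transport.
            transport = rule["deploy"].get("$transport", inbound_transport)
            return new_to, transport
    return to_header, inbound_transport  # no rule matched: unchanged

def without_transport(rules):
    """Copy of the rules as originally posted, with no $transport."""
    return [{"match": r["match"],
             "deploy": {k: v for k, v in r["deploy"].items()
                        if k != "$transport"}}
            for r in rules]
```

Calling `route(..., "tls", without_transport(RULES))` reproduces the original setup: the call to 8888 is forwarded over TLS to a peer that, per the thread, listens on port 5060 without TLS.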
All times are GMT - 7 Hours