Re: [reSIProcate] reSIProcate and LCS?
Hi Scott, Sandeep, Chris,
FYI: I was able to get TLS working w/ the LCS's AP when resip was the
server (i.e. LCS is now accepting our certificates). Had to remove the
subjectAltName field and put the FQDN as the Common Name in the Subject
field. Also needed to (of course) make sure the certificate authority
that signed my certificate was installed as a trusted root certificate
in the LCS's AP's database.
Anyway, if you guys run into problems w/ TLS and the LCS AP, let me know
because I've got it working now in both directions (i.e. in both client
and server mode).
Chris
Chris Rigg wrote:
Hi Scott, Sandeep,
FYI: I sort of answered my own question later this afternoon. The
reason why TLS wasn't working when resip was the server was because
the sipStack->addTransport() function is defaulting TlsTransport to
SecurityTypes::TLSv1. When LCS sends the SSLv2 compatible client hello
message, it sent a RST because my TLS layer didn't recognize a v2
message. So, I changed my application (limpc) and added
SecurityTypes::SSLv23 and that worked (at least it got me further).
Now, the LCS server is sending a RST after the ServerHelloDone message
from resip.
Chris
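The SSLv2-compatible ClientHello described above is what the server-side log in this thread (`SSL3_GET_RECORD:wrong version number`) turns on: a record layer built for SSLv3/TLS framing expects a 5-byte header whose first byte is the handshake content type 0x16, while an SSLv2-format hello starts with a 2-byte length field whose high bit is set. The Python below is an added example, not code from this thread, from reSIProcate or from OpenSSL. It parses both framings from constructed sample bytes and models the first decision a server makes: one that only understands TLS framing rejects the v2-format hello, while one that also accepts v2 framing (the SSLv23 behaviour Chris switched to) reads it as an offer of version 3.1 with a list of cipher specs. The byte layouts follow the SSLv2 CLIENT-HELLO and TLS 1.0 ClientHello formats; the sample messages, the challenge/random bytes and the result strings are constructed for this example.

```python
"""Classify the first bytes a TLS server reads on a new connection.

Added example (not reSIProcate/OpenSSL code).  Sample messages below are
constructed by hand; the layouts follow SSLv2 CLIENT-HELLO and TLS 1.0
ClientHello.
"""
from dataclasses import dataclass

HANDSHAKE_RECORD = 0x16      # SSLv3/TLS record content type: handshake
SSL2_CLIENT_HELLO = 0x01     # SSLv2 message type: CLIENT-HELLO


@dataclass
class HelloInfo:
    framing: str            # "ssl2" or "tls"
    version: tuple          # highest (major, minor) the client offers
    cipher_count: int       # cipher specs (v2, 3 bytes) or suites (TLS, 2 bytes)


def parse_ssl2_compatible_hello(data: bytes) -> HelloInfo:
    """Parse a v2-format CLIENT-HELLO: 2-byte header with the high bit set,
    then msg_type(1) version(2) cipher_spec_len(2) session_id_len(2)
    challenge_len(2) cipher_specs(3 bytes each) session_id challenge."""
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not an SSLv2 2-byte record header")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) < rec_len or body[0] != SSL2_CLIENT_HELLO:
        raise ValueError("truncated record or not a CLIENT-HELLO")
    version = (body[1], body[2])
    cipher_spec_len = (body[3] << 8) | body[4]
    if cipher_spec_len % 3 or 9 + cipher_spec_len > len(body):
        raise ValueError("bad cipher_spec_len")
    return HelloInfo("ssl2", version, cipher_spec_len // 3)


def parse_tls_record_hello(data: bytes) -> HelloInfo:
    """Parse a TLS-framed ClientHello: record header type(1) version(2)
    length(2); handshake header msg_type(1) length(3); client_version(2)
    random(32) session_id_len(1) session_id cipher_suites_len(2) suites."""
    if len(data) < 5 or data[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = (data[3] << 8) | data[4]
    hs = data[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 4 or hs[0] != SSL2_CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    client_version = (hs[4], hs[5])
    sid_len = hs[38]                      # after 2-byte version + 32-byte random
    pos = 39 + sid_len
    suites_len = (hs[pos] << 8) | hs[pos + 1]
    if suites_len % 2 or pos + 2 + suites_len > len(hs):
        raise ValueError("bad cipher_suites length")
    return HelloInfo("tls", client_version, suites_len // 2)


def classify_client_hello(data: bytes, accept_ssl2_framing: bool):
    """Model the record layer's first decision.  Returns (accepted, detail).

    With only SSLv3/TLS framing enabled, the 0x80 lead byte of a v2-format
    hello cannot be a record type/version pair, which OpenSSL reports as
    "wrong version number" (the error seen in the thread's log).  With v2
    framing also enabled (SSLv23 method), the same bytes parse as a hello
    offering the version carried inside it."""
    if data[0] & 0x80:
        if not accept_ssl2_framing:
            return False, "wrong version number: SSLv2 framing not understood"
        info = parse_ssl2_compatible_hello(data)
    else:
        info = parse_tls_record_hello(data)
    return True, f"{info.framing} framing, offers {info.version[0]}.{info.version[1]}, {info.cipher_count} ciphers"


# Constructed sample: v2-format hello offering 3.1 with three cipher specs.
SSL2_COMPAT_HELLO = bytes([
    0x80, 0x22,             # header: high bit set, length 34
    0x01,                   # CLIENT-HELLO
    0x03, 0x01,             # highest version offered: 3.1 (TLS 1.0)
    0x00, 0x09,             # cipher_spec_len = 9
    0x00, 0x00,             # session_id_len = 0
    0x00, 0x10,             # challenge_len = 16
    0x00, 0x00, 0x04,       # TLS_RSA_WITH_RC4_128_MD5
    0x00, 0x00, 0x0A,       # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x01, 0x00, 0x80,       # SSL2_CK_RC4_128_WITH_MD5
]) + bytes(range(16))       # challenge (constructed, not random)

# Constructed sample: TLS-framed ClientHello offering 3.1 with two suites.
TLS_HELLO = bytes([
    0x16, 0x03, 0x01,       # handshake record, record version 3.1
    0x00, 0x2F,             # record length = 47
    0x01,                   # ClientHello
    0x00, 0x00, 0x2B,       # handshake length = 43
    0x03, 0x01,             # client_version 3.1
]) + bytes(32) + bytes([    # random (constructed zeros)
    0x00,                   # session_id_len = 0
    0x00, 0x04,             # cipher_suites_len = 4
    0x00, 0x04,             # TLS_RSA_WITH_RC4_128_MD5
    0x00, 0x0A,             # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    0x01, 0x00,             # compression_methods: one entry, null
])

if __name__ == "__main__":
    for name, msg in (("v2-format", SSL2_COMPAT_HELLO), ("tls-format", TLS_HELLO)):
        for v2_ok in (False, True):
            print(name, "accept_ssl2_framing=%s" % v2_ok, classify_client_hello(msg, v2_ok))
```

Running the block prints the four combinations; the v2-format hello is the only one whose outcome depends on the server's framing setting, which is the same asymmetry the thread observed between the TLSv1-only and SSLv23 configurations.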
Chris Rigg wrote:
Hi Scott,
Thanks for your quick response.
Yes, you are right -- to talk to LCS in Federation mode you MUST use
TLS transport. And in fact, I have tried this out. I am able to
establish a TLS session underneath me when the resip stack is a
client and the LCS's access proxy is the server. To do this, I had to
do a bunch of cert/pem stuff (as you might imagine). Essentially, I
copied the root_cert that I used on the LCS to sign the AP's to my
linux machine into $HOME/.sipCerts/. Then, of course, I had to also
copy the root_cert that I created on my Linux machine (that was used
to sign my domain_key for my resip stack) over to the AP's list of
trusted certificate authorities. And this worked! I was able to
establish a TLS session with LCS's AP w/out code modifications to the
stack (although as I stated in my previous mail, this initial
excitement quickly wore off once I started trying to reverse engineer
the MSFT SIP message extensions).
However, in the reverse direction (where resip is the server and
LCS's AP is the client) resip doesn't like something in the TLS
"compatible client hello" message and resip immediately sends a TCP RST.
So, any idea why resip would respond w/ a TCP RST? Is it just simply
that resip doesn't support any of their cipher suites?? The resip
logs seem to indicate a "version error" (I've included those below
too). Here is the ssldump of the messaging:
New TCP connection #1: lcs-im.com(1127) <-> bldr-ccm51.resip.com(5061)
1 1 0.0005 (0.0005) C>S SSLv2 compatible client hello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
SSL2_CK_RC4
SSL2_CK_3DES
SSL2_CK_RC2
TLS_RSA_WITH_DES_CBC_SHA
SSL2_CK_DES
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL2_CK_RC4_EXPORT40
SSL2_CK_RC2_EXPORT40
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
1 0.0088 (0.0083) S>C TCP RST
And here is the verbose level tracing that I have enabled on the
resip stack:
DEBUG | 20050816-152420.407 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
32375 | 3069674144 | TcpBaseTransport.cxx:109 | Received TCP
connection from: [ V4 10.94.150.117:1127 TLS received on: Transport:
[ V4 0.0.0.0:5061 TLS connectionId=0 ] connectionId=0 ] as fd=9
DEBUG | 20050816-152420.408 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
32375 | 3069674144 | ConnectionBase.cxx:42 |
ConnectionBase::ConnectionBase, who: [ V4 10.94.150.117:1127 TLS
received on: Transport: [ V4 0.0.0.0:5061 TLS connectionId=0 ]
connectionId=0 ] 0x8074d38
DEBUG | 20050816-152420.409 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
32375 | 3069674144 | TlsConnection.cxx:35 | Creating TLS connection [
V4 10.94.150.117:1127 TLS received on: Transport: [ V4 0.0.0.0:5061
TLS connectionId=0 ] connectionId=0 ] on 9
DEBUG | 20050816-152420.409 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
32375 | 3069674144 | TlsConnection.cxx:43 | Trying to form TLS
connection - acting as server
DEBUG | 20050816-152420.410 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
32375 | 3069674144 | TlsConnection.cxx:161 | TLS error in accept
ok=-1 err=1 error:00000001:lib(0):func(0):reason(1)
ERR | 20050816-152420.410 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
32375 | 3069674144 | TlsConnection.cxx:182 | TLS connection failed
ok=-1 err=1 error:00000001:lib(0):func(0):reason(1)
ERR | 20050816-152420.411 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
32375 | 3069674144 | TlsConnection.cxx:190 | (SSL Error ssl)
ERR | 20050816-152420.411 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
32375 | 3069674144 | TlsConnection.cxx:227 | error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version number
INFO | 20050816-152420.412 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
32375 | 3069674144 | TlsConnection.cxx:229 | Error code = 336130315
file=s3_pkt.c line=297
ERR | 20050816-152420.412 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
32375 | 3069674144 | TlsConnection.cxx:234 | Couldn't TLS connect
DEBUG | 20050816-152420.412 | bldr-ccm51 | limpc | RESIP | 32375 |
3069674144 | os/BaseException.cxx:17 | BaseException at
TlsConnection.cxx:108 TLS setup failed
INFO | 20050816-152420.413 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
32375 | 3069674144 | TransportSelector.cxx:187 | Exception thrown
from Transport::process: TransportException TLS setup failed @
TlsConnection.cxx:108
Thanks,
Chris
Scott Godin wrote:
Apparently to use "Federation Mode" you must use the TLS transport. As
far as I know - no one has tried this with resip yet. Although it
is on my list of things to try out. : )
On the other hand - I have used resip to communicate with LCS by
setting up the resip endpoint as a trusted node. Note: LCS does not support
UDP - so you must use a TCP transport. Don't expect to be able to
register with LCS though - since you need to implement those Microsoft
extensions that you mentioned (ie. Kerberos/NTLM Authentication instead
of Digest).
Scott
-----Original Message-----
From: resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of
Chris Rigg
Sent: Tuesday, August 16, 2005 5:21 PM
To: resiprocate-devel@xxxxxxxxxxxxxxxxxxx
Subject: [reSIProcate] reSIProcate and LCS?
Hello,
I am trying to connect reSIProcate to Microsoft's LCS (Live
Communications Server) in Federation mode (i.e. Public IM). In this
mode, instant messenger users (i.e. MOC clients) can communicate
OUTSIDE of their domain. For example, with Federation mode a user named
john@xxxxxxx (that uses LCS as their enterprise IM server) can IM
with sam@xxxxxxxx. The inter-domain protocol that is used to make
this happen is called "Federation". The protocol is basically just
some MSFT extensions onto standard SIP/SIMPLE messages. However, I'm
running into plenty of problems when trying to interoperate between
reSIProcate and LCS.
Has anyone tried to do something similar?? If so, was there a
detailed Microsoft Federation mode interface spec that you followed
or something?
Thanks,
Chris
_______________________________________________
resiprocate-devel mailing list
resiprocate-devel@xxxxxxxxxxxxxxxxxxx
https://list.sipfoundry.org/mailman/listinfo/resiprocate-devel