
Re: [reSIProcate-users] Resiprocate TLS help


...inline

> -----Original Message-----
> From: resiprocate-users-bounces@xxxxxxxxxxxxxxx [mailto:resiprocate-users-bounces@xxxxxxxxxxxxxxx] On Behalf Of Krister Jarl
> Sent: Thursday, November 29, 2007 9:03 AM
> To: Byron Campen
> Cc: resiprocate-users@xxxxxxxxxxxxxxx
> Subject: Re: [reSIProcate-users] Resiprocate TLS help
> 
> Ok that did the trick. Thanks! "TLS sessions set up with TLSv1
> TLSv1/SSLv3 AES256-SHA".
> 
> I have some follow-up questions on using resiprocate with TLS.
> 1. When the TLS connection is set up, do I have to encrypt/decrypt my
> SIP messages on my own or will the stack do this for me? Can I just
> call the send function just as usual?

[Scott] The stack (in combination with OpenSSL) handles this for you.  Just 
send messages as usual.

> 2. What's the behaviour of resiprocate when acting as client? Will it
> present a certificate? Does resiprocate support mutual TLS?

[Scott] When acting as a client resiprocate will verify the server's certificate 
(i.e. the domain used in the Request URI matches the domain presented in the 
certificate).  It will also send its own certificate if the server requests it 
(MTLS), and the certificate exists in the store.  On the server side, I'm about 
80% sure that resip will never request a certificate from the client.  
Therefore MTLS is supported when resip is acting as a client only.

> Thanks for your time.
> 
> Best regards
> Krister
> 
> >-----Original Message-----
> >From: Byron Campen [mailto:bcampen@xxxxxxxxxxxx]
> >Sent: 23 November 2007 21:26
> >To: Krister Jarl
> >Cc: resiprocate-users@xxxxxxxxxxxxxxx
> >Subject: Re: [reSIProcate-users] Resiprocate TLS help
> >
> >     I've looked at the code, and I'm pretty sure this was fixed in
> >version 1.2. If you can get your sipp instance to put an rport in its
> >Via, this should let things function ok with 1.1.
> >
> >Best regards,
> >Byron Campen
> >
> >> I'm running version 1.1. Please find the full log attached.
> >> Thanks!
> >>
> >>> -----Original Message-----
> >>> From: Byron Campen [mailto:bcampen@xxxxxxxxxxxx]
> >>> Sent: 23 November 2007 06:32
> >>> To: Krister Jarl
> >>> Cc: Boris Rozinov; resiprocate-users@xxxxxxxxxxxxxxx
> >>> Subject: Re: [reSIProcate-users] Resiprocate TLS help
> >>>
> >>>   This is very strange behavior. What revision are you running?
> >>> Also, full logs would help us debug.
> >>>
> >>> Best regards,
> >>> Byron Campen
> >>>
> >>>
> >>>> Ok, I see. Then what am I doing wrong?
> >>>> I'm just using one of the makeResponse functions to create the
> >>>> response and then passing it to the stack send function.
> >>>>
> >>>> /KJ
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: Boris Rozinov [mailto:borisrozinov@xxxxxxxx]
> >>>>> Sent: 22 November 2007 16:02
> >>>>> To: Krister Jarl; resiprocate-users@xxxxxxxxxxxxxxx
> >>>>> Subject: Re: [reSIProcate-users] Resiprocate TLS help
> >>>>>
> >>>>> It is not OK to try to open a new connection for sending the
> >>>>> response; the UA should reuse the same connection that the
> >>>>> request was received on. Only if this connection is
> >>>>> down should the UA open a new connection based on the value
> >>>>> retrieved from the Via header.
> >>>>>
> >>>>> --- Krister Jarl <kj@xxxxxxxxxxx> wrote:
> >>>>>
> >>>>>> Hi!
> >>>>>>
> >>>>>> I'm using the resiprocate stack to implement TLS support for our
> >>>>>> application, but I've encountered some problems.
> >>>>>>
> >>>>>> I've set up the security object and passed it to the stack. Receiving an
> >>>>>> INVITE works perfectly but when I'm trying to send a 100 Trying response
> >>>>>> I get the following:
> >>>>>>
> >>>>>> connection id 4 exists, but does not match the destination. ("Cid" and
> >>>>>> "Tuple" do not match. From what I can see the only thing that differs
> >>>>>> is the remote port.)
> >>>>>>
> >>>>>> So resiprocate then tries to set up a new connection (I guess this is
> >>>>>> OK?). However, during the handshake there's a certificate mismatch.
> >>>>>>
> >>>>>> "Certificate name mismatch: trying to connect to <> remote cert
> >>>>>> domain(s) are <X.X.X.X>"
> >>>>>>
> >>>>>> The remote cert domain is correct but why is the target domain empty?
> >>>>>> Checking the log file I can see that the target domain is 'unspecified'.
> >>>>>>
> >>>>>> I'm betting that I've overlooked something simple. All help is much
> >>>>>> appreciated!
> >>>>>>
> >>>>>> Also, when sending requests, can I think of the TlsTransport as an
> >>>>>> "encrypted pipe", just throwing my requests into it, or do I have to take
> >>>>>> some special actions before sending?
> >>>>>>
> >>>>>> Cheers,
> >>>>>>
> >>>>>> KJ
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> resiprocate-users mailing list
> >>>>>> resiprocate-users@xxxxxxxxxxxxxxx
> >>>>>> List Archive: http://resiprocate.org/archive/resiprocate-users/
> >>>>>
> >>>>
> >>
> >> <log.txt>
> 
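Boris's rule for routing a response (reuse the connection the request arrived on; fall back to the Via only when that connection is gone) and Byron's hint that an rport in the sipp Via makes 1.1 behave, modelled as an added example. This is not reSIProcate code; the hosts, ports and connection id are constructed sample values.

```cpp
// Added example, not reSIProcate code: a model of the response-routing rule
// from the thread (RFC 3261 18.2.2 and RFC 3581 rport). Addresses, ports and
// the connection id are constructed sample values.
#include <map>
#include <string>

struct Tuple {
    std::string host;
    int port;
    bool operator==(const Tuple& o) const { return host == o.host && port == o.port; }
};

// Topmost Via of a received request. The client fills in sent-by host:port;
// the receiver stamps "received"/"rport" with what it actually observed.
struct Via {
    std::string sentByHost;
    int sentByPort;
    bool rportRequested = false;  // ";rport" present with no value
    std::string received;         // empty until stampVia() sets it
    int rport = 0;                // 0 until stampVia() sets it
};

// RFC 3261 18.2.1 / RFC 3581: record the real source address and, if the
// client asked for it, the real (usually ephemeral) source port.
Via stampVia(Via via, const Tuple& source) {
    if (via.sentByHost != source.host) via.received = source.host;
    if (via.rportRequested) via.rport = source.port;
    return via;
}

// Live connections indexed by connection id ("Cid") -> remote tuple.
using ConnTable = std::map<int, Tuple>;

struct ResponseTarget {
    bool reusedConnection;  // true: sent on the connection the request came in on
    Tuple tuple;            // where the response goes
};

// Reuse the inbound connection while it is up. Only when it is gone is the
// destination derived from the Via: received/rport if stamped, else sent-by.
// Without rport the Via port (e.g. 5061) differs from the peer's real source
// port, which is the "Cid and Tuple do not match" situation in the thread.
ResponseTarget responseTarget(const ConnTable& conns, int inboundCid, const Via& via) {
    auto it = conns.find(inboundCid);
    if (it != conns.end()) return {true, it->second};
    Tuple viaTarget{via.received.empty() ? via.sentByHost : via.received,
                    via.rport ? via.rport : via.sentByPort};
    return {false, viaTarget};
}
```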