[reSIProcate] reSIProcate and LCS?

Chris Rigg cdrigg at comcast.net
Tue Aug 16 16:47:46 CDT 2005


Hi Scott,

Thanks for your quick response.

Yes, you are right -- to talk to LCS in Federation mode you MUST use TLS 
transport. And in fact, I have tried this out. I am able to establish a 
TLS session underneath me when the resip stack is a client and the LCS's 
access proxy is the server. To do this, I had to do a bunch of cert/pem 
stuff (as you might imagine). Essentially, I copied the root_cert that I 
used on the LCS to sign the AP's to my linux machine into 
$HOME/.sipCerts/. Then, of course, I had to also copy the root_cert that 
I created on my Linux machine (that was used to sign my domain_key for 
my resip stack) over to the AP's list of trusted certificate 
authorities. And this worked! I was able to establish a TLS session with 
LCS's AP w/out code modifications to the stack (although as I stated in 
my previous mail, this initial excitement quickly wore off once I started 
trying to reverse engineer the MSFT SIP message extensions).

However, in the reverse direction (where resip is the server and LCS's 
AP is the client) resip doesn't like something in the TLS "compatible 
client hello" message and resip immediately sends a TCP RST.

So, any idea why resip would respond w/ a TCP RST? Is it just simply 
that resip doesn't support any of their cipher suites?? The resip logs 
seem to indicate a "version error" (I've included those below too). Here 
is the ssldump of the messaging:

New TCP connection #1: lcs-im.com(1127) <-> bldr-ccm51.resip.com(5061)
1 1  0.0005 (0.0005)  C>S SSLv2 compatible client hello
  Version 3.1
  cipher suites
  TLS_RSA_WITH_RC4_128_MD5
  TLS_RSA_WITH_RC4_128_SHA
  TLS_RSA_WITH_3DES_EDE_CBC_SHA
  SSL2_CK_RC4
  SSL2_CK_3DES
  SSL2_CK_RC2
  TLS_RSA_WITH_DES_CBC_SHA
  SSL2_CK_DES
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  TLS_RSA_EXPORT_WITH_RC4_40_MD5
  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
  SSL2_CK_RC4_EXPORT40
  SSL2_CK_RC2_EXPORT40
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  TLS_DHE_DSS_WITH_DES_CBC_SHA
  TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
1    0.0088 (0.0083)  S>C  TCP RST

And here is the verbose level tracing that I have enabled on the resip 
stack:
DEBUG | 20050816-152420.407 | bldr-ccm51 | limpc | RESIP:TRANSPORT | 
32375 | 3069674144 | TcpBaseTransport.cxx:109 | Received TCP connection 
from: [ V4 10.94.150.117:1127 TLS received on: Transport: [ V4 
0.0.0.0:5061 TLS connectionId=0 ] connectionId=0 ] as fd=9
DEBUG | 20050816-152420.408 | bldr-ccm51 | limpc | RESIP:TRANSPORT | 
32375 | 3069674144 | ConnectionBase.cxx:42 | 
ConnectionBase::ConnectionBase, who: [ V4 10.94.150.117:1127 TLS 
received on: Transport: [ V4 0.0.0.0:5061 TLS connectionId=0 ] 
connectionId=0 ] 0x8074d38
DEBUG | 20050816-152420.409 | bldr-ccm51 | limpc | RESIP:TRANSPORT | 
32375 | 3069674144 | TlsConnection.cxx:35 | Creating TLS connection [ V4 
10.94.150.117:1127 TLS received on: Transport: [ V4 0.0.0.0:5061 TLS 
connectionId=0 ] connectionId=0 ] on 9
DEBUG | 20050816-152420.409 | bldr-ccm51 | limpc | RESIP:TRANSPORT | 
32375 | 3069674144 | TlsConnection.cxx:43 | Trying to form TLS 
connection - acting as server
DEBUG | 20050816-152420.410 | bldr-ccm51 | limpc | RESIP:TRANSPORT | 
32375 | 3069674144 | TlsConnection.cxx:161 | TLS error in accept ok=-1 
err=1 error:00000001:lib(0):func(0):reason(1)
ERR | 20050816-152420.410 | bldr-ccm51 | limpc | RESIP:TRANSPORT | 32375 
| 3069674144 | TlsConnection.cxx:182 | TLS connection failed ok=-1 err=1 
error:00000001:lib(0):func(0):reason(1)
ERR | 20050816-152420.411 | bldr-ccm51 | limpc | RESIP:TRANSPORT | 32375 
| 3069674144 | TlsConnection.cxx:190 |  (SSL Error ssl)
ERR | 20050816-152420.411 | bldr-ccm51 | limpc | RESIP:TRANSPORT | 32375 
| 3069674144 | TlsConnection.cxx:227 | error:1408F10B:SSL 
routines:SSL3_GET_RECORD:wrong version number
INFO | 20050816-152420.412 | bldr-ccm51 | limpc | RESIP:TRANSPORT | 
32375 | 3069674144 | TlsConnection.cxx:229 | Error code = 336130315 
file=s3_pkt.c line=297
ERR | 20050816-152420.412 | bldr-ccm51 | limpc | RESIP:TRANSPORT | 32375 
| 3069674144 | TlsConnection.cxx:234 | Couldn't TLS connect
DEBUG | 20050816-152420.412 | bldr-ccm51 | limpc | RESIP | 32375 | 
3069674144 | os/BaseException.cxx:17 | BaseException at 
TlsConnection.cxx:108 TLS setup failed
INFO | 20050816-152420.413 | bldr-ccm51 | limpc | RESIP:TRANSPORT | 
32375 | 3069674144 | TransportSelector.cxx:187 | Exception thrown from 
Transport::process: TransportException TLS setup failed @ 
TlsConnection.cxx:108

Thanks,
Chris

Scott Godin wrote:

>Apparently to use "Federation Mode" you must use the TLS transport.  As
>far as I know - no one has tried this with resip yet.  Although it is on
>my list of things to try out.  : )
>
>On the other hand - I have used resip to communicate with LCS by setting
>up the resip endpoint as a trusted node.  Note:  LCS does not support
>UDP - so you must use a TCP transport.  Don't expect to be able to
>register with LCS though - since you need to implement those Microsoft
>extensions that you mentioned (ie. Kerberos/NTLM Authentication instead
>of Digest).
>
>Scott
>
>-----Original Message-----
>From: resiprocate-devel-bounces at list.sipfoundry.org
>[mailto:resiprocate-devel-bounces at list.sipfoundry.org] On Behalf Of
>Chris Rigg
>Sent: Tuesday, August 16, 2005 5:21 PM
>To: resiprocate-devel at list.sipfoundry.org
>Subject: [reSIProcate] reSIProcate and LCS?
>
>Hello,
>
>I am trying to connect reSIProcate to Microsoft's LCS (Live 
>Communications Server) in Federation mode (i.e. Public IM). In this 
>mode, instant messenger users (i.e. MOC clients) can communicate OUTSIDE
>
>of their domain. For example, with Federation mode a user named 
>john at abc.com (that uses LCS as their enterprise IM server) can IM with 
>sam at aol.com. The inter-domain protocol that is used to make this happen 
>is called "Federation". The protocol is basically just some MSFT 
>extensions onto standard SIP/SIMPLE messages. However, I'm running into 
>plenty of problems when trying to interoperate between reSIProcate and
>LCS.
>
>Has anyone tried to do something similar?? If so, was there a detailed 
>Microsoft Federation mode interface spec that you followed or something?
>
>Thanks,
>Chris
>_______________________________________________
>resiprocate-devel mailing list
>resiprocate-devel at list.sipfoundry.org
>https://list.sipfoundry.org/mailman/listinfo/resiprocate-devel
>

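As an added illustration (not from this thread or the reSIProcate code) of why a record layer that only understands TLS-format records reports "wrong version number" when it receives an SSLv2-compatible client hello: the SSLv2 header carries a 15-bit length where a TLS record carries its content type and protocol version, so the version test fails before the embedded "Version 3.1" is ever seen. The cipher code points are the registered TLS/SSLv2 values for suites listed in the ssldump output above; the hello bytes are constructed for the example, not captured.

```python
import struct

# Registered cipher-spec codes for suites seen in the ssldump output above.
# SSLv2 hellos carry 3-byte "cipher kinds"; TLS suites ride in the same
# field with a leading 0x00 byte.
CIPHER_NAMES = {
    0x000004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000005: "TLS_RSA_WITH_RC4_128_SHA",
    0x00000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x000009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x010080: "SSL2_CK_RC4",    # SSL2 RC4_128_WITH_MD5
    0x0700C0: "SSL2_CK_3DES",   # SSL2 DES_192_EDE3_CBC_WITH_MD5
    0x060040: "SSL2_CK_DES",    # SSL2 DES_64_CBC_WITH_MD5
}

def parse_sslv2_client_hello(data):
    """Decode an SSLv2-format CLIENT-HELLO (ssldump's 'compatible client hello')."""
    if len(data) < 11 or not data[0] & 0x80 or data[2] != 0x01:
        raise ValueError("not an SSLv2 client hello")
    rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF        # 15-bit record length
    major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBHHH", data[3:11])
    if cs_len % 3 or 11 + cs_len + sid_len + ch_len != 2 + rec_len:
        raise ValueError("length fields inconsistent")
    specs = [int.from_bytes(data[i:i + 3], "big") for i in range(11, 11 + cs_len, 3)]
    return {"version": (major, minor),
            "ciphers": [CIPHER_NAMES.get(c, "0x%06x" % c) for c in specs]}

def tls_record_layer_check(data):
    """Simplified TLS-only record layer: byte 0 is the content type, bytes 1-2
    the record version. An SSLv2 header puts its length there instead, which
    is what produces the 'wrong version number' failure in the log above."""
    ctype, major, minor = data[0], data[1], data[2]
    if major != 3:
        return "wrong version number (type=0x%02x version=%d.%d)" % (ctype, major, minor)
    return "ok"

def build_sslv2_client_hello(version, specs, challenge=b"\x00" * 16):
    """Constructed sample hello for offline testing (not a captured packet)."""
    body = struct.pack(">BBBHHH", 1, version[0], version[1], 3 * len(specs), 0, len(challenge))
    body += b"".join(c.to_bytes(3, "big") for c in specs) + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

if __name__ == "__main__":
    hello = build_sslv2_client_hello((3, 1), [0x000004, 0x010080, 0x0700C0])
    print(parse_sslv2_client_hello(hello))   # version (3, 1) and the three suite names
    print(tls_record_layer_check(hello))      # wrong version number (type=0x80 ...)
```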