[reSIProcate] reSIProcate and LCS?
Chris Rigg
cdrigg at comcast.net
Tue Aug 16 18:34:56 CDT 2005
Hi Scott, Sandeep,
FYI: I sort of answered my own question later this afternoon. The reason
TLS wasn't working when resip was the server was that the
sipStack->addTransport() function is defaulting TlsTransport to
SecurityTypes::TLSv1. When LCS sends the SSLv2 compatible client hello
message, it sent a RST because my TLS layer didn't recognize a v2
message. So, I changed my application (limpc) and added
SecurityTypes::SSLv23 and that worked (at least it got me further). Now,
the LCS server is sending a RST after the ServerHelloDone message from
resip.
Chris
Chris Rigg wrote:
> Hi Scott,
>
> Thanks for your quick response.
>
> Yes, you are right -- to talk to LCS in Federation mode you MUST use
> TLS transport. And in fact, I have tried this out. I am able to
> establish a TLS session underneath me when the resip stack is a client
> and the LCS's access proxy is the server. To do this, I had to do a
> bunch of cert/pem stuff (as you might imagine). Essentially, I copied
> the root_cert that I used on the LCS to sign the AP's to my linux
> machine into $HOME/.sipCerts/. Then, of course, I had to also copy the
> root_cert that I created on my Linux machine (that was used to sign my
> domain_key for my resip stack) over to the AP's list of trusted
> certificate authorities. And this worked! I was able to establish a
> TLS session with LCS's AP w/out code modifications to the stack
> (although as I stated in my previous mail, this initial excitement
> quickly wore off once I started trying to reverse engineer the MSFT
> SIP message extensions).
>
> However, in the reverse direction (where resip is the server and LCS's
> AP is the client) resip doesn't like something in the TLS "compatible
> client hello" message and resip immediately sends a TCP RST.
>
> So, any idea why resip would respond w/ a TCP RST? Is it just simply
> that resip doesn't support any of their cipher suites?? The resip logs
> seem to indicate a "version error" (I've included those below too).
> Here is the ssldump of the messaging:
>
> New TCP connection #1: lcs-im.com(1127) <-> bldr-ccm51.resip.com(5061)
> 1 1 0.0005 (0.0005) C>S SSLv2 compatible client hello
> Version 3.1
> cipher suites
> TLS_RSA_WITH_RC4_128_MD5
> TLS_RSA_WITH_RC4_128_SHA
> TLS_RSA_WITH_3DES_EDE_CBC_SHA
> SSL2_CK_RC4
> SSL2_CK_3DES
> SSL2_CK_RC2
> TLS_RSA_WITH_DES_CBC_SHA
> SSL2_CK_DES
> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> TLS_RSA_EXPORT_WITH_RC4_40_MD5
> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
> SSL2_CK_RC4_EXPORT40
> SSL2_CK_RC2_EXPORT40
> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> TLS_DHE_DSS_WITH_DES_CBC_SHA
> TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
> 1 0.0088 (0.0083) S>C TCP RST
>
> And here is the verbose level tracing that I have enabled on the resip
> stack:
> DEBUG | 20050816-152420.407 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
> 32375 | 3069674144 | TcpBaseTransport.cxx:109 | Received TCP
> connection from: [ V4 10.94.150.117:1127 TLS received on: Transport: [
> V4 0.0.0.0:5061 TLS connectionId=0 ] connectionId=0 ] as fd=9
> DEBUG | 20050816-152420.408 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
> 32375 | 3069674144 | ConnectionBase.cxx:42 |
> ConnectionBase::ConnectionBase, who: [ V4 10.94.150.117:1127 TLS
> received on: Transport: [ V4 0.0.0.0:5061 TLS connectionId=0 ]
> connectionId=0 ] 0x8074d38
> DEBUG | 20050816-152420.409 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
> 32375 | 3069674144 | TlsConnection.cxx:35 | Creating TLS connection [
> V4 10.94.150.117:1127 TLS received on: Transport: [ V4 0.0.0.0:5061
> TLS connectionId=0 ] connectionId=0 ] on 9
> DEBUG | 20050816-152420.409 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
> 32375 | 3069674144 | TlsConnection.cxx:43 | Trying to form TLS
> connection - acting as server
> DEBUG | 20050816-152420.410 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
> 32375 | 3069674144 | TlsConnection.cxx:161 | TLS error in accept ok=-1
> err=1 error:00000001:lib(0):func(0):reason(1)
> ERR | 20050816-152420.410 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
> 32375 | 3069674144 | TlsConnection.cxx:182 | TLS connection failed
> ok=-1 err=1 error:00000001:lib(0):func(0):reason(1)
> ERR | 20050816-152420.411 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
> 32375 | 3069674144 | TlsConnection.cxx:190 | (SSL Error ssl)
> ERR | 20050816-152420.411 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
> 32375 | 3069674144 | TlsConnection.cxx:227 | error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number
> INFO | 20050816-152420.412 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
> 32375 | 3069674144 | TlsConnection.cxx:229 | Error code = 336130315
> file=s3_pkt.c line=297
> ERR | 20050816-152420.412 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
> 32375 | 3069674144 | TlsConnection.cxx:234 | Couldn't TLS connect
> DEBUG | 20050816-152420.412 | bldr-ccm51 | limpc | RESIP | 32375 |
> 3069674144 | os/BaseException.cxx:17 | BaseException at
> TlsConnection.cxx:108 TLS setup failed
> INFO | 20050816-152420.413 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
> 32375 | 3069674144 | TransportSelector.cxx:187 | Exception thrown from
> Transport::process: TransportException TLS setup failed @
> TlsConnection.cxx:108
>
> Thanks,
> Chris
>
> Scott Godin wrote:
>
>> Apparently to use "Federation Mode" you must use the TLS transport. As
>> far as I know - no one has tried this with resip yet. Although it is on
>> my list of things to try out. : )
>>
>> On the other hand - I have used resip to communicate with LCS by setting
>> up the resip endpoint as a trusted node. Note: LCS does not support
>> UDP - so you must use a TCP transport. Don't expect to be able to
>> register with LCS though - since you need to implement those Microsoft
>> extensions that you mentioned (ie. Kerberos/NTLM Authentication instead
>> of Digest).
>>
>> Scott
>>
>> -----Original Message-----
>> From: resiprocate-devel-bounces at list.sipfoundry.org
>> [mailto:resiprocate-devel-bounces at list.sipfoundry.org] On Behalf Of
>> Chris Rigg
>> Sent: Tuesday, August 16, 2005 5:21 PM
>> To: resiprocate-devel at list.sipfoundry.org
>> Subject: [reSIProcate] reSIProcate and LCS?
>>
>> Hello,
>>
>> I am trying to connect reSIProcate to Microsoft's LCS (Live
>> Communications Server) in Federation mode (i.e. Public IM). In this
>> mode, instant messenger users (i.e. MOC clients) can communicate OUTSIDE
>> of their domain. For example, with Federation mode a user named
>> john at abc.com (that uses LCS as their enterprise IM server) can IM
>> with sam at aol.com. The inter-domain protocol that is used to make this
>> happen is called "Federation". The protocol is basically just some
>> MSFT extensions onto standard SIP/SIMPLE messages. However, I'm
>> running into plenty of problems when trying to interoperate between
>> reSIProcate and LCS.
>>
>> Has anyone tried to do something similar?? If so, was there a
>> detailed Microsoft Federation mode interface spec that you followed
>> or something?
>>
>> Thanks,
>> Chris
>> _______________________________________________
>> resiprocate-devel mailing list
>> resiprocate-devel at list.sipfoundry.org
>> https://list.sipfoundry.org/mailman/listinfo/resiprocate-devel
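The failure discussed in this thread comes down to record framing: an "SSLv2 compatible client hello" uses the 2-byte SSL 2.0 record header even though it offers version 3.1, and a server whose record layer speaks only SSLv3/TLS reads those first bytes as a content type and version, which is what the "SSL3_GET_RECORD:wrong version number" error reports. The following is an added example, not code from the thread or from the reSIProcate project. It builds a V2ClientHello carrying the same 17 cipher suites ssldump printed (a constructed message, not the capture from the LCS access proxy), parses both v2-compatible and v3 framing, shows what a v3-only record layer would see, and flags the SSL 2.0 and export-grade suites in the offer. The wire layout follows RFC 2246 appendix E and the cipher codes are the standard SSL 2.0 / RFC 2246 / 56-bit export draft values; the function names are mine.

```python
"""Parse an SSLv2-compatible ClientHello (RFC 2246 appendix E) and show why a
record layer that only accepts SSLv3/TLS framing rejects it. Added example;
not reSIProcate code. Sample messages are constructed, not captured."""
import struct

# Cipher identifiers as carried in a V2ClientHello (3 bytes each). TLS suites
# are 0x00 followed by the 2-byte RFC 2246 value; SSLv2 specs are the 3-byte
# SSL 2.0 codes. Listed in the order ssldump showed them in the thread.
CIPHER_NAMES = {
    0x000004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000005: "TLS_RSA_WITH_RC4_128_SHA",
    0x00000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x010080: "SSL2_CK_RC4",
    0x0700C0: "SSL2_CK_3DES",
    0x030080: "SSL2_CK_RC2",
    0x000009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x060040: "SSL2_CK_DES",
    0x000064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x000062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x000003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x000006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x020080: "SSL2_CK_RC4_EXPORT40",
    0x040080: "SSL2_CK_RC2_EXPORT40",
    0x000013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x000012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x000063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
}


def build_v2_client_hello(version=(3, 1), ciphers=tuple(CIPHER_NAMES), challenge=bytes(16)):
    """V2ClientHello: 2-byte header (bit 15 set, 15-bit length), msg_type 1,
    version, three 16-bit lengths, 3-byte cipher specs, session id, challenge.
    Constructed test input mirroring the ssldump listing in the thread."""
    specs = b"".join(c.to_bytes(3, "big") for c in ciphers)
    body = (bytes([1]) + bytes(version)
            + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_v3_client_hello(version=(3, 1), suites=(0x0004, 0x000A)):
    """The same kind of offer in SSLv3/TLS record framing (constructed)."""
    body = (bytes(version) + bytes(32)            # client_version, random
            + b"\x00"                               # empty session_id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00")                          # compression: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


def parse_client_hello(data):
    """Return framing, offered version and cipher list for either framing."""
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 3:
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 1:
            raise ValueError("not a ClientHello handshake message")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        version = (body[0], body[1])
        p = 34                                      # skip version + random
        p += 1 + body[p]                            # skip session_id
        cs_len = struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        ciphers = [struct.unpack("!H", body[p + i:p + i + 2])[0]
                   for i in range(0, cs_len, 2)]
        return {"framing": "v3", "version": version, "ciphers": ciphers}
    if len(data) >= 2 and data[0] & 0x80:
        msg_len = struct.unpack("!H", data[:2])[0] & 0x7FFF
        body = data[2:2 + msg_len]
        if len(body) != msg_len or body[0] != 1:
            raise ValueError("truncated or non-CLIENT-HELLO v2 record")
        version = (body[1], body[2])
        cs_len, sid_len, ch_len = struct.unpack("!HHH", body[3:9])
        if cs_len % 3 or len(body) != 9 + cs_len + sid_len + ch_len:
            raise ValueError("inconsistent v2 length fields")
        specs = body[9:9 + cs_len]
        ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        return {"framing": "v2-compatible", "version": version, "ciphers": ciphers}
    raise ValueError("unrecognised record framing")


def v3_record_layer_view(data):
    """What a server that only speaks SSLv3/TLS framing makes of the first
    bytes: content type, then a 2-byte version. For a V2ClientHello the 'type'
    is the length high byte with bit 7 set and the 'version' is the length low
    byte plus msg_type, so the major byte is not 3 and the record is rejected."""
    rec_type, major, minor = data[0], data[1], data[2]
    return {"type": rec_type, "version": (major, minor), "accepted": major == 3}


def audit_offer(parsed):
    """Findings a practitioner wants from the offer: SSL 2.0 specs, export
    suites, and a legacy top version."""
    names = [CIPHER_NAMES.get(c, "0x%06X" % c) for c in parsed["ciphers"]]
    findings = []
    if any(n.startswith("SSL2_") for n in names):
        findings.append("offers SSL 2.0 cipher specs")
    if any("EXPORT" in n for n in names):
        findings.append("offers export-grade suites")
    if parsed["version"] <= (3, 1):
        findings.append("highest version offered is %d.%d" % parsed["version"])
    return names, findings


if __name__ == "__main__":
    hello = build_v2_client_hello()
    print(hello[:5].hex(), v3_record_layer_view(hello))
    names, findings = audit_offer(parse_client_hello(hello))
    print("\n".join(names))
    print(findings)
```

Running it shows the first five bytes of the constructed hello as 80 4c 01 03 01: a v3-only record layer reads type 0x80 and version 0x4c01, which is the mismatch behind the "wrong version number" log line, while the same parser reads the v2 framing correctly and reports that the offer still contains SSL 2.0 and export-grade suites that a server should not accept even after it tolerates the v2 header.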