[reSIProcate] reSIProcate and LCS?
Chris Rigg
cdrigg at comcast.net
Wed Aug 17 16:11:43 CDT 2005
Hi Scott, Sandeep, Chris,
FYI: I was able to get TLS working w/ the LCS's AP when resip was the
server (i.e. LCS is now accepting our certificates). Had to remove the
subjectAltName field and put the FQDN as the Common Name in the Subject
field. Also needed to (of course) make sure the certificate authority
that signed my certificate was installed as a trusted root certificate
in the LCS's AP's database.
Anyway, if you guys run into problems w/ TLS and the LCS AP, let me know
because I've got it working now in both directions (i.e. in both client
and server mode).
Chris
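The "SSLv2 compatible client hello" that made the TLSv1-only transport answer with a RST can be told apart from a TLS-framed hello by its first bytes. The block below is an added example, not code from this thread or from reSIProcate: it classifies a captured ClientHello's framing and version and names the offered cipher suites (flagging SSLv2-only and export-grade ones); the sample hello it builds is constructed here, not copied from the ssldump quoted further down.

```python
# Added example, not from the thread or reSIProcate: classify the first bytes
# a TLS server reads on a new connection, distinguishing an SSLv2-compatible
# ClientHello ("Version 3.1" inside SSLv2 framing) from a TLS-record one.
import struct
# Wire codes for a few suites named in the ssldump (OpenSSL/ssldump names).
SUITES = {
    0x000004: "TLS_RSA_WITH_RC4_128_MD5",
    0x00000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x000003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x000013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x010080: "SSL2_CK_RC4",
    0x0700C0: "SSL2_CK_3DES",
}

def classify_client_hello(data: bytes) -> dict:
    """Return framing, client version and cipher suites of a ClientHello."""
    if len(data) < 11:
        raise ValueError("too short for a ClientHello")
    if data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 record: 2-byte length with high bit set, msg type 0x01, version,
        # then cipher-spec/session-id/challenge lengths; specs are 3 bytes each
        # (TLS suites appear as 0x00 + their 2-byte code).
        major, minor, cs_len, _sid, _ch = struct.unpack(">BBHHH", data[3:11])
        specs = data[11:11 + cs_len]
        codes = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        framing = "sslv2-compatible"
    elif data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        # TLS record header (5 bytes) + handshake header (4 bytes), then
        # client_version, random(32), session_id, cipher_suites.
        major, minor = data[9], data[10]
        pos = 11 + 32                      # past client_version and random
        pos += 1 + data[pos]               # skip session_id
        cs_len = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        codes = [struct.unpack(">H", data[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        framing = "tls-record"
    else:
        # A server that only parses 5-byte TLS record headers ends up here on an
        # SSLv2 hello: the bytes it expects to hold the 0x03 0x01 version are the
        # SSLv2 length/msg type, hence OpenSSL's "SSL3_GET_RECORD:wrong version number".
        raise ValueError("not a recognised ClientHello")
    names = [SUITES.get(c, "unknown_%06x" % c) for c in codes]
    weak = [n for n in names if n.startswith("SSL2_") or "EXPORT" in n]
    return {"framing": framing, "version": (major, minor), "suites": names, "weak": weak}

def build_sslv2_hello(codes, challenge: bytes = b"\x00" * 16) -> bytes:
    """Constructed sample: an SSLv2-compatible ClientHello advertising TLS 1.0."""
    specs = b"".join(c.to_bytes(3, "big") for c in codes)
    body = struct.pack(">BBBHHH", 0x01, 3, 1, len(specs), 0, len(challenge)) + specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body
```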
Chris Rigg wrote:
> Hi Scott, Sandeep,
>
> FYI: I sort of answered my own question later this afternoon. The
> reason why TLS wasn't working when resip was the server was because
> the sipStack->addTransport() function is defaulting TlsTransport to
> SecurityTypes::TLSv1. When LCS sends the SSLv2 compatible client hello
> message, it sent a RST because my TLS layer didn't recognize a v2
> message. So, I changed my application (limpc) and added
> SecurityTypes::SSLv23 and that worked (at least it got me further).
> Now, the LCS server is sending a RST after the ServerHelloDone message
> from resip.
>
> Chris
>
> Chris Rigg wrote:
>
>> Hi Scott,
>>
>> Thanks for your quick response.
>>
>> Yes, you are right -- to talk to LCS in Federation mode you MUST use
>> TLS transport. And in fact, I have tried this out. I am able to
>> establish a TLS session underneath me when the resip stack is a
>> client and the LCS's access proxy is the server. To do this, I had to
>> do a bunch of cert/pem stuff (as you might imagine). Essentially, I
>> copied the root_cert that I used on the LCS to sign the AP's to my
>> linux machine into $HOME/.sipCerts/. Then, of course, I had to also
>> copy the root_cert that I created on my Linux machine (that was used
>> to sign my domain_key for my resip stack) over to the AP's list of
>> trusted certificate authorities. And this worked! I was able to
>> establish a TLS session with LCS's AP w/out code modifications to the
>> stack (although as I stated in my previous mail, this initial
>> excitement quickly wore off once I started trying to reverse engineer
>> the MSFT SIP message extensions).
>>
>> However, in the reverse direction (where resip is the server and
>> LCS's AP is the client) resip doesn't like something in the TLS
>> "compatible client hello" message and resip immediately sends a TCP RST.
>>
>> So, any idea why resip would respond w/ a TCP RST? Is it just simply
>> that resip doesn't support any of their cipher suites?? The resip
>> logs seem to indicate a "version error" (I've included those below
>> too). Here is the ssldump of the messaging:
>>
>> New TCP connection #1: lcs-im.com(1127) <-> bldr-ccm51.resip.com(5061)
>> 1 1 0.0005 (0.0005) C>S SSLv2 compatible client hello
>> Version 3.1
>> cipher suites
>> TLS_RSA_WITH_RC4_128_MD5
>> TLS_RSA_WITH_RC4_128_SHA
>> TLS_RSA_WITH_3DES_EDE_CBC_SHA
>> SSL2_CK_RC4
>> SSL2_CK_3DES
>> SSL2_CK_RC2
>> TLS_RSA_WITH_DES_CBC_SHA
>> SSL2_CK_DES
>> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>> TLS_RSA_EXPORT_WITH_RC4_40_MD5
>> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>> SSL2_CK_RC4_EXPORT40
>> SSL2_CK_RC2_EXPORT40
>> TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>> TLS_DHE_DSS_WITH_DES_CBC_SHA
>> TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
>> 1 0.0088 (0.0083) S>C TCP RST
>>
>> And here is the verbose level tracing that I have enabled on the
>> resip stack:
>> DEBUG | 20050816-152420.407 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
>> 32375 | 3069674144 | TcpBaseTransport.cxx:109 | Received TCP
>> connection from: [ V4 10.94.150.117:1127 TLS received on: Transport:
>> [ V4 0.0.0.0:5061 TLS connectionId=0 ] connectionId=0 ] as fd=9
>> DEBUG | 20050816-152420.408 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
>> 32375 | 3069674144 | ConnectionBase.cxx:42 |
>> ConnectionBase::ConnectionBase, who: [ V4 10.94.150.117:1127 TLS
>> received on: Transport: [ V4 0.0.0.0:5061 TLS connectionId=0 ]
>> connectionId=0 ] 0x8074d38
>> DEBUG | 20050816-152420.409 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
>> 32375 | 3069674144 | TlsConnection.cxx:35 | Creating TLS connection [
>> V4 10.94.150.117:1127 TLS received on: Transport: [ V4 0.0.0.0:5061
>> TLS connectionId=0 ] connectionId=0 ] on 9
>> DEBUG | 20050816-152420.409 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
>> 32375 | 3069674144 | TlsConnection.cxx:43 | Trying to form TLS
>> connection - acting as server
>> DEBUG | 20050816-152420.410 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
>> 32375 | 3069674144 | TlsConnection.cxx:161 | TLS error in accept
>> ok=-1 err=1 error:00000001:lib(0):func(0):reason(1)
>> ERR | 20050816-152420.410 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
>> 32375 | 3069674144 | TlsConnection.cxx:182 | TLS connection failed
>> ok=-1 err=1 error:00000001:lib(0):func(0):reason(1)
>> ERR | 20050816-152420.411 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
>> 32375 | 3069674144 | TlsConnection.cxx:190 | (SSL Error ssl)
>> ERR | 20050816-152420.411 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
>> 32375 | 3069674144 | TlsConnection.cxx:227 | error:1408F10B:SSL
>> routines:SSL3_GET_RECORD:wrong version number
>> INFO | 20050816-152420.412 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
>> 32375 | 3069674144 | TlsConnection.cxx:229 | Error code = 336130315
>> file=s3_pkt.c line=297
>> ERR | 20050816-152420.412 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
>> 32375 | 3069674144 | TlsConnection.cxx:234 | Couldn't TLS connect
>> DEBUG | 20050816-152420.412 | bldr-ccm51 | limpc | RESIP | 32375 |
>> 3069674144 | os/BaseException.cxx:17 | BaseException at
>> TlsConnection.cxx:108 TLS setup failed
>> INFO | 20050816-152420.413 | bldr-ccm51 | limpc | RESIP:TRANSPORT |
>> 32375 | 3069674144 | TransportSelector.cxx:187 | Exception thrown
>> from Transport::process: TransportException TLS setup failed @
>> TlsConnection.cxx:108
>>
>> Thanks,
>> Chris
>>
>> Scott Godin wrote:
>>
>>> Apparently to use "Federation Mode" you must use the TLS transport. As
>>> far as I know - no one has tried this with resip yet. Although it is on
>>> my list of things to try out. : )
>>>
>>> On the other hand - I have used resip to communicate with LCS by setting
>>> up the resip endpoint as a trusted node. Note: LCS does not support
>>> UDP - so you must use a TCP transport. Don't expect to be able to
>>> register with LCS though - since you need to implement those Microsoft
>>> extensions that you mentioned (i.e. Kerberos/NTLM Authentication instead
>>> of Digest).
>>>
>>> Scott
>>>
>>> -----Original Message-----
>>> From: resiprocate-devel-bounces at list.sipfoundry.org
>>> [mailto:resiprocate-devel-bounces at list.sipfoundry.org] On Behalf Of
>>> Chris Rigg
>>> Sent: Tuesday, August 16, 2005 5:21 PM
>>> To: resiprocate-devel at list.sipfoundry.org
>>> Subject: [reSIProcate] reSIProcate and LCS?
>>>
>>> Hello,
>>>
>>> I am trying to connect reSIProcate to Microsoft's LCS (Live
>>> Communications Server) in Federation mode (i.e. Public IM). In this
>>> mode, instant messenger users (i.e. MOC clients) can communicate OUTSIDE
>>> of their domain. For example, with Federation mode a user named
>>> john at abc.com (that uses LCS as their enterprise IM server) can IM
>>> with sam at aol.com. The inter-domain protocol that is used to make
>>> this happen is called "Federation". The protocol is basically just
>>> some MSFT extensions onto standard SIP/SIMPLE messages. However, I'm
>>> running into plenty of problems when trying to interoperate between
>>> reSIProcate and LCS.
>>>
>>> Has anyone tried to do something similar?? If so, was there a
>>> detailed Microsoft Federation mode interface spec that you followed
>>> or something?
>>>
>>> Thanks,
>>> Chris
>>> _______________________________________________
>>> resiprocate-devel mailing list
>>> resiprocate-devel at list.sipfoundry.org
>>> https://list.sipfoundry.org/mailman/listinfo/resiprocate-devel
>>>
>>>
>>>
>>
>