1. Brekeke Product Name and version:
BSS 3.0.7.0 ADV
2. Java version:
1.6.0
3. OS type and the version:
Ubuntu 10.04
4. UA (phone), gateway or other hardware/software involved:
Bria3
5. Select your network pattern from http://www.brekeke-sip.com/bbs/network/ ... terns.html :
6. Your problem:
With TLS+SRTP set, a phone call between the two UAs works fine.
However, if I set TLS+SRTP+dialplan (for prefix routing), BSS stops working.
In addition, there was no system log, but the brekeke process was alive.
Here is my dialplan:
================
matching pattern
================
$request=^INVITE
To=sip:(88.+)@
================
deploy pattern
================
To=sip:%1@xxx.xxx.xxx.xxx (it's real-IP)
On the other hand, if I turn off TLS on BSS, everything works fine.
--- additional information
If I call 8888, then BSS freezes.
The dump log option is as below:
net.sip.loglevel.file=255
Please help me check this issue.
BSS freezing when I use prefix routing with TLS
Moderator: Brekeke Support Team
Hi redmiru,
> To=sip:%1@xxx.xxx.xxx.xxx (it's real-IP)
Is there any SIP UA running at xxx.xxx.xxx.xxx?
Is it a registered UA?
What's the destination port number?
> net.sip.loglevel.file=255
Also set the following.
----------------------------------
net.tls.loglevel.file = 255
net.sip.tls.log.reject = true
net.sip.tls.log.dump.info = true
----------------------------------
Dear Harold,
Thank you for your interest!!
1)
Is there any SIP UA running at xxx.xxx.xxx.xxx?
--> No, it's another SIP server.
If the prefix starts with 88, INVITE packets must be delivered to SIP server A,
and all INVITE packets with a prefix other than 88 must be delivered to SIP server B,
so I set this rule.
Is it a registered UA?
--> It is a SIP server, so xxx.xxx.xxx.xxx is not registered at BSS.
What's the destination port number?
--> It uses port 5060.
2) dial plan
OK, I'll set it as you said and keep an eye on it.
Harold wrote:
Hi redmiru,
> To=sip:%1@xxx.xxx.xxx.xxx (it's real-IP)
Is there any SIP UA running at xxx.xxx.xxx.xxx?
Is it a registered UA?
What's the destination port number?
> net.sip.loglevel.file=255
Also set the following.
----------------------------------
net.tls.loglevel.file = 255
net.sip.tls.log.reject = true
net.sip.tls.log.dump.info = true
----------------------------------
I want to connect as below.
1) Bria3 ---- (TLS) ---- BSS1 ---- (Non-TLS) --- BSS2
If the INVITE's To SIP ID prefix starts with 88, then it must be routed to BSS2.
2) Bria3 ---- (TLS) ---- BSS1 ---- (Non-TLS) --- BSS3
If the INVITE's To SIP ID prefix starts with anything except 88, then it must be routed to BSS3.
Question:
a. Are 1) and 2) possible?
b. BSS1 is set to [Peer Certification Validation]="on", but BSS always freezes when I call.
c. When BSS falls into the freezing status, the log is as below.
===============================
sv: open logging-file: '/usr/local/brekeke/webapps/sip/WEB-INF/work/sv/log/2012/08/sv.20120819.2.log'
sv: logging-plugin: com.brekeke.common.Logging
sv: 'IDC_SIP' at 'XXX' is starting...
sv: os=Linux (amd64:2.6.32-42-server) distribution=Debian java=1.6.0_29 (Sun Microsystems Inc.)
sv: total.mem=62128128 free.mem=60825688 cpu=8
svlistener: start at 08/19/12 06:06:46.688
tls-listener: start
TLS: Certificates ===================================
JKS File: /usr/local/brekeke/webapps/sip/WEB-INF/work/sv/key/keystore.jks
Local-Cert: Serial#: (CONFIDENTIAL)
Local-Cert: Issuer: CN=Thawte SSL CA,O=Thawte\, Inc.,C=US
Local-Cert: Subject: (CONFIDENTIAL)
Local-Cert: Signature: (CONFIDENTIAL)
Local-Cert: Valid from: 03/12/12 00:00:00.000 until : 04/11/13 23:59:59.000
============================================
TLS:SupportedCipherSuites ===================================
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_DH_anon_WITH_RC4_128_MD5
TLS_DH_anon_WITH_AES_128_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
TLS_KRB5_WITH_RC4_128_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
============================================
TLS:EnabledCipherSuites ===================================
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
============================================
TLS:SupportedProtocols ===================================
SSLv2Hello
SSLv3
TLSv1
============================================
TLS:EnabledProtocols ===================================
SSLv2Hello
SSLv3
TLSv1
============================================
tls-listener: listen-port=5061
svlistener: open session-log '/usr/local/brekeke/webapps/sip/WEB-INF/work/sv/log/2012/08/session.20120819.log'.
svlistener: open dial-plan '/usr/local/brekeke/webapps/sip/WEB-INF/work/sv/etc/dialplan.tbl'.
svlistener: hostname=BSS3 listen-port=5060
svlistener: interface={ (CONFIDENTIAL) }
===============================
4) So I tried to start BSS again on the web page (it always changed to Inactive status), and BSS displayed an error message:
"Port not ready. Check firewall settings and conflicting applications, then restart machine."
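Independently of the freeze, the enabled cipher suite and protocol lists in the sv log above are a security finding in their own right: the enabled set includes export-grade, single-DES, RC4 and HMAC-MD5 suites, and SSLv3 is enabled (SSLv3 was later formally deprecated by RFC 7568). The script below is an added example, not Brekeke's code and not posted by anyone in this thread. It parses the `TLS:EnabledCipherSuites` and `TLS:EnabledProtocols` blocks in the log format shown above and flags weak entries. The embedded log excerpt is a constructed, abridged copy of the post's output, and the classification rules are the editor's, not Brekeke's.

```python
import re

# Constructed, abridged excerpt modelled on the sv log posted in the thread
# (not the real file; suite and protocol names are the ones the post shows).
SV_LOG = """\
tls-listener: start
TLS:EnabledCipherSuites ===================================
SSL_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
============================================
TLS:EnabledProtocols ===================================
SSLv2Hello
SSLv3
TLSv1
============================================
tls-listener: listen-port=5061
"""

SECTION_RE = re.compile(r"^TLS:(\w+) =+\s*$")   # "TLS:EnabledCipherSuites ====..."
END_RE = re.compile(r"^=+\s*$")                 # "============" closes a block

# Protocol-level findings (editor's classification, not Brekeke's).
PROTOCOL_FINDINGS = {
    "SSLv3": "SSLv3 enabled (deprecated by RFC 7568)",
    "SSLv2Hello": "SSLv2-format ClientHello accepted (legacy compatibility)",
}


def parse_tls_sections(log):
    """Return {section_name: [entries]} for every 'TLS:<Name> ====' block."""
    sections, current = {}, None
    for line in log.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif END_RE.match(line):
            current = None
        elif current is not None and line.strip():
            sections[current].append(line.strip())
    return sections


def suite_findings(name):
    """Reasons a JSSE cipher suite name is weak; an empty list means acceptable."""
    reasons = []
    if name.endswith("_SCSV"):
        return reasons  # signalling value, not an actual cipher suite
    if "_EXPORT_" in name:
        reasons.append("export-grade key length")
    if re.search(r"_WITH_DES(40)?_", name):
        reasons.append("single DES")
    if "3DES" in name:
        reasons.append("3DES, 64-bit block cipher")
    if "_NULL_" in name:
        reasons.append("no encryption")
    if "_anon_" in name:
        reasons.append("anonymous key exchange, no server authentication")
    if "RC4" in name:
        reasons.append("RC4")
    if name.endswith("_MD5"):
        reasons.append("HMAC-MD5")
    return reasons


def audit_tls_log(log):
    """Split the enabled suites and protocols into weak (with reasons) and acceptable."""
    sections = parse_tls_sections(log)
    weak_suites, ok_suites = {}, []
    for suite in sections.get("EnabledCipherSuites", []):
        if suite.endswith("_SCSV"):
            continue  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV is not a negotiable suite
        reasons = suite_findings(suite)
        if reasons:
            weak_suites[suite] = reasons
        else:
            ok_suites.append(suite)
    weak_protocols = {p: PROTOCOL_FINDINGS[p]
                      for p in sections.get("EnabledProtocols", [])
                      if p in PROTOCOL_FINDINGS}
    return {"weak_suites": weak_suites, "ok_suites": ok_suites,
            "weak_protocols": weak_protocols}


if __name__ == "__main__":
    report = audit_tls_log(SV_LOG)
    for suite, reasons in report["weak_suites"].items():
        print(f"WEAK  {suite}: {', '.join(reasons)}")
    for suite in report["ok_suites"]:
        print(f"OK    {suite}")
    for proto, why in report["weak_protocols"].items():
        print(f"PROTO {proto}: {why}")
```

Point it at the real sv log to get the full picture; on the list posted above only the two AES suites survive the check. The hardened direction is to restrict the enabled suites to AES with SHA-based MACs and to drop SSLv3, which in a Java 6 JSSE deployment is governed by the enabled-suite and enabled-protocol lists this log prints; whether BSS exposes those lists as settings is not established by this thread.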
Are both BSS2 and BSS3 using UDP transport?
> 1) Bria3 ---- (TLS) ---- BSS1 ---- (Non-TLS) --- BSS2
> If the INVITE's To SIP ID prefix starts with 88, then it must be routed to BSS2.
> 2) Bria3 ---- (TLS) ---- BSS1 ---- (Non-TLS) --- BSS3
> If the INVITE's To SIP ID prefix starts with anything except 88, then it must be routed to BSS3.
If yes, in the dial plan rules used for the calls in the above two cases, add $transport = udp to the [Deploy Patterns] of both rules.
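To make the prefix routing from the original post and Harold's `$transport = udp` suggestion concrete, here is an added example (not Brekeke's code and not posted by anyone in the thread). It simulates first-match dial plan evaluation over constructed INVITE and REGISTER messages: regexes applied to the request line (`$request`) and the To header, `%1` substituted from the capture group, and `$transport` carried in the deploy patterns of both rules. The rule semantics are a simplified model written for illustration, and the hostnames `bss2.example.invalid` and `bss3.example.invalid` are placeholders.

```python
import re

# Constructed sample requests (not captures from the thread); hostnames are
# placeholders in the reserved .invalid TLD.
INVITE_8888 = """\
INVITE sip:8888@bss1.example.invalid SIP/2.0
Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK-1
From: <sip:bria@bss1.example.invalid>;tag=a1
To: <sip:8888@bss1.example.invalid>
Call-ID: constructed-call-1
CSeq: 1 INVITE
"""
INVITE_1001 = INVITE_8888.replace("8888", "1001")
INVITE_1880 = INVITE_8888.replace("8888", "1880")
REGISTER = "REGISTER sip:bss1.example.invalid SIP/2.0\nTo: <sip:bria@bss1.example.invalid>\n"

# Simplified model of the thread's dial plan (not Brekeke's implementation):
# rules are tried in order and the first whose matching patterns all succeed
# wins; a matching pattern is a regex against the request line ($request) or
# a header; %1..%9 in deploy patterns are capture groups counted across all
# matching patterns of the rule; $transport is the deploy-side fix Harold
# suggested. The second rule is the catch-all, so ordering is what keeps
# 88-prefixed calls away from BSS3.
RULES = [
    {"name": "prefix 88 -> BSS2",
     "match":  [("$request", r"^INVITE"), ("To", r"sip:(88.+)@")],
     "deploy": [("To", "sip:%1@bss2.example.invalid"), ("$transport", "udp")]},
    {"name": "everything else -> BSS3",
     "match":  [("$request", r"^INVITE"), ("To", r"sip:(.+)@")],
     "deploy": [("To", "sip:%1@bss3.example.invalid"), ("$transport", "udp")]},
]


def parse_sip(msg):
    """Split a SIP message into its request line and a {header: value} dict."""
    lines = msg.splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers


def apply_dialplan(msg, rules=RULES):
    """Return (rule name, deployed fields) for the first rule whose matching
    patterns all succeed, or (None, {}) when no rule matches."""
    request, headers = parse_sip(msg)
    for rule in rules:
        groups = []
        for field, pattern in rule["match"]:
            subject = request if field == "$request" else headers.get(field, "")
            m = re.search(pattern, subject)
            if m is None:
                break
            groups.extend(m.groups())
        else:
            deployed = {}
            for field, template in rule["deploy"]:
                for i, group in enumerate(groups, start=1):
                    template = template.replace(f"%{i}", group)
                deployed[field] = template
            return rule["name"], deployed
    return None, {}


if __name__ == "__main__":
    for label, msg in (("8888", INVITE_8888), ("1001", INVITE_1001),
                       ("1880", INVITE_1880), ("REGISTER", REGISTER)):
        name, deployed = apply_dialplan(msg)
        print(f"{label:>8}: {name} {deployed}")
```

Note that `sip:(88.+)@` is anchored by the literal `sip:`, so a number such as 1880 that merely contains 88 falls through to the catch-all rule, while REGISTER is untouched by both rules because their first matching pattern requires an INVITE.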