[jitsi-dev] SIP TLS problem


#1

Hi,
Currently I am testing the Jitsi SIP client together with the Kamailio SIP
server. UDP and TCP work fine, but I have a problem using TLS. With TLS,
when Jitsi sends a SIP request to the Kamailio SIP server, it always sets
its Contact's port to 5061 instead of the port which is being used to
connect to Kamailio. That causes a problem when Kamailio needs to send a
message to Jitsi, because it requires the Kamailio SIP server to open a new
TLS connection as an SSL client to Jitsi (as SSL server), and that fails.
For some SIP messages, this can be fixed by hacking the configuration of
Kamailio to force the server to use the received port of Jitsi to deliver
the messages to the Jitsi client, but it's not always OK, for example for
the ACK of an audio/video call. I think this could be a bug in Jitsi. Can
you fix it please?

When I configure Jitsi to use TCP, it always sets the Contact's port of its
request to the port currently used to connect to the Kamailio SIP server.
Everything works well, even when it's behind a firewall/NAT.

Thanks in advance!

Best Regards,
Laura
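
The condition reported above can be checked on the server side by comparing the Contact of a request with the address the TLS connection actually came from. This is an added example, not part of the original post and not Jitsi or Kamailio code; the sample REGISTER, the addresses and the function names are constructed for illustration, and only IPv4 or host-name Contacts are handled.

```python
import re

# Constructed sample: a REGISTER received over a TLS connection that the
# client opened from an ephemeral port. Addresses are documentation ranges.
SAMPLE_REGISTER = (
    "REGISTER sip:example.org SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bKconstructed\r\n"
    "From: <sip:laura@example.org>;tag=1\r\n"
    "To: <sip:laura@example.org>\r\n"
    "Call-ID: constructed-call-id\r\n"
    "CSeq: 1 REGISTER\r\n"
    'Contact: "Laura" <sip:laura@192.0.2.10:5061;transport=tls>\r\n'
    "Content-Length: 0\r\n\r\n"
)

# scheme, optional user part, host (IPv4 or name only), optional port, params
URI = re.compile(r"(sips?):(?:[^@\s]+@)?([^:;\s]+)(?::(\d+))?((?:;[^;\s]+)*)$", re.I)

def contact_target(message):
    """Return (host, port, is_tls) for the first Contact header, else None."""
    for line in message.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() not in ("contact", "m"):  # "m" is the compact form
            continue
        bracketed = re.search(r"<([^>]+)>", value)
        uri = bracketed.group(1) if bracketed else value.split(";")[0].strip()
        parsed = URI.match(uri)
        if parsed is None:
            return None  # e.g. "Contact: *"
        scheme, host, port, params = parsed.groups()
        is_tls = scheme.lower() == "sips" or "transport=tls" in params.lower()
        default_port = 5061 if is_tls else 5060
        return host, int(port) if port else default_port, is_tls
    return None

def check_contact(message, src_ip, src_port):
    """Compare the advertised Contact with the connection's real source."""
    target = contact_target(message)
    if target is None:
        return "no-contact"
    host, port, _ = target
    if (host, port) == (src_ip, src_port):
        return "reusable"  # requests to the Contact can use the existing connection
    return "mismatch"      # reaching the Contact needs a new connection to the client

if __name__ == "__main__":
    print(check_contact(SAMPLE_REGISTER, "192.0.2.10", 49152))
```

A "mismatch" result on a TLS Contact is the case in which the server would have to connect to the client as a TLS client, so the client would need to act as a TLS server.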


#2

Hey

I'm aware of these problems and I'll address them in the following months. This is not just a trivial bug, as it requires Jitsi to have a certificate to authenticate against Kamailio. Last time I investigated this (sometime in December 2010) there were also some issues in the underlying JAIN-SIP stack.

For the time being, I can only recommend that you use a firewall to block Jitsi's port to force Kamailio into NAT handling and keep the TCP connection open.

But maybe I'm completely mistaken and someone else who worked on the TLS implementation has something to add?

Regards,
Ingo

-----Original Message-----
From: laura testi [mailto:lau.testi@gmail.com]
Sent: Thursday, 16 June 2011 16:04
To: dev@jitsi.java.net
Cc:
Subject: [jitsi-dev] SIP TLS problem

Hi,
Currently I am testing the Jitsi SIP client together with the Kamailio SIP
server. UDP and TCP work fine, but I have a problem using TLS. With TLS,
when Jitsi sends a SIP request to the Kamailio SIP server, it always sets
its Contact's port to 5061 instead of the port which is being used to
connect to Kamailio. That causes a problem when Kamailio needs to send a
message to Jitsi, because it requires the Kamailio SIP server to open a new
TLS connection as an SSL client to Jitsi (as SSL server), and that fails.
For some SIP messages, this can be fixed by hacking the configuration of
Kamailio to force the server to use the received port of Jitsi to deliver
the messages to the Jitsi client, but it's not always OK, for example for
the ACK of an audio/video call. I think this could be a bug in Jitsi. Can
you fix it please?

When I configure Jitsi to use TCP, it always sets the Contact's port of its
request to the port currently used to connect to the Kamailio SIP server.
Everything works well, even when it's behind a firewall/NAT.

Thanks in advance!

Best Regards,
Laura


#3

Hi,

A fix for the problem was just committed and will be available in the next
build (I believe it will be 3540). This was a problem we worked on a while
ago, and after sending a patch to jain-sip and after updating the
library, a simple comment was left by mistake that enables this fix.
Thanks for the report; please test whether the next build is OK with your Kamailio TLS setup.

Thanks
damencho


#4

Hey Ingo,

On 16.06.11 16:23, Bauersachs Ingo wrote:

> Hey
>
> I'm aware of these problems and I'll address them in the following
> months. This is not just a trivial bug, as it requires Jitsi to have
> a certificate to authenticate against Kamailio. Last time I
> investigated this (sometime in December 2010) there were also some
> issues in the underlying JAIN-SIP stack.

No, that's ok. We fixed this in JAIN SIP quite a while ago for TCP and
then more recently for TLS. We just forgot to enable the TLS part in
Jitsi but Damencho has just committed a fix.

Emil

--
Emil Ivov, Ph.D.
Project Lead
Jitsi
67000 Strasbourg, France
emcho@jitsi.org
http://jitsi.org
PHONE: +33.1.77.62.43.30
FAX: +33.1.77.62.47.31