[VOIPSEC] Snom Softphone with TLS and Openser

Daniel-Constantin Mierla daniel at voice-system.ro
Fri Feb 24 10:29:41 CST 2006


Hello Dennis,

just one mention here, if you are going to upgrade to openssl 0.9.8,
please use the latest version of openser from CVS in branch rel_1_0_0
(please see: http://openser.org/index.php#download). There is an issue
in the ssl library which does not properly initialize the memory manager
for compression, which is fixed somehow within openser. There is going
to be a new update release of branch rel_1_0_0 as version 1.0.1 by next
Monday.

Cheers,
Daniel


On 02/24/06 15:44, dennis wrote:
> Hi Martin,
>
> I follow your method, but I still have some problems.
>
> 1. After receiving ClientHello, openser will be
> terminated.
>   my openser is 1.0.0
> 1 1  0.0023 (0.0023)  C>S  Handshake
>       ClientHello
>         Version 3.1
>         cipher suites
>         TLS_RSA_WITH_RC4_128_MD5
>         TLS_RSA_WITH_RC4_128_SHA
>         TLS_RSA_WITH_NULL_MD5
>         TLS_RSA_WITH_NULL_SHA
>         TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
>         TLS_DH_anon_WITH_RC4_128_MD5
>         TLS_RSA_WITH_DES_CBC_SHA
>         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>         TLS_DH_anon_WITH_DES_CBC_SHA
>         compression methods
>                   NULL
> 1    0.2734 (0.2710)  S>C  TCP FIN
>  ///////////////////////////////////
> 2. After adding tls_ciphers_list="NULL-SHA:NULL-MD5",
> openser was OK, but the snom soft phone was stuck
> immediately after starting and did not accept any
> input via the user interface.
>
> 1 1  0.0894 (0.0894)  C>S  Handshake
>       ClientHello
>         Version 3.1
>         cipher suites
>         TLS_RSA_WITH_RC4_128_MD5
>         TLS_RSA_WITH_RC4_128_SHA
>         TLS_RSA_WITH_NULL_MD5
>         TLS_RSA_WITH_NULL_SHA
>         TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
>         TLS_DH_anon_WITH_RC4_128_MD5
>         TLS_RSA_WITH_DES_CBC_SHA
>         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>         TLS_DH_anon_WITH_DES_CBC_SHA
>         compression methods
>                   NULL
> 1 2  0.0913 (0.0018)  S>C  Handshake
>       ServerHello
>         Version 3.1
>         session_id[32]=
>           86 63 02 13 cd 51 12 d8 02 61 aa cc 66 63 84 d8
>           21 42 01 8e c1 d6 8e b0 c3 b6 d1 26 68 73 0d 02
>         cipherSuite         TLS_RSA_WITH_NULL_MD5
>         compressionMethod                   NULL
> 1 3  0.0913 (0.0000)  S>C  Handshake
>       Certificate
> 1 4  0.0913 (0.0000)  S>C  Handshake
>       ServerHelloDone
> 1    131.0737 (130.9823)  S>C  TCP FIN
>
> When you re-execute the program, the certificate
> will be cleaned away. I thought that the soft phone lost
> its certificate, so it hung.
> Another root cause may be openssl (0.97f); I will try
> to upgrade or reinstall it.
> ///////////////////////////////////////
> In my environment, Windows Messenger always has some
> problems with Openser: when openser sends the certificate,
> WM always pops up an error message.
>
> 3 1  0.8193 (0.8193)  C>S  Handshake
>       ClientHello
>         Version 3.1
>         cipher suites
>         TLS_RSA_WITH_RC4_128_MD5
>         TLS_RSA_WITH_RC4_128_SHA
>         TLS_RSA_WITH_3DES_EDE_CBC_SHA
>         TLS_RSA_WITH_DES_CBC_SHA
>         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>         TLS_RSA_EXPORT_WITH_RC4_40_MD5
>         TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>         TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>         TLS_DHE_DSS_WITH_DES_CBC_SHA
>         TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
>         compression methods
>                   NULL
> 3 2  0.8199 (0.0006)  S>C  Handshake
>       ServerHello
>         Version 3.1
>         session_id[32]=
>           c3 b3 f1 16 de e4 76 d6 97 e3 ae ba 68 06 31 92
>           1a 5c 62 c7 f5 8c 7d 2c 2e 2b 87 47 32 a6 04 32
>         cipherSuite         TLS_RSA_WITH_3DES_EDE_CBC_SHA
>         compressionMethod                   NULL
> 3 3  0.8199 (0.0000)  S>C  Handshake
>       Certificate
> 3 4  0.8199 (0.0000)  S>C  Handshake
>       ServerHelloDone
> ////////////////////////////////////
> But after replacing the key size from 2048 to 1024, there
> was an improvement in Windows Messenger, although it
> still pops up the same error.
>
> 3 1  0.8193 (0.8193)  C>S  Handshake
>       ClientHello
>         Version 3.1
>         cipher suites
>         TLS_RSA_WITH_RC4_128_MD5
>         TLS_RSA_WITH_RC4_128_SHA
>         TLS_RSA_WITH_3DES_EDE_CBC_SHA
>         TLS_RSA_WITH_DES_CBC_SHA
>         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>         TLS_RSA_EXPORT_WITH_RC4_40_MD5
>         TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>         TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
>         TLS_DHE_DSS_WITH_DES_CBC_SHA
>         TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
>         compression methods
>                   NULL
> 3 2  0.8199 (0.0006)  S>C  Handshake
>       ServerHello
>         Version 3.1
>         session_id[32]=
>           c3 b3 f1 16 de e4 76 d6 97 e3 ae ba 68 06 31 92
>           1a 5c 62 c7 f5 8c 7d 2c 2e 2b 87 47 32 a6 04 32
>         cipherSuite         TLS_RSA_WITH_3DES_EDE_CBC_SHA
>         compressionMethod                   NULL
> 3 3  0.8199 (0.0000)  S>C  Handshake
>       Certificate
> 3 4  0.8199 (0.0000)  S>C  Handshake
>       ServerHelloDone
> 3 5  0.8701 (0.0501)  C>S  Handshake
>       ClientKeyExchange
> 3 6  0.8701 (0.0000)  C>S  ChangeCipherSpec
> 3 7  0.8701 (0.0000)  C>S  Handshake
> 3 8  0.8736 (0.0035)  S>C  ChangeCipherSpec
> 3 9  0.8738 (0.0001)  S>C  Handshake
> 3    1.6979 (0.8241)  C>S  TCP FIN
> 3 10 1.6985 (0.0006)  S>C  Alert
> 3    1.6986 (0.0000)  S>C  TCP FIN
>
> The Alert was not a standard TLS alert description, so
> I can't analyze it.
> The Alert message is below:
> 15 03 01 00 18 fe ef bc 84 a3 c7 8c 8c a5 91 e7 da e1 7c
>             ^^^^^^^^ (there are some problems.....)
> 06 ee 35 9d 32 21 ec ef 8c 79
>
> --- Christian Stredicke <Christian.Stredicke at snom.de> wrote:
>
>> Instead of using DNS SRV you can also use a transport parameter in the
>> outbound proxy. E.g.
>>
>> server.example.at:5061;transport=tls
>>
>> Christian
>>
>>> -----Original Message-----
>>> From: Voipsec-bounces at voipsa.org
>>> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Martin Petraschek
>>> Sent: Thursday, February 23, 2006 5:01 AM
>>> To: Voipsec at voipsa.org
>>> Subject: [VOIPSEC] Snom Softphone with TLS and Openser
>>>
>>> Hi all,
>>>
>>> I just wanted to share the experiences I made when trying to
>>> get the Snom 360 Softphone to work with TLS support together
>>> with Openser. Maybe my findings can be of use for other
>>> people having similar problems.
>>>
>>> The Snom Softphone is one of the few Softphones I am aware of
>>> that support TLS as well as RTP encryption. Unfortunately it
>>> is not Open Source, but the binary is freely available at
>>> http://www.snom.com/download/snom360-5.3.exe
>>>
>>> When trying to use TLS, one might be disappointed that the
>>> configuration menus do not offer any setting like "enable
>>> TLS". This is because the Snom phone uses DNS SRV queries in
>>> order to find out which connection method to use. The first
>>> task is therefore to configure SRV records of the DNS server.
>>> For bind, the following lines did the trick:
>>>
>>> example.at.   IN NAPTR 10 50 "s" "SIPS+D2T" "" _sips._tcp.example.at.
>>> example.at.   IN NAPTR 20 50 "s" "SIP+D2U" "" _sip._udp.example.at.
>>> example.at.   IN NAPTR 30 50 "s" "SIP+D2T" "" _sip._tcp.example.at.
>>> ; ----- SRV records -----
>>> _sip._udp               IN SRV 0 0 5060 server.example.at.
>>> _sip._tcp               IN SRV 0 0 5060 server.example.at.
>>> _sips._tcp              IN SRV 0 0 5061 server.example.at.
>>>
>>> After that, the Snom phone tried to contact the SIP server via TLS.
>>> However, the program was stuck immediately after starting and
>>> did not accept any input via the user interface. I inspected
>>> the network traffic it generated with the help of the tool
>>> ssldump, which showed the following:
>>>
>>> server:/etc/openser/tools# ssldump -i eth0 port 5061
>>> New TCP connection #1: user.example.at(3695) <-> server.example.at(5061)
>>> 1 1  0.0124 (0.0124)  C>S  Handshake
>>>        ClientHello
>>>          Version 3.1
>>>          cipher suites
>>>          TLS_RSA_WITH_RC4_128_MD5
>>>          TLS_RSA_WITH_RC4_128_SHA
>>>          TLS_RSA_WITH_NULL_MD5
>>>          TLS_RSA_WITH_NULL_SHA
>>>          TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
>>>          TLS_DH_anon_WITH_RC4_128_MD5
>>>          TLS_RSA_WITH_DES_CBC_SHA
>>>          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>>>          TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>>>          TLS_DH_anon_WITH_DES_CBC_SHA
>>>          compression methods
>>>                    NULL
>>> 1 2  0.0145 (0.0021)  S>C  Handshake
>>>        ServerHello
>>>          Version 3.1
>>>          session_id[32]=
>>>            5d a6 8d 61 58 ed c6 08 ae 76 d1 eb 24 82 6a c3
>>>            2e 12 4c 29 17 7b 80 bf 1d 98 82 2c 67 53 ab f0
>>>          cipherSuite         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>>>          compressionMethod                   NULL
>>> 1 3  0.0146 (0.0000)  S>C  Handshake
>>>        Certificate
>>> 1 4  0.0146 (0.0000)  S>C  Handshake
>>>        CertificateRequest
>>>          certificate_types                   rsa_sign
>>>          certificate_types                   dss_sign
>>>        ServerHelloDone
>>> 1    9.5153 (9.5006)  C>S  TCP RST
>>>
>>>
>>> I noticed that the chosen ciphersuite was 1024 bit RSA.
>>> Checking the certificate file
>>> /etc/openser/tls/user/user-cert.pem, I found that the
>>> certificate configured for openser is 2048 bit! To overcome
>>> this problem, I changed the configuration files ca.conf and
>>> user.conf as well as gen_rootCA.sh (just replaced 2048 with
>>> 1024 at every occurrence).
>>> After re-generating the certificates and restarting openser,
>>> the TLS connection finally worked like a charm.
>>>
>>> Cheers,
>>>
>>> Martin
>>>
>>> _______________________________________________
>>> Voipsec mailing list
>>> Voipsec at voipsa.org
>>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

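The ssldump traces quoted throughout this thread show which suites the Snom client offers and which one openser picks. The following Python is an added example, not code from the thread or from openser: it parses a constructed trace in ssldump's text layout and flags the suites a defender would not want negotiated (NULL, anonymous DH, export-grade), plus the export-suite versus 2048-bit-certificate mismatch Martin ran into. The sample trace, the regular expressions and the function names are all my assumptions.

```python
import re

# Constructed sample in ssldump's text layout, modelled on the traces quoted
# in the thread: the server picks an EXPORT1024 suite while (as in Martin's
# setup) the openser certificate key is 2048 bits.
SAMPLE_TRACE = """\
1 1  0.0124 (0.0124)  C>S  Handshake
       ClientHello
         cipher suites
         TLS_RSA_WITH_RC4_128_MD5
         TLS_RSA_WITH_NULL_MD5
         TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
1 2  0.0145 (0.0021)  S>C  Handshake
       ServerHello
         cipherSuite         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
"""

SUITE_RE = re.compile(r"^\s*(TLS_[A-Za-z0-9_]+)\s*$")          # one offered suite per line
CHOSEN_RE = re.compile(r"^\s*cipherSuite\s+(TLS_[A-Za-z0-9_]+)\s*$")
WEAK_MARKERS = {"_NULL_": "no encryption", "_anon_": "no server authentication",
                "EXPORT": "export-grade key exchange"}

def parse_trace(text):
    """Return (offered suites, chosen suite) from an ssldump handshake dump."""
    offered, chosen = [], None
    for line in text.splitlines():
        m = CHOSEN_RE.match(line)
        if m:
            chosen = m.group(1)
        elif SUITE_RE.match(line):
            offered.append(SUITE_RE.match(line).group(1))
    return offered, chosen

def weakness(suite):
    """Problems an auditor flags in a suite name (empty list = nothing flagged)."""
    return [why for marker, why in WEAK_MARKERS.items() if marker in suite]

def audit(text, cert_key_bits):
    """Flag weak suites and the export-suite vs. certificate key size clash."""
    offered, chosen = parse_trace(text)
    weak_offered = {s: weakness(s) for s in offered if weakness(s)}
    chosen_problems = weakness(chosen) if chosen else []
    # Export suites limit the RSA key used for key exchange to 1024 bits (the
    # thread's fix was regenerating 1024-bit openser certificates).
    if chosen and "EXPORT1024" in chosen and cert_key_bits > 1024:
        chosen_problems.append("EXPORT1024 suite with a %d-bit certificate key"
                               % cert_key_bits)
    return {"offered": offered, "chosen": chosen,
            "weak_offered": weak_offered, "chosen_problems": chosen_problems}
```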


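dennis's alert record arrives after both ChangeCipherSpec messages, so its two alert bytes are already MACed and encrypted under the negotiated TLS_RSA_WITH_3DES_EDE_CBC_SHA, which is why ssldump prints no description for it. This added Python (not from the thread) parses the record header he quoted and checks that the 24-byte body is exactly the size an encrypted alert under that suite should occupy; the function names and the plaintext close_notify record used for comparison are my own constructions.

```python
# Added example: TLS record header parsing and alert size checking.
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}

# Constructed from the hex dennis quoted: record header 15 03 01 00 18 followed
# by 0x18 = 24 body bytes, seen after both ChangeCipherSpec messages.
ALERT_RECORD = bytes.fromhex(
    "15 03 01 00 18 fe ef bc 84 a3 c7 8c 8c a5 91 e7 da e1 7c "
    "06 ee 35 9d 32 21 ec ef 8c 79")

def parse_record(data):
    """Split one TLS record into header fields and body, checking the length."""
    if len(data) < 5:
        raise ValueError("short record header")
    length = int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record: header says %d, got %d" % (length, len(body)))
    return {"type": CONTENT_TYPES.get(data[0], "unknown(%d)" % data[0]),
            "version": (data[1], data[2]), "length": length, "body": body}

def expected_alert_length(mac_len, block_len):
    """Size of an encrypted TLS 1.0 alert: 2 bytes + MAC, padded for CBC suites."""
    n = 2 + mac_len
    if block_len > 1:          # CBC: at least the padding-length byte, then round up
        n += 1
        n += (-n) % block_len
    return n

def explain_alert(record, encrypted, mac_len=20, block_len=8):
    """Plaintext alerts decode directly; encrypted ones can only be size-checked.
    Defaults are HMAC-SHA1 and an 8-byte block, i.e. TLS_RSA_WITH_3DES_EDE_CBC_SHA."""
    if record["type"] != "Alert":
        raise ValueError("not an alert record")
    body = record["body"]
    if not encrypted:
        return {"readable": True,
                "level": {1: "warning", 2: "fatal"}.get(body[0], "unknown"),
                "description": ALERT_DESCRIPTIONS.get(body[1], "unknown(%d)" % body[1])}
    # After ChangeCipherSpec the two alert bytes sit under the record MAC and
    # cipher, so a passive sniffer without the server key sees no description.
    base = expected_alert_length(mac_len, block_len)
    extra = record["length"] - base      # CBC may carry extra whole blocks of padding
    ok = extra == 0 or (block_len > 1 and extra > 0 and extra % block_len == 0)
    return {"readable": False, "expected_length": base, "length_matches_suite": ok}
```

Pointing ssldump at the server's private key with its -k option is the way to see the decrypted alert description in such a trace.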