[VOIPSEC] Snom Softphone with TLS and Openser

mailinglist mailinglist at pbxnsip.com
Fri Feb 24 12:25:30 CST 2006


If you are interested in playing around with TLS and SRTP, please also try
the free demo at http://www.pbxnsip.com/demo_license.php.

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org 
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of 
> Daniel-Constantin Mierla
> Sent: Friday, February 24, 2006 11:30 AM
> To: dennis
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Snom Softphone with TLS and Openser
> 
> Hello Dennis,
> 
> just one mention here, if you are going to upgrade to openssl 
> 0.9.8, please use the latest version of openser from CVS in 
> branch rel_1_0_0 (please see: 
> http://openser.org/index.php#download). There is an issue in 
> the ssl library which does not properly initialize the memory 
> manager for compression, which is fixed somehow within 
> openser. There is going to be a new update release of branch 
> rel_1_0_0 as version 1.0.1 by next Monday.
> 
> Cheers,
> Daniel
> 
> 
> On 02/24/06 15:44, dennis wrote:
> > Hi Martin,
> >
> > I followed your method, but I still have some problems.
> >
> > 1. After receiving ClientHello, openser will be terminated.
> >    My openser is 1.0.0.
> > 1 1  0.0023 (0.0023)  C>S  Handshake
> >       ClientHello
> >         Version 3.1
> >         cipher suites
> >         TLS_RSA_WITH_RC4_128_MD5
> >         TLS_RSA_WITH_RC4_128_SHA
> >         TLS_RSA_WITH_NULL_MD5
> >         TLS_RSA_WITH_NULL_SHA
> >         TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
> >         TLS_DH_anon_WITH_RC4_128_MD5
> >         TLS_RSA_WITH_DES_CBC_SHA
> >         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> >         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> >         TLS_DH_anon_WITH_DES_CBC_SHA
> >         compression methods
> >                   NULL
> > 1    0.2734 (0.2710)  S>C  TCP FIN
> >  ///////////////////////////////////
> > 2. After adding tls_ciphers_list="NULL-SHA:NULL-MD5", openser was OK,
> > but the snom soft phone was stuck immediately after starting and did
> > not accept any input via the user interface.
> >
> > 1 1  0.0894 (0.0894)  C>S  Handshake
> >       ClientHello
> >         Version 3.1
> >         cipher suites
> >         TLS_RSA_WITH_RC4_128_MD5
> >         TLS_RSA_WITH_RC4_128_SHA
> >         TLS_RSA_WITH_NULL_MD5
> >         TLS_RSA_WITH_NULL_SHA
> >         TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
> >         TLS_DH_anon_WITH_RC4_128_MD5
> >         TLS_RSA_WITH_DES_CBC_SHA
> >         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> >         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> >         TLS_DH_anon_WITH_DES_CBC_SHA
> >         compression methods
> >                   NULL
> > 1 2  0.0913 (0.0018)  S>C  Handshake
> >       ServerHello
> >         Version 3.1
> >         session_id[32]=
> >           86 63 02 13 cd 51 12 d8 02 61 aa cc 66 63 84 d8
> >           21 42 01 8e c1 d6 8e b0 c3 b6 d1 26 68 73 0d 02
> >         cipherSuite         TLS_RSA_WITH_NULL_MD5
> >         compressionMethod                   NULL
> > 1 3  0.0913 (0.0000)  S>C  Handshake
> >       Certificate
> > 1 4  0.0913 (0.0000)  S>C  Handshake
> >       ServerHelloDone
> > 1    131.0737 (130.9823)  S>C  TCP FIN
> >
> > When you re-execute the program, the certificate will be cleaned away.
> > I thought that the soft phone lost its certificate, so it hung.
> > Another root cause may be openssl (0.97f); I will try to upgrade or
> > reinstall it.
> > ///////////////////////////////////////
> > In my environment, Windows Messenger always has some problems with
> > Openser: when openser sends the certificate, WM always pops up an error
> > message.
> >
> > 3 1  0.8193 (0.8193)  C>S  Handshake
> >       ClientHello
> >         Version 3.1
> >         cipher suites
> >         TLS_RSA_WITH_RC4_128_MD5
> >         TLS_RSA_WITH_RC4_128_SHA
> >         TLS_RSA_WITH_3DES_EDE_CBC_SHA
> >         TLS_RSA_WITH_DES_CBC_SHA
> >         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> >         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> >         TLS_RSA_EXPORT_WITH_RC4_40_MD5
> >         TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
> >         TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> >         TLS_DHE_DSS_WITH_DES_CBC_SHA
> >         TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
> >         compression methods
> >                   NULL
> > 3 2  0.8199 (0.0006)  S>C  Handshake
> >       ServerHello
> >         Version 3.1
> >         session_id[32]=
> >           c3 b3 f1 16 de e4 76 d6 97 e3 ae ba 68 06 31 92
> >           1a 5c 62 c7 f5 8c 7d 2c 2e 2b 87 47 32 a6 04 32
> >         cipherSuite         TLS_RSA_WITH_3DES_EDE_CBC_SHA
> >         compressionMethod                   NULL
> > 3 3  0.8199 (0.0000)  S>C  Handshake
> >       Certificate
> > 3 4  0.8199 (0.0000)  S>C  Handshake
> >       ServerHelloDone
> > ////////////////////////////////////
> > But after replacing the key size from 2048 to 1024, there was improvement
> > in Windows Messenger, although it still pops up the same error.
> >
> > 3 1  0.8193 (0.8193)  C>S  Handshake
> >       ClientHello
> >         Version 3.1
> >         cipher suites
> >         TLS_RSA_WITH_RC4_128_MD5
> >         TLS_RSA_WITH_RC4_128_SHA
> >         TLS_RSA_WITH_3DES_EDE_CBC_SHA
> >         TLS_RSA_WITH_DES_CBC_SHA
> >         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> >         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> >         TLS_RSA_EXPORT_WITH_RC4_40_MD5
> >         TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
> >         TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> >         TLS_DHE_DSS_WITH_DES_CBC_SHA
> >         TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
> >         compression methods
> >                   NULL
> > 3 2  0.8199 (0.0006)  S>C  Handshake
> >       ServerHello
> >         Version 3.1
> >         session_id[32]=
> >           c3 b3 f1 16 de e4 76 d6 97 e3 ae ba 68 06 31 92
> >           1a 5c 62 c7 f5 8c 7d 2c 2e 2b 87 47 32 a6 04 32
> >         cipherSuite         TLS_RSA_WITH_3DES_EDE_CBC_SHA
> >         compressionMethod                   NULL
> > 3 3  0.8199 (0.0000)  S>C  Handshake
> >       Certificate
> > 3 4  0.8199 (0.0000)  S>C  Handshake
> >       ServerHelloDone
> > 3 5  0.8701 (0.0501)  C>S  Handshake
> >       ClientKeyExchange
> > 3 6  0.8701 (0.0000)  C>S  ChangeCipherSpec
> > 3 7  0.8701 (0.0000)  C>S  Handshake
> > 3 8  0.8736 (0.0035)  S>C  ChangeCipherSpec
> > 3 9  0.8738 (0.0001)  S>C  Handshake
> > 3    1.6979 (0.8241)  C>S  TCP FIN
> > 3 10 1.6985 (0.0006)  S>C  Alert
> > 3    1.6986 (0.0000)  S>C  TCP FIN
> >
> > The Alert was not a standard TLS alert description, so I can't analyze
> > it.
> > The Alert message is below:
> > 15 03 01 00 18 fe ef bc 84 a3 c7 8c 8c a5 91 e7 da e1 7c
> >             ^^^^^^^^ (there are some problems.....)
> > 06 ee 35 9d 32 21 ec ef 8c 79
> >
> >
> >
> >
> > --- Christian Stredicke <Christian.Stredicke at snom.de> wrote:
> >
> >> Instead of using DNS SRV you can also use a transport parameter in the
> >> outbound proxy. E.g.
> >>
> >> server.example.at:5061;transport=tls
> >>
> >> Christian
> >>
> >>> -----Original Message-----
> >>> From: Voipsec-bounces at voipsa.org
> >>> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Martin Petraschek
> >>> Sent: Thursday, February 23, 2006 5:01 AM
> >>> To: Voipsec at voipsa.org
> >>> Subject: [VOIPSEC] Snom Softphone with TLS and Openser
> >>>
> >>> Hi all,
> >>>
> >>> I just wanted to share the experiences I made when trying to get the
> >>> Snom 360 Softphone to work with TLS support together with Openser.
> >>> Maybe my findings can be of use for other people having similar
> >>> problems.
> >>>
> >>> The Snom Softphone is one of the few Softphones I am aware of that
> >>> support TLS as well as RTP encryption. Unfortunately it is not Open
> >>> Source, but the binary is freely available at
> >>> http://www.snom.com/download/snom360-5.3.exe
> >>>
> >>> When trying to use TLS, one might be disappointed that the
> >>> configuration menus do not offer any setting like "enable TLS". This
> >>> is because the Snom phone uses DNS SRV queries in order to find out
> >>> which connection method to use. The first task is therefore to
> >>> configure SRV records of the DNS server. For bind, the following
> >>> lines did the trick:
> >>>
> >>> example.at.   IN NAPTR 10 50 "s" "SIPS+D2T" "" _sips._tcp.example.at.
> >>> example.at.   IN NAPTR 20 50 "s" "SIP+D2U" "" _sip._udp.example.at.
> >>> example.at.   IN NAPTR 30 50 "s" "SIP+D2T" "" _sip._tcp.example.at.
> >>> ; ----- SRV records -----
> >>> _sip._udp               IN SRV 0 0 5060 server.example.at.
> >>> _sip._tcp               IN SRV 0 0 5060 server.example.at.
> >>> _sips._tcp              IN SRV 0 0 5061 server.example.at.
> >>>
> >>> After that, the Snom phone tried to contact the SIP server via TLS.
> >>> However, the program was stuck immediately after starting and did
> >>> not accept any input via the user interface. I inspected the network
> >>> traffic it generated with the help of the tool ssldump, which showed
> >>> the following:
> >>>
> >>> server:/etc/openser/tools# ssldump -i eth0 port 5061
> >>> New TCP connection #1: user.example.at(3695) <-> server.example.at(5061)
> >>> 1 1  0.0124 (0.0124)  C>S  Handshake
> >>>        ClientHello
> >>>          Version 3.1
> >>>          cipher suites
> >>>          TLS_RSA_WITH_RC4_128_MD5
> >>>          TLS_RSA_WITH_RC4_128_SHA
> >>>          TLS_RSA_WITH_NULL_MD5
> >>>          TLS_RSA_WITH_NULL_SHA
> >>>          TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
> >>>          TLS_DH_anon_WITH_RC4_128_MD5
> >>>          TLS_RSA_WITH_DES_CBC_SHA
> >>>          TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> >>>          TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> >>>          TLS_DH_anon_WITH_DES_CBC_SHA
> >>>          compression methods
> >>>                    NULL
> >>> 1 2  0.0145 (0.0021)  S>C  Handshake
> >>>        ServerHello
> >>>          Version 3.1
> >>>          session_id[32]=
> >>>            5d a6 8d 61 58 ed c6 08 ae 76 d1 eb 24 82 6a c3
> >>>            2e 12 4c 29 17 7b 80 bf 1d 98 82 2c 67 53 ab f0
> >>>          cipherSuite         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> >>>          compressionMethod                   NULL
> >>> 1 3  0.0146 (0.0000)  S>C  Handshake
> >>>        Certificate
> >>> 1 4  0.0146 (0.0000)  S>C  Handshake
> >>>        CertificateRequest
> >>>          certificate_types                   rsa_sign
> >>>          certificate_types                   dss_sign
> >>>        ServerHelloDone
> >>> 1    9.5153 (9.5006)  C>S  TCP RST
> >>>
> >>>
> >>> I noticed that the chosen ciphersuite was 1024 bit RSA. Checking the
> >>> certificate file /etc/openser/tls/user/user-cert.pem, I found that
> >>> the certificate configured for openser is 2048 bit! To overcome this
> >>> problem, I changed the configuration files ca.conf and user.conf as
> >>> well as gen_rootCA.sh (just replaced 2048 with 1024 at every
> >>> occurrence).
> >>> After re-generating the certificates and restarting openser, the TLS
> >>> connection finally worked like a charm.
> >>>
> >>> Cheers,
> >>>
> >>> Martin
> >>>
> >>> _______________________________________________
> >>> Voipsec mailing list
> >>> Voipsec at voipsa.org
> >>>
> >>>       
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >   
> 
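The ssldump traces in this thread show three things a practitioner would want to check mechanically rather than by eye: what the phone's offered suite list actually contains (NULL, anonymous DH, export and single-DES suites next to RC4-128), what the server is left with once tls_ciphers_list="NULL-SHA:NULL-MD5" is set (only NULL suites, so the "TLS" session carries SIP in cleartext), why an EXPORT1024 suite interacts badly with a 2048-bit certificate (export suites cap the RSA key used for key exchange, so the server must either supply a temporary key in ServerKeyExchange or not pick that suite; excluding export/NULL/anon suites on the server, which leaves RSA with RC4-128 from this phone's list, is the alternative to shrinking the key), and why the 24-byte alert record dennis captured has no readable description (it follows ChangeCipherSpec, so it is ciphertext; its length matches 2 alert bytes + 20-byte SHA-1 MAC + padding under the negotiated 3DES-CBC suite). The following Python is an added example written for this page, not code from openser, snom or any poster; the suite list and the alert bytes are copied from the traces, while WEAKNESS_RULES, REJECT, the OPENSSL_NAMES table and all function names are constructed here.

```python
"""Cipher-suite and TLS-record triage for the ssldump traces quoted above.

Added example for this thread; not code from openser, snom or any poster.
SNOM_OFFERED and ALERT_RECORD are copied from the traces; the rules, the
OpenSSL name table and the function names are constructed here.
"""

# Suites the Snom softphone offered in its ClientHello (from the trace).
SNOM_OFFERED = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_NULL_MD5",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    "TLS_DH_anon_WITH_DES_CBC_SHA",
]

# Substring of the IANA name -> why a suite containing it is a problem.
WEAKNESS_RULES = [
    ("WITH_NULL", "no encryption"),
    ("DH_anon", "anonymous DH: server is not authenticated"),
    ("EXPORT1024", "export grade: RSA key exchange capped at 1024 bits"),
    ("EXPORT_", "export grade: 40-bit cipher, RSA capped at 512 bits"),
    ("_DES_CBC", "single DES (56-bit key)"),
    ("RC4", "RC4 stream cipher"),
    ("_MD5", "HMAC-MD5 record MAC"),
]
# What a server should refuse outright (RC4/MD5 were still tolerated in 2006).
REJECT = ("WITH_NULL", "DH_anon", "EXPORT1024", "EXPORT_", "_DES_CBC")

# OpenSSL cipher-string names (the syntax of tls_ciphers_list) -> IANA names.
OPENSSL_NAMES = {
    "NULL-MD5": "TLS_RSA_WITH_NULL_MD5", "NULL-SHA": "TLS_RSA_WITH_NULL_SHA",
    "RC4-MD5": "TLS_RSA_WITH_RC4_128_MD5", "RC4-SHA": "TLS_RSA_WITH_RC4_128_SHA",
    "DES-CBC-SHA": "TLS_RSA_WITH_DES_CBC_SHA",
    "DES-CBC3-SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "EXP1024-RC4-SHA": "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    "EXP1024-DES-CBC-SHA": "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
}

def classify(suite):
    """All weakness descriptions that apply to one IANA suite name."""
    return [why for needle, why in WEAKNESS_RULES if needle in suite]

def openssl_to_iana(cipher_string):
    """Expand an OpenSSL cipher string such as 'NULL-SHA:NULL-MD5'."""
    return [OPENSSL_NAMES.get(n, "unknown:" + n) for n in cipher_string.split(":") if n]

def hardened(offered):
    """Client suites a server configured to drop everything in REJECT could still pick."""
    return [s for s in offered if not any(n in s for n in REJECT)]

def max_rsa_key_bits(suite):
    """Export suites cap the RSA key used for key exchange: 512 bits for the
    RFC 2246 EXPORT suites, 1024 bits for the EXPORT1024 variants."""
    if "EXPORT1024" in suite:
        return 1024
    if "EXPORT_" in suite:
        return 512
    return None

def needs_temp_rsa_key(suite, cert_key_bits):
    """True when the certificate key exceeds the suite's cap, so the server must
    send a ServerKeyExchange carrying a temporary RSA key (or refuse the suite).
    Martin's 2048-bit certificate with TLS_RSA_EXPORT1024_WITH_RC4_56_SHA is this case."""
    cap = max_rsa_key_bits(suite)
    return cap is not None and cert_key_bits > cap

# The alert record dennis captured: 5-byte header plus 24 payload bytes.
ALERT_RECORD = bytes.fromhex(
    "15 03 01 00 18 fe ef bc 84 a3 c7 8c 8c a5 91 e7 da e1 7c "
    "06 ee 35 9d 32 21 ec ef 8c 79"
)
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

def parse_record(data):
    """Split one TLS record into type, version, declared length and payload."""
    if len(data) < 5:
        raise ValueError("record header needs 5 bytes")
    length = int.from_bytes(data[3:5], "big")
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("record truncated")
    return {"type": CONTENT_TYPES.get(data[0], "unknown"),
            "version": (data[1], data[2]), "length": length, "payload": payload}

def alert_is_encrypted(record, after_change_cipher_spec):
    """A plaintext alert is exactly 2 bytes (level, description). After
    ChangeCipherSpec the record body is ciphertext, so the description cannot
    be read off the wire; only its length can be sanity-checked."""
    return record["type"] == "Alert" and after_change_cipher_spec and record["length"] != 2

def cbc_alert_length_ok(length, mac_len, block_len):
    """TLS 1.0 block cipher: 2 alert bytes + MAC + at least a padding_length
    byte, rounded up to the block size. 3DES/SHA-1: 2 + 20 + 1 -> 24 bytes."""
    return length % block_len == 0 and length >= 2 + mac_len + 1

if __name__ == "__main__":
    for s in SNOM_OFFERED:
        print("%-40s %s" % (s, "; ".join(classify(s)) or "ok"))
    print("NULL-SHA:NULL-MD5 allows only", openssl_to_iana("NULL-SHA:NULL-MD5"))
    print("hardened server could still pick", hardened(SNOM_OFFERED))
    rec = parse_record(ALERT_RECORD)
    print(rec["type"], "TLS %d.%d," % rec["version"], rec["length"], "bytes,",
          "encrypted" if alert_is_encrypted(rec, True) else "plaintext")
```

Run it on the trace data to see the two RSA/RC4-128 suites survive a hardened server list while the 2048-bit certificate stays in place, and that the captured alert parses as an encrypted 24-byte record whose length is consistent with the negotiated 3DES-CBC/SHA-1 suite.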
> 
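Martin's BIND records drive the RFC 3263 resolution walk the phone performs: sort NAPTR by order and preference, keep the services the client supports, then resolve the chosen SRV target. That walk is also where a security check belongs: the NAPTR answer is unauthenticated DNS, so an attacker who can answer the phone's query can reorder the records and move it from SIPS+D2T to plain UDP. The following Python is an added example written for this page, not snom firmware or openser code; ZONE is copied from Martin's post, while parse_zone, select_transport, its require_tls policy flag and parse_outbound_proxy (covering Christian's transport=tls shortcut) are constructed here, and SRV weights are ignored because the zone has one target per service.

```python
"""RFC 3263 transport selection over the BIND records Martin posted.

Added example; not code from snom, openser or any poster. ZONE is copied from
the thread; the resolver logic, the require_tls policy flag and
parse_outbound_proxy are constructed here. SRV weights are ignored because the
zone has one target per service.
"""
import shlex
from collections import namedtuple

ZONE = """\
example.at.   IN NAPTR 10 50 "s" "SIPS+D2T" "" _sips._tcp.example.at.
example.at.   IN NAPTR 20 50 "s" "SIP+D2U" "" _sip._udp.example.at.
example.at.   IN NAPTR 30 50 "s" "SIP+D2T" "" _sip._tcp.example.at.
; ----- SRV records -----
_sip._udp               IN SRV 0 0 5060 server.example.at.
_sip._tcp               IN SRV 0 0 5060 server.example.at.
_sips._tcp              IN SRV 0 0 5061 server.example.at.
"""

NAPTR = namedtuple("NAPTR", "order preference flags service replacement")
SRV = namedtuple("SRV", "priority weight port target")

# NAPTR service field -> SIP transport (RFC 3263 section 4.1).
SERVICE_TRANSPORT = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp"}
DEFAULT_PORT = {"tls": 5061, "tcp": 5060, "udp": 5060}

def parse_zone(text, origin):
    """Minimal zone-file reader: NAPTR and SRV only; relative names get the origin."""
    naptr, srv = {}, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a zone-file comment
        if not line:
            continue
        tok = shlex.split(line)                     # keeps the empty "" regexp field
        owner = tok[0] if tok[0].endswith(".") else tok[0] + "." + origin
        if tok[2] == "NAPTR":
            naptr.setdefault(owner, []).append(
                NAPTR(int(tok[3]), int(tok[4]), tok[5], tok[6], tok[8]))
        elif tok[2] == "SRV":
            srv.setdefault(owner, []).append(
                SRV(int(tok[3]), int(tok[4]), int(tok[5]), tok[6]))
    return naptr, srv

def select_transport(naptr, srv, domain, supported, require_tls=False):
    """Walk NAPTR by (order, preference), skip services the client does not
    support, resolve the winner's SRV target. require_tls is the policy check
    that stops a DNS answer (or a spoofed one) from quietly moving the phone
    to UDP or TCP when it was configured for SIPS."""
    for rec in sorted(naptr.get(domain, []), key=lambda r: (r.order, r.preference)):
        transport = SERVICE_TRANSPORT.get(rec.service)
        if transport is None or rec.service not in supported:
            continue
        if require_tls and transport != "tls":
            raise ValueError("DNS selected %s but policy requires TLS" % transport)
        targets = sorted(srv.get(rec.replacement, []), key=lambda s: s.priority)
        if targets:
            return transport, targets[0].target.rstrip("."), targets[0].port
    raise LookupError("no usable NAPTR/SRV for " + domain)

def parse_outbound_proxy(value):
    """Christian's alternative: 'host:port;transport=tls' pins the transport
    and bypasses NAPTR/SRV entirely; missing port falls back to the default."""
    hostport, _, params = value.partition(";")
    host, _, port = hostport.partition(":")
    transport = "udp"
    for p in params.split(";"):
        key, _, val = p.partition("=")
        if key.strip().lower() == "transport" and val:
            transport = val.strip().lower()
    return transport, host, int(port) if port else DEFAULT_PORT.get(transport, 5060)

if __name__ == "__main__":
    n, s = parse_zone(ZONE, "example.at.")
    print(select_transport(n, s, "example.at.", set(SERVICE_TRANSPORT)))
    print(select_transport(n, s, "example.at.", {"SIP+D2U", "SIP+D2T"}))
    print(parse_outbound_proxy("server.example.at:5061;transport=tls"))
```

With the full service set the walk lands on TLS to server.example.at:5061, which is what the phone did; a client without SIPS support falls through to UDP 5060, and a client configured to require TLS refuses that fallback instead of registering in cleartext.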





