tls only sip connection

rts-cn · Aug 2, 2019 · 968d3c0 · 968d3c0
1 parent a93c416
commit 968d3c0
Show file tree

Hide file tree

Showing 4 changed files with 472 additions and 0 deletions.
diff --git a/TLSonly/README.md b/TLSonly/README.md
@@ -0,0 +1,87 @@
+# Secure TLS connection via port 5061 
+
+Securinng signalling using TLS certificates to provide privacy to voip calls over public internet.
+I have used self signed certificate in this exmaple which is ok for dev enviornment for staging , beta or production env use third party certificate provider ( Letsencrypt etc , I will add more on that later )
+
+## Steps 
+
+Build tls module in kamailio src 
+```
+make -C modules/tls extra_defs="-DTLS_WR_DEBUG -DTLS_RD_DEBUG"
+```
+
+Add it to cfg load module 
+```
+loadmodule "sl.so"
+loadmodule "tls.so"
+```
+provide either tls params of path to tls.cfg holding tls params like private_key , certificate , tls methods etc
+```
+modparam("tls", "private_key", "/etc/kamailio/certs/provkey.pem")
+modparam("tls", "certificate", "/etc/kamailio/certs/cert.pem")
+modparam("tls", "ca_list", "/etc/kamailio/certs/calist.pem")
+```
+or
+```
+[server:default]
+method = TLSv1
+verify_certificate = no
+require_certificate = no
+private_key = /etc/kamailio/certs/provkey.pem
+certificate = /etc/kamailio/certs/cert.pem"
+```
+Add listen address , also add advertise publicip:secire sip port for one behind NAT
+```
+listen=tls:MY_IP_ADDR:MY_SIPS_PORT advertise MY_EXTERNAL_IP:MY_SIPS_PORT
+```
+
+Enable TLS module. Optionally u can check for proto or can use pseudo variable $pr
+```
+enable_tls=yes
+
+request_route {
+	if(proto != TLS) {
+		sl_send_reply("403", "Accepting TLS Only");
+		exit;
+	}
+	...
+}
+```
+
+## Traces 
+snippet of traces from TLS connection
+```
+tcpconn_new: new tcp connection: ua_addr
+tcpconn_new(): on port 23235, type 3
+tcpconn_add(): hashes: 3659:631:405, 2
+DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: io_watch_add(0xa87960, 46, 2, 0x7fb7cc2f0190), fd_no=39
+DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG: io_watch_del (0xa87960, 46, -1, 0x0) fd_no=40 called
+DEBUG: <core> [core/tcp_main.c:4196]: handle_tcpconn_ev(): sending to child, events 1
+DEBUG: <core> [core/tcp_main.c:3875]: send2child(): selected tcp worker idx:0 proc:22 pid:2973 for activity on [tcp:ip_addr:5061], 0x7fb7cc2f0190
+DEBUG: <core> [core/tcp_read.c:1759]: handle_io(): received n=8 con=0x7fb7cc2f0190, fd=5
+DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: io_watch_add(0xae1280, 5, 2, 0x7fb7cc2f0190), fd_no=1
+DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG: io_watch_del (0xae1280, 5, -1, 0x10) fd_no=2 called
+DEBUG: <core> [core/tcp_read.c:1680]: release_tcpconn(): releasing con 0x7fb7cc2f0190, state 1, fd=5, id=1 ([ua_addr]:47439 -> [ua_addr]:5061)
+DEBUG: <core> [core/tcp_read.c:1684]: release_tcpconn(): extra_data (nil)
+DEBUG: <core> [core/tcp_main.c:3307]: handle_tcp_child(): reader response= 7fb7cc2f0190, 1 from 0 
+DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: io_watch_add(0xa87960, 46, 2, 0x7fb7cc2f0190), fd_no=39
+DEBUG: <core> [core/tcp_main.c:3434]: handle_tcp_child(): CONN_RELEASE  0x7fb7cc2f0190 refcnt= 1
+```
+
+## Debugging 
+
+**Issue 1** : ERROR: connect_unix_sock: connect(/var/run/kamailio//kamailio_ctl): No such file or directory [2]
+**Solution** : Look for the location of kamcmd executable in sbin like 
+```
+>ls /usr/local/sbin/
+root@ip-10-130-74-151:/home/ubuntu# ls /usr/local/sbin/
+kamailio  kamcmd  kamctl  kamdbctl
+```
+and execute from source 
+```
+/usr/local/sbin/kamcmd
+```
+
+**Issue 2** : ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
+ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f0f56a3e440 r: 0x7f0f56a3e4c0 (-1)
+**Solution :** although if verify_certificate is no , this should not affect the call, use openssl sclient to validate the certs . tbd more details   
diff --git a/TLSonly/openssl_sclient.md b/TLSonly/openssl_sclient.md
@@ -0,0 +1,71 @@
+# s_client in openssl
+
+Used for validating server security certs and TLS 
+
+ -host host     - use -connect instead
+ -port port     - use -connect instead
+ -connect host:port - who to connect to (default is localhost:4433)
+ -verify_hostname host - check peer certificate matches "host"
+ -verify_email email - check peer certificate matches "email"
+ -verify_ip ipaddr - check peer certificate matches "ipaddr"
+ -verify arg   - turn on peer certificate verification
+ -verify_return_error - return verification errors
+ -cert arg     - certificate file to use, PEM format assumed
+ -certform arg - certificate format (PEM or DER) PEM default
+ -key arg      - Private key file to use, in cert file if not specified but cert file is.
+ -keyform arg  - key format (PEM or DER) PEM default
+ -pass arg     - private key file pass phrase source
+ -CApath arg   - PEM format directory of CA's
+ -CAfile arg   - PEM format file of CA's
+ -no_alt_chains - only ever use the first certificate chain found
+ -reconnect    - Drop and re-make the connection with the same Session-ID
+ -pause        - sleep(1) after each read(2) and write(2) system call
+ -prexit       - print session information even on connection failure
+ -showcerts    - show all certificates in the chain
+ -debug        - extra output
+ -msg          - Show protocol messages
+ -nbio_test    - more ssl protocol testing
+ -state        - print the 'ssl' states
+ -nbio         - Run with non-blocking IO
+ -crlf         - convert LF from terminal into CRLF
+ -quiet        - no s_client output
+ -ign_eof      - ignore input eof (default when -quiet)
+ -no_ign_eof   - don't ignore input eof
+ -psk_identity arg - PSK identity
+ -psk arg      - PSK in hex (without 0x)
+ -srpuser user     - SRP authentification for 'user'
+ -srppass arg      - password for 'user'
+ -srp_lateuser     - SRP username into second ClientHello message
+ -srp_moregroups   - Tolerate other than the known g N values.
+ -srp_strength int - minimal length in bits for N (default 1024).
+ -ssl2         - just use SSLv2
+ -ssl3         - just use SSLv3
+ -tls1_2       - just use TLSv1.2
+ -tls1_1       - just use TLSv1.1
+ -tls1         - just use TLSv1
+ -dtls1        - just use DTLSv1
+ -fallback_scsv - send TLS_FALLBACK_SCSV
+ -mtu          - set the link layer MTU
+ -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol
+ -bugs         - Switch on all SSL implementation bug workarounds
+ -cipher       - preferred cipher to use, use the 'openssl ciphers' command to see what is available
+ -starttls prot - use the STARTTLS command before starting TLS for those protocols that support it, where
+                 'prot' defines which one to assume.  Currently, only "smtp", "pop3", "imap", "ftp" and "xmpp" are supported.
+ -engine id    - Initialise and use the specified engine
+ -rand file:file:...
+ -sess_out arg - file to write SSL session to
+ -sess_in arg  - file to read SSL session from
+ -servername host  - Set TLS extension servername in ClientHello
+ -tlsextdebug      - hex dump of all TLS extensions received
+ -status           - request certificate status from server
+ -no_ticket        - disable use of RFC4507bis session tickets
+ -serverinfo types - send empty ClientHello extensions (comma-separated numbers)
+ -curves arg       - Elliptic curves to advertise (colon-separated list)
+ -sigalgs arg      - Signature algorithms to support (colon-separated list)
+ -client_sigalgs arg - Signature algorithms to support for client certificate authentication (colon-separated list)
+ -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)
+ -alpn arg         - enable ALPN extension, considering named protocols supported (comma-separated list)
+ -legacy_renegotiation - enable use of legacy renegotiation (dangerous)
+ -use_srtp profiles - Offer SRTP key management with a colon-separated profile list
+ -keymatexport label   - Export keying material using label
+ -keymatexportlen len  - Export len bytes of keying material (default 20)
diff --git a/TLSonly/tls.cfg b/TLSonly/tls.cfg
@@ -0,0 +1,46 @@
+[server:default]
+method = TLSv1
+verify_certificate = yes
+require_certificate = yes
+private_key = /usr/local/etc/kamailio/kamailio-selfsigned.key
+certificate = /usr/local/etc/kamailio/kamailio-selfsigned.pem
+ca_list = default_ca.pem
+crl = default_crl.pem
+
+[client:default]
+verify_certificate = yes
+require_certificate = yes
+
+# more relaxed for connection on the loopback interface
+[server:127.0.0.1:5061]
+method = TLSv1
+verify_certificate = yes
+require_certificate = no
+private_key = local_kamailio_org_key.pem
+certificate = local_kamailio_org_cert.pem
+verify_depth = 3
+ca_list = local_ca.pem
+server_name = kamailio.org
+
+[client:127.0.0.1:5061]
+method = TLSv1
+verify_certificate = yes
+require_certificate = yes
+private_key = default_key.pem
+certificate = default_cert.pem
+ca_list = default_ca.pem
+crl = default_crl.pem
+server_name = kamailio.org
+server_id = kamailio.org
+
+# server profile on any address
+[server:any]
+method = TLSv1
+verify_certificate = yes
+require_certificate = no
+private_key = kamailio_net_key.pem
+certificate = kamailio_net_cert.pem
+verify_depth = 3
+ca_list = local_ca.pem
+server_name = kamailio.net
+server_name_mode = 1