VoIP Mailing List Archives
Mailing list archives for the VoIP community
[Freeswitch-users] symbian s60 SIP over TLS


 
reb-freeswitch at futu...
Guest





Posted: Fri Sep 12, 2008 10:06 am    Post subject: [Freeswitch-users] symbian s60 SIP over TLS

folks,

i'm wondering if anyone here has actually managed to get SIP over TLS
working from a symbian s60 phone to FreeSWITCH. i've been trying for
some time with an e71 and while i've made some progress, progress !=
success.

in fact, i've progressed to the point where the failure is known to
not be specific to FreeSWITCH's implementation. however, having used
the certificates generated by FreeSWITCH's gentls_cert script with
openssl s_server's builtin simple web server while having my e71's
browser connect to it, i can say that the failure mode is same (we
send cert, e71 replies with "illegal parameter") whether we are
running SIP or HTTP over SSL/TLS. as such, it could still be a result
of the certs generated by the FS scripts.

to eliminate one obvious potential cause, note that i have installed
the FreeSWITCH CA cert on the e71 so it shouldn't be a self-signed
cert problem. this leaves me thinking that the problem is either an
openssl problem (there appear to have been some interoperability
issues between SSL implementations as a result of e.g. padding SSL
PDUs) or a limitation in the feature set of the symbian s60 TLS
implementation, specifically limitations on the types of server certs
it'll accept. before exhausting more energy trying to track this
down, i was hoping that someone out there may have solved this problem
or at least know exactly what the problem is so i can stop banging my
head against the wall.

anyone? anyone? Bueller?

thanks,
eric


_______________________________________________
Freeswitch-users mailing list
Freeswitch-users@lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
brian at freeswitch.org
Guest

Posted: Fri Sep 12, 2008 10:16 am    Post subject: [Freeswitch-users] symbian s60 SIP over TLS

Without one for me to test with I can only guess. I have tested TLS
on Polycom, Snom. You might need to set up sslv3 instead of tls on your
profile for doing secure SIP. What are you trying https against?

/b


On Sep 12, 2008, at 10:01 AM, R. Eric Bennett wrote:

Quote:
folks,

i'm wondering if anyone here has actually managed to get SIP over TLS
working from a symbian s60 phone to FreeSWITCH. i've been trying for
some time with an e71 and while i've made some progress, progress !=
success.

in fact, i've progressed to the point where the failure is known to
not be specific to FreeSWITCH's implementation. however, having used
the certificates generated by FreeSWITCH's gentls_cert script with
openssl s_server's builtin simple web server while having my e71's
browser connect to it, i can say that the failure mode is same (we
send cert, e71 replies with "illegal parameter") whether we are
running SIP or HTTP over SSL/TLS. as such, it could still be a result
of the certs generated by the FS scripts.

to eliminate one obvious potential cause, note that i have installed
the FreeSWITCH CA cert on the e71 so it shouldn't be a self-signed
cert problem. this leaves me thinking that the problem is either an
openssl problem (there appear to have been some interoperability
issues between SSL implementations as a result of e.g. padding SSL
PDUs) or a limitation in the feature set of the symbian s60 TLS
implementation, specifically limitations on the types of server certs
it'll accept. before exhausting more energy trying to track this
down, i was hoping that someone out there may have solved this problem
or at least know exactly what the problem is so i can stop banging my
head against the wall.

anyone? anyone? Bueller?

thanks,
eric


Brian West
sip:brian@freeswitch.org

reb-freeswitch at futu...
Guest

Posted: Fri Sep 12, 2008 1:21 pm    Post subject: [Freeswitch-users] symbian s60 SIP over TLS

Note that I was mostly just hoping to find someone who'd already had
experience trying to do SIP over TLS with an s60 device, not asking
you folks to do add developing that knowledge in order to have you do
my debugging for me.

That said, I did leave out a few things in the interest of not being
too long-winded...

First, I should point out that I'm doing this on vanilla Mac OS X
10.5.4, i.e. no fink or macports installed packages. Second, I'm
using a "latest" tarball from an unknown date in late August (see
prior post on AIM SIP for explanation of why). I'm 4k miles away from
the machine with no remote access so I don't know the exact date of
the tarball. Third, my configs work fine without TLS.

So what I did was perform a gentls_cert and then:

1) configured FreeSWITCH for TLS, forced e71 to register. Didn't
work, "illegal parameter" error returned to server by client.
2) configured FS with "sslv23", forced e71 to register. Didn't work,
"illegal parameter" error.
3) ran "openssl s_server -accept ... -CApath ... -CAfile ... -www -tls1"
using the CA and server cert created by gentls_cert, pointed e71
browser at s_server port. Didn't work, "illegal parameter" error.
4) ran "openssl s_server -accept ... -CApath ... -CAfile ... -www -ssl3",
pointed e71 browser at s_server port. Didn't work, "illegal
parameter" error.
5) gave up for the time being hoping i could find wisdom on
freeswitch-users.

If you are interested in having an s60 device with which to test,
contact me directly via email.

<param name="podium" value="
Frankly, as the disappointed purchaser of a UTStarcom WiSIP-something-
or-other years ago and one who waited anxiously for someone to sell
the hipi-2200 from Paragon Wireless (never could find one), it seems
to me that the s60 phones with SIP represent the holy grail for which
SIP-minded VoIP people have been searching, ironic since it's been
hiding in plain sight as they say... Notably s60 SIP devices have
real PIM and syncing functionality, a browser (for those of us that
would want to do SIP because we're frequently at a remote site that
requires web-page-based authentication), 802.1X support, all in cell
phone... one of which you're likely to have/need anyway.
"/>

thanks,
eric

On Sep 12, 2008, at 11:14 AM, Brian West wrote:

Quote:
Without one for me to test with I can only guess. I have tested TLS
on Polycom, Snom. You might need to set up sslv3 instead of tls on your
profile for doing secure SIP. What are you trying https against?

/b


On Sep 12, 2008, at 10:01 AM, R. Eric Bennett wrote:

Quote:
folks,

i'm wondering if anyone here has actually managed to get SIP over TLS
working from a symbian s60 phone to FreeSWITCH. i've been trying for
some time with an e71 and while i've made some progress, progress !=
success.

in fact, i've progressed to the point where the failure is known to
not be specific to FreeSWITCH's implementation. however, having used
the certificates generated by FreeSWITCH's gentls_cert script with
openssl s_server's builtin simple web server while having my e71's
browser connect to it, i can say that the failure mode is same (we
send cert, e71 replies with "illegal parameter") whether we are
running SIP or HTTP over SSL/TLS. as such, it could still be a
result
of the certs generated by the FS scripts.

to eliminate one obvious potential cause, note that i have installed
the FreeSWITCH CA cert on the e71 so it shouldn't be a self-signed
cert problem. this leaves me thinking that the problem is either an
openssl problem (there appear to have been some interoperability
issues between SSL implementations as a result of e.g. padding SSL
PDUs) or a limitation in the feature set of the symbian s60 TLS
implementation, specifically limitations on the types of server certs
it'll accept. before exhausting more energy trying to track this
down, i was hoping that someone out there may have solved this
problem
or at least know exactly what the problem is so i can stop banging my
head against the wall.

anyone? anyone? Bueller?

thanks,
eric


Brian West
sip:brian@freeswitch.org

brian at freeswitch.org
Guest

Posted: Fri Sep 12, 2008 1:31 pm    Post subject: [Freeswitch-users] symbian s60 SIP over TLS

Eric,
I wasn't aware that the s60 did TLS yet nor was I aware that it does
SRTP till very recently. I do know that the phone is very picky and
that's the extent of my knowledge on that. Still not 100% sure on
those facts.

/b

On Sep 12, 2008, at 1:17 PM, R. Eric Bennett wrote:

Quote:
Note that I was mostly just hoping to find someone who'd already had
experience trying to do SIP over TLS with an s60 device, not asking
you folks to do add developing that knowledge in order to have you do
my debugging for me.

That said, I did leave out a few things in the interest of not being
too long-winded...

Brian West
sip:brian@freeswitch.org







Prometheus001 at gmx.net
Guest

Posted: Fri Sep 12, 2008 5:21 pm    Post subject: [Freeswitch-users] symbian s60 SIP over TLS

Concerning TLS and SRTP on S60 see
http://mosh.nokia.com/common/download/4452B13D5F854A8DE040050A45306C1B/original/Developing_3rd_party_VoIP_clients_on_S60_platform_v1_0_en.pdf

But I am not sure whether they use SDES or Mikey for key exchange.

Brian West wrote:
Quote:
Eric,
I wasn't aware that the s60 did TLS yet nor was I aware that it does
SRTP till very recently. I do know that the phone is very picky and
that's the extent of my knowledge on that. Still not 100% sure on
those facts.

/b

On Sep 12, 2008, at 1:17 PM, R. Eric Bennett wrote:


Quote:
Note that I was mostly just hoping to find someone who'd already had
experience trying to do SIP over TLS with an s60 device, not asking
you folks to do add developing that knowledge in order to have you do
my debugging for me.

That said, I did leave out a few things in the interest of not being
too long-winded...


Brian West
sip:brian@freeswitch.org







reb-freeswitch at futu...
Guest

Posted: Sat Sep 13, 2008 3:15 pm    Post subject: [Freeswitch-users] symbian s60 SIP over TLS

Brian,

Yes, I'd also like to point out that finding details on that pickiness
is not the easiest task either. That's why I was hoping to find
someone here with some personal experience. If not, back to the salt
mines myself...

Just for completeness I will point out that I'm primarily interested
in SIP/TLS and not SRTP. I'm much more concerned about people
sniffing authentication data and using it to access for-fee services
(e.g. my PSTN trunk) than I am about them hearing
what I'm talking about. But that's my particular situation...

thanks,
eric

On Sep 12, 2008, at 2:28 PM, Brian West wrote:

Quote:
Eric,
I wasn't aware that the s60 did TLS yet nor was I aware that it does
SRTP till very recently. I do know that the phone is very picky and
that's the extent of my knowledge on that. Still not 100% sure on
those facts.

/b

On Sep 12, 2008, at 1:17 PM, R. Eric Bennett wrote:

Quote:
Note that I was mostly just hoping to find someone who'd already had
experience trying to do SIP over TLS with an s60 device, not asking
you folks to do add developing that knowledge in order to have you do
my debugging for me.

That said, I did leave out a few things in the interest of not being
too long-winded...

Brian West
sip:brian@freeswitch.org







brian at freeswitch.org
Guest

Posted: Sat Sep 13, 2008 3:25 pm    Post subject: [Freeswitch-users] symbian s60 SIP over TLS

They can't use your auth data if they happen to sniff it. It's hashed
and impossible for someone to reuse or gain your auth data from it.

/b

On Sep 13, 2008, at 3:11 PM, R. Eric Bennett wrote:

Quote:
Just for completeness I will point out that I'm primarily interested
in SIP/TLS and not SRTP. I'm much more concerned about people
sniffing authentication data and using it to access for-fee services
(e.g. my PSTN trunk) than I am about them hearing
what I'm talking about. But that's my particular situation...

thanks,
eric


astmac at stillnewt.org
Guest

Posted: Sun Sep 14, 2008 12:09 am    Post subject: [Freeswitch-users] symbian s60 SIP over TLS

On Sep 13, 2008, at 1:20 PM, Brian West wrote:

Quote:
They can't use your auth data if they happen to sniff it. It's hashed
and impossible for someone to reuse or gain your auth data from it.

Impossible? This seems like an overstatement.

Marty

Quote:
/b

On Sep 13, 2008, at 3:11 PM, R. Eric Bennett wrote:

Quote:
Just for completeness I will point out that I'm primarily interested
in SIP/TLS and not SRTP. I'm much more concerned about people
sniffing authentication data and using it to access for-fee services
(e.g. my PSTN trunk) than I am about them hearing
what I'm talking about. But that's my particular situation...

thanks,
eric


brian at freeswitch.org
Guest

Posted: Sun Sep 14, 2008 12:39 am    Post subject: [Freeswitch-users] symbian s60 SIP over TLS

Anything is possible but the way the authentication data is hashed
together it wouldn't be possible for someone to gain access to your
authentication data derived from the auth headers in the sip packets.
If it were so simple then everyone would be able to crack their Vonage
accounts.

http://en.wikipedia.org/wiki/Digest_access_authentication

/b

On Sep 14, 2008, at 12:05 AM, Martin Joseph wrote:

Quote:

Impossible? This seems like an overstatement.

Marty

Brian West
sip:brian@freeswitch.org







astmac at stillnewt.org
Guest

Posted: Sun Sep 14, 2008 12:33 pm    Post subject: [Freeswitch-users] symbian s60 SIP over TLS

On Sep 13, 2008, at 10:36 PM, Brian West wrote:

Quote:
Anything is possible but the way the authentication data is hashed
together it wouldn't be possible for someone to gain access to your
authentication data derived from the auth headers in the sip packets.
If it were so simple then everyone would be able to crack their Vonage
accounts.

I also agree that the exposure is quite limited, and that a
successful compromise is unlikely.

Still it's not wise to use language like impossible when discussing
security precautions.

Thanks for the great software and all the help too,
Marty

PS thanks for the link.
Quote:

http://en.wikipedia.org/wiki/Digest_access_authentication

PPS here's another:
http://www.esecurityplanet.com/patches/article.php/3446071
Quote:

/b

On Sep 14, 2008, at 12:05 AM, Martin Joseph wrote:

Quote:

Impossible? This seems like an overstatement.

Marty

Brian West
sip:brian@freeswitch.org







brian at freeswitch.org
Guest

Posted: Sun Sep 14, 2008 1:44 pm    Post subject: [Freeswitch-users] symbian s60 SIP over TLS

It's still not the same as an MD5 flaw or collision. The Digest auth is time sensitive and unless you have a very weak password the chances are almost zero for someone to crack it. Needless to say you should be concerned about the signaling and the media... So TLS/SRTP all the way if at all possible.


/b

On Sep 14, 2008, at 12:30 PM, Martin Joseph wrote:
Quote:
Still it's not wise to use language like impossible when discussing
security precautions.

Thanks for the great software and all the help too,
Marty

PS thanks for the link.
Quote:

http://en.wikipedia.org/wiki/Digest_access_authentication

PPS here's another:
http://www.esecurityplanet.com/patches/article.php/3446071


Brian West
sip:brian@freeswitch.org

mgg at giagnocavo.net
Guest

Posted: Sun Sep 14, 2008 2:40 pm    Post subject: [Freeswitch-users] symbian s60 SIP over TLS

Quote:
Anything is possible but the way the authentication data is hashed
together it wouldn't be possible for someone to gain access to your
authentication data derived from the auth headers in the sip packets.
If it were so simple then everyone would be able to crack their Vonage
accounts.

I know you know this, but I thought I'd mention it anyways. The security of digest is related to the security of your password in the first place. You CAN mount a brute force attack on the digest packets. So if you're picking simple passwords, don't rely on digest to prevent things.

Although, it's probably much more profitable for an attacker to attack the VoIP provider directly. Depending on their platform, this could be a lot easier than brute forcing even a simple password :).

-Michael
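
Added example, not part of any post in this thread: the RFC 2617 MD5 digest computation the posters are discussing, written out to show which inputs travel in cleartext and that the password is the only secret among them. The extension, realm, nonce and password are constructed sample values, and the guess rate is an assumption.

```python
import hashlib
import hmac
import re


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 MD5 digest. The password only ever appears inside HA1."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:  # qop=auth mixes in the nonce count and the client nonce
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest_header(value: str) -> dict:
    """Split 'Digest k="v", k=v' credentials into a dict of fields."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}


def candidate_matches(header_value: str, method: str, candidate: str) -> bool:
    """The registrar's check. Every input except `candidate` is in the header."""
    f = parse_digest_header(header_value)
    expected = digest_response(f["username"], f["realm"], candidate, method,
                               f["uri"], f["nonce"],
                               f.get("qop"), f.get("nc"), f.get("cnonce"))
    return hmac.compare_digest(expected, f["response"].lower())


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try every password of one length and alphabet."""
    return alphabet_size ** length / guesses_per_second


# Constructed sample: what an Authorization header on a REGISTER looks like.
SAMPLE_PASSWORD = "correct-horse-7"          # constructed, never on the wire
_F = {"username": "1000", "realm": "pbx.example.test",
      "uri": "sip:pbx.example.test", "nonce": "5f1c2a90-constructed"}
SAMPLE_HEADER = (
    'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
    'uri="{uri}", algorithm=MD5, response="{response}"'
).format(response=digest_response(_F["username"], _F["realm"], SAMPLE_PASSWORD,
                                  "REGISTER", _F["uri"], _F["nonce"]), **_F)

if __name__ == "__main__":
    print("cleartext fields:", sorted(parse_digest_header(SAMPLE_HEADER)))
    print("right password  :", candidate_matches(SAMPLE_HEADER, "REGISTER",
                                                 SAMPLE_PASSWORD))
    print("wrong password  :", candidate_matches(SAMPLE_HEADER, "REGISTER",
                                                 "1000"))
    rate = 1e9  # assumed guesses per second, for policy comparison only
    print("6-digit PIN     : %.3f s" % seconds_to_exhaust(10, 6, rate))
    print("12 chars of 62  : %.2e years"
          % (seconds_to_exhaust(62, 12, rate) / 31_557_600))
```

Because the nonce, realm and username are hashed in, the response differs per challenge, but nothing beyond the password is secret once the header is visible, so password length is what sets the cost.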



mike at jerris.com
Guest

Posted: Sun Sep 14, 2008 2:50 pm    Post subject: [Freeswitch-users] symbian s60 SIP over TLS

On Sep 14, 2008, at 1:52 PM, Michael Giagnocavo wrote:

Quote:
Quote:
Anything is possible but the way the authentication data is hashed
together it wouldn't be possible for someone to gain access to your
authentication data derived from the auth headers in the sip packets.
If it were so simple then everyone would be able to crack their
Vonage
accounts.

I know you know this, but I thought I'd mention it anyways. The
security of digest is related to the security of your password in
the first place. You CAN mount a brute force attack on the digest
packets. So if you're picking simple passwords, don't rely on digest
to prevent things.

Although, it's probably much more profitable for an attacker to
attack the VoIP provider directly. Depending on their platform, this
could be a lot easier than brute forcing even a simple password :).


The digest is of more than just the password, there are other elements
to the hashes including the nonce, while in the "old days" these were
pretty hard to brute force, with the current availability of rainbow
tables, it shouldn't be that hard to reverse even non trivial passwords.

Mike


brian at freeswitch.org
Guest

Posted: Sun Sep 14, 2008 4:50 pm    Post subject: [Freeswitch-users] symbian s60 SIP over TLS

Still with a password that's secure the probability is rather low.

But if you're that concerned about the signaling you should be equally
concerned about the media. As entering your credit card or account
information over VoIP is just as bad and also travels in the RTP stream.

Also don't use VBR codecs on SRTP links.

/b

On Sep 14, 2008, at 2:49 PM, Michael Jerris wrote:

Quote:
The digest is of more than just the password, there are other elements
to the hashes including the nonce, while in the "old days" these were
pretty hard to brute force, with the current availability of rainbow
tables, it shouldn't be that hard to reverse even non trivial
passwords.

Mike

Brian West
sip:brian@freeswitch.org







All times are GMT - 5 Hours