laurent Posted June 21, 2012

Hello all,

I am trying to set up a SIP trunk from snom ONE to an AudioCodes M1000 with TLS. We have generated a certificate for the M1000 and imported the root certificate into the snom ONE. We have done the same process (generation of a certificate) for the snom ONE. As you can see in the log below, the snom ONE tries to initiate the TLS layer, but it's not working.

Below is the log of the snom ONE (level 9); the Wireshark capture is attached: tls_snomone_debug.zip

Any idea?

Laurent

[7] 2012/06/21 17:54:50: UDP(IPv6): Opening socket on [::]
[8] 2012/06/21 17:54:50: Trunk 2: sending discover message for sips.peoplefone.com
[5] 2012/06/21 17:54:50: Set process affinity to 1
[9] 2012/06/21 17:54:50: Resolve 1: discover 95.128.80.120
[8] 2012/06/21 17:54:50: Trunk 2: Received reply for discover method
[8] 2012/06/21 17:54:50: Trunk 2 (peoplefone) is associated with the following addresses: 95.128.80.120
[8] 2012/06/21 17:54:50: Trunk peoplefone: Sending registration to sips.peoplefone.com
[9] 2012/06/21 17:54:50: Resolve 2: url sip:sips.peoplefone.com
[9] 2012/06/21 17:54:50: Resolve 2: naptr sips.peoplefone.com
[8] 2012/06/21 17:54:50: DNS: Use DNS server 62.12.130.66
[8] 2012/06/21 17:54:50: DNS: Request sips.peoplefone.com from server 62.12.130.66
[7] 2012/06/21 17:54:50: UDP(IPv4): Opening socket on 0.0.0.0:5060
[8] 2012/06/21 17:54:50: Joined multicast group 224.0.1.75
[7] 2012/06/21 17:54:50: UDP(IPv6): Opening socket on [::]:5060
[7] 2012/06/21 17:54:50: TCP(IPv4): Opening socket on 0.0.0.0:5060
[7] 2012/06/21 17:54:50: TCP(IPv6): Opening socket on [::]:5060
[7] 2012/06/21 17:54:50: TCP(IPv4): Opening socket on 0.0.0.0:5061
[7] 2012/06/21 17:54:50: TCP(IPv6): Opening socket on [::]:5061
[8] 2012/06/21 17:54:51: DNS: Add NAPTR sips.peoplefone.com (ttl=10800)
[9] 2012/06/21 17:54:51: DNS: erasing NAPTR sips.peoplefone.com, id 1 retry count 1,
[9] 2012/06/21 17:54:51: Resolve 2: naptr sips.peoplefone.com
[9] 2012/06/21 17:54:51: Resolve 2: srv tls _sips._tcp.sips.peoplefone.com
[8] 2012/06/21 17:54:51: DNS: Request _sips._tcp.sips.peoplefone.com from server 62.12.130.66
[8] 2012/06/21 17:54:51: DNS: Add SRV _sips._tcp.sips.peoplefone.com 4 4 sips.peoplefone.com 5067 (ttl=2400)
[9] 2012/06/21 17:54:51: DNS: erasing SRV _sips._tcp.sips.peoplefone.com, id 2 retry count 0,
[9] 2012/06/21 17:54:51: Resolve 2: srv tls _sips._tcp.sips.peoplefone.com
[9] 2012/06/21 17:54:51: Resolve 2: a tls sips.peoplefone.com 5067
[8] 2012/06/21 17:54:51: DNS: Request sips.peoplefone.com from server 62.12.130.66
[8] 2012/06/21 17:54:51: DNS: Add A sips.peoplefone.com 95.128.80.120 (ttl=2400)
[9] 2012/06/21 17:54:51: DNS: erasing A sips.peoplefone.com, id 3 retry count 0,
[9] 2012/06/21 17:54:51: Resolve 2: a tls sips.peoplefone.com 5067
[9] 2012/06/21 17:54:51: Resolve 2: tls 95.128.80.120 5067
[8] 2012/06/21 17:54:51: Received SIP connection 1 from 95.128.80.120:5067
[5] 2012/06/21 17:54:51: SIP Tx tls:95.128.80.120:5067:
REGISTER sip:sips.peoplefone.com SIP/2.0
Via: SIP/2.0/TLS 192.168.1.46:15865;branch=z9hG4bK-64e099b010dd6030e1d4f0afb4a79f21;rport
From: "90543373418" <sip:90543373418@sips.peoplefone.com>;tag=13381
To: "90543373418" <sip:90543373418@sips.peoplefone.com>
Call-ID: hfx5bq0f@pbx
CSeq: 18149 REGISTER
Max-Forwards: 70
Contact: <sip:90543373418@192.168.1.46:15865;transport=tls;line=c81e728d>;+sip.instance="<urn:uuid:30f55c9a-396c-425e-9aa0-f8fe602dd1f2>"
User-Agent: snomONE/4.5.0.1075 Delta Aurigids
Supported: outbound
Expires: 3600
Content-Length: 0

[9] 2012/06/21 17:54:51: SIP 95.128.80.120:5067: send_client_hello(03014fe343cb2fd047c4b9641603a25e2c4ee845c285ccb0d89f3a54fa6ee39ec1a0000004000400050100001c000000180016000013736970732e70656f706c65666f6e652e636f6d)
[1] 2012/06/21 17:54:51: TCP: TOS could not be set, code 0
[5] 2012/06/21 17:54:51: SIP 95.128.80.120:5067: Alert(2, 100)
[5] 2012/06/21 17:55:00: Last message repeated 2 times
[5] 2012/06/21 17:55:00: Table cdrt: Finished reading 6 rows
[5] 2012/06/21 17:55:00: Table cdre: Finished reading 15 rows
[5] 2012/06/21 17:55:00: Table cdri: Finished reading 6 rows
[5] 2012/06/21 17:55:22: Registration on trunk 2 (peoplefone) failed with code 408. Retry in 60 seconds
[2] 2012/06/21 17:55:22: Trunk status peoplefone (2) changed to "408 Request Timeout" (Registration failed, retry after 60 seconds)
[6] 2012/06/21 17:55:51: SIP TCP/TLS timeout on 95.128.80.120:5067, closing connection
[9] 2012/06/21 17:55:51: SIP 95.128.80.120:5067: send_alert(0100)
[8] 2012/06/21 17:55:51: Release SIP thread 1
[0] 2012/06/21 17:55:58: Administrator logged in from IP address 127.0.0.1, session 59wqvzj3mbs3wgkbqitx
[9] 2012/06/21 17:55:59: Remote site 127.0.0.1 closed the connection
[9] 2012/06/21 17:56:06: Last message repeated 3 times
[5] 2012/06/21 17:56:06: Could not send 32960 bytes to 127.0.0.1, error code 10054
[9] 2012/06/21 17:56:06: Remote site 127.0.0.1 closed the connection
[9] 2012/06/21 17:56:22: Last message repeated 2 times
[8] 2012/06/21 17:56:22: Trunk 2: Preparing for re-registration
[8] 2012/06/21 17:56:22: Trunk 2: sending discover message for sips.peoplefone.com
[9] 2012/06/21 17:56:22: Resolve 3: discover 95.128.80.120
[8] 2012/06/21 17:56:22: Trunk 2: Received reply for discover method
[8] 2012/06/21 17:56:22: Trunk 2 (peoplefone) is associated with the following addresses: 95.128.80.120
[8] 2012/06/21 17:56:22: Trunk peoplefone: Sending registration to sips.peoplefone.com
[9] 2012/06/21 17:56:22: Resolve 4: url sip:sips.peoplefone.com
[9] 2012/06/21 17:56:22: Resolve 4: naptr sips.peoplefone.com
[9] 2012/06/21 17:56:22: Resolve 4: srv tls _sips._tcp.sips.peoplefone.com
[9] 2012/06/21 17:56:22: Resolve 4: a tls sips.peoplefone.com 5067
[9] 2012/06/21 17:56:22: Resolve 4: tls 95.128.80.120 5067
[8] 2012/06/21 17:56:22: Received SIP connection 2 from 95.128.80.120:5067
[5] 2012/06/21 17:56:22: SIP Tx tls:95.128.80.120:5067:
REGISTER sip:sips.peoplefone.com SIP/2.0
Via: SIP/2.0/TLS 192.168.1.46:24771;branch=z9hG4bK-cbfe8b3e1d290c5c811789a9ff69417f;rport
From: "90543373418" <sip:90543373418@sips.peoplefone.com>;tag=13381
To: "90543373418" <sip:90543373418@sips.peoplefone.com>
Call-ID: hfx5bq0f@pbx
CSeq: 18150 REGISTER
Max-Forwards: 70
Contact: <sip:90543373418@192.168.1.46:24771;transport=tls;line=c81e728d>;+sip.instance="<urn:uuid:30f55c9a-396c-425e-9aa0-f8fe602dd1f2>"
User-Agent: snomONE/4.5.0.1075 Delta Aurigids
Supported: outbound
Expires: 3600
Content-Length: 0

[9] 2012/06/21 17:56:22: SIP 95.128.80.120:5067: send_client_hello(03014fe34426679aea4ba212708e2e8e2442776eeff79e216839c50ba6a37ac6e8a4000004000400050100001c000000180016000013736970732e70656f706c65666f6e652e636f6d)
[1] 2012/06/21 17:56:22: TCP: TOS could not be set, code 0
[5] 2012/06/21 17:56:22: SIP 95.128.80.120:5067: Alert(2, 100)
[5] 2012/06/21 17:56:27: Last message repeated 2 times
[9] 2012/06/21 17:56:27: Remote site 127.0.0.1 closed the connection
[9] 2012/06/21 17:56:54: Last message repeated 2 times
[5] 2012/06/21 17:56:54: Registration on trunk 2 (peoplefone) failed with code 408. Retry in 60 seconds
[6] 2012/06/21 17:57:22: SIP TCP/TLS timeout on 95.128.80.120:5067, closing connection
[9] 2012/06/21 17:57:22: SIP 95.128.80.120:5067: send_alert(0100)
[8] 2012/06/21 17:57:22: Release SIP thread 2
[8] 2012/06/21 17:57:54: Trunk 2: Preparing for re-registration
[8] 2012/06/21 17:57:54: Trunk 2: sending discover message for sips.peoplefone.com
[9] 2012/06/21 17:57:54: Resolve 5: discover 95.128.80.120
[8] 2012/06/21 17:57:54: Trunk 2: Received reply for discover method
[8] 2012/06/21 17:57:54: Trunk 2 (peoplefone) is associated with the following addresses: 95.128.80.120
[8] 2012/06/21 17:57:54: Trunk peoplefone: Sending registration to sips.peoplefone.com
[9] 2012/06/21 17:57:54: Resolve 6: url sip:sips.peoplefone.com
[9] 2012/06/21 17:57:54: Resolve 6: naptr sips.peoplefone.com
[9] 2012/06/21 17:57:54: Resolve 6: srv tls _sips._tcp.sips.peoplefone.com
[9] 2012/06/21 17:57:54: Resolve 6: a tls sips.peoplefone.com 5067
[9] 2012/06/21 17:57:54: Resolve 6: tls 95.128.80.120 5067
[8] 2012/06/21 17:57:54: Received SIP connection 3 from 95.128.80.120:5067
[5] 2012/06/21 17:57:54: SIP Tx tls:95.128.80.120:5067:
REGISTER sip:sips.peoplefone.com SIP/2.0
Via: SIP/2.0/TLS 192.168.1.46:33753;branch=z9hG4bK-d4ee6ce7c65657f6ba23064c0b4d378b;rport
From: "90543373418" <sip:90543373418@sips.peoplefone.com>;tag=13381
To: "90543373418" <sip:90543373418@sips.peoplefone.com>
Call-ID: hfx5bq0f@pbx
CSeq: 18151 REGISTER
Max-Forwards: 70
Contact: <sip:90543373418@192.168.1.46:33753;transport=tls;line=c81e728d>;+sip.instance="<urn:uuid:30f55c9a-396c-425e-9aa0-f8fe602dd1f2>"
User-Agent: snomONE/4.5.0.1075 Delta Aurigids
Supported: outbound
Expires: 3600
Content-Length: 0

[9] 2012/06/21 17:57:54: SIP 95.128.80.120:5067: send_client_hello(03014fe34482230c38b414df1934914e2c735fd3f3f9a821212f217fcf08deff4d3a000004000400050100001c000000180016000013736970732e70656f706c65666f6e652e636f6d)
[1] 2012/06/21 17:57:54: TCP: TOS could not be set, code 0
[5] 2012/06/21 17:57:54: SIP 95.128.80.120:5067: Alert(2, 100)
[5] 2012/06/21 17:58:26: Last message repeated 2 times
[5] 2012/06/21 17:58:26: Registration on trunk 2 (peoplefone) failed with code 408. Retry in 60 seconds
[6] 2012/06/21 17:58:54: SIP TCP/TLS timeout on 95.128.80.120:5067, closing connection
[9] 2012/06/21 17:58:54: SIP 95.128.80.120:5067: send_alert(0100)
[8] 2012/06/21 17:58:54: Release SIP thread 3
[8] 2012/06/21 17:59:26: Trunk 2: Preparing for re-registration
[8] 2012/06/21 17:59:26: Trunk 2: sending discover message for sips.peoplefone.com
[9] 2012/06/21 17:59:26: Resolve 7: discover 95.128.80.120
[8] 2012/06/21 17:59:26: Trunk 2: Received reply for discover method
[8] 2012/06/21 17:59:26: Trunk 2 (peoplefone) is associated with the following addresses: 95.128.80.120
[8] 2012/06/21 17:59:26: Trunk peoplefone: Sending registration to sips.peoplefone.com
[9] 2012/06/21 17:59:26: Resolve 8: url sip:sips.peoplefone.com
[9] 2012/06/21 17:59:26: Resolve 8: naptr sips.peoplefone.com
[9] 2012/06/21 17:59:26: Resolve 8: srv tls _sips._tcp.sips.peoplefone.com
[9] 2012/06/21 17:59:26: Resolve 8: a tls sips.peoplefone.com 5067
[9] 2012/06/21 17:59:26: Resolve 8: tls 95.128.80.120 5067
[8] 2012/06/21 17:59:26: Received SIP connection 4 from 95.128.80.120:5067
[5] 2012/06/21 17:59:26: SIP Tx tls:95.128.80.120:5067:
REGISTER sip:sips.peoplefone.com SIP/2.0
Via: SIP/2.0/TLS 192.168.1.46:42695;branch=z9hG4bK-5d88db26b7512642f482708035915439;rport
From: "90543373418" <sip:90543373418@sips.peoplefone.com>;tag=13381
To: "90543373418" <sip:90543373418@sips.peoplefone.com>
Call-ID: hfx5bq0f@pbx
CSeq: 18152 REGISTER
Max-Forwards: 70
Contact: <sip:90543373418@192.168.1.46:42695;transport=tls;line=c81e728d>;+sip.instance="<urn:uuid:30f55c9a-396c-425e-9aa0-f8fe602dd1f2>"
User-Agent: snomONE/4.5.0.1075 Delta Aurigids
Supported: outbound
Expires: 3600
Content-Length: 0

[9] 2012/06/21 17:59:26: SIP 95.128.80.120:5067: send_client_hello(03014fe344de27b514a9f3895056db8d11d13c764c489f406e511a62fc89b447541c000004000400050100001c000000180016000013736970732e70656f706c65666f6e652e636f6d)
[1] 2012/06/21 17:59:26: TCP: TOS could not be set, code 0
[5] 2012/06/21 17:59:26: SIP 95.128.80.120:5067: Alert(2, 100)
[5] 2012/06/21 17:59:58: Last message repeated 2 times
[5] 2012/06/21 17:59:58: Registration on trunk 2 (peoplefone) failed with code 408. Retry in 60 seconds
[6] 2012/06/21 18:00:26: SIP TCP/TLS timeout on 95.128.80.120:5067, closing connection
[9] 2012/06/21 18:00:26: SIP 95.128.80.120:5067: send_alert(0100)
[8] 2012/06/21 18:00:26: Release SIP thread 4
[8] 2012/06/21 18:00:58: Trunk 2: Preparing for re-registration
[8] 2012/06/21 18:00:58: Trunk 2: sending discover message for sips.peoplefone.com
[9] 2012/06/21 18:00:58: Resolve 9: discover 95.128.80.120
[8] 2012/06/21 18:00:58: Trunk 2: Received reply for discover method
[8] 2012/06/21 18:00:58: Trunk 2 (peoplefone) is associated with the following addresses: 95.128.80.120
[8] 2012/06/21 18:00:58: Trunk peoplefone: Sending registration to sips.peoplefone.com
[9] 2012/06/21 18:00:58: Resolve 10: url sip:sips.peoplefone.com
[9] 2012/06/21 18:00:58: Resolve 10: naptr sips.peoplefone.com
[9] 2012/06/21 18:00:58: Resolve 10: srv tls _sips._tcp.sips.peoplefone.com
[9] 2012/06/21 18:00:58: Resolve 10: a tls sips.peoplefone.com 5067
[9] 2012/06/21 18:00:58: Resolve 10: tls 95.128.80.120 5067
[8] 2012/06/21 18:00:58: Received SIP connection 5 from 95.128.80.120:5067
[5] 2012/06/21 18:00:58: SIP Tx tls:95.128.80.120:5067:
REGISTER sip:sips.peoplefone.com SIP/2.0
Via: SIP/2.0/TLS 192.168.1.46:51681;branch=z9hG4bK-3c0fd8624723f2b9cbce15cb06177aef;rport
From: "90543373418" <sip:90543373418@sips.peoplefone.com>;tag=13381
To: "90543373418" <sip:90543373418@sips.peoplefone.com>
Call-ID: hfx5bq0f@pbx
CSeq: 18153 REGISTER
Max-Forwards: 70
Contact: <sip:90543373418@192.168.1.46:51681;transport=tls;line=c81e728d>;+sip.instance="<urn:uuid:30f55c9a-396c-425e-9aa0-f8fe602dd1f2>"
User-Agent: snomONE/4.5.0.1075 Delta Aurigids
Supported: outbound
Expires: 3600
Content-Length: 0

[9] 2012/06/21 18:00:58: SIP 95.128.80.120:5067: send_client_hello(03014fe3453aacb4e33a8202ffa7687d14c384e52a30f0b6495e7f4a001b1c41a054000004000400050100001c000000180016000013736970732e70656f706c65666f6e652e636f6d)
[1] 2012/06/21 18:00:58: TCP: TOS could not be set, code 0
[5] 2012/06/21 18:00:58: SIP 95.128.80.120:5067: Alert(2, 100)
[5] 2012/06/21 18:01:17: Last message repeated 2 times
[9] 2012/06/21 18:01:17: Remote site 127.0.0.1 closed the connection
[5] 2012/06/21 18:01:30: Registration on trunk 2 (peoplefone) failed with code 408. Retry in 60 seconds
[6] 2012/06/21 18:01:58: SIP TCP/TLS timeout on 95.128.80.120:5067, closing connection
[9] 2012/06/21 18:01:58: SIP 95.128.80.120:5067: send_alert(0100)
[8] 2012/06/21 18:01:58: Release SIP thread 5
[8] 2012/06/21 18:02:30: Trunk 2: Preparing for re-registration
[8] 2012/06/21 18:02:30: Trunk 2: sending discover message for sips.peoplefone.com
[9] 2012/06/21 18:02:30: Resolve 11: discover 95.128.80.120
[8] 2012/06/21 18:02:30: Trunk 2: Received reply for discover method
[8] 2012/06/21 18:02:30: Trunk 2 (peoplefone) is associated with the following addresses: 95.128.80.120
[8] 2012/06/21 18:02:30: Trunk peoplefone: Sending registration to sips.peoplefone.com
[9] 2012/06/21 18:02:30: Resolve 12: url sip:sips.peoplefone.com
[9] 2012/06/21 18:02:30: Resolve 12: naptr sips.peoplefone.com
[9] 2012/06/21 18:02:30: Resolve 12: srv tls _sips._tcp.sips.peoplefone.com
[9] 2012/06/21 18:02:30: Resolve 12: a tls sips.peoplefone.com 5067
[9] 2012/06/21 18:02:30: Resolve 12: tls 95.128.80.120 5067
[8] 2012/06/21 18:02:30: Received SIP connection 6 from 95.128.80.120:5067
[5] 2012/06/21 18:02:30: SIP Tx tls:95.128.80.120:5067:
REGISTER sip:sips.peoplefone.com SIP/2.0
Via: SIP/2.0/TLS 192.168.1.46:60645;branch=z9hG4bK-f5504575306277380e1e52c7e4d31347;rport
From: "90543373418" <sip:90543373418@sips.peoplefone.com>;tag=13381
To: "90543373418" <sip:90543373418@sips.peoplefone.com>
Call-ID: hfx5bq0f@pbx
CSeq: 18154 REGISTER
Max-Forwards: 70
Contact: <sip:90543373418@192.168.1.46:60645;transport=tls;line=c81e728d>;+sip.instance="<urn:uuid:30f55c9a-396c-425e-9aa0-f8fe602dd1f2>"
User-Agent: snomONE/4.5.0.1075 Delta Aurigids
Supported: outbound
Expires: 3600
Content-Length: 0

[9] 2012/06/21 18:02:30: SIP 95.128.80.120:5067: send_client_hello(03014fe3459692c679951bb16d23f97146dc84949290fc41df14782440f84c4eb86d000004000400050100001c000000180016000013736970732e70656f706c65666f6e652e636f6d)
[1] 2012/06/21 18:02:30: TCP: TOS could not be set, code 0
[5] 2012/06/21 18:02:30: SIP 95.128.80.120:5067: Alert(2, 100)
[5] 2012/06/21 18:03:02: Last message repeated 2 times
[5] 2012/06/21 18:03:02: Registration on trunk 2 (peoplefone) failed with code 408. Retry in 60 seconds

Vodia support Posted June 21, 2012

Have you tried using "Sip Gateway" on the trunk section instead of registration?

snomuk Posted June 21, 2012

Hi,

From the log you posted, we send a TLS hello and we get nothing from the gateway, so you get the error 100:

Sent by the client in response to a hello request or by the server in response to a client hello after initial handshaking. Either of these would normally lead to renegotiation; when that is not appropriate, the recipient should respond with this alert; at that point, the original requester can decide whether to proceed with the connection. One case where this would be appropriate would be where a server has spawned a process to satisfy a request; the process might receive security parameters (key length, authentication, etc.) at startup and it might be difficult to communicate changes to these parameters after that point. This message is always a warning.

The gateway basically disallows the connection, so it may not be accepting registrations, as Mr X pointed out.

laurent Posted June 21, 2012

Hello,

Yes, I see that the TLS connection cannot be started, so the GW doesn't get the SIP message. I have already tried to change the trunk type, but same problem.

How can I debug the TLS negotiation?

Laurent

Vodia support Posted June 22, 2012

> Hello,
> Yes, I see that the TLS connection cannot be started, so the GW doesn't get the SIP message. I have already tried to change the trunk type, but same problem.
> How can I debug the TLS negotiation?
> Laurent

Have you tried entering the M1000 certificate on the PBX in this order?

1. Trusted Root CA for server authentication
2. Trusted Root CA for client authentication
3. Domain certificate chain + private key
4. Server certificate chain + private key

Vodia PBX Posted June 22, 2012

I don't think it is a problem with the certificate; the server obviously does not accept the security parameters that the PBX is proposing. Check if you have enabled RC4 on the gateway.
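
The security parameters the PBX proposes can be read straight out of the `send_client_hello(...)` line in the log at the top of the thread. The following is an added example, not part of the original posts or of the PBX software: it parses that logged ClientHello body and names the alert codes. The helper names are hypothetical, and it assumes the log's `Alert(2, 100)` is printed as (level, description).

```python
# First send_client_hello(...) payload from the log (no record/handshake header).
CLIENT_HELLO_HEX = (
    "03014fe343cb2fd047c4b9641603a25e2c4ee845c285ccb0d89f3a54fa6ee39ec1a0"
    "000004000400050100001c000000180016000013"
    "736970732e70656f706c65666f6e652e636f6d"
)
# Subsets of the IANA TLS registries, enough for this log.
SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 100: "no_renegotiation"}

class Reader:  # bounds-checked cursor over a byte string
    def __init__(self, data):
        self.data, self.pos = data, 0

    def more(self):
        return self.pos < len(self.data)

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vector(self, len_bytes):  # length-prefixed field as a sub-reader
        return Reader(self.take(self.uint(len_bytes)))

def parse_client_hello(hex_body):
    """Return version, offered cipher suites and SNI of a ClientHello body."""
    r = Reader(bytes.fromhex(hex_body))
    version = (r.uint(1), r.uint(1))           # (3, 1) means TLS 1.0
    r.take(32)                                 # random
    r.vector(1)                                # session_id
    suites, offered = r.vector(2), []
    while suites.more():
        code = suites.uint(2)
        offered.append(SUITES.get(code, f"0x{code:04x}"))
    r.vector(1)                                # compression_methods
    sni = None
    exts = r.vector(2) if r.more() else Reader(b"")
    while exts.more():
        ext_type, body = exts.uint(2), exts.vector(2)
        if ext_type == 0:                      # server_name extension
            names = body.vector(2)
            while names.more():
                name_type, name = names.uint(1), names.vector(2)
                if name_type == 0:             # host_name
                    sni = name.data.decode("ascii")
    return {"version": version, "cipher_suites": offered, "sni": sni}

def decode_alert(level, description):
    """Map numeric alert fields to their registry names."""
    return (ALERT_LEVELS.get(level, str(level)),
            ALERT_DESCRIPTIONS.get(description, str(description)))
```

For the logged payload this yields TLS 1.0, only the two RC4 suites, and the server name sips.peoplefone.com, so a peer with RC4 disabled has no suite in common with the PBX.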