[VOIPSEC] Snom Softphone with TLS and Openser
dennis
m8939605 at yahoo.com.tw
Fri Feb 24 07:44:01 CST 2006
Hi Martin,
I followed your method, but I still have some problems.
1. After receiving the ClientHello, openser gets
terminated.
My openser is 1.0.0.
1 1 0.0023 (0.0023) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_DES_CBC_SHA
compression methods
NULL
1 0.2734 (0.2710) S>C TCP FIN
///////////////////////////////////
2. After adding tls_ciphers_list="NULL-SHA:NULL-MD5",
openser was OK, but the Snom softphone was stuck
immediately after starting and did not accept any
input via the user interface.
1 1 0.0894 (0.0894) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_DES_CBC_SHA
compression methods
NULL
1 2 0.0913 (0.0018) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
86 63 02 13 cd 51 12 d8 02 61 aa cc 66 63 84 d8
21 42 01 8e c1 d6 8e b0 c3 b6 d1 26 68 73 0d 02
cipherSuite TLS_RSA_WITH_NULL_MD5
compressionMethod NULL
1 3 0.0913 (0.0000) S>C Handshake
Certificate
1 4 0.0913 (0.0000) S>C Handshake
ServerHelloDone
1 131.0737 (130.9823) S>C TCP FIN
When you re-execute the program, the certificate will be
cleaned away. I thought that the softphone lost its
certificate, so it hung.
Another root cause may be openssl (0.97f); I will try
to upgrade or reinstall it.
///////////////////////////////////////
In my environment, Windows Messenger always has some
problems with Openser: when openser sends the certificate,
WM always pops up an error message.
3 1 0.8193 (0.8193) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
compression methods
NULL
3 2 0.8199 (0.0006) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
c3 b3 f1 16 de e4 76 d6 97 e3 ae ba 68 06 31 92
1a 5c 62 c7 f5 8c 7d 2c 2e 2b 87 47 32 a6 04 32
cipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA
compressionMethod NULL
3 3 0.8199 (0.0000) S>C Handshake
Certificate
3 4 0.8199 (0.0000) S>C Handshake
ServerHelloDone
////////////////////////////////////
But after replacing the key size of 2048 with 1024, there
was an improvement in Windows Messenger, although it
still pops up the same error.
3 1 0.8193 (0.8193) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
compression methods
NULL
3 2 0.8199 (0.0006) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
c3 b3 f1 16 de e4 76 d6 97 e3 ae ba 68 06 31 92
1a 5c 62 c7 f5 8c 7d 2c 2e 2b 87 47 32 a6 04 32
cipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA
compressionMethod NULL
3 3 0.8199 (0.0000) S>C Handshake
Certificate
3 4 0.8199 (0.0000) S>C Handshake
ServerHelloDone
3 5 0.8701 (0.0501) C>S Handshake
ClientKeyExchange
3 6 0.8701 (0.0000) C>S ChangeCipherSpec
3 7 0.8701 (0.0000) C>S Handshake
3 8 0.8736 (0.0035) S>C ChangeCipherSpec
3 9 0.8738 (0.0001) S>C Handshake
3 1.6979 (0.8241) C>S TCP FIN
3 10 1.6985 (0.0006) S>C Alert
3 1.6986 (0.0000) S>C TCP FIN
The Alert was not a standard TLS alert description, so
I can't analyze it.
The Alert message is below:
15 03 01 00 18 fe ef bc 84 a3 c7 8c 8c a5 91 e7 da e1
7c
^^^^^^^^ (there are some problems.....)
06 ee 35 9d 32 21 ec ef 8c 79
--- Christian Stredicke <Christian.Stredicke at snom.de> wrote:
> Instead of using DNS SRV you can also use a
> transport parameter in the
> outbound proxy. E.g.
>
> server.example.at:5061;transport=tls
>
> Christian
>
> > -----Original Message-----
> > From: Voipsec-bounces at voipsa.org
> > [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Martin Petraschek
> > Sent: Thursday, February 23, 2006 5:01 AM
> > To: Voipsec at voipsa.org
> > Subject: [VOIPSEC] Snom Softphone with TLS and Openser
> >
> > Hi all,
> >
> > I just wanted to share the experiences I made when trying to
> > get the Snom 360 Softphone to work with TLS support together
> > with Openser. Maybe my findings can be of use for other
> > people having similar problems.
> >
> > The Snom Softphone is one of the few Softphones I am aware of
> > that support TLS as well as RTP encryption. Unfortunately it
> > is not Open Source, but the binary is freely available at
> > http://www.snom.com/download/snom360-5.3.exe
> >
> > When trying to use TLS, one might be disappointed that the
> > configuration menus do not offer any setting like "enable
> > TLS". This is because the Snom phone uses DNS SRV queries in
> > order to find out which connection method to use. The first
> > task is therefore to configure SRV records of the DNS server.
> > For bind, the following lines did the trick:
> >
> > example.at. IN NAPTR 10 50 "s" "SIPS+D2T" "" _sips._tcp.example.at.
> > example.at. IN NAPTR 20 50 "s" "SIP+D2U" "" _sip._udp.example.at.
> > example.at. IN NAPTR 30 50 "s" "SIP+D2T" "" _sip._tcp.example.at.
> >
> > ; ----- SRV records -----
> > _sip._udp IN SRV 0 0 5060 server.example.at.
> > _sip._tcp IN SRV 0 0 5060 server.example.at.
> > _sips._tcp IN SRV 0 0 5061 server.example.at.
> >
> >
> > After that, the Snom phone tried to contact the SIP server via TLS.
> > However, the program was stuck immediately after starting and
> > did not accept any input via the user interface. I inspected
> > the network traffic it generated with the help of the tool
> > ssldump, which showed the following:
> >
> > server:/etc/openser/tools# ssldump -i eth0 port 5061
> > New TCP connection #1: user.example.at(3695) <-> server.example.at(5061)
> > 1 1 0.0124 (0.0124) C>S Handshake
> > ClientHello
> > Version 3.1
> > cipher suites
> > TLS_RSA_WITH_RC4_128_MD5
> > TLS_RSA_WITH_RC4_128_SHA
> > TLS_RSA_WITH_NULL_MD5
> > TLS_RSA_WITH_NULL_SHA
> > TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
> > TLS_DH_anon_WITH_RC4_128_MD5
> > TLS_RSA_WITH_DES_CBC_SHA
> > TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> > TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
> > TLS_DH_anon_WITH_DES_CBC_SHA
> > compression methods
> > NULL
> > 1 2 0.0145 (0.0021) S>C Handshake
> > ServerHello
> > Version 3.1
> > session_id[32]=
> > 5d a6 8d 61 58 ed c6 08 ae 76 d1 eb 24 82 6a c3
> > 2e 12 4c 29 17 7b 80 bf 1d 98 82 2c 67 53 ab f0
> > cipherSuite TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
> > compressionMethod NULL
> > 1 3 0.0146 (0.0000) S>C Handshake
> > Certificate
> > 1 4 0.0146 (0.0000) S>C Handshake
> > CertificateRequest
> > certificate_types rsa_sign
> > certificate_types dss_sign
> > ServerHelloDone
> > 1 9.5153 (9.5006) C>S TCP RST
> >
> >
> > I noticed that the chosen ciphersuite was 1024 bit RSA.
> > Checking the certificate file /etc/openser/tls/user/user-cert.pem,
> > I found that the certificate configured for openser is 2048 bit!
> > To overcome this problem, I changed the configuration files
> > ca.conf and user.conf as well as gen_rootCA.sh (just replaced
> > 2048 with 1024 at every occurrence).
> > After re-generating the certificates and restarting openser,
> > the TLS connection finally worked like a charm.
> >
> > Cheers,
> >
> > Martin
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
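The Alert at the end of Dennis's third trace is sent after both ChangeCipherSpec messages, so ssldump, which has no key, can only print the protected record. The following added Python example (not from the thread) decodes the record header from the posted hex and checks that its 0x18-byte body is exactly what a 2-byte alert becomes under the negotiated TLS_RSA_WITH_3DES_EDE_CBC_SHA (SHA-1 MAC plus CBC padding); the plaintext alert and the per-suite size table are constructed for the example.

```python
"""Decode the TLS 1.0 record header of the Alert ssldump printed above. Added example,
not from the thread: DENNIS_ALERT is the posted hex, PLAINTEXT_ALERT a constructed contrast."""
from dataclasses import dataclass

DENNIS_ALERT = ("15 03 01 00 18 fe ef bc 84 a3 c7 8c 8c a5 91 e7 da e1 7c "
                "06 ee 35 9d 32 21 ec ef 8c 79")
PLAINTEXT_ALERT = "15 03 01 00 02 02 28"          # constructed: fatal handshake_failure
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}
# (cipher block size, MAC length) for suites negotiated in the traces; block 1 = no padding.
SUITE_PARAMS = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA": (8, 20), "TLS_RSA_WITH_NULL_MD5": (1, 16),
                "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA": (1, 20)}

@dataclass
class Record:
    content_type: str
    version: tuple
    length: int
    payload: bytes

def parse_record(hex_dump: str) -> Record:
    raw = bytes.fromhex(hex_dump)                     # fromhex ignores the spaces
    length = int.from_bytes(raw[3:5], "big")          # 5-byte header: type, major, minor, length
    payload = raw[5:5 + length]
    if len(payload) != length:
        raise ValueError(f"header announces {length} bytes, dump has {len(payload)}")
    return Record(CONTENT_TYPES.get(raw[0], f"unknown({raw[0]})"), (raw[1], raw[2]), length, payload)

def protected_length(plaintext_len: int, suite: str) -> int:
    """Record body size once the MAC and (for CBC suites) padding are appended."""
    block, mac_len = SUITE_PARAMS[suite]
    body = plaintext_len + mac_len
    if block == 1:                                    # stream or NULL cipher: MAC only
        return body
    body += 1                                         # the padding_length byte itself
    return body + (-body % block)                     # pad up to the next block boundary

def describe_alert(rec: Record, suite: str) -> str:
    """Readable alert if it was sent in the clear, otherwise explain its size."""
    if rec.content_type != "alert":
        return f"not an alert record ({rec.content_type})"
    if rec.length == 2:                               # before ChangeCipherSpec: level, description
        level, desc = rec.payload
        return f"{ALERT_LEVELS.get(level, level)} {ALERT_DESCRIPTIONS.get(desc, desc)}"
    if rec.length == protected_length(2, suite):
        return f"encrypted alert: {rec.length} bytes = 2-byte alert + MAC + padding under {suite}"
    return f"alert of unexpected length {rec.length}"
```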
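Martin's post explains that the Snom phone has no "enable TLS" switch because it follows the NAPTR/SRV records of the domain. The added Python example below (not code from the thread or from snom) runs an RFC 3263-style selection over the bind records he posted and shows that a TLS-capable client ends up at the same server.example.at:5061;transport=tls target Christian suggests, while a UDP-only client lands on port 5060; the weighted SRV randomisation is simplified to a sort.

```python
"""RFC 3263-style NAPTR/SRV selection over the bind records Martin posted.
Added example, not from the thread: it shows why the Snom phone chose TLS with
no 'enable TLS' setting, since the SIPS+D2T NAPTR record has the lowest order."""
import shlex
from typing import Dict, List, Optional, Tuple

ORIGIN = "example.at."
# Records exactly as posted in the thread, with the mail wrapping removed.
ZONE = """
example.at. IN NAPTR 10 50 "s" "SIPS+D2T" "" _sips._tcp.example.at.
example.at. IN NAPTR 20 50 "s" "SIP+D2U" "" _sip._udp.example.at.
example.at. IN NAPTR 30 50 "s" "SIP+D2T" "" _sip._tcp.example.at.
_sip._udp IN SRV 0 0 5060 server.example.at.
_sip._tcp IN SRV 0 0 5060 server.example.at.
_sips._tcp IN SRV 0 0 5061 server.example.at.
"""

SERVICE_TRANSPORT = {"SIPS+D2T": "tls", "SIP+D2T": "tcp", "SIP+D2U": "udp"}

def fqdn(name: str) -> str:
    return name if name.endswith(".") else f"{name}.{ORIGIN}"

def parse_zone(text: str) -> Tuple[List[tuple], Dict[str, List[tuple]]]:
    naptr, srv = [], {}
    for line in text.strip().splitlines():
        f = shlex.split(line)                          # shlex keeps "" as an empty field
        if f[2] == "NAPTR":                            # order, preference, service, replacement
            naptr.append((int(f[3]), int(f[4]), f[6], f[8]))
        elif f[2] == "SRV":                            # priority, weight, port, target
            srv.setdefault(fqdn(f[0]), []).append((int(f[3]), int(f[4]), int(f[5]), f[6]))
    return naptr, srv

def select_outbound_proxy(zone: str, supported: set) -> Optional[str]:
    """Return host:port;transport=... the way an RFC 3263 client would choose it.
    Lowest NAPTR order (then preference) wins among services the client supports;
    SRV targets are taken by priority then weight (weighted randomness omitted)."""
    naptr, srv = parse_zone(zone)
    for order, pref, service, target in sorted(naptr):
        if service not in supported or target not in srv:
            continue
        prio, weight, port, host = sorted(srv[target], key=lambda r: (r[0], -r[1]))[0]
        return f"{host.rstrip('.')}:{port};transport={SERVICE_TRANSPORT[service]}"
    return None

if __name__ == "__main__":
    print(select_outbound_proxy(ZONE, {"SIPS+D2T", "SIP+D2T", "SIP+D2U"}))  # TLS on 5061
    print(select_outbound_proxy(ZONE, {"SIP+D2U"}))                         # UDP-only client
```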