OpenSIPS does not reuse existing TLS-connections on outbound requests

Franz Edler-3
Hi all,

I have successfully set up the OpenSIPS v1.5.1 with TLS and registering my
two eyebeam clients for alice and bob is o.k.

The problem is now that on a session setup between both clients OpenSIPS
does not reuse the existing TLS connection for the outbound INVITE request
but sets up a new TCP connection which is terminated by the client.

I see the following logs on the console:
   ERROR:core:tls_connect: SSL_ERROR_SYSCALL err=Success(0)

   ERROR:core:tls_connect: something wrong in SSL: 5 (ret=0) err=Success(0)

   ERROR:core:tcp_send: failed to send

   ERROR:tm:msg_send: tcp_send failed

   ERROR:tm:t_forward_nonack: sending request failed

I have set the "tls_send_timeout" to 120sec and have also enabled SIP
keep-alives at the eyebeam clients. The clients send keep-alives every 30sec
via the TLS connections, but OpenSIPS does not reuse these connections.

Any hints what might be wrong?

Regards
Franz


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: OpenSIPS does not reuse existing TLS-connections on outbound requests

Bogdan-Andrei Iancu
Hi Franz,

OpenSIPS does reuse the TCP connections, but there are some conditions
for this to happen - when something needs to be sent out via TCP, first
it is checked if there is an already existing connection to the source
IP and port. If so, it will be reused.

So, you say that the clients do register via TCP (and the
connections are up) via C1 and C2. Now one of the clients tries to call
the other one, so the call is sent out (let's say) via C1 to opensips
and opensips is failing to deliver the call via C2 to the second client,
right?

Regards,
Bogdan


Re: OpenSIPS does not reuse existing TLS-connections on outbound requests

Franz Edler-3
> OpenSIPS does reuse the TCP connections, but there are some conditions
> for this to happen - when something needs to be sent out via TCP, first
> it is checked if there is an already existing connection to the source
> IP and port. If so, it will be reused.
>
> So, you say that the clients do register via TCP (and the
> connections are up) via C1 and C2. Now one of the clients tries to call
> the other one, so the call is sent out (let's say) via C1 to opensips
> and opensips is failing to deliver the call via C2 to the second client,
> right?

Yes. That's the case. And I already found the cause of the troubles:

The eyebeam-client does not use the port where the TLS connection has been
set up in the Contact header field. It uses a totally different port as
Contact:

Examples:
Alice registers via TLS at 10.0.0.1:2852 and uses as contact
sip:alice@10.0.0.1:18855.
Bob registers via TLS at 10.0.0.2:2692 and uses as contact
sip:bob@10.0.0.2:36251.

I verified the Contact addresses in the location database and thanks to
siptrace() I captured also easily the REGISTER request.

So it is clear that OpenSIPS forwards the request to a port where eyebeam is
not listening. Did anyone see such a strange behaviour?

I will post the issue at the eyebeam support forum.

Regards
Franz
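
Added example, not part of the original posts and not OpenSIPS code: a small model of the lookup discussed in this thread, run over the two registrations quoted above. The REGISTER text, the `example.test` domain and the function names are constructed, and the model assumes a connection is reused only when its peer address equals the destination being sent to.

```python
import re

# Constructed capture: (TLS source address seen by the proxy, REGISTER text).
# Addresses and contact URIs are the ones quoted in the post; the rest is made up.
CAPTURED = [
    (("10.0.0.1", 2852),
     "REGISTER sip:example.test SIP/2.0\r\n"
     "To: <sip:alice@example.test>\r\n"
     "Contact: <sip:alice@10.0.0.1:18855>\r\n\r\n"),
    (("10.0.0.2", 2692),
     "REGISTER sip:example.test SIP/2.0\r\n"
     "To: <sip:bob@example.test>\r\n"
     "m: <sip:bob@10.0.0.2:36251>;expires=3600\r\n\r\n"),  # compact Contact form
]

CONTACT_HDR = re.compile(r"^(?:Contact|m)\s*:\s*(.+)$", re.I | re.M)
SIP_URI = re.compile(r"sips?:(?:[^@;>\s]+@)?([^:;>\s]+)(?::(\d+))?")


def contact_destination(register, default_port=5061):
    """Return the (host, port) a proxy would route to from the Contact URI."""
    hdr = CONTACT_HDR.search(register)
    uri = SIP_URI.search(hdr.group(1)) if hdr else None
    if uri is None:
        raise ValueError("no SIP URI in Contact header")
    return uri.group(1), int(uri.group(2) or default_port)


def delivery_plan(captured):
    """For each registration, say whether a lookup keyed on the Contact
    address, or on the REGISTER's source address, finds a live connection."""
    connections = {src for src, _ in captured}  # registration connections still up
    plan = []
    for src, register in captured:
        dest = contact_destination(register)
        plan.append({
            "source": src,
            "contact": dest,
            "by_contact": "reuse" if dest in connections else "new connection",
            # Assumption: the registrar also stored the REGISTER's source address.
            "by_source": "reuse" if src in connections else "new connection",
        })
    return plan


if __name__ == "__main__":
    for row in delivery_plan(CAPTURED):
        print(row)
```

Keyed on the Contact address, neither registration matches its own TLS connection, so the proxy has to open a new connection in the reverse direction.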





Re: OpenSIPS does not reuse existing TLS-connections on outbound requests

Franz Edler-3
Hi Bogdan and all,

> I will post the issue at the eyebeam support forum.

After many struggles I now come back to the OpenSIPS mailing list, because I
think now that it is a problem of OpenSIPS and not that of the SIP clients.

The problem is, that the clients use an ephemeral port for outgoing TCP
connections which is (as far as I have seen always) different from the port
they advertise for incoming connections. The problem for the inbound proxy
is to set up a separate TCP connection in this case. I did not have a NAT
environment; therefore the existing connection has not been re-used.

The problem gets obviously an additional complexity as in case of TLS a
separate TLS connection has to be set up (now in the reverse direction).
OpenSIPS in this case has problems to set up this second TLS connection
showing:
        ERROR:core:tls_blocking_write: too many retries with no operation
        ERROR:core:tcp_send: failed to send
        ERROR:tm:msg_send: tcp_send failed
        ERROR:tm:t_forward_nonack: sending request failed

I think now, that this is still an open issue in the implementation.

regards
Franz



Re: OpenSIPS does not reuse existing TLS-connections on outbound requests

Bogdan-Andrei Iancu
Hi Franz,

Franz Edler wrote:

> Hi Bogdan and all,
>
>  
>> I will post the issue at the eyebeam support forum.
>>    
>
> After many struggles I now come back to the OpenSIPS mailing list, because I
> think now that it is a problem of OpenSIPS and not that of the SIP clients.
>
> The problem is, that the clients use an ephemeral port for outgoing TCP
> connections which is (as far as I have seen always) different from the port
> they advertise for incoming connections. The problem for the inbound proxy
> is to set up a separate TCP connection in this case. I did not have a NAT
> environment; therefore the existing connection has not been re-used.
>
>  
I agree with you, but the question is where is the error? Because from
the proxy's point of view, the inbound connection came from port A (ephemeral
port) and the outbound connection needs to go to port B (registered
contact). Logically speaking, you can reuse the connection, but
realistically speaking you have no idea about the mapping between
port A and port B ...

> The problem gets obviously an additional complexity as in case of TLS a
> separate TLS connection has to be set up (now in the reverse direction).
> OpenSIPS in this case has problems to set up this second TLS connection
> showing:
> ERROR:core:tls_blocking_write: too many retries with no operation
> ERROR:core:tcp_send: failed to send
> ERROR:tm:msg_send: tcp_send failed
> ERROR:tm:t_forward_nonack: sending request failed
>  
Actually the error is for writing and not for setting up the new TLS
connection. The mysterious "SSL_ERROR_WANT_WRITE" error.....
Can you check what is the status of the connection? Init done?
Still in init phase?

Thanks and regards,
Bogdan
> I think now, that this is still an open issue in the implementation.
>
> regards
> Franz
>
>
>  


Re: OpenSIPS does not reuse existing TLS-connections on outbound requests

woymiany
This post has NOT been accepted by the mailing list yet.
In reply to this post by Franz Edler-3
Hi Franz,
    I also got the errors in OpenSIPS 1.6.
    I modified tls_server.c and commented out the following code:
        /* avoid looping if nothing happens */
        /*if (n==0) {
                retries++;
                if (retries==MAX_SSL_RETRIES) {
                        LM_ERR("too many retries with no operation\n");
                        goto error;
                }
        } else {
                // reset the retries if we succeeded in doing something
                retries = 0;
        }
        */
After rebuilding OpenSIPS, the clients work fine.

regards
woymiany
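
Added example, not from the thread and not OpenSIPS code: the guard commented out above exists, by its own comment, to stop the write loop from spinning when nothing happens. This Python sketch shows the same bound expressed as a deadline on socket readiness instead of an iteration count; `tls_send_all` and `wait_ready` are hypothetical names.

```python
import select
import ssl
import time


def wait_ready(sock, want_write, timeout):
    """Block until sock is writable (or readable) or the timeout expires."""
    readers, writers = ([], [sock]) if want_write else ([sock], [])
    r, w, _ = select.select(readers, writers, [], timeout)
    return bool(r or w)


def tls_send_all(tls_sock, data, timeout=5.0, wait=wait_ready, clock=time.monotonic):
    """Send all of data on a non-blocking ssl.SSLSocket before a deadline.

    SSLWantWriteError / SSLWantReadError mean "retry once the socket is
    ready", so the loop sleeps in select() rather than counting empty passes.
    The deadline keeps a stalled peer from holding the caller forever.
    """
    deadline = clock() + timeout
    view = memoryview(data)
    sent = 0
    while sent < len(view):
        remaining = deadline - clock()
        if remaining <= 0:
            raise TimeoutError(f"TLS write stalled after {sent} of {len(view)} bytes")
        try:
            sent += tls_sock.send(view[sent:])
        except ssl.SSLWantWriteError:
            wait(tls_sock, True, remaining)
        except ssl.SSLWantReadError:  # e.g. the handshake still needs peer input
            wait(tls_sock, False, remaining)
    return sent
```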
