Howto:Debugging SRTP/SIPS connections

From innovaphone wiki

Latest revision as of 09:47, 28 November 2012

===Question:===
What to do if no connection via SIP/TLS comes about?

Error message in the trace:

 Remote server certificate mismatch: IP0010-2b-00-a3 (194.204.29.9)

If the above error message can be found in the trace, the TLS layer of the client has already accepted the server certificate. Here it is the SIP stack that does not agree with the server certificate. The SIP stack opens a connection towards "194.204.29.9" and receives the certificate "IP0010-2b-00-a3" from the server. The mismatch between the dialled address and the certificate name irritates the SIP stack.

===Answer:===
It would also irritate a web browser if you try to connect to "banking.postbank.de" and the connected server presents a certificate for "blabla.nonsense.de". Even if the TLS layer has accepted the certificate for "blabla.nonsense.de" because it is an officially signed certificate, the web browser won't accept it.

Certificate and connection destination must match!

Either you update the server certificate and add "194.204.29.9" as an alternative name, or you make the client open the connection towards "IP0010-2b-00-a3". In the second case you must make the client resolve "IP0010-2b-00-a3" into an IP address. You can add a local DNS entry for "IP0010-2b-00-a3" on the client box (Services/DNS/Hosts).
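As an added illustration (not innovaphone's code), the following Python snippet reproduces the name check that produces the trace line above and shows both fixes: an iPAddress alternative name on the server certificate, or dialling the certificate's name after adding a local hosts entry. The certificate dictionary uses the layout Python's ssl.getpeercert() returns; the certificate contents, the hosts table and the function names are constructed assumptions.

```python
import ipaddress

# Constructed stand-in for the certificate the server in the trace presents: its only
# name is the common name "IP0010-2b-00-a3" (same layout as ssl.getpeercert() returns).
SERVER_CERT = {"subject": ((("commonName", "IP0010-2b-00-a3"),),), "subjectAltName": ()}

# Constructed local hosts table, standing in for Services/DNS/Hosts on the client box.
LOCAL_HOSTS = {"IP0010-2b-00-a3": "194.204.29.9"}

def cert_common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _dns_match(pattern, name):
    # Case-insensitive; a wildcard may only stand for the whole left-most label.
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return pattern == name

def cert_matches(target, cert):
    """True if the name or IP the client dialled (`target`) is covered by `cert`."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # A dialled IP is only covered by an iPAddress SAN, never by the CN.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:  # when DNS SANs exist, the CN is ignored
        return any(_dns_match(p, target) for p in dns_names)
    cn = cert_common_name(cert)
    return cn is not None and _dns_match(cn, target)

def check_connection(target, cert, hosts):
    """Resolve as the client would, then return 'ok' or the trace-style mismatch line."""
    if target not in hosts:
        try:
            ipaddress.ip_address(target)
        except ValueError:
            return f"Cannot resolve {target}"
    if cert_matches(target, cert):
        return "ok"
    return f"Remote server certificate mismatch: {cert_common_name(cert)} ({target})"
```

Dialling the IP against the CN-only certificate yields the exact trace line; a certificate carrying "194.204.29.9" as iPAddress SAN, or dialling "IP0010-2b-00-a3" once the hosts entry exists, both pass.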