Kamailio TLS connection not establishing on TLS socket 5061


I am trying to set up MS Teams Direct Routing with Kamailio version: kamailio 5.6.5 (x86_64/linux). I have set up a domain and got users registered with it. I have done all the configs following this tutorial: https://skalatan.de/en/blog/kamailio-sbc-teams

But when I checked, my TLS is not coming up:

sudo netstat -tulpn | grep kamailio

udp        0      0 0.0.0.0:5060            0.0.0.0:*                           1858/kamailio

It's listening on 5060 but not on TLS.

My certificate works for my HTTPS, but Kamailio is unable to listen on 5061. I checked the configs and they are fine; I followed other patterns but still could not get Kamailio to listen on TLS 5061.


There are 3 best solutions below

Answer 1

You need to have

  1. correct certificates in tls.cfg

  2. listen directive

Like this:

listen=tls:IPADDRESS:5061

or

listen=tls:PRIVATEIP:5061 advertise PUBLICIP:5061

Most manuals just don't write the last one, no idea why.

Answer 2

tls: 172.31.19.8:5061 advertise abcsbc.com:5061

It's now listening on the TLS port, but now I get the errors below.

This is the error when sending an OPTIONS packet to Microsoft:

ERROR: tls [tls_server.c:1319]: tls_h_read_f(): protocol level error

ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (sni: unknown)
ERROR: tls [tls_server.c:1323]: tls_h_read_f(): src addr: 52.114.132.46:5061
ERROR: tls [tls_server.c:1326]: tls_h_read_f(): dst addr: 172.31.19.8:0
ERROR: [core/tcp_read.c:1499]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fde1e939fd8 r: 0x7fde1e93a100 (-1)
ERROR: tls [tls_server.c:1319]: tls_h_read_f(): protocol level error
ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (sni: unknown)

These are my configs.

kamailio.cfg:

listen=tls:172.31.19.8:5061 advertise abcsbc.com:5061

tls.cfg:

[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = no
private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem
certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem
server_name = abc.com
server_id = abc.com
ca_list = /etc/kamailio/ca_list.pem

[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem
certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem
ca_list = /etc/kamailio/ca_list.pem
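One detail in the log above is worth reading before touching the config: the failing OpenSSL step is tls_process_server_certificate, which is the step a TLS client runs while checking the certificate the remote server presented. So this is Kamailio, as the TLS client for the OPTIONS it sends out, rejecting the remote peer's certificate against its own ca_list; it is not the remote side rejecting the Let's Encrypt certificate. The following parser is an added example, not code from the thread or from Kamailio; it groups the posted lines (embedded verbatim as sample input) into handshake-failure events with the OpenSSL code, reason, SNI, peer address and the side of the handshake that failed, which is the triage a practitioner wants from a noisy TLS log. The function-name-to-role table is an assumption based on OpenSSL's client/server state-machine naming.

```python
import re

# Log lines copied from the error output posted in the answer above, split one
# message per line so the parser can run offline against them.
SAMPLE_LOG = """\
ERROR: tls [tls_server.c:1319]: tls_h_read_f(): protocol level error
ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (sni: unknown)
ERROR: tls [tls_server.c:1323]: tls_h_read_f(): src addr: 52.114.132.46:5061
ERROR: tls [tls_server.c:1326]: tls_h_read_f(): dst addr: 172.31.19.8:0
ERROR: [core/tcp_read.c:1499]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fde1e939fd8 r: 0x7fde1e93a100 (-1)
ERROR: tls [tls_server.c:1319]: tls_h_read_f(): protocol level error
ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (sni: unknown)
"""

# OpenSSL error string as Kamailio's tls_err_ret() prints it:
#   TLS <read|write>:error:<hex code>:SSL routines:<state function>:<reason> (sni: <name>)
OPENSSL_RE = re.compile(
    r"TLS (?P<op>read|write):error:(?P<code>[0-9A-Fa-f]+):SSL routines:"
    r"(?P<func>[^:]+):(?P<reason>.*?)(?: \(sni: (?P<sni>[^)]*)\))?$"
)
ADDR_RE = re.compile(r"(?P<which>src|dst) addr: (?P<ip>[^:\s]+):(?P<port>\d+)")

# Assumption: OpenSSL state functions named tls_process_server_* run on the
# client side of the handshake, tls_process_client_* on the server side. When a
# client-side step fails, Kamailio was the one connecting out.
CLIENT_SIDE_FUNCS = {"tls_process_server_certificate", "tls_process_server_hello"}
SERVER_SIDE_FUNCS = {"tls_process_client_certificate", "tls_process_client_hello"}


def parse_tls_errors(log_text):
    """Group Kamailio TLS error lines into handshake-failure events.

    A new event starts at each 'protocol level error'; the tls_err_ret,
    src addr and dst addr lines that follow are attached to it.
    """
    events, current = [], None
    for line in log_text.splitlines():
        if "protocol level error" in line:
            current = {"op": None, "code": None, "func": None, "reason": None,
                       "sni": None, "src": None, "dst": None, "role": "unknown"}
            events.append(current)
            continue
        if current is None:
            continue
        m = OPENSSL_RE.search(line)
        if m:
            current.update(op=m["op"], code=m["code"], func=m["func"],
                           reason=m["reason"].strip(), sni=m["sni"])
            if m["func"] in CLIENT_SIDE_FUNCS:
                current["role"] = "client"
            elif m["func"] in SERVER_SIDE_FUNCS:
                current["role"] = "server"
            continue
        m = ADDR_RE.search(line)
        if m:
            current[m["which"]] = (m["ip"], int(m["port"]))
    return events


def summarize(events):
    """Count failures per (remote address, reason): which peer, what went
    wrong, how often. Events without an address line are counted under '?'."""
    counts = {}
    for ev in events:
        key = (ev["src"][0] if ev["src"] else "?", ev["reason"] or "?")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_tls_errors(SAMPLE_LOG)
    for ev in found:
        print(ev)
    print(summarize(found))
```

On the posted lines this yields two events, both "certificate verify failed" with role "client", the first against peer 52.114.132.46:5061. A "client" role with that reason means the fix belongs in the ca_list used by the client profile (it needs the CA chain that issued the remote trunk's certificate), not in the server certificate Kamailio presents.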
Answer 3

I was finally able to resolve the TLS SNI issue with this setting.

[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem
certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem
ca_list = /etc/kamailio/ca_list.pem
#ca_list = /etc/letsencrypt/live/abcsbc.com/cert.pem

[server:172.31.19.8:5061]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem
certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem
ca_list = /etc/kamailio/ca_list.pem
server_name = localhost

[client:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
server_name = abcsbc.com

[client:172.31.19.8:5061]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem
certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem
ca_list = /etc/kamailio/ca_list.pem
server_name = localhost
server_id = localhost

#private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem
#certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem
#ca_list = /etc/kamailio/ca_list.pem
#ca_list = /etc/letsencrypt/live/abcsbc.com/cert.pem

But now the thing to worry about is that my dispatcher flag goes from AX to IP. :(

kamcmd dispatcher.list | egrep "URI|FLAGS"
URI: sip:sip.pstnhub.microsoft.com:5061;transport=tls
FLAGS: IP
URI: sip:sip2.pstnhub.microsoft.com:5061;transport=tls
FLAGS: IP
URI: sip:sip3.pstnhub.microsoft.com:5061;transport=tls
FLAGS: IP

Now the dispatcher is in IP state. Why?
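Two things in this last answer deserve a check before the config is called "working". First, the setting that made the SNI error go away is verify_certificate = no in [client:default], i.e. Kamailio no longer verifies the certificate of the trunk it connects to; the [client:172.31.19.8:5061] profile that does verify is keyed on the SBC's own address, and whether it is ever selected for connections toward Microsoft should be confirmed against the tls module documentation rather than assumed. Second, the dispatcher flags: the first letter is the destination state and the second its probing mode, so IP reads as "inactive, probing", which is typically what dispatcher shows once the OPTIONS keepalive to a destination has failed and it keeps probing for recovery. The code below is an added example, not from the thread or from Kamailio: a small tls.cfg linter that flags profile settings weakening peer authentication, plus a decoder for the dispatcher.list output, run on the sections posted above (trimmed to the keys the checker reads). Assumptions: an unset verify_certificate is treated as "no", and the flag-letter tables follow the dispatcher module's state naming.

```python
# tls.cfg sections from the final answer above (trimmed to the keys the checker
# reads) and the dispatcher output, embedded so the example runs offline.
TLS_CFG = """\
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem
ca_list = /etc/kamailio/ca_list.pem

[client:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
server_name = abcsbc.com

[client:172.31.19.8:5061]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
ca_list = /etc/kamailio/ca_list.pem
#ca_list = /etc/letsencrypt/live/abcsbc.com/cert.pem
"""
DISPATCHER_OUT = """\
URI: sip:sip.pstnhub.microsoft.com:5061;transport=tls
FLAGS: IP
URI: sip:sip2.pstnhub.microsoft.com:5061;transport=tls
FLAGS: IP
URI: sip:sip3.pstnhub.microsoft.com:5061;transport=tls
FLAGS: IP
"""

# Protocol selectors that still admit something older than TLS 1.2.
WEAK_METHODS = {"SSLv23", "SSLv2", "SSLv3", "TLSv1", "TLSv1+", "TLSv1.1", "TLSv1.1+"}


def parse_tls_cfg(text):
    """Parse tls.cfg ([role:id] headers, key = value lines, '#' comments)
    into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def lint_tls_cfg(sections):
    """Return (section, severity, message) for settings that weaken peer
    authentication. Assumption: an unset verify_certificate counts as 'no'."""
    findings = []
    for name, opts in sections.items():
        role = name.split(":", 1)[0]
        verify = opts.get("verify_certificate", "no").lower() == "yes"
        if role == "client" and not verify:
            findings.append((name, "HIGH", "outbound connections do not verify the "
                             "peer certificate; the trunk is not authenticated"))
        if verify and not (opts.get("ca_list") or opts.get("ca_path")):
            findings.append((name, "HIGH", "verify_certificate = yes but no "
                             "ca_list/ca_path supplies trust anchors"))
        if opts.get("method") in WEAK_METHODS:
            findings.append((name, "MEDIUM", f"method = {opts['method']} "
                             "allows a protocol version below TLS 1.2"))
        if role == "server" and opts.get("require_certificate") == "yes":
            findings.append((name, "INFO", "require_certificate = yes demands a "
                             "client certificate from every inbound TLS peer"))
    return findings


# First flag letter is the destination state, second is the probing mode.
DS_STATE = {"A": "active", "I": "inactive", "D": "disabled", "T": "trying"}
DS_PROBE = {"P": "probing", "X": "no probing"}


def parse_dispatcher_list(text):
    """Decode the URI/FLAGS pairs of `kamcmd dispatcher.list`."""
    entries, uri = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("URI:"):
            uri = line.split(":", 1)[1].strip()
        elif line.startswith("FLAGS:") and uri is not None:
            flags = line.split(":", 1)[1].strip()
            entries.append({"uri": uri, "flags": flags,
                            "state": DS_STATE.get(flags[:1], "unknown"),
                            "probing": DS_PROBE.get(flags[1:2], "unknown")})
            uri = None
    return entries


if __name__ == "__main__":
    for finding in lint_tls_cfg(parse_tls_cfg(TLS_CFG)):
        print(finding)
    for dest in parse_dispatcher_list(DISPATCHER_OUT):
        print(dest["uri"], "->", dest["state"], dest["probing"])
```

Run against the posted config the linter reports [client:default] as HIGH (no peer verification on outbound TLS) and [server:default] as INFO (every inbound TLS client, phones included, must present a certificate), and all three pstnhub destinations decode as inactive with probing enabled. The durable fix for the original error is to keep verify_certificate = yes in the client profile and put the CA chain that issued the trunk's certificate into that profile's ca_list; once the OPTIONS probes succeed again, the destinations return to an active state.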