[SIPForum-discussion] Major issues with TLS-ports

Tomasz Zieleniewski tzieleniewski at gmail.com
Sun Apr 19 21:19:49 UTC 2009


Hi Franz,

Generally, using a different port in the Via header is not wrong.
There is of course an explanation for this.
In the case of TLS, which is a reliable transport, the Via header is
examined only when there is a failure during response processing.
In normal circumstances the response is sent over the connection the
request arrived on. When sending the response fails, the server
examines the value of the sent-by in the topmost Via header.
In your case the Via header looks something like this, doesn't it?
Via: SIP/2.0/TLS 10.0.0.1:1766;branch=z9hG4bK...
This tells the UAS that in case of a connection failure it should
retry sending the response over TLS to the 10.0.0.1:1766 address.
What you need to check is that the transport is TLS, not some other!

It is important that when a SIPS URI is used as the Request-URI of a
request, each hop over which the request is forwarded, until the request
reaches the SIP proxy entity responsible for the target domain, is
secured with TLS.
When it reaches the domain, the request is handled according to the local policy.
The fact that your clients communicate (register) over TLS is caused
by the fact that the registrar URI (REGISTER Request-URI) is a SIPS URI.
This is something separate from registering a SIPS AOR.
Do your clients put a SIPS URI in the Contact header?
Perhaps it is not a SIPS but just a SIP URI?
If they do, then they should be listening for incoming connections.

For sure, some trace files would be nice, just to be sure:)

Kind Regards
- Tomasz Zieleniewski

2009/4/18 Franz Edler <franz-edler at aon.at>:
> Hi experts,
>
> Maybe anyone might help me to clarify the following problem:
>
> I made some tests using TLS between a SIP client and a SIP server (Proxy and
> Registrar). Thereby I observed the following very strange behaviour:
> When the client sets up the TLS connection selecting e.g. 10.0.0.1:1772 for
> the TLS connection it uses a different port in Via and Contact header field
> (10.0.0.1:1766) of the REGISTER request. The result is now that for an
> incoming SIP session the SIP proxy server uses the port advertised in the
> Contact of the REGISTER request (10.0.0.1:1766) but there is no TLS
> connection available.
>
> This makes me very confused. I first assumed it is a bug in the client, but
> now I tried several clients and every time the same behaviour: The
> port number used in the Via and Contact header field of the REGISTER request
> is not identical with the port where the TLS connection has been set up.
>
> I can send some trace-files if requested.
> The clients I used are (Eyebeam, Bria and Mercuro).
>
> Any help highly appreciated.
>
> Regards
> Franz
>
>
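
The checks suggested in the reply above (Via transport, Via sent-by versus the TLS connection's source port, Contact scheme and port), run against a REGISTER, as an added example that is not part of the original thread. The function name, finding labels and the sample message are constructed for illustration; IPv6 literals and multiple Contact values are not handled.

```python
import re

# Constructed REGISTER using the addresses quoted in the thread.
SAMPLE_REGISTER = (
    "REGISTER sips:registrar.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.0.0.1:1766;branch=z9hG4bKconstructed\r\n"
    "Contact: <sip:alice@10.0.0.1:1766>\r\n"
    "Content-Length: 0\r\n\r\n"
)

VIA_RE = re.compile(
    r"^(?:Via|v)[ \t]*:[ \t]*SIP/2\.0/(\w+)[ \t]+([^;:\s,]+)(?::(\d+))?", re.I | re.M)
CONTACT_RE = re.compile(
    r"^(?:Contact|m)[ \t]*:[^\r\n]*?\b(sips?):(?:[^@>\s;]+@)?([^:;>\s]+)(?::(\d+))?",
    re.I | re.M)


def audit_register(raw, conn_ip, conn_port):
    """Compare the topmost Via and first Contact with the TLS connection's source."""
    via, contact = VIA_RE.search(raw), CONTACT_RE.search(raw)
    if not via or not contact:
        raise ValueError("REGISTER lacks a parsable Via or Contact")
    transport = via.group(1).upper()
    scheme = contact.group(1).lower()
    # Default ports when none is given: 5061 for TLS/sips, otherwise 5060.
    via_addr = (via.group(2), int(via.group(3) or (5061 if transport == "TLS" else 5060)))
    contact_addr = (contact.group(2),
                    int(contact.group(3) or (5061 if scheme == "sips" else 5060)))
    conn = (conn_ip, conn_port)
    findings = {}
    if transport != "TLS":
        findings["via-transport"] = f"Via transport is {transport}, not TLS"
    if via_addr != conn:
        # Not an error: sent-by is only consulted if replying on the connection fails.
        findings["via-sent-by"] = f"info: response retry would go to {via_addr}, not {conn}"
    if scheme != "sips":
        findings["contact-scheme"] = "Contact is a SIP URI, not SIPS"
    if contact_addr != conn:
        # A proxy opening a new connection to the Contact needs something listening there.
        findings["contact-listener"] = f"new connections to {contact_addr} need a listener"
    return findings


if __name__ == "__main__":
    for code, text in audit_register(SAMPLE_REGISTER, "10.0.0.1", 1772).items():
        print(f"{code}: {text}")
```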


