[SIPForum-discussion] Major issues with TLS-ports

Nils Ohlmeier nils at ohlmeier.com
Mon Apr 20 11:16:47 UTC 2009


Hi Franz,

that the UA uses a different port for outgoing connections over reliable
transports like TCP (TLS just uses TCP underneath) is totally normal,
because when it listens on port 1766 it cannot use that port any more for
outgoing connections. Whenever you listen on a TCP port or you have an
outgoing connection on one TCP port, this TCP port is blocked. This is not
the case for UDP, because it works connectionless. And also SCTP,
although it is connection oriented, does not have the same limitation as
TCP (so you can listen and use the same port for sending).

For the incoming traffic you should first check if the UAs support
registering a SIPS or TLS URI at all. Most of the clients do not offer
this feature because: to be able to listen for incoming TLS connections and
establish a proper TLS connection, the listener, the UA in this case, has to
present a valid X.509 certificate to the sender, the proxy in this
scenario. So if you install a valid X.509 certificate in the UA it might
work. But in most of the cases this is simply not done, because UAs
usually have dynamic IP addresses, e.g. from DHCP. So as soon as they get a new
IP address their certificate becomes invalid.
So offering support for incoming TLS connections is not a usual feature for
SIP UAs these days.
A typical workaround for this issue is that the client opens a TLS
connection towards the server when it registers itself, and then it keeps
this connection open. And both sides, the UA and the proxy, re-use the
existing TLS connection for all incoming and outgoing SIP traffic. But
this needs to be supported by the proxy and the UA as well.

Best regards
  Nils Ohlmeier

> Hi experts,
>
> Maybe anyone might help me to clarify the following problem:
>
> I made some tests using TLS between a SIP client and a SIP server (Proxy
> and Registrar). Thereby I observed the following very strange behaviour:
> When the client sets up the TLS connection selecting e.g. 10.0.0.1:1772
> for the TLS connection it uses a different port in the Via and Contact
> header field (10.0.0.1:1766) of the REGISTER request. The result is now
> that for an incoming SIP session the SIP proxy server uses the port
> advertised in the Contact of the REGISTER request (10.0.0.1:1766) but
> there is no TLS connection available.
>
> This makes me very confused. I first assumed it is a bug in the client,
> but now I tried several clients and every time the same behaviour: The
> port number used in the Via and Contact header field of the REGISTER
> request is not identical with the port where the TLS connection has been
> set up.
>
> I can send some trace-files if requested.
> The clients I used are (Eyebeam, Bria and Mercuro).
>
> Any help highly appreciated.
>
> Regards
> Franz
>
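The connection-reuse workaround Nils describes above, as an added example that is not part of the original thread and not code from any of the clients or proxies mentioned. The REGISTER message is constructed to match Franz's numbers: the UA's TLS socket has source port 1772, while Via and Contact advertise 10.0.0.1:1766. The `Proxy` class and its `reuse` flag are hypothetical; the idea of aliasing a connection under the address advertised in Via is what RFC 5923 later standardised with the `;alias` Via parameter, and the example also aliases every TLS connection unconditionally, because, as the post explains, the UA will not accept a fresh inbound TLS connection anyway.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample REGISTER (not a real capture): sent by the UA over a TLS
# connection whose TCP source port is 1772, but advertising port 1766.
REGISTER_MSG = (
    "REGISTER sips:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.0.0.1:1766;branch=z9hG4bK776;alias\r\n"
    "From: <sips:franz@example.com>;tag=1928\r\n"
    "To: <sips:franz@example.com>\r\n"
    "Call-ID: a84b4c@10.0.0.1\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sips:franz@10.0.0.1:1766;transport=tls>\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Minimal header parsers (IPv4/hostname only; bracketed IPv6 is not handled).
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/(\w+)\s+([^;:\s]+)(?::(\d+))?(.*)$", re.M | re.I)
CONTACT_RE = re.compile(r"^Contact:\s*<(sips?):(?:[^@>]*@)?([^:;>]+)(?::(\d+))?", re.M | re.I)
TO_RE = re.compile(r"^To:\s*<([^>]+)>", re.M | re.I)

Addr = Tuple[str, int]


@dataclass
class Connection:
    remote: Addr                  # peer (ip, port) the proxy sees on the TLS socket
    alias: Optional[Addr] = None  # (host, port) the UA advertised in its Via
    open: bool = True


class Proxy:
    """Hypothetical registrar/proxy: keeps TLS connections and location bindings."""

    def __init__(self, reuse: bool):
        self.reuse = reuse
        self.connections: Dict[Addr, Connection] = {}
        self.bindings: Dict[str, Addr] = {}  # AOR -> (host, port) from Contact

    def accept(self, remote: Addr) -> Connection:
        conn = Connection(remote)
        self.connections[remote] = conn
        return conn

    def handle_register(self, msg: str, conn: Connection) -> Addr:
        via, contact, to = VIA_RE.search(msg), CONTACT_RE.search(msg), TO_RE.search(msg)
        if not (via and contact and to):
            raise ValueError("malformed REGISTER")
        transport, via_host, via_port, params = via.groups()
        # Alias the existing connection under the Via sent-by address, so later
        # requests aimed at that address are sent over this connection instead
        # of a new one (RFC 5923 ';alias'; TLS is aliased unconditionally here).
        if self.reuse and (transport.upper() == "TLS" or ";alias" in params.lower()):
            conn.alias = (via_host, int(via_port or 5061))
        scheme, chost, cport = contact.groups()
        default_port = 5061 if scheme.lower() == "sips" else 5060
        self.bindings[to.group(1)] = (chost, int(cport or default_port))
        return self.bindings[to.group(1)]

    def next_hop(self, aor: str):
        """Decide how an inbound request (e.g. INVITE) for `aor` is delivered."""
        target = self.bindings.get(aor)
        if target is None:
            return ("no_binding", None)
        if self.reuse:
            for conn in self.connections.values():
                if conn.open and conn.alias == target:
                    return ("reuse", conn.remote)   # send down the existing TLS session
        return ("connect", target)                  # open a new connection to Contact


def demo():
    """Naive proxy vs reusing proxy, for the exact scenario in the thread."""
    aor = "sips:franz@example.com"
    naive = Proxy(reuse=False)
    naive.handle_register(REGISTER_MSG, naive.accept(("10.0.0.1", 1772)))
    reusing = Proxy(reuse=True)
    conn = reusing.accept(("10.0.0.1", 1772))
    reusing.handle_register(REGISTER_MSG, conn)
    before_close = reusing.next_hop(aor)
    conn.open = False                      # UA went away: alias must not be used
    return naive.next_hop(aor), before_close, reusing.next_hop(aor)


if __name__ == "__main__":
    for label, hop in zip(("naive", "reuse", "reuse after close"), demo()):
        print(f"{label:18s} -> {hop}")
```

The naive proxy tries to connect to 10.0.0.1:1766, where nothing is listening for TLS, which is exactly the failure Franz saw; the reusing proxy routes the INVITE down the connection the UA opened from port 1772, and falls back to a fresh connection only once that connection is gone. In a real proxy the alias should additionally be checked against the socket's actual source IP, otherwise a client could claim an alias for an address it does not own.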