[OpenSIPS-Users] Control TLS client domain

Alexey Vasilyev alexei.vasilyev at gmail.com
Thu Mar 28 09:16:19 EDT 2019


Hi Bogdan,

Yes, of course this is a real scenario: MS Teams integration. They
authenticate everything by the TLS certificates used on the connection. It works
fine for 1 integration.
But if I send SIP for domain2 over the TLS connection encrypted with the
certificate for domain1, it just fails.
And actually everybody I checked reuses TLS sessions almost the same way
as TCP. So OpenSIPS will be the first doing this the correct way.
And I like comments from tls_mgm.c
/* what if we have multiple connections to the same remote socket? e.g. we can have
connection 1: localIP1:localPort1 <--> remoteIP:remotePort
connection 2: localIP2:localPort2 <--> remoteIP:remotePort
but I think the is very unrealistic */
So I got exactly this scenario.


Thu, 28 Mar 2019 at 13:47, Bogdan-Andrei Iancu <bogdan at opensips.org>:

> Hi Alexey,
>
> It makes sense (logically speaking) to get the TLS domain involved in the
> TCP conn re-usage alg - but my question is: have you come across a real
> scenario with such a need?
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>    https://www.opensips-solutions.com
> OpenSIPS Summit 2019
>    https://www.opensips.org/events/Summit-2019Amsterdam/
>
> On 03/26/2019 02:23 PM, vasilevalex wrote:
> > Hi Bogdan,
> >
> > Thanks for fix!
> >
> > What do you think about reusing TLS connections? In the master branch this
> > behavior is still the same. OpenSIPS reuses TLS connections the same way as
> > regular TCP connections, but it should not. For reusing a TCP connection we
> > check if a connection with the same dst IP:PORT exists. But for TLS it is not
> > enough. We additionally should check what certificate this connection uses
> > (or what domain it is related to).
> >
> > And in the documentation for the tls_mgm module it is written everywhere: Note: If
> > there is already an existing TLS connection to the remote target, it will be
> > reused and setting this AVP has no effect.
> >
> > This is the same case - we have only 1 destination target, but we should use
> > several TLS connections to this target with different TLS certificates. So
> > the first connection will be successful, but the SIP message for the second domain,
> > which should use another certificate, will try to reuse this first connection,
> > as the target is the same. And this message will fail.
> >
> >
> >
> > ---
> > Alexey Vasilyev
> > --
> > Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
> >
>
>

-- 
Best regards
Alexey Vasilyev
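The reuse problem described in this thread, as an added example that is not part of the original posts and not OpenSIPS code: a toy model of the outbound connection lookup. A connection pool keyed only on the remote IP:port hands the domain2 request the connection that was opened with domain1's client certificate, so the peer sees the wrong identity and the request fails; a pool that also keys on the TLS client domain opens a second connection to the same IP:port. The struct layout, function names, the peer address and the domain names are all illustrative assumptions, not OpenSIPS internals.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model only (not OpenSIPS code). A connection remembers the
 * remote endpoint and the TLS client domain (i.e. which certificate) it was
 * established with. All names here are assumptions for the example. */

#define MAX_CONNS 8

struct conn {
    char remote_ip[16];
    int  remote_port;
    char tls_dom[32];   /* TLS client domain the connection was opened with */
};

struct pool {
    struct conn conns[MAX_CONNS];
    int n;
};

/* Old behaviour: match on remote IP:port only, exactly as for plain TCP. */
static struct conn *find_by_endpoint(struct pool *p, const char *ip, int port) {
    for (int i = 0; i < p->n; i++)
        if (p->conns[i].remote_port == port && strcmp(p->conns[i].remote_ip, ip) == 0)
            return &p->conns[i];
    return NULL;
}

/* Proposed behaviour: the TLS client domain is part of the lookup key. */
static struct conn *find_by_endpoint_and_dom(struct pool *p, const char *ip,
                                             int port, const char *dom) {
    for (int i = 0; i < p->n; i++)
        if (p->conns[i].remote_port == port
            && strcmp(p->conns[i].remote_ip, ip) == 0
            && strcmp(p->conns[i].tls_dom, dom) == 0)
            return &p->conns[i];
    return NULL;
}

/* Stand-in for the TLS handshake: record which certificate/domain was used. */
static struct conn *open_conn(struct pool *p, const char *ip, int port, const char *dom) {
    if (p->n >= MAX_CONNS) return NULL;
    struct conn *c = &p->conns[p->n++];
    snprintf(c->remote_ip, sizeof c->remote_ip, "%s", ip);
    c->remote_port = port;
    snprintf(c->tls_dom, sizeof c->tls_dom, "%s", dom);
    return c;
}

/* Pick the connection for a request that must be sent as `dom`. With
 * key_on_dom == 0 a second domain silently rides the first domain's
 * connection; with key_on_dom == 1 a second connection is opened. */
static struct conn *get_conn(struct pool *p, const char *ip, int port,
                             const char *dom, int key_on_dom) {
    struct conn *c = key_on_dom ? find_by_endpoint_and_dom(p, ip, port, dom)
                                : find_by_endpoint(p, ip, port);
    if (c == NULL)
        c = open_conn(p, ip, port, dom);
    return c;
}

/* 1 if the request for `dom` would go out on a connection that authenticated
 * with a different client certificate (the failure the thread describes). */
static int certificate_mismatch(const struct conn *c, const char *dom) {
    return c == NULL || strcmp(c->tls_dom, dom) != 0;
}

int main(void) {
    struct pool old = {0}, fixed = {0};
    const char *peer = "198.51.100.10";   /* constructed peer address */
    struct conn *c;

    get_conn(&old, peer, 5061, "domain1", 0);
    c = get_conn(&old, peer, 5061, "domain2", 0);
    printf("IP:port key   : domain2 sent with cert %s, mismatch=%d, conns=%d\n",
           c->tls_dom, certificate_mismatch(c, "domain2"), old.n);

    get_conn(&fixed, peer, 5061, "domain1", 1);
    c = get_conn(&fixed, peer, 5061, "domain2", 1);
    printf("IP:port+domain: domain2 sent with cert %s, mismatch=%d, conns=%d\n",
           c->tls_dom, certificate_mismatch(c, "domain2"), fixed.n);
    return 0;
}
```

The first lookup reproduces the "setting this AVP has no effect" behaviour from the tls_mgm documentation quoted above: once a connection to the IP:port exists, the requested client domain is never consulted. The second lookup is the behaviour the thread asks for, at the cost of allowing more than one TLS connection per remote socket.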