[OpenSIPS-Users] Control TLS client domain
bogdan at opensips.org
Thu Mar 28 11:45:32 EDT 2019
oh, if it is MS related, I don't wanna hear about it :P.....Just joking
- please open a bug report on the tracker.
OpenSIPS Founder and Developer
OpenSIPS Summit 2019
On 03/28/2019 03:16 PM, Alexey Vasilyev wrote:
> Hi Bogdan,
> Yes, of course this is real scenario. MS Teams integration. They
> authenticate everything by TLS certificates used by connection. It
> works fine for 1 integration.
> But if I send SIP with domain2 to the TLS connection encrypted with
> certificate for domain1, I just fail.
> And actually everybody I checked reusing TLS sessions almost the same
> way as TCP. So OpenSIPS will be the first doing this correct way.
> And I like comments from tls_mgm.c
> /* what if we have multiple connections to the same remote socket?
> e.g. we can have
> connection 1: localIP1:localPort1 <--> remoteIP:remotePort
> connection 2: localIP2:localPort2 <--> remoteIP:remotePort
> but I think the is very unrealistic */
> So I got exactly this scenario.
> чт, 28 мар. 2019 г. в 13:47, Bogdan-Andrei Iancu <bogdan at opensips.org
> <mailto:bogdan at opensips.org>>:
> Hi Alexey,
> It make sense (logically speaking) to get the TLS domain involved
> in the
> TCP conn re-usage alg - but my question is: have you came across a
> scenario with such a need ?
> Bogdan-Andrei Iancu
> OpenSIPS Founder and Developer
> OpenSIPS Summit 2019
> On 03/26/2019 02:23 PM, vasilevalex wrote:
> > Hi Bogdan,
> > Thanks for fix!
> > What do you think about reusing TLS connections? In master
> branch this
> > behavior still the same. OpenSIPS reuses TLS connections the
> same way as
> > regular TCP connections, but it should not. For reusing TCP
> connection we
> > check, if connection with the same dst IP:PORT exists. But for
> TLS it is not
> > enough. We additionally should check, what certificate uses this
> > (or what domain it is related).
> > And in documentation for tls_mgm module everywhere written:
> Note: If there
> > is already an existing TLS connection to the remote target, it
> will be
> > reused and setting this AVP has no effect.
> > This is the same case - we have only 1 destination target, but
> we should use
> > several TLS connections to this target with different TLS
> certificates. So
> > first connection will be successful, but SIP message for second
> domain which
> > should use another certificate will try to reuse this first
> connection, as
> > target is the same. And this message will fail.
> > -----
> > ---
> > Alexey Vasilyev
> > --
> > Sent from:
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> Best regards
> Alexey Vasilyev
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users