[OpenSIPS-Users] Control TLS client domain
Alexey Vasilyev
alexei.vasilyev at gmail.com
Thu Mar 28 16:00:08 EDT 2019
Hi Bogdan,
Sorry that I mentioned He-Who-Must-Not-Be-Named. Just to simplify search later: https://github.com/OpenSIPS/opensips/issues/1651
-----
Alexey Vasilyev
alexei.vasilyev at gmail.com
> On 28 Mar 2019, at 16:45, Bogdan-Andrei Iancu <bogdan at opensips.org> wrote:
>
> Hi Alexey,
>
> oh, if it is MS related, I don't wanna hear about it :P.....Just joking - please open a bug report on the tracker.
>
> Regards,
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 2019
> https://www.opensips.org/events/Summit-2019Amsterdam/
> On 03/28/2019 03:16 PM, Alexey Vasilyev wrote:
>> Hi Bogdan,
>>
>> Yes, of course this is a real scenario. MS Teams integration. They authenticate everything by the TLS certificates used by the connection. It works fine for 1 integration.
>> But if I send SIP with domain2 over the TLS connection encrypted with the certificate for domain1, I just fail.
>> And actually everybody I checked reuses TLS sessions almost the same way as TCP. So OpenSIPS will be the first doing this the correct way.
>> And I like comments from tls_mgm.c
>> /* what if we have multiple connections to the same remote socket? e.g. we can have
>> connection 1: localIP1:localPort1 <--> remoteIP:remotePort
>> connection 2: localIP2:localPort2 <--> remoteIP:remotePort
>> but I think the is very unrealistic */
>>
>> So I got exactly this scenario.
>>
>>
>> On Thu, 28 Mar 2019 at 13:47, Bogdan-Andrei Iancu <bogdan at opensips.org> wrote:
>> Hi Alexey,
>>
>> It makes sense (logically speaking) to get the TLS domain involved in the
>> TCP conn re-usage alg - but my question is: have you come across a real
>> scenario with such a need?
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>> https://www.opensips-solutions.com
>> OpenSIPS Summit 2019
>> https://www.opensips.org/events/Summit-2019Amsterdam/
>>
>> On 03/26/2019 02:23 PM, vasilevalex wrote:
>> > Hi Bogdan,
>> >
>> > Thanks for fix!
>> >
>> > What do you think about reusing TLS connections? In the master branch this
>> > behavior is still the same. OpenSIPS reuses TLS connections the same way as
>> > regular TCP connections, but it should not. For reusing a TCP connection we
>> > check if a connection with the same dst IP:PORT exists. But for TLS it is not
>> > enough. We additionally should check what certificate this connection uses
>> > (or what domain it is related to).
>> >
>> > And in the documentation for the tls_mgm module it is written everywhere: Note: If there
>> > is already an existing TLS connection to the remote target, it will be
>> > reused and setting this AVP has no effect.
>> >
>> > This is the same case - we have only 1 destination target, but we should use
>> > several TLS connections to this target with different TLS certificates. So the
>> > first connection will be successful, but the SIP message for the second domain, which
>> > should use another certificate, will try to reuse this first connection, as the
>> > target is the same. And this message will fail.
>> >
>> >
>> >
>> > --
>> > Alexey Vasilyev
>> > Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users at lists.opensips.org
>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>
>>
>> --
>> Best regards
>> Alexey Vasilyev
>
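A small model of the reuse check discussed in this thread, added here as an example and not code from OpenSIPS: the same pool class is run once keyed by remote IP:port only (the behaviour Alexey describes) and once keyed by remote IP:port plus TLS client domain. Domain names, certificate labels and the remote address are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsDomain:
    name: str   # constructed TLS client domain name, e.g. "domain1"
    cert: str   # label of the client certificate this domain presents


@dataclass
class Conn:
    remote: tuple        # (ip, port) of the remote target
    tls_domain: TlsDomain  # domain whose certificate the handshake used
    conn_id: int


class ConnPool:
    """Outgoing connection cache (hypothetical model).
    key_with_domain=False: reuse by dst IP:port only, as for plain TCP.
    key_with_domain=True:  reuse only if the TLS client domain matches too."""

    def __init__(self, key_with_domain: bool):
        self.key_with_domain = key_with_domain
        self.conns = {}
        self.next_id = 1

    def _key(self, remote, dom):
        return (remote, dom.name) if self.key_with_domain else remote

    def get_or_open(self, remote, dom):
        conn = self.conns.get(self._key(remote, dom))
        if conn is None:
            conn = Conn(remote, dom, self.next_id)
            self.next_id += 1
            self.conns[self._key(remote, dom)] = conn
        return conn


def send(pool, remote, dom):
    """Returns (conn_id, ok). ok is False when the connection handed back was
    established with a different certificate than the message's domain requires,
    which is the failure the thread describes."""
    conn = pool.get_or_open(remote, dom)
    return conn.conn_id, conn.tls_domain.cert == dom.cert


def demo(key_with_domain):
    remote = ("203.0.113.10", 5061)  # constructed address, not a real endpoint
    d1 = TlsDomain("domain1", "cert-domain1")
    d2 = TlsDomain("domain2", "cert-domain2")
    pool = ConnPool(key_with_domain)
    return [send(pool, remote, d1), send(pool, remote, d2)]
```

With the IP:port-only key the second message silently lands on connection 1 and fails the certificate check; with the domain in the key it gets its own connection 2.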