[OpenSIPS-Users] NOTIFY and TLS issue

Damien Sandras dsandras at seconix.com
Mon Aug 31 11:29:13 CEST 2015


Hi Bogdan,
I'm not sure about that (see our previous discussions about connection
reuse).
It will only reuse the active SUBSCRIBE TCP connection if the Contact
header of the SUBSCRIBE indicates the same IP/port than the one used to
create the outbound SUBSCRIBE TCP connection. That is rarely the case.
Or am I missing something ?
Le lundi 31 août 2015 à 12:17 +0300, Bogdan-Andrei Iancu a écrit :
> Hi Bogdan,
> 
> If the conn with B is still alive (the one created by SUBSCRIBE
> requests), it should be reused when OpenSIPS has to send the NOTIFY.
> Have you enabled the tcp aliases ?
> 
> If still a problem, can you make a log (with debug 6) when the NOTIFY
> is to be send + a listing from list_tcp_conns ?
> 
> Regards,
>  Bogdan-Andrei Iancu
> OpenSIPS Founder and Developer
> http://www.opensips-solutions.com
> On 28.08.2015 20:53, Bogdan Chifor wrote:
> > Hello,
> > 
> > I have a question regarding the following scenario:
> > 
> > 1. I have two devices connected to the server via two-way TLS(TCP).
> >  1.1 Device A is behind a NAT
> >  1.2 Device B is directly connected to the server
> > 
> > 2. Device B subscribes to the presence of device A.
> > 
> > 3. Device A gets offline and the server generates a NOTIFY message
> > to be sent to device B.
> > 
> > 4. The server does not find an existing tcp connection (from the
> > logs), even though the socket is visible if the "opensipsctl fifo
> > list_tcp_conns" or "netstat" commands are used.
> > 
> > 5. Because the server does not find an existing connection it
> > initiates one (TLS). After that the proto tls module logs the
> > following error: "NOTICE:proto_tls:verify_callback: verify
> > error:num=26:unsupported certificate purpose".
> > 
> > 6. This error is normal because device B does not have a
> > certificate with server authentication extended key usage, it has
> > only the client authentication extended key usage (as normal). 
> > 
> > What is the reason behind the start of the new connection and how
> > should I handle this issue?
> > 
> > This is my proto_tls config:
> > 
> > modparam("proto_tls", "verify_cert", "1")
> > modparam("proto_tls", "require_cert", "1")
> > modparam("proto_tls", "tls_method", "TLSv1")
> > modparam("proto_tls", "certificate", "...")
> > modparam("proto_tls", "private_key", "...")
> > modparam("proto_tls", "ca_list", "...")
> > modparam("proto_tls", "ca_dir", "...")
> > 
> > 
> > Any help is appreciated.
> > 
> > Best regards,
> > 
> > Bogdan.
> > 
> > 
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
-- 
Damien SANDRAS

Ekiga Project 
http://www.ekiga.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20150831/b09e1df1/attachment.htm>


More information about the Users mailing list