[OpenSIPS-Users] Control TLS client domain

vasilevalex alexei.vasilyev at gmail.com
Wed Mar 20 08:40:23 EDT 2019 

Hi all.

OpenSIPS 2.4.4
I have 2 gateways in Dynamic Routing module table. For both gateways I have
different sockets:
address: gw1, socket: tls:<IP1>:5061
address: gw2, socket: tls:<IP2>:5061

IP1 has certificate for TLS sip.domain1.com
IP2 has certificate for TLS sip.domain2.com

And something like this for tls management module:

loadmodule "tls_mgm.so"
modparam("tls_mgm", "client_domain_avp", "tls_cli_dom")
modparam("tls_mgm", "client_domain", "test1")
modparam("tls_mgm","certificate",
"[test1]/etc/opensips/tls/test1/fullchain.pem")
modparam("tls_mgm","private_key",
"[test1]/etc/opensips/tls/test1/privkey.pem")
modparam("tls_mgm","verify_cert", "[test1]0")
modparam("tls_mgm","require_cert", "[test1]0")
modparam("tls_mgm","tls_method", "[test1]TLSv1")
modparam("tls_mgm", "client_domain", "test2")
modparam("tls_mgm","certificate",
"[test2]/etc/opensips/tls/test2/fullchain.pem")
modparam("tls_mgm","private_key",
"[test2]/etc/opensips/tls/test2/privkey.pem")
modparam("tls_mgm","verify_cert", "[test2]0")
modparam("tls_mgm","require_cert", "[test2]0")
modparam("tls_mgm","tls_method", "[test2]TLSv1")
#Default domain
modparam("tls_mgm","certificate", "/etc/opensips/tls/test1/fullchain.pem")
modparam("tls_mgm","private_key", "/etc/opensips/tls/test1/privkey.pem")
modparam("tls_mgm","verify_cert", "0")
modparam("tls_mgm","require_cert", "0")
modparam("tls_mgm","tls_method", "TLSv1")
modparam("tls_mgm", "server_domain", "srv2=IP2:5061")
modparam("tls_mgm","certificate",
"[srv2]/etc/opensips/tls/test2/fullchain.pem")
modparam("tls_mgm","private_key",
"[srv2]/etc/opensips/tls/test2/privkey.pem")
modparam("tls_mgm","verify_cert", "[srv2]0")
modparam("tls_mgm","require_cert", "[srv2]0")
modparam("tls_mgm","tls_method", "[srv2]TLSv1")

Server part of TLS works fine.
But I want OPTIONS to these gateways to be send with correct TLS
certificate.

local_route {
  if (is_method("OPTIONS")) {
    # Get IP for outgoing socket
    $var(ip_out) = $(fs{s.select,1,:});
    switch($var(ip_out)) {
      case "IP1":
        $avp(tls_cli_dom) = "test1";
      break;
      case "IP2":
        $avp(tls_cli_dom) = "test2";
      break;
    }
    xlog("AVP for TLS:  $avp(tls_cli_dom) \n");
  }
}

So AVP for choosing client domain is set correctly during sending OPTIONS.
OpenSIPS uses different sockets for sending OPTIONS, but default TLS domain
for both gateways. What's wrong?



-----
---
Alexey Vasilyev
--
Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html

More information about the Users mailing list