[OpenSIPS-Users] Control TLS client domain
Bogdan-Andrei Iancu
bogdan at opensips.org
Mon Mar 25 13:37:49 EDT 2019
Hi Alexey,
Well, the AVPs (as variables) are not visible to the TLS send
operation. In the local route, the actual "send" is outside the route
context, so the AVPs you set in the local route do not impact the
later TLS "send".
On the other hand, you can select the TLS certificate to use based on
the destination IP of the TLS connection (the IP of the GW, in your case).
Check this
https://opensips.org/html/docs/modules/2.4.x/tls_mgm.html#domains-param .
And when you define the client_domain, you set the IP of your GW:
modparam("tls_mgm", "client_domain", "test1=GW_IP:GW_PORT")
and you do not need the local route anymore, as the test1 TLS domain will be automatically picked when sending to GW_IP:GW_PORT.
Best regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
On 03/20/2019 02:40 PM, vasilevalex wrote:
> Hi all.
>
> OpenSIPS 2.4.4
> I have 2 gateways in Dynamic Routing module table. For both gateways I have
> different sockets:
> address: gw1, socket: tls:<IP1>:5061
> address: gw2, socket: tls:<IP2>:5061
>
> IP1 has certificate for TLS sip.domain1.com
> IP2 has certificate for TLS sip.domain2.com
>
> And something like this for tls management module:
>
> loadmodule "tls_mgm.so"
> modparam("tls_mgm", "client_domain_avp", "tls_cli_dom")
> modparam("tls_mgm", "client_domain", "test1")
> modparam("tls_mgm","certificate",
> "[test1]/etc/opensips/tls/test1/fullchain.pem")
> modparam("tls_mgm","private_key",
> "[test1]/etc/opensips/tls/test1/privkey.pem")
> modparam("tls_mgm","verify_cert", "[test1]0")
> modparam("tls_mgm","require_cert", "[test1]0")
> modparam("tls_mgm","tls_method", "[test1]TLSv1")
> modparam("tls_mgm", "client_domain", "test2")
> modparam("tls_mgm","certificate",
> "[test2]/etc/opensips/tls/test2/fullchain.pem")
> modparam("tls_mgm","private_key",
> "[test2]/etc/opensips/tls/test2/privkey.pem")
> modparam("tls_mgm","verify_cert", "[test2]0")
> modparam("tls_mgm","require_cert", "[test2]0")
> modparam("tls_mgm","tls_method", "[test2]TLSv1")
> #Default domain
> modparam("tls_mgm","certificate", "/etc/opensips/tls/test1/fullchain.pem")
> modparam("tls_mgm","private_key", "/etc/opensips/tls/test1/privkey.pem")
> modparam("tls_mgm","verify_cert", "0")
> modparam("tls_mgm","require_cert", "0")
> modparam("tls_mgm","tls_method", "TLSv1")
> modparam("tls_mgm", "server_domain", "srv2=IP2:5061")
> modparam("tls_mgm","certificate",
> "[srv2]/etc/opensips/tls/test2/fullchain.pem")
> modparam("tls_mgm","private_key",
> "[srv2]/etc/opensips/tls/test2/privkey.pem")
> modparam("tls_mgm","verify_cert", "[srv2]0")
> modparam("tls_mgm","require_cert", "[srv2]0")
> modparam("tls_mgm","tls_method", "[srv2]TLSv1")
>
> Server part of TLS works fine.
> But I want OPTIONS to these gateways to be sent with the correct TLS
> certificate.
>
> local_route {
> if (is_method("OPTIONS")) {
> # Get IP for outgoing socket
> $var(ip_out) = $(fs{s.select,1,:});
> switch($var(ip_out)) {
> case "IP1":
> $avp(tls_cli_dom) = "test1";
> break;
> case "IP2":
> $avp(tls_cli_dom) = "test2";
> break;
> }
> xlog("AVP for TLS: $avp(tls_cli_dom) \n");
> }
> }
>
> So AVP for choosing client domain is set correctly during sending OPTIONS.
> OpenSIPS uses different sockets for sending OPTIONS, but default TLS domain
> for both gateways. What's wrong?
>
>
>
> -----
> ---
> Alexey Vasilyev
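The address-matched approach from the reply, applied to both gateways of the original post, as an added example that is not part of the thread or of the OpenSIPS project. GW1_IP:GW1_PORT and GW2_IP:GW2_PORT are placeholders for the gateways' own addresses, the ca_list paths are placeholders, and enabling verify_cert is an assumption of this example rather than something the thread asks for.

```opensips
loadmodule "tls_mgm.so"

# One client domain per gateway, selected by the destination address of the
# outgoing TLS connection. GW1_IP/GW2_IP are the gateways' addresses
# (placeholders), not the local sockets IP1/IP2 the connection leaves from.

# gw1: present the sip.domain1.com certificate
modparam("tls_mgm", "client_domain", "test1=GW1_IP:GW1_PORT")
modparam("tls_mgm", "certificate", "[test1]/etc/opensips/tls/test1/fullchain.pem")
modparam("tls_mgm", "private_key", "[test1]/etc/opensips/tls/test1/privkey.pem")
# Assumption of this example: the original post uses verify_cert 0, which
# leaves the gateway's certificate unvalidated. Validating it needs the CA
# that issued the gateway's certificate (placeholder path).
modparam("tls_mgm", "verify_cert", "[test1]1")
modparam("tls_mgm", "ca_list", "[test1]/path/to/gw1-ca.pem")

# gw2: present the sip.domain2.com certificate
modparam("tls_mgm", "client_domain", "test2=GW2_IP:GW2_PORT")
modparam("tls_mgm", "certificate", "[test2]/etc/opensips/tls/test2/fullchain.pem")
modparam("tls_mgm", "private_key", "[test2]/etc/opensips/tls/test2/privkey.pem")
modparam("tls_mgm", "verify_cert", "[test2]1")
modparam("tls_mgm", "ca_list", "[test2]/path/to/gw2-ca.pem")

# The default domain and the srv2 server domain stay as in the original post.
# No local_route block is needed to choose the certificate for OPTIONS:
# the client domain is picked when the connection to the gateway is opened.
```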