[OpenSIPS-Users] Control TLS client domain

Bogdan-Andrei Iancu bogdan at opensips.org
Thu Mar 28 08:47:05 EDT 2019


Hi Alexey,

It makes sense (logically speaking) to get the TLS domain involved in the 
TCP conn re-usage alg - but my question is: have you come across a real 
scenario with such a need?

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 2019
   https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/26/2019 02:23 PM, vasilevalex wrote:
> Hi Bogdan,
>
> Thanks for the fix!
>
> What do you think about reusing TLS connections? In the master branch this
> behavior is still the same. OpenSIPS reuses TLS connections the same way as
> regular TCP connections, but it should not. For reusing a TCP connection we
> check if a connection with the same dst IP:PORT exists. But for TLS it is not
> enough. We should additionally check what certificate this connection uses
> (or what domain it is related to).
>
> And in the documentation for the tls_mgm module it is written everywhere:
> Note: If there is already an existing TLS connection to the remote target,
> it will be reused and setting this AVP has no effect.
>
> This is the same case - we have only 1 destination target, but we should use
> several TLS connections to this target with different TLS certificates. So
> the first connection will be successful, but a SIP message for the second
> domain, which should use another certificate, will try to reuse this first
> connection, as the target is the same. And this message will fail.
>
> Alexey Vasilyev

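The reuse problem discussed in this thread, as an added example that is not part of either message and is not OpenSIPS code: a connection lookup keyed on dst IP:PORT only, next to one that also keys on the TLS client domain. The table, the function names, the address and the domain names dom_a/dom_b are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical connection table (not OpenSIPS's real structures). */
struct conn { char ip[46]; int port; char tls_dom[32]; };
static struct conn table[8];
static int n_conns;

/* match_dom == 0: key is dst IP:PORT only (behaviour described in the thread).
 * match_dom != 0: the TLS client domain is part of the key as well. */
static struct conn *conn_find(const char *ip, int port, const char *dom, int match_dom)
{
    for (int i = 0; i < n_conns; i++) {
        struct conn *c = &table[i];
        if (c->port != port || strcmp(c->ip, ip) != 0)
            continue;
        if (match_dom && strcmp(c->tls_dom, dom) != 0)
            continue;
        return c;
    }
    return NULL;
}

/* Reuse a matching connection, or record a new one whose handshake used dom. */
static struct conn *conn_get(const char *ip, int port, const char *dom, int match_dom)
{
    struct conn *c = conn_find(ip, port, dom, match_dom);
    if (c || n_conns == 8)
        return c;
    c = &table[n_conns++];
    snprintf(c->ip, sizeof c->ip, "%s", ip);
    c->port = port;
    snprintf(c->tls_dom, sizeof c->tls_dom, "%s", dom);
    return c;
}

/* Returns 1 if dom_b's message uses a connection set up with dom_b's cert. */
int second_domain_gets_own_conn(int match_dom)
{
    n_conns = 0;
    conn_get("192.0.2.10", 5061, "dom_a", match_dom);   /* constructed target */
    struct conn *c = conn_get("192.0.2.10", 5061, "dom_b", match_dom);
    return c && strcmp(c->tls_dom, "dom_b") == 0;
}

int main(void)
{
    printf("IP:PORT only:     %d\n", second_domain_gets_own_conn(0));
    printf("IP:PORT + domain: %d\n", second_domain_gets_own_conn(1));
}
```

With the IP:PORT-only key the second domain's message rides on the connection authenticated with the first domain's certificate; with the domain in the key, the same target ends up with two separate connections.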