[OpenSIPS-Users] Control TLS client domain
Bogdan-Andrei Iancu
bogdan at opensips.org
Thu Mar 28 11:45:32 EDT 2019
Hi Alexey,
oh, if it is MS related, I don't wanna hear about it :P.....Just joking
- please open a bug report on the tracker.
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 2019
https://www.opensips.org/events/Summit-2019Amsterdam/
On 03/28/2019 03:16 PM, Alexey Vasilyev wrote:
> Hi Bogdan,
>
> Yes, of course this is a real scenario. MS Teams integration. They
> authenticate everything by the TLS certificates used by the connection. It
> works fine for 1 integration.
> But if I send SIP with domain2 over the TLS connection encrypted with
> the certificate for domain1, I just fail.
> And actually everybody I checked reuses TLS sessions almost the same
> way as TCP. So OpenSIPS will be the first doing this the correct way.
> And I like comments from tls_mgm.c
> /* what if we have multiple connections to the same remote socket?
> e.g. we can have
> connection 1: localIP1:localPort1 <--> remoteIP:remotePort
> connection 2: localIP2:localPort2 <--> remoteIP:remotePort
> but I think the is very unrealistic */
> So I got exactly this scenario.
>
>
> Thu, 28 Mar 2019 at 13:47, Bogdan-Andrei Iancu <bogdan at opensips.org
> <mailto:bogdan at opensips.org>>:
>
> Hi Alexey,
>
> It makes sense (logically speaking) to get the TLS domain involved in
> the TCP conn re-usage alg - but my question is: have you come across a
> real scenario with such a need?
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 2019
> https://www.opensips.org/events/Summit-2019Amsterdam/
>
> On 03/26/2019 02:23 PM, vasilevalex wrote:
> > Hi Bogdan,
> >
> > Thanks for fix!
> >
> > What do you think about reusing TLS connections? In the master branch
> > this behavior is still the same. OpenSIPS reuses TLS connections the
> > same way as regular TCP connections, but it should not. For reusing a
> > TCP connection we check if a connection with the same dst IP:PORT
> > exists. But for TLS it is not enough. We additionally should check
> > what certificate this connection uses (or what domain it is related to).
> >
> > And in the documentation for the tls_mgm module it is written
> > everywhere: Note: If there is already an existing TLS connection to
> > the remote target, it will be reused and setting this AVP has no
> > effect.
> >
> > This is the same case - we have only 1 destination target, but we
> > should use several TLS connections to this target with different TLS
> > certificates. So the first connection will be successful, but the SIP
> > message for the second domain, which should use another certificate,
> > will try to reuse this first connection, as the target is the same.
> > And this message will fail.
> >
> >
> >
> > --
> > Alexey Vasilyev
> > Sent from:
> > http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org <mailto:Users at lists.opensips.org>
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>
>
> --
> Best regards
> Alexey Vasilyev
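The reuse check discussed in the thread, as an added example that is not OpenSIPS code: a small outbound connection table in C, with the TCP-style lookup keyed only on destination IP:port next to a lookup that also keys on the client TLS domain (which certificate the connection was opened with). The struct layout, the function names, the domain names and the peer address 203.0.113.10 are all assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CONNS 8
#define IP_LEN 46
#define DOM_LEN 32

/* One outbound connection as a reuse table might record it. tls_domain is
 * the name of the client TLS domain (i.e. which certificate was presented
 * in the handshake); an empty string marks a plain TCP connection.
 * This layout is an assumption for the example, not OpenSIPS's own struct. */
struct conn {
    int id;                     /* 1-based handle, 0 means "none" */
    char remote_ip[IP_LEN];
    unsigned short remote_port;
    char tls_domain[DOM_LEN];
};

static struct conn table[MAX_CONNS];
static int n_conns;

/* Forget all connections (start each scenario from an empty pool). */
void reset_table(void)
{
    n_conns = 0;
}

/* Record a newly opened connection; returns its id, or 0 if the pool is full. */
int add_conn(const char *ip, unsigned short port, const char *tls_dom)
{
    struct conn *c;
    if (n_conns >= MAX_CONNS)
        return 0;
    c = &table[n_conns++];
    c->id = n_conns;
    snprintf(c->remote_ip, IP_LEN, "%s", ip);
    c->remote_port = port;
    snprintf(c->tls_domain, DOM_LEN, "%s", tls_dom ? tls_dom : "");
    return c->id;
}

/* TCP-style lookup: keyed on destination IP:port only. For TLS this is the
 * behaviour the thread complains about: a connection opened with the
 * certificate of domain1 is handed back to a message meant for domain2. */
int find_by_addr(const char *ip, unsigned short port)
{
    int i;
    for (i = 0; i < n_conns; i++)
        if (table[i].remote_port == port && strcmp(table[i].remote_ip, ip) == 0)
            return table[i].id;
    return 0;
}

/* TLS-aware lookup: the client TLS domain is part of the key, so a
 * connection is only reused by traffic that would have presented the same
 * certificate. Plain TCP callers pass "" (or NULL) and match only plain
 * TCP connections. */
int find_by_addr_and_domain(const char *ip, unsigned short port, const char *tls_dom)
{
    int i;
    if (tls_dom == NULL)
        tls_dom = "";
    for (i = 0; i < n_conns; i++)
        if (table[i].remote_port == port &&
            strcmp(table[i].remote_ip, ip) == 0 &&
            strcmp(table[i].tls_domain, tls_dom) == 0)
            return table[i].id;
    return 0;
}

/* What a sender would call: reuse a matching connection or open a new one. */
int get_or_open(const char *ip, unsigned short port, const char *tls_dom)
{
    int id = find_by_addr_and_domain(ip, port, tls_dom);
    return id ? id : add_conn(ip, port, tls_dom);
}

int main(void)
{
    /* Constructed scenario: one remote SIP peer, two client certificates. */
    const char *peer = "203.0.113.10";
    int c1, c2;

    reset_table();
    c1 = get_or_open(peer, 5061, "domain1");
    printf("domain1 -> conn %d (new)\n", c1);
    printf("addr-only lookup for domain2 traffic returns conn %d (domain1's cert)\n",
           find_by_addr(peer, 5061));
    c2 = get_or_open(peer, 5061, "domain2");
    printf("domain2 -> conn %d (%s)\n", c2, c2 == c1 ? "reused" : "new");
    printf("domain1 again -> conn %d\n", get_or_open(peer, 5061, "domain1"));
    return 0;
}
```

With the address-only lookup the second domain's message is routed over the first domain's connection, which is exactly the failure described above; with the domain in the key the sender opens a second connection to the same IP:port and each domain keeps its own certificate.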