[OpenSIPS-Users] Control TLS client domain

Bogdan-Andrei Iancu bogdan at opensips.org
Fri Mar 29 03:26:45 EDT 2019


Thank you Alexey,

I will look into it.

Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 2019
   https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/28/2019 10:00 PM, Alexey Vasilyev wrote:
> Hi Bogdan,
>
> Sorry that I mentioned He-Who-Must-Not-Be-Named. Just to simplify 
> search later: https://github.com/OpenSIPS/opensips/issues/1651
>
>
> -----
> Alexey Vasilyev
> alexei.vasilyev at gmail.com <mailto:alexei.vasilyev at gmail.com>
>
>
>
>> On 28 Mar 2019, at 16:45, Bogdan-Andrei Iancu <bogdan at opensips.org 
>> <mailto:bogdan at opensips.org>> wrote:
>>
>> Hi Alexey,
>>
>> oh, if it is MS related, I don't wanna hear about it :P.....Just 
>> joking - please open a bug report on the tracker.
>>
>> Regards,
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>>    https://www.opensips-solutions.com
>> OpenSIPS Summit 2019
>>    https://www.opensips.org/events/Summit-2019Amsterdam/
>> On 03/28/2019 03:16 PM, Alexey Vasilyev wrote:
>>> Hi Bogdan,
>>>
>>> Yes, of course this is a real scenario: MS Teams integration. They 
>>> authenticate everything by the TLS certificate used by the connection. It 
>>> works fine for 1 integration.
>>> But if I send SIP for domain2 over the TLS connection encrypted with the 
>>> certificate for domain1, I just fail.
>>> And actually everybody I checked reuses TLS sessions almost the 
>>> same way as TCP. So OpenSIPS will be the first doing this the correct way.
>>> And I like comments from tls_mgm.c
>>> /* what if we have multiple connections to the same remote socket? 
>>> e.g. we can have
>>> connection 1: localIP1:localPort1 <--> remoteIP:remotePort
>>> connection 2: localIP2:localPort2 <--> remoteIP:remotePort
>>> but I think the is very unrealistic */
>>> So I got exactly this scenario.
>>>
>>>
>>> On Thu, 28 Mar 2019 at 13:47, Bogdan-Andrei Iancu 
>>> <bogdan at opensips.org <mailto:bogdan at opensips.org>> wrote:
>>>
>>>     Hi Alexey,
>>>
>>>     It makes sense (logically speaking) to get the TLS domain
>>>     involved in the TCP conn re-usage alg - but my question is: have
>>>     you come across a real scenario with such a need?
>>>
>>>     Regards,
>>>
>>>     Bogdan-Andrei Iancu
>>>
>>>     OpenSIPS Founder and Developer
>>>     https://www.opensips-solutions.com
>>>     <https://www.opensips-solutions.com/>
>>>     OpenSIPS Summit 2019
>>>     https://www.opensips.org/events/Summit-2019Amsterdam/
>>>
>>>     On 03/26/2019 02:23 PM, vasilevalex wrote:
>>>     > Hi Bogdan,
>>>     >
>>>     > Thanks for fix!
>>>     >
>>>     > What do you think about reusing TLS connections? In the master
>>>     > branch this behavior is still the same. OpenSIPS reuses TLS
>>>     > connections the same way as regular TCP connections, but it
>>>     > should not. For reusing a TCP connection we check if a connection
>>>     > with the same dst IP:PORT exists. But for TLS it is not enough.
>>>     > We should additionally check which certificate this connection
>>>     > uses (or which domain it is related to).
>>>     >
>>>     > And in the documentation for the tls_mgm module it is written
>>>     > everywhere: Note: If there is already an existing TLS connection
>>>     > to the remote target, it will be reused and setting this AVP has
>>>     > no effect.
>>>     >
>>>     > This is the same case - we have only 1 destination target, but
>>>     > we should use several TLS connections to this target with
>>>     > different TLS certificates. So the first connection will be
>>>     > successful, but the SIP message for the second domain, which
>>>     > should use another certificate, will try to reuse this first
>>>     > connection, as the target is the same. And this message will fail.
>>>     >
>>>     >
>>>     >
>>>     > -----
>>>     > ---
>>>     > Alexey Vasilyev
>>>     > --
>>>     > Sent from:
>>>     http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>>>     >
>>>     > _______________________________________________
>>>     > Users mailing list
>>>     > Users at lists.opensips.org <mailto:Users at lists.opensips.org>
>>>     > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>>
>>>
>>> -- 
>>> Best regards
>>> Alexey Vasilyev
>>
>
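
The reuse-key problem described in the thread, as an added example in C that is not OpenSIPS code (the real tcp_connection handling in OpenSIPS is far larger): a toy connection table with the legacy lookup keyed on (dst IP, dst port) beside a lookup that also keys on the client TLS domain. The struct names, the TLS domain ids 1 and 2, and the target address 203.0.113.10:5061 are constructed for the example; the functions return which certificate a message for the second domain ends up sent with under each rule, and how many connections exist afterwards.

```c
/* Added example (not OpenSIPS code): why the TCP reuse key is not
 * enough for TLS. A hypothetical, much simplified connection table. */
#include <stdio.h>
#include <string.h>

#define MAX_CONNS 8

struct conn {
    char remote_ip[46];      /* INET6_ADDRSTRLEN */
    unsigned short remote_port;
    int tls_domain_id;       /* client TLS domain (certificate) used; assumed ids 1, 2 */
};

struct conn_pool {
    struct conn conns[MAX_CONNS];
    int count;
};

/* Open a new connection record; returns its index, or -1 when the table is full. */
static int pool_open(struct conn_pool *p, const char *ip, unsigned short port, int dom)
{
    if (p->count >= MAX_CONNS)
        return -1;
    struct conn *c = &p->conns[p->count];
    snprintf(c->remote_ip, sizeof c->remote_ip, "%s", ip);
    c->remote_port = port;
    c->tls_domain_id = dom;
    return p->count++;
}

/* Legacy rule: a connection is reusable if it goes to the same dst IP:PORT.
 * The TLS domain (certificate) is ignored, so `dom` is unused here. */
static int find_by_target(const struct conn_pool *p, const char *ip,
                          unsigned short port, int dom)
{
    (void)dom;
    for (int i = 0; i < p->count; i++)
        if (p->conns[i].remote_port == port && strcmp(p->conns[i].remote_ip, ip) == 0)
            return i;
    return -1;
}

/* Domain-aware rule: same target AND same client TLS domain. */
static int find_by_target_and_domain(const struct conn_pool *p, const char *ip,
                                     unsigned short port, int dom)
{
    for (int i = 0; i < p->count; i++)
        if (p->conns[i].remote_port == port && p->conns[i].tls_domain_id == dom &&
            strcmp(p->conns[i].remote_ip, ip) == 0)
            return i;
    return -1;
}

/* Send a SIP message on behalf of client TLS domain `dom`: reuse a
 * connection if the chosen lookup finds one, otherwise open a new one.
 * Returns the index of the connection the message is sent over. */
static int send_for_domain(struct conn_pool *p, const char *ip, unsigned short port,
                           int dom, int domain_aware)
{
    int idx = domain_aware ? find_by_target_and_domain(p, ip, port, dom)
                           : find_by_target(p, ip, port, dom);
    return idx >= 0 ? idx : pool_open(p, ip, port, dom);
}

/* The scenario from the thread: one remote target, two client TLS domains.
 * Returns the TLS domain id of the connection the domain-2 message actually
 * used; *conns_opened receives how many connections exist afterwards. */
static int run_scenario(int domain_aware, int *conns_opened)
{
    const char *target_ip = "203.0.113.10";   /* constructed sample target */
    unsigned short target_port = 5061;
    struct conn_pool pool;
    memset(&pool, 0, sizeof pool);

    send_for_domain(&pool, target_ip, target_port, 1, domain_aware);  /* domain1 opens conn */
    int idx = send_for_domain(&pool, target_ip, target_port, 2, domain_aware);

    *conns_opened = pool.count;
    return pool.conns[idx].tls_domain_id;
}

/* Convenience wrappers so each result is a single return value. */
static int cert_domain_used_for_second_message(int domain_aware)
{
    int n;
    return run_scenario(domain_aware, &n);
}

static int connections_after_scenario(int domain_aware)
{
    int n;
    run_scenario(domain_aware, &n);
    return n;
}

int main(void)
{
    printf("legacy key:       domain-2 message sent with domain-%d cert, %d connection(s)\n",
           cert_domain_used_for_second_message(0), connections_after_scenario(0));
    printf("domain-aware key: domain-2 message sent with domain-%d cert, %d connection(s)\n",
           cert_domain_used_for_second_message(1), connections_after_scenario(1));
    return 0;
}
```

With the legacy key the second message silently rides the domain-1 connection and is authenticated with the wrong certificate, which is the failure reported in the thread; with the TLS domain in the key a second connection is opened, at the cost of one extra TLS session per client domain to the same target.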
