[OpenSIPS-Users] is_from_gw() DNS Names

Vlad Patrascu vladp at opensips.org
Tue Mar 1 09:53:12 UTC 2022


Hi Mark,

We are aware of this limitation with wolfssl, and do plan to address it 
somehow but we have not found a straightforward solution yet. Keep an 
eye on the feature request Ovidiu mentioned.

Regards,

-- 
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 28.02.2022 10:50, Mark Farmer wrote:
> Thanks Ovidiu, that is great information.
>
> I am using wolfssl as that seems to be the way to go these days.
> I wonder given the rising popularity of Direct Routing if it would be 
> possible/sensible to have wolfssl populate the $tls_peer_subject_cn 
> variable in the future?
>
> Mark.
>
>
>
>
>
> On Fri, 25 Feb 2022 at 17:32, Ovidiu Sas <osas at voipembedded.com> wrote:
>
>     With MS, you can authenticate based on $tls_peer_subject_cn. This
>     works ok with openssl but not with wolfssl. When wolfssl is using
>     session tickets to establish new connections, the $tls_peer_subject_cn
>     is not populated.
>     Another alternative is to perform a lookup for each request received
>     over a tls connection using the ip.resolve transformation and enable
>     dbs_cache to help a little bit. It's messy but it works.
>
>     -ovidiu
>
>     On Fri, Feb 25, 2022 at 6:51 AM Mark Farmer <farmorg at gmail.com> wrote:
>     >
>     > Thanks Bogdan
>     >
>     > It's no secret really, I was just speaking generically.
>     > They are the MS Direct Routing domains, e.g. sip.pstnhub.microsoft.com
>     >
>     > Mark.
>     >
>     >
>     >
>     > On Tue, 22 Feb 2022 at 12:50, Bogdan-Andrei Iancu <bogdan at opensips.org> wrote:
>     >>
>     >> Hi Mark,
>     >>
>     >> You say the DNS is publishing only one IP for the domain, but
>     >> one may change? If you want, you can PM me the actual domain to
>     >> see what the DNS records look like.
>     >>
>     >> Regards,
>     >>
>     >> Bogdan-Andrei Iancu
>     >>
>     >> OpenSIPS Founder and Developer
>     >> https://www.opensips-solutions.com
>     >> OpenSIPS eBootcamp
>     >> https://www.opensips.org/Training/Bootcamp
>     >>
>     >> On 2/22/22 12:31 PM, Mark Farmer wrote:
>     >>
>     >> Hi Bogdan
>     >>
>     >> The GWs have 2 CNAME records which I have no control over. DR
>     >> has entries like subdomain.example.com:5061
>     >> I suspect the issue arises when the CNAMEs swap around,
>     >> resulting in a mismatch.
>     >>
>     >> Currently I am using this to identify the source of the message
>     >> which is probably not the best in terms of security.
>     >>
>     >> $avp(fd) = "subdomain.example.com";
>     >> if($(ct.fields(uri){s.index, $avp(fd)}) != NULL)
>     >>
>     >> Perhaps there is a better way?
>     >>
>     >> Best regards
>     >> Mark.
>     >>
>     >>
>     >>
>     >> On Tue, 22 Feb 2022 at 08:56, Bogdan-Andrei Iancu <bogdan at opensips.org> wrote:
>     >>>
>     >>> Hi Mark,
>     >>>
>     >>> If a gw is defined via FQDN, that will be DNS resolved (NAPTR,
>     >>> SRV, A records) when DB data is (re)loaded by DR module, and used
>     >>> later for such checks. All found IPs (from DNS) will be stored on
>     >>> the GW.
>     >>>
>     >>> How do you specify the GW address in DB and what kind of DNS
>     >>> records do you have for it?
>     >>>
>     >>> Best regards,
>     >>>
>     >>> Bogdan-Andrei Iancu
>     >>>
>     >>> OpenSIPS Founder and Developer
>     >>> https://www.opensips-solutions.com
>     >>> OpenSIPS eBootcamp
>     >>> https://www.opensips.org/Training/Bootcamp
>     >>>
>     >>> On 2/18/22 6:04 PM, Mark Farmer wrote:
>     >>>
>     >>> Hi everyone
>     >>>
>     >>> I am using is_from_gw() to match against a group of gateways
>     >>> specified by DNS names which resolve to multiple IP addresses but
>     >>> it seems to be failing to match.
>     >>>
>     >>> Is this supported functionality or do I need to do something
>     >>> else in this case?
>     >>>
>     >>> Thanks and regards
>     >>> Mark.
>     >>>
>     >>>
>     >>> _______________________________________________
>     >>> Users mailing list
>     >>> Users at lists.opensips.org
>     >>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>     >>>
>     >>>
>     >>
>     >>
>     >> --
>     >> Mark Farmer
>     >> farmorg at gmail.com
>     >>
>     >>
>     >
>     >
>     > --
>     > Mark Farmer
>     > farmorg at gmail.com
>
>
>
>     -- 
>     VoIP Embedded, Inc.
>     http://www.voipembedded.com
>
>
>
>
> -- 
> Mark Farmer
> farmorg at gmail.com
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
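
The matching strategies discussed in this thread, modelled in Python as an added example (not OpenSIPS code and not written by any poster): resolving the gateway FQDN once at load time, re-resolving through a cache with a TTL, and testing the Contact header for the domain name. `GatewayMatcher`, `contact_contains`, `run_scenario`, the 300-second TTL and the DNS answers are all hypothetical and constructed for illustration.

```python
import ipaddress

# Constructed DNS answers (documentation address ranges): the same FQDN
# returns a different address set after the provider swaps its CNAME targets.
DNS_BEFORE = {"subdomain.example.com": ["192.0.2.10", "192.0.2.11"]}
DNS_AFTER = {"subdomain.example.com": ["198.51.100.20", "198.51.100.21"]}


class GatewayMatcher:
    """Match a packet's source IP against the addresses of a gateway FQDN."""

    def __init__(self, fqdn, resolver, ttl=None):
        self.fqdn, self.resolver, self.ttl = fqdn, resolver, ttl
        self._load(now=0)

    def _load(self, now):
        self.ips = {ipaddress.ip_address(a) for a in self.resolver(self.fqdn)}
        self.loaded_at = now

    def matches(self, src_ip, now):
        # ttl=None models "resolved when the data is (re)loaded";
        # a ttl models a cached lookup that re-resolves once it expires.
        if self.ttl is not None and now - self.loaded_at >= self.ttl:
            self._load(now)
        return ipaddress.ip_address(src_ip) in self.ips


def contact_contains(contact_uri, fqdn):
    """Header-substring test: relies on data chosen by the sender."""
    return fqdn in contact_uri


def run_scenario():
    fqdn = "subdomain.example.com"
    zone = dict(DNS_BEFORE)
    static = GatewayMatcher(fqdn, zone.__getitem__)           # load time only
    cached = GatewayMatcher(fqdn, zone.__getitem__, ttl=300)  # refreshes
    zone.update(DNS_AFTER)  # records swap some time after the initial load
    return {
        # Genuine gateway traffic arriving from a post-swap address:
        "static_after_swap": static.matches("198.51.100.20", now=600),
        "cached_after_swap": cached.matches("198.51.100.20", now=600),
        # Pre-swap address is no longer accepted once the cache refreshed:
        "cached_old_ip": cached.matches("192.0.2.10", now=601),
        # Request from an unrelated host that names the domain in Contact:
        "contact_check": contact_contains("sip:user@subdomain.example.com:5061", fqdn),
        "source_ip_check": cached.matches("203.0.113.99", now=602),
    }
```

The last two results show the gap between the two approaches: the header test accepts any sender that writes the domain into its Contact, while the source-address test rejects it.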