<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<tt>Hi Bogdan,<br>
<br>
If the conn with B is still alive (the one created by SUBSCRIBE
requests), it should be reused when OpenSIPS has to send the
NOTIFY. Have you enabled the tcp aliases ?<br>
<br>
If still a problem, can you make a log (with debug 6) when the
NOTIFY is to be send + a listing from list_tcp_conns ?<br>
<br>
Regards,<br>
</tt>
<pre class="moz-signature" cols="72">Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
<a class="moz-txt-link-freetext" href="http://www.opensips-solutions.com">http://www.opensips-solutions.com</a></pre>
<div class="moz-cite-prefix">On 28.08.2015 20:53, Bogdan Chifor
wrote:<br>
</div>
<blockquote
cite="mid:CAGP9oUXuN_HtuJnyr6H1s2=RK=+z_63Un7dLPFBFV2z2pJY+Zw@mail.gmail.com"
type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div style="">I have a question regarding the following
scenario:</div>
<div style=""><br>
</div>
<div style="">1. I have two devices connected to the server via
two-way TLS(TCP).</div>
<div style=""> 1.1 Device A is behind a NAT</div>
<div style=""> 1.2 Device B is directly connected to the server</div>
<div style=""><br>
</div>
<div style="">2. Device B subscribes to the presence of device
A.</div>
<div style=""><br>
</div>
<div style="">3. Device A gets offline and the server generates
a NOTIFY message to be sent to device B.</div>
<div style=""><br>
</div>
<div style="">4. The server does not find an existing tcp
connection (from the logs), even though the socket is visible
if the "opensipsctl fifo list_tcp_conns" or "netstat" commands
are used.</div>
<div style=""><br>
</div>
<div style="">5. Because the server does not find an existing
connection it initiates one (TLS). After that the proto tls
module logs the following error:
"NOTICE:proto_tls:verify_callback: verify
error:num=26:unsupported certificate purpose".</div>
<div style=""><br>
</div>
<div style="">6. This error is normal because device B does not
have a certificate with server authentication extended key
usage, it has only the client authentication extended key
usage (as normal). </div>
<div style=""><br>
</div>
<div style="">What is the reason behind the start of the new
connection and how should I handle this issue?</div>
<div style=""><br>
</div>
<div style="">This is my proto_tls config:</div>
<div style=""><br>
</div>
<div style="">
<div><b>modparam("proto_tls", "verify_cert", "1")</b></div>
<div><b>modparam("proto_tls", "require_cert", "1")</b></div>
<div><b>modparam("proto_tls", "tls_method", "TLSv1")</b></div>
<div><b>modparam("proto_tls", "certificate", "...")</b></div>
<div><b>modparam("proto_tls", "private_key", "...")</b></div>
<div><b>modparam("proto_tls", "ca_list", "...")</b><br>
</div>
<div><b>modparam("proto_tls", "ca_dir", "...")</b></div>
<div><br>
</div>
</div>
<div style=""><br>
</div>
<div style="">Any help is appreciated.</div>
<div style=""><br>
</div>
<div style="">Best regards,</div>
<div style=""><br>
</div>
<div style="">Bogdan.</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.opensips.org">Users@lists.opensips.org</a>
<a class="moz-txt-link-freetext" href="http://lists.opensips.org/cgi-bin/mailman/listinfo/users">http://lists.opensips.org/cgi-bin/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</body>
</html>