Re: [OpenSIPS-Users] Create REGISTER request from scratch
Hi Thomas,

Please look at t_new_request: https://opensips.org/docs/modules/3.2.x/tm.html#func_t_new_request

> On 23 Aug 2021, at 22:59, Thomas Grande via Users wrote:
>
> Greetings,
>
> I'm considering migrating from Kamailio to OpenSIPS due to some modules that are missing on Kamailio, however I'm struggling to see a correspondent to Kamailio's uac_req_send() function, that basically allows me to send any SIP request that I may need.
>
> I checked B2BUA functionality, but for what I understood it only works for INVITE dialogs.
>
> Could you enlighten me on this one?
>
> Best regards,
>
> --
> Thomás Alimena Del Grande
> Engenharia - Aligera
> Tel. 51 3500-0121

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Re: [OpenSIPS-Users] TLS certificate reloading
Hi,

Yes, there is an issue. Please follow here: https://github.com/OpenSIPS/opensips/issues/2433

--
Alexey Vasilyev

Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
Re: [OpenSIPS-Users] MS teams
But the config is for 2.4. A lot of things have changed. You should go through the whole config and follow first this: https://www.opensips.org/Documentation/Migration-2-4-0-to-3-0-0 and then this: https://www.opensips.org/Documentation/Migration-3-0-0-to-3-1-0

--
Alexey Vasilyev
Re: [OpenSIPS-Users] SIP to WebRTC via OpenSIPS mid-registrar fails: forced proto 6 not matching sips uri
Hi Mark,

Try this:

    if (nat_uac_test("123")) {
        if (is_method("REGISTER")) {
            fix_nated_register();
        } else {
            fix_nated_contact();
        }
    }

--
Alexey Vasilyev
Re: [OpenSIPS-Users] ms teams outgoing calls fails
Hi Pasan,

This was explained here: http://opensips-open-sip-server.1449251.n2.nabble.com/TLS-handshake-failure-td7619394.html

--
Alexey Vasilyev
Re: [OpenSIPS-Users] TLS handshake failure
Hi Gregory,

Starting from 01.07.2020 Microsoft requires Route headers with SBC_FQDN in SIP replies too. Instead of a simple record_route() for SIP requests from MS servers, OpenSIPS should add the FQDN. I've updated the article. Check it: https://blog.opensips.org/2019/09/16/opensips-as-ms-teams-sbc/

--
Alexey Vasilyev
Re: [OpenSIPS-Users] OpenSIPS as Teams SBC
Ovidiu is right, MS follows RFC. Nothing special, no magic. Yes, the blog article assumes some basic understanding of how a SIP proxy works, but all the necessary steps are there. And of course, there is no single universal solution for everybody.

You don't need to touch To, From, Via headers and especially don't touch Contact. The Contact header is modified only for the OPTIONS request.

James, you've posted the doc from MS, there is a part "Contact and Record-Route headers considerations": https://docs.microsoft.com/en-us/microsoftteams/direct-routing-protocols-sip#contact-and-record-route-headers-considerations
They write there: use Contact modification only for OPTIONS, otherwise use Record-Route. That's it, nothing more. And it works exactly as written.

Maybe your FS is configured wrong? At least I don't understand how a properly configured PBX can put the same URI parameter "transport=tls" twice. Check this please.

--
Alexey Vasilyev
Re: [OpenSIPS-Users] OpenSIPS as Teams SBC
Hi James,

According to your Record-Route headers, OpenSIPS is changing the transport from TLS to UDP for replies to your INVITE. But in Contact there is transport TLS. So how is FreeSWITCH connected to OpenSIPS, over UDP or TLS? And if it's TLS, your rr should look like this:

    record_route_preset("sbc.ip-sentinel.com:5091;transport=tls");

of course without:

    add_rr_param(";r2=on");

--
Alexey Vasilyev
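The two symptoms raised in this thread (a Record-Route whose transport differs from the Contact the UAS advertises, and a Contact that repeats "transport=tls") can be spotted mechanically. This is an added example, not code from the thread or from OpenSIPS; the SIP reply is constructed, and the rule that the last Record-Route in a reply is the hop the UAS will route through is a heuristic assumed here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample reply: the proxy's Record-Route toward the PBX leg is UDP
# while the PBX Contact announces TLS, and the Contact repeats transport=tls.
SAMPLE_REPLY = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TLS teams.example.invalid:5061;branch=z9hG4bKconstructed\r\n"
    "Record-Route: <sip:sbc.example.invalid:5061;lr;transport=tls>\r\n"
    "Record-Route: <sip:sbc.example.invalid:5091;lr;transport=udp>\r\n"
    "From: <sip:alice@example.invalid>;tag=1\r\n"
    "To: <sip:bob@example.invalid>;tag=2\r\n"
    "Call-ID: constructed-call-id\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:bob@192.0.2.10:5061;transport=tls;transport=tls>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_headers(msg: str) -> Dict[str, List[str]]:
    """Map lower-cased header name -> values, keeping repeated headers in order."""
    head = msg.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # element 0 is the status/request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_uri(header_value: str) -> Tuple[str, List[Tuple[str, Optional[str]]]]:
    """Return (uri without params, list of (name, value) URI parameters).

    Only parameters inside <...> belong to the URI; without angle brackets,
    everything after the first ';' is a header parameter (RFC 3261 20.10).
    """
    m = re.search(r"<([^>]*)>", header_value)
    uri = m.group(1) if m else header_value.split(";", 1)[0]
    base, *raw_params = uri.split(";")
    params = []
    for p in raw_params:
        k, _, v = p.partition("=")
        params.append((k.lower(), v.lower() if v else None))
    return base, params


def transport_of(base: str, params: List[Tuple[str, Optional[str]]]) -> str:
    """Effective transport: explicit ;transport=, else tls for sips:, udp for sip:."""
    for k, v in params:
        if k == "transport" and v:
            return v
    return "tls" if base.lower().startswith("sips:") else "udp"


def duplicate_params(params: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Names of URI parameters that occur more than once, in first-seen order."""
    seen, dups = set(), []
    for k, _ in params:
        if k in seen and k not in dups:
            dups.append(k)
        seen.add(k)
    return dups


def check_transport_consistency(msg: str) -> List[str]:
    """Return findings; an empty list means the headers look consistent.

    Heuristic: in a reply the last Record-Route is the hop closest to the UAS,
    the one it will send in-dialog requests through, so its transport should
    match the transport the UAS advertises in its own Contact.
    """
    headers = parse_headers(msg)
    contacts = headers.get("contact", [])
    if not contacts:
        return ["no Contact header present"]
    base, contact_params = parse_uri(contacts[0])
    contact_tp = transport_of(base, contact_params)
    findings = [f"Contact repeats URI parameter '{d}'" for d in duplicate_params(contact_params)]
    rrs = headers.get("record-route", [])
    if rrs:
        rr_tp = transport_of(*parse_uri(rrs[-1]))
        if rr_tp != contact_tp:
            findings.append(f"Record-Route nearest the UAS uses {rr_tp} "
                            f"but Contact uses {contact_tp}: {rrs[-1]}")
    return findings


if __name__ == "__main__":
    for finding in check_transport_consistency(SAMPLE_REPLY):
        print(finding)
```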
Re: [OpenSIPS-Users] OpenSIPS as Teams SBC
Ok James,

Can you please look at your config with more attention:

    if(has_body("application/sdp")){
        xlog("[RTPPROXY] route[relay] we have sdp on this message\n$rm\n");
        rtpproxy_offer("co", "137.117,136.143");
    }
    }
    xlog("[INFO] Method=$rm, RURI=$ruri, SI=$si ,DU=$du\n");
    if (!t_relay()) {
        send_reply(500,"Internal Error");
    }
    exit;
    }

    onreply_route[handle_nat] {
        xlog("[INFO] onreply_route[handle_nat]: RR=$rr, RS=$rs, SI=$si\n$mb\n");
        # we receive a reply, we need to check about application/sdp
        # on our body, if we have, we answer that
        if(is_method("ACK") && has_body("application/sdp")){
            xlog("[RTPPROXY] onreply_route[handle_nat] ACK rtpproxy_answer\n");
            rtpproxy_answer("co", "137.117,136.143");
        }

and change the comma to a point. Maybe this can help?

--
Alexey Vasilyev
Re: [OpenSIPS-Users] OpenSIPS as Teams SBC
Hi James,

Just to be sure that this is not a typo, check your SDP:

    o= 137.117,136.143
    c=IN IP4 137.117,136.143

This will definitely fail.

--
Alexey Vasilyev
Re: [OpenSIPS-Users] ms teams ACK
Hi volga629,

There was nothing special for ACK. You don't need to change To/From/Contact. All the necessary steps were in the article https://blog.opensips.org/2019/09/16/opensips-as-ms-teams-sbc/ and for most people it still works. So I'm not sure that MS changed anything, because all the hardware SBCs would have to change behaviour, so they would need new firmware. SBC vendors would have to inform customers to update etc. So this is not so simple a process. And it definitely makes no sense for anybody.

And in the test lab for the article I've used absolutely the same architecture with Asterisk, the only difference was RTPEngine to transcode SRTP-RTP. And within the test lab I've tested not only calls, but transfers worked fine too.

--
Alexey Vasilyev
Re: [OpenSIPS-Users] drouting probe_mode in active/passive cluster
Hi Bogdan,

Yes, of course, in 3.0 you have implemented full support for the sharing tags. But when these commits were made, the sharing tags were only in the process of discussion. So it's absolutely a temporary solution only for the 2.4 branch.

And for Jeff, there is no modparam. Just call "dr_enable_probing 0" after starting opensips.

--
Alexey Vasilyev
Re: [OpenSIPS-Users] drouting probe_mode in active/passive cluster
Hi Jeff.

I made one solution for 2.4. You can cherry-pick https://github.com/OpenSIPS/opensips/commit/05ca54a37d82c605e2cd6d10e5a62fb4f7c35b78 and maybe this: https://github.com/OpenSIPS/opensips/commit/94a3ede1e276984a91f93f6ece832d174b071ab8

There is documentation in the commits.

--
Alexey Vasilyev
Re: [OpenSIPS-Users] msteams outgoing calls fail
Please forward requests to Asterisk with a simple record_route(). Only to MS Teams you should use the preset with the domain name.

--
Alexey Vasilyev
Re: [OpenSIPS-Users] HA ongoing call support in 2.4 - transaction replication
Hi Jeff,

Transactions are not replicated. Here https://blog.opensips.org/2018/03/21/full-anycast-support-in-opensips-2-4/ Razvan explains why. Section "Distributed transactions handling".

--
Alexey Vasilyev
Re: [OpenSIPS-Users] Usrloc Cluster
Hi Callum,

I have almost the same problem. But with 2.4.6. Just today I opened an issue: https://github.com/OpenSIPS/opensips/issues/1976

--
Alexey Vasilyev
Re: [OpenSIPS-Users] Remote Control Advice
Hi Mark,

I'd use uaCSTA, if your phones support it. For example, snom or Yealinks definitely can be controlled over SIP.

--
Alexey Vasilyev
Re: [OpenSIPS-Users] mid_registrar question
Hi Igor,

If the phone lost registration, it should also be deleted from mid_registrar. With nathelper, e.g. So the next REGISTER should be forwarded, not consumed. But it would be a really good solution to have a feature like this: https://github.com/OpenSIPS/opensips/issues/1769

In the case of UDP, maybe it makes sense to use simple mirroring mode with nathelper pings.

--
Alexey Vasilyev
alexei.vasil...@gmail.com

> On 27 Sep 2019, at 22:58, Igor Olhovskiy [via OpenSIPS (Open SIP Server)] <mailto:ml+s1449251n761629...@n2.nabble.com> wrote:
>
> Endpoint B also has 3600 expiry time. So, 1000 + 2600 = 3600.
> But you got the point.
>
> Actually I faced a more interesting issue a bit later, maybe actually it was the reason.
> Only 1 phone involved.
> Time 0 -> Endpoint A -> mid_registrar -> upstream_registrar (expires 3600)
> Time 1000 -> Endpoint A -> mid_registrar (just consume registration)
> Time 3600 -> NOTHING. upstream_registrar expires.
> 1000 sec GAP
> Time 4600 -> Endpoint A -> mid_registrar -> upstream_registrar.
>
> Yes, looks like non-logical behaviour, but some of my Yealink endpoints sometimes just refresh registration (maybe TCP network loss or so) in the middle of the expires period and then just wait for the full expire time to re-register.
>
> Fri, 27 Sep 2019 at 18:53, Liviu Chircu <[hidden email]>:
> Hi, Igor!
>
> Correct me if I'm wrong, but doesn't endpoint B think it's registered for another 1000 seconds at step 4) in your example?
>
> Anyway, logically speaking, on step 2), the mid-registrar should forward the call to main reg, since there is no guarantee that any of the endpoints will send a binding refresh register within the next 2600 seconds. For all it's worth, A could lose its connection and B could wait between 2601 to 3599 before re-registering, which would temporarily cause registration state to be incorrectly lost on the backend layer.
>
> Let me set up a test for this scenario and I will come back to you with my findings.
>
> Regards,
>
> Liviu Chircu
> OpenSIPS Developer
> http://www.opensips-solutions.com
>
> On 27.09.2019 18:18, Igor Olhovskiy wrote:
> > but Endpoint B still thinks it's registered at least 2599 seconds.
>
> ___
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
> --
> Best regards,
> Igor
Re: [OpenSIPS-Users] CentOS7: Possible SYN flooding on port 5061
Hi Bogdan,

Yes, this is exactly what I need. I'll change it and will see how it works with the next switching. Thanks.

--
Alexey Vasilyev
[OpenSIPS-Users] CentOS7: Possible SYN flooding on port 5061
Hi,

When switching Backup->Active with a lot of TLS clients I got this message on CentOS 7:

    kernel: TCP: request_sock_TCP: Possible SYN flooding on port 5061. Sending cookies.

It is described for example here https://access.redhat.com/solutions/30453 and is related to the socket backlog limit. It's not a problem to increase the kernel limit:

    sysctl -w net.core.somaxconn=2048

But the question is about OpenSIPS. What do you think, is this enough? https://github.com/OpenSIPS/opensips/blob/ca75c705a4d74a06aec8ffe6d6e5d5c5e6fb97d6/net/tcp_conn.h#L46

    /*!< TCP listen backlog count */
    #define DEFAULT_TCP_LISTEN_BACKLOG 10

If we have thousands of TLS/TCP connections at the same time, and for example 32 processes, we'll have only a 10*32=320 socket backlog limit for OpenSIPS? Is this right? Should it be increased?

--
Alexey Vasilyev
Re: [OpenSIPS-Users] [OpenSIPS-Business] [Blog] OpenSIPS as MS Teams SBC
Thanks, Giovanni and Bogdan! If somebody has questions, I think we can discuss here.

--
Alexey Vasilyev
Re: [OpenSIPS-Users] Double SDP
This is absolutely normal. SDP can contain both RTP/AVP and RTP/SAVP. This is an INVITE from a snom phone, for example:

    Sent to tls:135.42.212.82:5061 at Sep 4 14:19:18.641 (1383 bytes):
    INVITE sip:*7...@sip.test.dk SIP/2.0
    Via: SIP/2.0/TLS 172.16.1.29:4169;branch=z9hG4bK-gci2vl6fe7cz;rport
    From: "Demo" ;tag=ncsplp1nvz
    To:
    Call-ID: 313536373539393535363232353137-eewp9wlm45rf
    CSeq: 2 INVITE
    Max-Forwards: 70
    User-Agent: snom320/8.7.5.44
    Contact: ;reg-id=1
    X-Serialnumber: 000XXX
    P-Key-Flags: keys="3"
    Accept: application/sdp
    Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO, UPDATE
    Allow-Events: talk, hold, refer, call-info
    Supported: timer, 100rel, replaces, from-change
    Session-Expires: 600
    Min-SE: 90
    Authorization: Digest username="200",realm="asterisk",nonce="7b2d56ec",uri="sip:*7...@sip.test.dk",response="7a9fe1f24a6f7585fb7323237a000167",algorithm=MD5
    Content-Type: application/sdp
    Content-Length: 476

    v=0
    o=root 558099897 558099897 IN IP4 172.16.1.29
    s=call
    c=IN IP4 172.16.1.29
    t=0 0
    m=audio 60812 RTP/SAVP 9 8 101
    a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:ysn2nTlXXAuZYcpOhf1g/h+oG
    a=rtpmap:9 G722/8000
    a=rtpmap:8 PCMA/8000
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-15
    a=ptime:20
    a=sendrecv
    m=audio 60812 RTP/AVP 9 8 101
    a=rtpmap:9 G722/8000
    a=rtpmap:8 PCMA/8000
    a=rtpmap:101 telephone-event/8000
    a=fmtp:101 0-15
    a=ptime:20
    a=sendrecv

--
Alexey Vasilyev
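A small SDP checker ties this post together with the "137.117,136.143" typo from the Teams SBC thread above: it lists the media profiles of an offer (two m-lines, RTP/SAVP and RTP/AVP, are a legal offer as stated here) and rejects c=/o= addresses that are not valid IP addresses. This is an added example, not code from the list or from OpenSIPS; the SDP bodies are constructed (modelled on the snom offer, with placeholder key material) and the a=crypto check for SAVP media is an extra sanity check assumed here.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed SDP modelled on the snom offer above: one SRTP (RTP/SAVP) and
# one plain RTP (RTP/AVP) audio stream on the same port. Key material is a
# placeholder, not a real SRTP key.
GOOD_SDP = """v=0
o=root 558099897 558099897 IN IP4 172.16.1.29
s=call
c=IN IP4 172.16.1.29
t=0 0
m=audio 60812 RTP/SAVP 9 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_MATERIAL_NOT_REAL
a=rtpmap:9 G722/8000
a=rtpmap:8 PCMA/8000
a=sendrecv
m=audio 60812 RTP/AVP 9 8 101
a=rtpmap:9 G722/8000
a=rtpmap:8 PCMA/8000
a=sendrecv
"""

# Same body with the comma-instead-of-dot address from the other thread.
BAD_SDP = GOOD_SDP.replace("172.16.1.29", "137.117,136.143")


def parse_sdp(body: str) -> Dict:
    """Split an SDP body into session-level addresses and a list of media sections."""
    session: Dict[str, Optional[str]] = {"origin_addr": None, "connection": None}
    media: List[Dict] = []
    current: Optional[Dict] = None
    for raw in body.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue  # not a "<type>=<value>" line
        key, value = line[0], line[2:]
        if key == "m":
            fields = value.split()
            current = {"type": fields[0], "port": int(fields[1]), "profile": fields[2],
                       "payloads": fields[3:], "connection": None, "crypto": []}
            media.append(current)
        elif key == "c":
            addr = value.split()[-1]  # "IN IP4 <addr>"
            if current is None:
                session["connection"] = addr
            else:
                current["connection"] = addr
        elif key == "o" and current is None:
            session["origin_addr"] = value.split()[-1]  # last field is the address
        elif key == "a" and current is not None and value.startswith("crypto:"):
            current["crypto"].append(value)
    return {"session": session, "media": media}


def _valid_ip(addr: str) -> bool:
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def media_profiles(body: str) -> List[str]:
    """Transport profiles of the m-lines, in order (e.g. RTP/SAVP then RTP/AVP)."""
    return [m["profile"] for m in parse_sdp(body)["media"]]


def check_sdp(body: str) -> List[str]:
    """Return findings; an empty list means the body passes these checks."""
    sdp = parse_sdp(body)
    session = sdp["session"]
    findings: List[str] = []
    for label, addr in (("o=", session["origin_addr"]), ("c=", session["connection"])):
        if addr is not None and not _valid_ip(addr):
            findings.append(f"session {label} address {addr!r} is not a valid IP address")
    for i, m in enumerate(sdp["media"]):
        conn = m["connection"] or session["connection"]  # media c= overrides session c=
        if conn is None:
            findings.append(f"m-line {i}: no c= line at media or session level")
        elif not _valid_ip(conn):
            findings.append(f"m-line {i}: address {conn!r} is not a valid IP address")
        if m["profile"] == "RTP/SAVP" and not m["crypto"]:
            findings.append(f"m-line {i}: RTP/SAVP offered without an a=crypto line")
    return findings


if __name__ == "__main__":
    print(media_profiles(GOOD_SDP))
    for finding in check_sdp(BAD_SDP):
        print(finding)
```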
Re: [OpenSIPS-Users] OpenSIPs with mutual TLS and client CA lists
Hi Phil,

The previous screenshot was cut by the mailing list, so it is here: https://screenshot.net/yzggmfv

I've sent DNs for all CAs which CentOS 7 has (/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem). There are 133 CAs.

You can build and try
branch 3.0: https://github.com/vasilevalex/opensips/tree/mutual_tls
branch 2.4: https://github.com/vasilevalex/opensips/tree/ca_client_24

If you use certificates in DB (as I do), you should add one more column (e.g. for MySQL):

    ALTER TABLE tls_mgm_alone ADD COLUMN ca_client_send INT(1) DEFAULT 0;

And set it to 1.

If you don't use certificates from DB, there is a parameter for the domain:

    modparam("tls_mgm", "ca_client_send", "[dom]1")

For this domain OpenSIPS adds DNs to the Certificate request.

--
Alexey Vasilyev
Re: [OpenSIPS-Users] OpenSIPs with mutual TLS and client CA lists
Hi Phil,

I tried this mode, but was unsuccessful: my phone still sends its certificate, even though its CA is not in the list. This is a screenshot of the Certificate request from the OpenSIPS side:

And it seems that it's not a very good idea to send the full list of trusted CAs. What so smart phones do you use, that they can choose whether to send their certificate or not? Would you like to test it in your environment?

--
Alexey Vasilyev
Re: [OpenSIPS-Users] rtpengine_offer error
Hi Dragomir.

What do you expect RTPEngine to do? You tell it:

    rtpengine_offer("RTP/AVP RTP/SAVP replace-session-connection replace-origin ICE=remove");

So you tell it that you want to get as a result an unencrypted body (RTP/AVP) AND an encrypted body (RTP/SAVP). But it can be either encrypted or unencrypted. You should choose what you want. Use only one profile as parameter.

--
Alexey Vasilyev
[OpenSIPS-Users] How to pass in-dialog data with topology_hiding?
Hello team,

I'm using a transaction stateful proxy with topology_hiding. Without the dialog module. And I use rtpengine for part of the calls. The decision to use it or not is made during the initial INVITE. Without topology_hiding I can keep this decision in some param in RR and use it on re-INVITE:

1) add_rr_param(";rtpengine=yes");
...
2) After loose_route()
    if (check_route_param("rtpengine=yes")) {
        route(rtpengine);
        exit;
    }

With topology_hiding I have no RR and Via headers. But instead of loose_route() I use topology_hiding_match() and it should restore RR headers. But it seems that the function topology_hiding() encodes only RR headers from the original UAC request, not those that were added by OpenSIPS.

So the question: how to pass this in-dialog data? Should we add functions add_th_param/get_th_param for this purpose?

Thanks.

--
Alexey Vasilyev
Re: [OpenSIPS-Users] Control TLS client domain
Hi Bogdan,

Sorry that I mentioned He-Who-Must-Not-Be-Named. Just to simplify search later: https://github.com/OpenSIPS/opensips/issues/1651

--
Alexey Vasilyev
alexei.vasil...@gmail.com

> On 28 Mar 2019, at 16:45, Bogdan-Andrei Iancu wrote:
>
> Hi Alexey,
>
> oh, if it is MS related, I don't wanna hear about it :P. Just joking - please open a bug report on the tracker.
>
> Regards,
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 2019
> https://www.opensips.org/events/Summit-2019Amsterdam/
>
> On 03/28/2019 03:16 PM, Alexey Vasilyev wrote:
>> Hi Bogdan,
>>
>> Yes, of course this is a real scenario. MS Teams integration. They authenticate everything by the TLS certificates used by the connection. It works fine for 1 integration.
>> But if I send SIP for domain2 over the TLS connection encrypted with the certificate for domain1, I just fail.
>> And actually everybody I checked reuses TLS sessions almost the same way as TCP. So OpenSIPS will be the first doing this the correct way.
>> And I like the comments from tls_mgm.c:
>> /* what if we have multiple connections to the same remote socket? e.g. we can have
>> connection 1: localIP1:localPort1 <--> remoteIP:remotePort
>> connection 2: localIP2:localPort2 <--> remoteIP:remotePort
>> but I think the is very unrealistic */
>>
>> So I got exactly this scenario.
>>
>> Thu, 28 Mar 2019 at 13:47, Bogdan-Andrei Iancu <mailto:bog...@opensips.org>:
>> Hi Alexey,
>>
>> It makes sense (logically speaking) to get the TLS domain involved in the TCP conn re-usage alg - but my question is: have you come across a real scenario with such a need?
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>> https://www.opensips-solutions.com
>> OpenSIPS Summit 2019
>> https://www.opensips.org/events/Summit-2019Amsterdam/
>>
>> On 03/26/2019 02:23 PM, vasilevalex wrote:
>> > Hi Bogdan,
>> >
>> > Thanks for the fix!
>> >
>> > What do you think about reusing TLS connections? In master branch this behavior is still the same. OpenSIPS reuses TLS connections the same way as regular TCP connections, but it should not. For reusing a TCP connection we check if a connection with the same dst IP:PORT exists. But for TLS it is not enough. We additionally should check what certificate this connection uses (or what domain it is related to).
>> >
>> > And in the documentation for the tls_mgm module it is written everywhere: Note: If there is already an existing TLS connection to the remote target, it will be reused and setting this AVP has no effect.
>> >
>> > This is the same case - we have only 1 destination target, but we should use several TLS connections to this target with different TLS certificates. So the first connection will be successful, but the SIP message for the second domain, which should use another certificate, will try to reuse this first connection, as the target is the same. And this message will fail.
>> >
>> > --
>> > Alexey Vasilyev
>>
>> --
>> Best regards
>> Alexey Vasilyev
Re: [OpenSIPS-Users] Control TLS client domain
Hi Bogdan,

Yes, of course this is a real scenario. MS Teams integration. They authenticate everything by the TLS certificates used by the connection. It works fine for 1 integration.
But if I send SIP for domain2 over the TLS connection encrypted with the certificate for domain1, I just fail.
And actually everybody I checked reuses TLS sessions almost the same way as TCP. So OpenSIPS will be the first doing this the correct way.
And I like the comments from tls_mgm.c:

    /* what if we have multiple connections to the same remote socket? e.g. we can have
    connection 1: localIP1:localPort1 <--> remoteIP:remotePort
    connection 2: localIP2:localPort2 <--> remoteIP:remotePort
    but I think the is very unrealistic */

So I got exactly this scenario.

Thu, 28 Mar 2019 at 13:47, Bogdan-Andrei Iancu:
> Hi Alexey,
>
> It makes sense (logically speaking) to get the TLS domain involved in the TCP conn re-usage alg - but my question is: have you come across a real scenario with such a need?
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 2019
> https://www.opensips.org/events/Summit-2019Amsterdam/
>
> On 03/26/2019 02:23 PM, vasilevalex wrote:
> > Hi Bogdan,
> >
> > Thanks for the fix!
> >
> > What do you think about reusing TLS connections? In master branch this behavior is still the same. OpenSIPS reuses TLS connections the same way as regular TCP connections, but it should not. For reusing a TCP connection we check if a connection with the same dst IP:PORT exists. But for TLS it is not enough. We additionally should check what certificate this connection uses (or what domain it is related to).
> >
> > And in the documentation for the tls_mgm module it is written everywhere: Note: If there is already an existing TLS connection to the remote target, it will be reused and setting this AVP has no effect.
> >
> > This is the same case - we have only 1 destination target, but we should use several TLS connections to this target with different TLS certificates. So the first connection will be successful, but the SIP message for the second domain, which should use another certificate, will try to reuse this first connection, as the target is the same. And this message will fail.
> >
> > --
> > Alexey Vasilyev

--
Best regards
Alexey Vasilyev
Re: [OpenSIPS-Users] Control TLS client domain
Hi Bogdan,

It would be nice to get rid of these AVPs and select the client domain by destination IP, but the problem is that I have only 1 destination gw IP for all customers' domains. I have a cloud platform, which I'd like to connect from OpenSIPS. And I have many customers with their domains. So the only way to choose the client tls domain is the AVP. And why not allow manipulating AVPs in local route? I modified modules/tm/uac.c a little bit, and now I can select the TLS client domain with the AVP from local_route: https://github.com/OpenSIPS/opensips/issues/1642
But I'm not sure about the code. And sorry that I marked it as a bug, I thought that it is normal to work with AVP variables from local_route.

I have another issue: OpenSIPS reuses TLS connections the same way as regular TCP connections, but it should not. For reusing a TCP connection we check if a connection with the same dst IP:PORT exists. But for TLS it is not enough. We additionally should check what certificate this connection uses (or what domain it is related to). If on the server side we have SNI, why not have more control for the client TLS side?

--
Alexey Vasilyev
alexei.vasil...@gmail.com

> On 25 Mar 2019, at 18:37, Bogdan-Andrei Iancu wrote:
>
> Hi Alexey,
>
> Well, the AVPs (as variables) are not visible for the TLS send operation. In local route, the actual "send" is outside the route context, so the AVP you set in the local route are not impacting the later TLS "send".
>
> On the other hand, you can select the TLS certificate to use based on the destination IP of the TLS connection (the IP of the GW, in your case).
>
> Check this https://opensips.org/html/docs/modules/2.4.x/tls_mgm.html#domains-param .
>
> And when you define the client_domain, you set the IP of your GW :
>
> modparam("tls_mgm", "client_domain", "test1=GW_IP:GW_PORT")
>
> and you do not need the local route anymore, as the test1 TLS domain will be automatically picked when sending GW_IP:GW_PORT.
>
> Best regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 2019
> https://www.opensips.org/events/Summit-2019Amsterdam/
>
> On 03/20/2019 02:40 PM, vasilevalex wrote:
>> Hi all.
>>
>> OpenSIPS 2.4.4
>> I have 2 gateways in the Dynamic Routing module table. For both gateways I have different sockets:
>> address: gw1, socket: tls::5061
>> address: gw2, socket: tls::5061
>>
>> IP1 has certificate for TLS sip.domain1.com
>> IP2 has certificate for TLS sip.domain2.com
>>
>> And something like this for the tls management module:
>>
>> loadmodule "tls_mgm.so"
>> modparam("tls_mgm", "client_domain_avp", "tls_cli_dom")
>> modparam("tls_mgm", "client_domain", "test1")
>> modparam("tls_mgm","certificate", "[test1]/etc/opensips/tls/test1/fullchain.pem")
>> modparam("tls_mgm","private_key", "[test1]/etc/opensips/tls/test1/privkey.pem")
>> modparam("tls_mgm","verify_cert", "[test1]0")
>> modparam("tls_mgm","require_cert", "[test1]0")
>> modparam("tls_mgm","tls_method", "[test1]TLSv1")
>> modparam("tls_mgm", "client_domain", "test2")
>> modparam("tls_mgm","certificate", "[test2]/etc/opensips/tls/test2/fullchain.pem")
>> modparam("tls_mgm","private_key", "[test2]/etc/opensips/tls/test2/privkey.pem")
>> modparam("tls_mgm","verify_cert", "[test2]0")
>> modparam("tls_mgm","require_cert", "[test2]0")
>> modparam("tls_mgm","tls_method", "[test2]TLSv1")
>> #Default domain
>> modparam("tls_mgm","certificate", "/etc/opensips/tls/test1/fullchain.pem")
>> modparam("tls_mgm","private_key", "/etc/opensips/tls/test1/privkey.pem")
>> modparam("tls_mgm","verify_cert", "0")
>> modparam("tls_mgm","require_cert", "0")
>> modparam("tls_mgm","tls_method", "TLSv1")
>> modparam("tls_mgm", "server_domain", "srv2=IP2:5061")
>> modparam("tls_mgm","certificate", "[srv2]/etc/opensips/tls/test2/fullchain.pem")
>> modparam("tls_mgm","private_key", "[srv2]/
Re: [OpenSIPS-Users] usrloc restart persistency on seed node
Hi John,

Next is just my opinion. And I didn't explore the OpenSIPS source code for syncing data.

The problem is a little bit deeper. As we have a cluster, we potentially have split-brain.

We can disable seed node at all and just let nodes work after disaster/restart. But it means that we can't guarantee consistency of data. So nodes must show this with «Not in sync» state.

Usually clusters use quorum to trust on. But for OpenSIPS I think this approach is too expensive. And of course for quorum we need minimum 3 hosts.

For 2 hosts after losing/restoring interconnection it is impossible to say which host has consistent data. That's why OpenSIPS uses seed node as artificial trust point. I think «seed» node doesn't solve syncing problems, but it simplifies total work.

Let's imagine 3 nodes A, B, C. A is Active. A and B lost interconnection. C is down. Then C is up and has 2 hosts for syncing. But A already has 200 phones re-registered for some reason. So we have 200 conflicts (on node B the same phones still in memory). Where to sync from? «Seed» host will answer this question in 2 cases (A or B). Of course if C is «seed» so it just will be happy from the start. And I actually don't know what happens, if we now run «ul_cluster_sync» on C. Will it get all the contacts from A and B or not?

We operate with specific data, which is temporary. So syncing policy can be more relaxed. Maybe it's a good idea to connect somehow «seed» node with Active role in the cluster. But again, if Active node restarts and still Active - we will have a problem.

--
Alexey Vasilyev

> On 31 Dec 2018, at 18:04, John Quick wrote:
>
> Hi Alexei,
>
> Many thanks for your reply to my query about syncing the seed node for usrloc registrations.
> I just tried the command you suggested and it does solve the problem. I also read the other thread you pointed to.
>
> I do not really understand the need for the seed node, especially not for the case of memory based registrations.
> A seed node makes sense if that node has a superior knowledge of the topology or the data than the other nodes. Its view of the universe is to be trusted more than the view held by any other node.
> However, in the case of a cluster topology that is pre-defined (no auto-discovery) and for full-sharing of usrloc registration data held exclusively in memory, then all the nodes are equal - there is no superior knowledge that can exist in one node. The one with the most accurate view of the world is the one that has been running the longest.
>
> I am wondering if there is a justifiable case for an option that would disable the concept of the seed node and make it so that, on startup, every instance will attempt to get the usrloc data from any other running instance that has data available. In effect, I can mimic this behaviour by adding the command line you suggested just after opensips has started:
> opensipsctl fifo ul_cluster_sync
>
> Am I missing something here about the concept of the seed node?
> It concerns me that this seed concept is at odds with the concept of true horizontal scalability.
> All nodes are equal, but some are more equal than others!
>
> John Quick
> Smartvox Limited
> Web: www.smartvox.co.uk
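An added illustration of the three-node scenario discussed in this thread (A active, A and B partitioned, 200 phones re-registered on A, C restarted and looking for a sync source). This is not OpenSIPS code and not code from anyone in the thread; it does not model the clusterer or usrloc protocol, only the decision C has to make. The node names, the AoR pattern, the contact addresses and the "registered" logical clock are constructed assumptions. It shows why two partitioned nodes leave C with 200 conflicting AoRs and no intrinsic way to pick a winner: the seed policy resolves the conflict by fiat (whichever node is configured as seed wins), while a "newest REGISTER wins" merge only works if the nodes' clocks can be compared, which a partition does not guarantee.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable


@dataclass(frozen=True)
class Contact:
    uri: str         # contact URI the phone registered (constructed sample)
    registered: int  # logical clock of the REGISTER; higher means newer


@dataclass
class Node:
    name: str
    seed: bool = False
    # AoR -> currently registered contact (one contact per AoR keeps the model small)
    contacts: Dict[str, Contact] = field(default_factory=dict)


def aor(i: int) -> str:
    """Constructed address-of-record for phone number i."""
    return f"sip:phone{i}@example.invalid"


def build_scenario(n_phones: int = 200, seed_name: str = "B") -> Dict[str, Node]:
    """Reproduce the thread's scenario: A active, A/B partitioned, C restarted."""
    nodes = {name: Node(name, seed=(name == seed_name)) for name in "ABC"}
    # Before the partition all three nodes hold identical registrations.
    for i in range(n_phones):
        ct = Contact(f"sip:phone{i}@10.0.0.{i % 250}:5060", registered=1)
        for node in nodes.values():
            node.contacts[aor(i)] = ct
    # C goes down: its in-memory usrloc table is gone.
    nodes["C"].contacts.clear()
    # A keeps serving while cut off from B; the same phones re-register from
    # new addresses, so A and B now disagree about every AoR.
    for i in range(n_phones):
        nodes["A"].contacts[aor(i)] = Contact(
            f"sip:phone{i}@192.168.1.{i % 250}:5060", registered=2)
    return nodes


def conflicts(x: Node, y: Node) -> int:
    """Count AoRs that both nodes know but describe differently."""
    return sum(1 for k, ct in x.contacts.items()
               if k in y.contacts and y.contacts[k] != ct)


def sync_from_seed(target: Node, peers: Iterable[Node]) -> Node:
    """Seed-node policy: copy the table of the configured trust point, whatever it holds."""
    seeds = [p for p in peers if p.seed]
    if not seeds:
        raise RuntimeError(f"{target.name}: no seed reachable, cannot choose a source")
    target.contacts = dict(seeds[0].contacts)
    return target


def sync_newest_wins(target: Node, peers: Iterable[Node]) -> Node:
    """Alternative merge: per AoR keep the newest REGISTER seen on any peer.

    Only sound if the peers' clocks are comparable, which a partition does
    not guarantee; that is the gap the seed node papers over.
    """
    merged: Dict[str, Contact] = {}
    for p in peers:
        for k, ct in p.contacts.items():
            if k not in merged or ct.registered > merged[k].registered:
                merged[k] = ct
    target.contacts = merged
    return target


def demo(n_phones: int = 200) -> dict:
    """Run both policies for C and report what each one decided."""
    nodes = build_scenario(n_phones, seed_name="B")
    a, b = nodes["A"], nodes["B"]
    seed_view = sync_from_seed(Node("C"), [a, b])
    merged_view = sync_newest_wins(Node("C"), [a, b])
    return {
        "conflicts": conflicts(a, b),
        "seed_source": "A" if seed_view.contacts == a.contacts else "B",
        "merged_matches_A": merged_view.contacts == a.contacts,
        "merged_size": len(merged_view.contacts),
    }


if __name__ == "__main__":
    print(demo())
```

With B configured as seed, C ends up with B's stale contacts even though A served the phones most recently; flip `seed_name` to "A" and the result flips with it, which is the "artificial trust point" behaviour described above. The merge variant picks A's contacts only because the model hands it a comparable logical clock; in a real partition that comparison is exactly what is missing.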