Hello Daniel,

Yes, I have "socket=tls:172.16.30.206:5062" and "socket=tls:172.16.30.206:5063" attributes for corresponding records in the Dispatcher configuration table. $fs prints out correct values in the "event_route[tm:local-request]".

But I thought that TCP/TLS connections are established from a random port to a destination port on the peer side. And then the remote peer connects from its random port to our port 5062/5063. If I understood the Kamailio log correctly, when it is about to establish a second connection to the same peer it sees an active connection for the previous trunk and uses it instead of creating a new one.

Thank you!

Regards, Volodymyr Ivanets.

Mon, 2 Aug 2021 at 22:21 Daniel-Constantin Mierla <[email protected]> wrote:

> Hello,
>
> do you force local send socket?
>
> Cheers,
> Daniel
> On 02.08.21 18:21, Володимир Іванець wrote:
>
> Hello Daniel!
>
> I updated Kamailio to the latest released version. The problem is that
> still with tls_set_connect_server_id() I can not make a single instance of
> Kamailio connect to multiple MS Teams domains. I use a single IP address
> with different ports for different trunks. I can see it establishing a
> connection to one trunk and using it for other domains.
>
> Is there a way to force Kamailio to make a new TLS connection to the same
> peer address that it is already connected to?
>
> Thank you!
>
> Regards, Volodymyr Ivanets.
>
> Mon, 2 Aug 2021 at 13:44 Daniel-Constantin Mierla <[email protected]> wrote:
>
>> Hello,
>>
>> upgrading is the recommended way, indeed, if you want to use
>> tls_set_connect_server_id(). For older versions you may want to try looping
>> back to kamailio (can be over udp) and then use the xavps. Adds some
>> overhead and hops, but if you are stuck to a version and can't really
>> upgrade soon, might be an option to look at.
>>
>> Cheers,
>> Daniel
>> On 29.07.21 18:48, Володимир Іванець wrote:
>>
>> Hello Rob!
>>
>> Yes, I'm using Letsencrypt while I'm testing. But I would like to be able
>> to use different certificates with different sockets.
>>
>> I found this discussion https://github.com/kamailio/kamailio/issues/2413.
>> Looks like I need to use "tls_set_connect_server_id()" instead of setting
>> "$xavp(tls=>server_name)" and "$xavp(tls[0]=>server_id)". Unfortunately I'm
>> currently using Kamailio v5.4 on my test system and this function is not
>> available. I will update Kamailio and give it another try. Then I will
>> update everyone in the hope it will be useful for someone :)
>>
>> Thank you!
>>
>> Regards, Volodymyr Ivanets
>>
>> Thu, 29 Jul 2021 at 19:07 Rob van den Bulk <[email protected]> wrote:
>>
>>> Hello, are u using letsencrypt?
>>>
>>> U can use a multi domain.
>>>
>>> Multi domain names in one certificate
>>>
>>> ------------------------------
>>> From: sr-users <[email protected]> on behalf of
>>> Володимир Іванець <[email protected]>
>>> Sent: Thursday, July 29, 2021 4:44:16 PM
>>> To: Kamailio (SER) - Users Mailing List <[email protected]>
>>> Subject: [SR-Users] Integration with multiple MS Teams instances
>>>
>>> Hello all!
>>>
>>> I was able to connect Kamailio with MS Teams and now trying to add one
>>> more Teams instance. It looks like I have some misconfiguration or there is
>>> a bug.
>>>
>>> My test server has 2 domain records pointing at it (kamailio.domain1.com
>>> and kamailio.domain2.com). My tls.cfg configuration file looks like
>>> this. As you can see the Default section is configured with a
>>> kamailio.domain1.com certificate:
>>>
>>> [server:default]
>>> method = TLSv1.0+
>>> require_certificate = no
>>> verify_certificate = no
>>> private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
>>> certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
>>> ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
>>>
>>> [client:default]
>>> method = TLSv1.0+
>>> require_certificate = no
>>> verify_certificate = no
>>> private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
>>> certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
>>> ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
>>>
>>> [server:172.16.30.206:5062]
>>> method = TLSv1.0+
>>> require_certificate = no
>>> verify_certificate = no
>>> private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
>>> certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
>>> ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
>>> server_name = "kamailio.domain1.com"
>>> server_id = "kamailio.domain1.com"
>>>
>>> [client:172.16.30.206:5062]
>>> method = TLSv1.0+
>>> require_certificate = no
>>> verify_certificate = no
>>> private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
>>> certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
>>> ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
>>>
>>> [server:172.16.30.206:5063]
>>> method = TLSv1.0+
>>> require_certificate = no
>>> verify_certificate = no
>>> private_key = /var/kamailio/certificates/kamailio.domain2.com/server/key.pem
>>> certificate = /var/kamailio/certificates/kamailio.domain2.com/server/cert.pem
>>> ca_list = /var/kamailio/certificates/kamailio.domain2.com/CA/cert.pem
>>> server_name = "kamailio.domain2.com"
>>> server_id = "kamailio.domain2.com"
>>>
>>> [client:172.16.30.206:5063]
>>> method = TLSv1.0+
>>> require_certificate = no
>>> verify_certificate = no
>>> private_key = /var/kamailio/certificates/kamailio.domain2.com/server/key.pem
>>> certificate = /var/kamailio/certificates/kamailio.domain2.com/server/cert.pem
>>> ca_list = /var/kamailio/certificates/kamailio.domain2.com/CA/cert.pem
>>>
>>> The dispatcher configuration table looks like this:
>>>
>>> +----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+
>>> | id | setid | destination                                 | flags | priority | attrs                                                            | description |
>>> +----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+
>>> | 1  | 1     | sip:sip.pstnhub.microsoft.com;transport=tls | 0     | 3        | socket=tls:172.16.30.206:5062;ping_from=sip:kamailio.domain1.com | MS Teams 1  |
>>> | 2  | 2     | sip:sip.pstnhub.microsoft.com;transport=tls | 0     | 3        | socket=tls:172.16.30.206:5063;ping_from=sip:kamailio.domain2.com | MS Teams 2  |
>>> +----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+
>>>
>>> When Kamailio is started only connection with the first trunk is
>>> established:
>>>
>>> # kamcmd tls.list
>>> {
>>>     id: 1
>>>     timeout: 0
>>>     src_ip: 52.114.75.24
>>>     src_port: 5061
>>>     dst_ip: 172.16.30.206
>>>     dst_port: 0
>>>     cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
>>>     ct_wq_size: 0
>>>     enc_rd_buf: 0
>>>     flags: 2
>>>     state: established
>>> }
>>> {
>>>     id: 2
>>>     timeout: 0
>>>     src_ip: 52.114.75.24
>>>     src_port: 7810
>>>     dst_ip: 172.16.30.206
>>>     dst_port: 5062
>>>     cipher: AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
>>>     ct_wq_size: 0
>>>     enc_rd_buf: 0
>>>     flags: 2
>>>     state: established
>>> }
>>> {
>>>     id: 3
>>>     timeout: 596
>>>     src_ip: 52.114.75.24
>>>     src_port: 7811
>>>     dst_ip: 172.16.30.206
>>>     dst_port: 5062
>>>     cipher: AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
>>>     ct_wq_size: 0
>>>     enc_rd_buf: 0
>>>     flags: 2
>>>     state: established
>>> }
>>>
>>> Here is what I can see in Kamailio log file when it sends an OPTIONS
>>> request to the second trunk.
>>> Kamailio uses Default tls configuration and MS
>>> Teams don't accept it:
>>>
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: ALERT: <script>: == TRACE. tm:local-request. fs is tls:172.16.30.206:5063
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tm [uac.c:352]: t_run_local_req(): apply new updates without Via to sip msg
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/msg_translator.c:1796]: check_boundaries(): no multi-part body
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:610]: parse_msg(): SIP Request:
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:612]: parse_msg(): method: <OPTIONS>
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:614]: parse_msg(): uri: <sip:sip.pstnhub.microsoft.com;transport=tls>
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:616]: parse_msg(): version: <SIP/2.0>
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:1303]: parse_via_param(): Found param type 232, <branch> = <z9hG4bK169b.6411b4c3000000000000000000000000.0>; state=16
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:2639]: parse_via(): end of header reached, state=5
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:498]: parse_headers(): Via found, flags=2
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:500]: parse_headers(): this is the first via
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_addr_spec.c:864]: parse_addr_spec(): end of header reached, state=10
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:171]: get_hdr_field(): <To> [47]; uri=[sip:sip.pstnhub.microsoft.com;transport=tls]
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:174]: get_hdr_field(): to body (47)[<sip:sip.pstnhub.microsoft.com;transport=tls>^M
>>> ], to tag (0)[]
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:152]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:185]: get_hdr_field(): content_length=0
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:89]: get_hdr_field(): found end of header
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:610]: parse_msg(): SIP Request:
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:612]: parse_msg(): method: <OPTIONS>
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:614]: parse_msg(): uri: <sip:sip.pstnhub.microsoft.com;transport=tls>
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:616]: parse_msg(): version: <SIP/2.0>
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:1303]: parse_via_param(): Found param type 232, <branch> = <z9hG4bK169b.6411b4c3000000000000000000000000.0>; state=16
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:2639]: parse_via(): end of header reached, state=5
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:498]: parse_headers(): Via found, flags=2
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:500]: parse_headers(): this is the first via
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_addr_spec.c:864]: parse_addr_spec(): end of header reached, state=10
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:171]: get_hdr_field(): <To> [47]; uri=[sip:sip.pstnhub.microsoft.com;transport=tls]
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:174]: get_hdr_field(): to body (47)[<sip:sip.pstnhub.microsoft.com;transport=tls>^M
>>> ], to tag (0)[]
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:152]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tm [uac.c:189]: uac_refresh_hdr_shortcuts(): cseq: [CSeq: 10]
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1993]: tcp_send(): no open tcp connection found, opening new one
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 52.114.75.24
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1175]: tcpconn_new(): on port 5061, type 3, socket -1
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1498]: tcpconn_add(): hashes: 2831:67:0, 1
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:162]: tls_get_connect_server_name(): xavp with outbound server name not found
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:142]: tls_get_connect_server_id(): xavp with outbound server id not found
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSc<default> (dom 0x7f35509da688 ctx 0x7f3550b7a568 sn [])
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_domain.c:1177]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f3550b7a568: (nil)
>>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
>>> ...
>>>
>>> If I change the Default configuration to use kamailio.domain2.com
>>> certificate, the second trunk will connect but the first one will fail.
>>> I tried to set "$xavp(tls=>server_name)" and "$xavp(tls[0]=>server_id)"
>>> variables to the event_route[tm:local-request] section but log still stated
>>> that server Name and ID were not found.
>>>
>>> Can someone please point me in the right direction, how can I make
>>> Kamailio use the correct certificates when establishing multiple TLS
>>> connections?
>>>
>>> Thanks a lot!
>>>
>>> Regards, Volodymyr Ivanets
>>> __________________________________________________________
>>> Kamailio - Users Mailing List - Non Commercial Discussions
>>> * [email protected]
>>> Important: keep the mailing list in the recipients, do not reply only to
>>> the sender!
>>> Edit mailing list options or unsubscribe:
>>> * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>>
>>
>> --
>> Daniel-Constantin Mierla -- www.asipto.com
>> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>>
>
> --
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
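Added example, not part of the original thread and not Kamailio project code: a small Python audit of a tls.cfg laid out like the one quoted above. It reports profiles that explicitly disable peer certificate verification, admit TLS older than 1.2, or are address-specific client profiles with no server_id/server_name to select them by. The sample file is constructed from the thread's layout, the function names are hypothetical, and it assumes (per the tls module documentation) that tls_set_connect_server_id() picks a client profile by its server_id.

```python
import re

# Constructed sample: a trimmed copy of the tls.cfg layout quoted in the thread.
SAMPLE_TLS_CFG = """
[client:default]
method = TLSv1.0+
verify_certificate = no

[server:172.16.30.206:5063]
method = TLSv1.0+
verify_certificate = no
server_name = "kamailio.domain2.com"
server_id = "kamailio.domain2.com"

[client:172.16.30.206:5063]
method = TLSv1.0+
verify_certificate = no
"""

SECTION = re.compile(r"\[(server|client):([^\]]+)\]")
OPTION = re.compile(r"(\w+)\s*=\s*(.*)")
LEGACY_METHOD = re.compile(r"(SSLv\d+|TLSv1(\.[01])?)\+?", re.IGNORECASE)


def parse_profiles(text):
    """Return a list of (kind, address, options) tuples in file order."""
    profiles = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        section = SECTION.fullmatch(line)
        option = OPTION.fullmatch(line)
        if section:
            profiles.append((section.group(1), section.group(2), {}))
        elif option and profiles:
            value = option.group(2).strip().strip('"')
            profiles[-1][2][option.group(1).lower()] = value
    return profiles


def audit(text):
    """Return (profile, finding) pairs for settings worth a second look."""
    findings = []
    for kind, address, opts in parse_profiles(text):
        name = f"{kind}:{address}"
        # Only explicit settings are judged; inherited defaults are not guessed.
        if opts.get("verify_certificate", "").lower() == "no":
            findings.append((name, "peer certificate is not verified"))
        if LEGACY_METHOD.fullmatch(opts.get("method", "")):
            findings.append((name, "method admits TLS older than 1.2"))
        # Assumption: outbound selection matches a client profile's server_id.
        selectable = "server_id" in opts or "server_name" in opts
        if kind == "client" and address != "default" and not selectable:
            findings.append((name, "no server_id/server_name to select it by"))
    return findings
```

Run against the sample, audit() flags the [client:172.16.30.206:5063] profile as unselectable, which mirrors the thread's layout where server_id appears only on the server profiles.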
