You can also check the issuer of the certificate; there should be some variable in the config returning that when incoming traffic is over TLS and the peer has presented a certificate.

Cheers,
Daniel

On 23.02.23 11:39, Jon Bonilla (Manwe) wrote:
> On Mon, 20 Feb 2023 20:08:50 +1000
> Richard Edmands <[email protected]> wrote:
>
>> Yeah, don’t trust that IP range blindly. It’s just Azure space.
>> The only logical approach I’ve seen appears to be certificate validation and
>> checking.
> okok.
>
> I can see that the client certificate is being validated. But that means the
> client certificate is valid. Doesn't mean that the certificate is Microsoft.
>
> Is there a way to check the certificate owner in the config script? Or to limit
> the certificate to a certain "Subject Alternative Name"?
>
> Would it be nuts to limit the CA list allowed for that socket creating a custom
> CA list? It still would not filter just MS.
>
> In the end I guess I'll get an IP list and filter because opening two /14 nets
> seems crazy to me.
>
>>> On 20 Feb 2023, at 7:00 pm, Jon Bonilla (Manwe) <[email protected]> wrote:
>>>
>>> Hi
>>>
>>> Sorry for the OT but I think here's the place where I can find a lot of MS
>>> Teams integrations
>>>
>>> I've been working on MS Teams direct routing integration for PekePBX. It
>>> works. I guess I've done it as everybody else, using Henning's guide as
>>> base and extending it for multitenant setup (thanks Henning!)
>>>
>>> What I've realized is that the source IP address of calls coming from MS are
>>> not always matching dispatcher hosts. Sometimes they come from another
>>> source IP and failover to the dispatcher hosts when they receive no
>>> response. That makes some of the calls to have an additional latency
>>>
>>> Searching in the MS doc I see that they document these nets as source of
>>> their signaling:
>>>
>>> 52.112.0.0/14
>>> 52.120.0.0/14
>>>
>>> But I've seen IP addresses outside of this range as source.
>>> In this blog
>>> https://erwinbierens.com/microsoft-teams-direct-routing-ip-addresses/
>>>
>>> The ranges are listed as
>>>
>>> 52.112.0.0/16
>>> 52.113.0.0/16
>>> 52.114.0.0/16
>>> 52.115.0.0/16
>>> 52.120.0.0/16
>>> 52.121.0.0/16
>>> 52.122.0.0/16
>>> 52.123.0.0/16
>>>
>>> which looks better but scares me out. Having no auth, is it secure to bind so
>>> many ranges to MS?
>>>
>>> Do you use anything else than certificate verification for these calls?
>>>
>>> cheers,
>>>
>>> Jon
>>>
>>> --
>>> PekePBX, the multitenant PBX solution
>>> https://pekepbx.com
>>> __________________________________________________________
>>> Kamailio - Users Mailing List - Non Commercial Discussions
>>> To unsubscribe send an email to [email protected]
>>> Important: keep the mailing list in the recipients, do not reply only to
>>> the sender! Edit mailing list options or unsubscribe:

--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio World Conference - June 5-7, 2023 - www.kamailioworld.com
Kamailio Advanced Training - Online - March 27-30, 2023 - www.asipto.com
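
One way to apply the suggestion in this thread, shown as an added example that is not from any of the posters: a Kamailio route that pins the peer certificate's subject and issuer with the tls module's `$tls_peer_*` variables and treats the source ranges quoted above as informational only. The route name, the subject pattern and the issuer value are assumptions; replace them with what your proxy actually receives and with what Microsoft currently documents.

```kamailio
# Added example, not from the thread. Assumes the tls, ipops, sl and xlog
# modules are loaded and that the TLS server profile for this socket sets
# verify_certificate = yes and require_certificate = yes.

# Hypothetical route name; call it for requests arriving on the Teams socket.
route[TEAMS_PEER_CHECK] {
    # Only a TLS connection can carry a peer certificate.
    if (proto != TLS) {
        sl_send_reply("403", "TLS required");
        exit;
    }

    # Chain validation result from the tls module (1 = verified).
    if ($tls_peer_verified != 1) {
        xlog("L_WARN", "teams: unverified peer certificate from $si\n");
        sl_send_reply("403", "Certificate not verified");
        exit;
    }

    # A verified chain only proves that some trusted CA signed the
    # certificate, not who owns it, so pin the subject name as well.
    # Assumption: the pattern below must match the CN you observe in
    # certificates presented by the Teams SIP proxies.
    if (!($tls_peer_subject_cn =~ "[.]pstnhub[.]microsoft[.]com$")) {
        xlog("L_WARN", "teams: unexpected subject '$tls_peer_subject_cn' from $si\n");
        sl_send_reply("403", "Unexpected peer certificate");
        exit;
    }

    # Issuer check as suggested in the reply above.
    # Placeholder value: log $tls_peer_issuer_cn first, then pin it here.
    if ($tls_peer_issuer_cn != "REPLACE-WITH-ISSUER-CN") {
        xlog("L_WARN", "teams: unexpected issuer '$tls_peer_issuer_cn' from $si\n");
        sl_send_reply("403", "Unexpected certificate issuer");
        exit;
    }

    # Ranges quoted in the thread: log when the source is outside them,
    # but do not use the address as an authentication factor.
    if (!is_in_subnet("$si", "52.112.0.0/14")
            && !is_in_subnet("$si", "52.120.0.0/14")) {
        xlog("L_NOTICE", "teams: accepted certificate from $si outside documented ranges\n");
    }
}
```

Pinning the issuer means the check must be updated whenever the peer rotates to a certificate from a different CA, so alert on the issuer log line rather than discovering the change through failed calls.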
