Hi Alexey,

Well, the AVPs (as variables) are not visible for the TLS send operation. In the local route, the actual "send" is outside the route context, so the AVPs you set in the local route do not impact the later TLS "send".

On the other hand, you can select the TLS certificate to use based on the destination IP of the TLS connection (the IP of the GW, in your case).

Check this https://opensips.org/html/docs/modules/2.4.x/tls_mgm.html#domains-param .

And when you define the client_domain, you set the IP of your GW:

modparam("tls_mgm", "client_domain", "test1=GW_IP:GW_PORT")

and you do not need the local route anymore, as the test1 TLS domain will be automatically picked when sending to GW_IP:GW_PORT.


Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 2019
  https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/20/2019 02:40 PM, vasilevalex wrote:
Hi all.

OpenSIPS 2.4.4
I have 2 gateways in Dynamic Routing module table. For both gateways I have
different sockets:
address: gw1, socket: tls:<IP1>:5061
address: gw2, socket: tls:<IP2>:5061

IP1 has certificate for TLS sip.domain1.com
IP2 has certificate for TLS sip.domain2.com

And something like this for tls management module:

loadmodule "tls_mgm.so"
modparam("tls_mgm", "client_domain_avp", "tls_cli_dom")
modparam("tls_mgm", "client_domain", "test1")
modparam("tls_mgm","certificate",
"[test1]/etc/opensips/tls/test1/fullchain.pem")
modparam("tls_mgm","private_key",
"[test1]/etc/opensips/tls/test1/privkey.pem")
modparam("tls_mgm","verify_cert", "[test1]0")
modparam("tls_mgm","require_cert", "[test1]0")
modparam("tls_mgm","tls_method", "[test1]TLSv1")
modparam("tls_mgm", "client_domain", "test2")
modparam("tls_mgm","certificate",
"[test2]/etc/opensips/tls/test2/fullchain.pem")
modparam("tls_mgm","private_key",
"[test2]/etc/opensips/tls/test2/privkey.pem")
modparam("tls_mgm","verify_cert", "[test2]0")
modparam("tls_mgm","require_cert", "[test2]0")
modparam("tls_mgm","tls_method", "[test2]TLSv1")
#Default domain
modparam("tls_mgm","certificate", "/etc/opensips/tls/test1/fullchain.pem")
modparam("tls_mgm","private_key", "/etc/opensips/tls/test1/privkey.pem")
modparam("tls_mgm","verify_cert", "0")
modparam("tls_mgm","require_cert", "0")
modparam("tls_mgm","tls_method", "TLSv1")
modparam("tls_mgm", "server_domain", "srv2=IP2:5061")
modparam("tls_mgm","certificate",
"[srv2]/etc/opensips/tls/test2/fullchain.pem")
modparam("tls_mgm","private_key",
"[srv2]/etc/opensips/tls/test2/privkey.pem")
modparam("tls_mgm","verify_cert", "[srv2]0")
modparam("tls_mgm","require_cert", "[srv2]0")
modparam("tls_mgm","tls_method", "[srv2]TLSv1")

Server part of TLS works fine.
But I want OPTIONS to these gateways to be sent with the correct TLS
certificate.

local_route {
   if (is_method("OPTIONS")) {
     # Get IP for outgoing socket
     $var(ip_out) = $(fs{s.select,1,:});
     switch($var(ip_out)) {
       case "IP1":
         $avp(tls_cli_dom) = "test1";
       break;
       case "IP2":
         $avp(tls_cli_dom) = "test2";
       break;
     }
     xlog("AVP for TLS:  $avp(tls_cli_dom) \n");
   }
}

So the AVP for choosing the client domain is set correctly when sending OPTIONS.
OpenSIPS uses different sockets for sending OPTIONS, but the default TLS domain
for both gateways. What's wrong?



-----
---
Alexey Vasilyev
--
Sent from: 
http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html

_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
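
Added example, not part of the original thread: the address-matched client domains from the reply, written out for both gateways so that no local_route or client_domain_avp is needed. GW1_IP:GW1_PORT, GW2_IP:GW2_PORT and the ca_list paths are placeholders; the verify_cert, ca_list and TLSv1_2 lines assume the gateways present certificates issued by a CA you trust and support TLS 1.2, and they differ from the settings in the original post (verify_cert 0, TLSv1).

```cfg
loadmodule "tls_mgm.so"

# GW1_IP:GW1_PORT / GW2_IP:GW2_PORT are placeholders for the REMOTE address
# of each gateway (the destination of the TLS connection), not the local
# IP1/IP2 listening sockets configured in the Dynamic Routing table.

# --- Client domain picked for connections opened towards gateway 1 ---
modparam("tls_mgm", "client_domain", "test1=GW1_IP:GW1_PORT")
modparam("tls_mgm", "certificate", "[test1]/etc/opensips/tls/test1/fullchain.pem")
modparam("tls_mgm", "private_key", "[test1]/etc/opensips/tls/test1/privkey.pem")
# Assumption: gateway supports TLS 1.2 (the original post used TLSv1).
modparam("tls_mgm", "tls_method", "[test1]TLSv1_2")
# Assumption: verify the gateway's certificate instead of accepting any
# peer (the original post used verify_cert 0). The CA path is a placeholder.
modparam("tls_mgm", "verify_cert", "[test1]1")
modparam("tls_mgm", "ca_list", "[test1]/etc/opensips/tls/ca/gw1-ca.pem")

# --- Client domain picked for connections opened towards gateway 2 ---
modparam("tls_mgm", "client_domain", "test2=GW2_IP:GW2_PORT")
modparam("tls_mgm", "certificate", "[test2]/etc/opensips/tls/test2/fullchain.pem")
modparam("tls_mgm", "private_key", "[test2]/etc/opensips/tls/test2/privkey.pem")
modparam("tls_mgm", "tls_method", "[test2]TLSv1_2")
modparam("tls_mgm", "verify_cert", "[test2]1")
modparam("tls_mgm", "ca_list", "[test2]/etc/opensips/tls/ca/gw2-ca.pem")

# The client_domain_avp parameter and the local_route block that set
# $avp(tls_cli_dom) are not used here: the domain is selected from the
# destination address when the TLS connection is opened, which also
# covers the OPTIONS pings generated outside any route context.
```

With verify_cert left at 0 the client side accepts whatever certificate the destination presents, so the per-gateway certificate selection alone does not authenticate the gateway.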

