Hi Alexey,
oh, if it is MS related, I don't wanna hear about it :P.....Just joking
- please open a bug report on the tracker.
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 2019
https://www.opensips.org/events/Summit-2019Amsterdam/
On 03/28/2019 03:16 PM, Alexey Vasilyev wrote:
Hi Bogdan,
Yes, of course this is a real scenario. MS Teams integration. They
authenticate everything by the TLS certificates used by the connection. It
works fine for 1 integration.
But if I send SIP with domain2 to the TLS connection encrypted with
the certificate for domain1, I just fail.
And actually everybody I checked reuses TLS sessions almost the same
way as TCP. So OpenSIPS will be the first doing this the correct way.
And I like the comments from tls_mgm.c
/* what if we have multiple connections to the same remote socket?
e.g. we can have
connection 1: localIP1:localPort1 <--> remoteIP:remotePort
connection 2: localIP2:localPort2 <--> remoteIP:remotePort
but I think the is very unrealistic */
So I got exactly this scenario.
On Thu, 28 Mar 2019 at 13:47, Bogdan-Andrei Iancu <[email protected]> wrote:
Hi Alexey,
It makes sense (logically speaking) to get the TLS domain involved in the
TCP conn re-usage alg - but my question is: have you come across a real
scenario with such a need?
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 2019
https://www.opensips.org/events/Summit-2019Amsterdam/
On 03/26/2019 02:23 PM, vasilevalex wrote:
> Hi Bogdan,
>
> Thanks for fix!
>
> What do you think about reusing TLS connections? In the master branch this
> behavior is still the same. OpenSIPS reuses TLS connections the same way as
> regular TCP connections, but it should not. For reusing a TCP connection we
> check if a connection with the same dst IP:PORT exists. But for TLS it is not
> enough. We additionally should check what certificate this connection uses
> (or what domain it is related to).
>
> And in the documentation for the tls_mgm module it is written everywhere:
> Note: If there is already an existing TLS connection to the remote target,
> it will be reused and setting this AVP has no effect.
>
> This is the same case - we have only 1 destination target, but we should use
> several TLS connections to this target with different TLS certificates. So
> the first connection will be successful, but a SIP message for the second
> domain, which should use another certificate, will try to reuse this first
> connection, as the target is the same. And this message will fail.
>
>
>
> -----
> ---
> Alexey Vasilyev
> --
> Sent from:
http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>
> _______________________________________________
> Users mailing list
> [email protected] <mailto:[email protected]>
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
--
Best regards
Alexey Vasilyev
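
The reuse problem discussed in this thread, as an added example that is not code from OpenSIPS or from either poster: a connection lookup keyed on destination IP:port only, next to one that also keys on the TLS domain. The struct, the function names `get_conn` and `conn_count`, the domain labels and the 203.0.113.10 address are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAX_CONN 8

/* Hypothetical, simplified connection record (not the OpenSIPS struct). */
struct conn {
    char rip[46];         /* remote IP */
    unsigned short rport; /* remote port */
    char tls_dom[64];     /* client TLS domain whose certificate was presented */
};

static struct conn table[MAX_CONN];
static int nconn;

/* Return a connection to ip:port for a message that belongs to TLS domain
 * `dom`. With match_dom == 0 the lookup key is dst IP:port only (the reuse
 * described in the thread); with match_dom != 0 the domain is part of the key. */
struct conn *get_conn(const char *ip, unsigned short port,
                      const char *dom, int match_dom)
{
    for (int i = 0; i < nconn; i++) {
        struct conn *c = &table[i];
        if (c->rport != port || strcmp(c->rip, ip) != 0)
            continue;
        if (match_dom && strcmp(c->tls_dom, dom) != 0)
            continue; /* same target, different certificate: not reusable */
        return c;
    }
    if (nconn == MAX_CONN)
        return NULL;
    /* No reusable connection: stand-in for a new handshake with dom's cert. */
    struct conn *c = &table[nconn++];
    snprintf(c->rip, sizeof c->rip, "%s", ip);
    c->rport = port;
    snprintf(c->tls_dom, sizeof c->tls_dom, "%s", dom);
    return c;
}
int conn_count(void) { return nconn; }

int main(void)
{
    get_conn("203.0.113.10", 5061, "domain1", 0); /* constructed sample target */
    struct conn *c = get_conn("203.0.113.10", 5061, "domain2", 0);
    printf("IP:port key    -> domain2 message uses cert of %s\n", c->tls_dom);
    c = get_conn("203.0.113.10", 5061, "domain2", 1);
    printf("IP:port+domain -> domain2 message uses cert of %s (%d conns)\n", c->tls_dom, conn_count());
    return 0;
}
```

With the IP:port key the domain2 message is handed the connection authenticated as domain1, which is the failure against a peer that authorizes by certificate; with the domain in the key a second connection to the same target is opened.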