Re: [OpenSIPS-Users] Control TLS client domain

2019-03-29 Thread Bogdan-Andrei Iancu 

Thank you Alexey,

I will look into it.

Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 2019
  https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/28/2019 10:00 PM, Alexey Vasilyev wrote:

Hi Bogdan,

Sorry that I mentioned He-Who-Must-Not-Be-Named. Just to simplify 
search later: https://github.com/OpenSIPS/opensips/issues/1651



-
Alexey Vasilyev
alexei.vasil...@gmail.com 



28 Mar 2019, в 16:45, Bogdan-Andrei Iancu > написал(а):


Hi Alexey,

oh, if it is MS related, I don't wanna hear about it :P.Just 
joking - please open a bug report on the tracker.


Regards,
Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 2019
   https://www.opensips.org/events/Summit-2019Amsterdam/
On 03/28/2019 03:16 PM, Alexey Vasilyev wrote:

Hi Bogdan,

Yes, of course this is real scenario. MS Teams integration. They 
authenticate everything by TLS certificates used by connection. It 
works fine for 1 integration.
But if I send SIP with domain2 to the TLS connection encrypted with 
certificate for domain1, I just fail.
And actually everybody I checked reusing TLS sessions almost the 
same way as TCP. So OpenSIPS will be the first doing this correct way.

And I like comments from tls_mgm.c
/* what if we have multiple connections to the same remote socket? 
e.g. we can have

connection 1: localIP1:localPort1 <--> remoteIP:remotePort
connection 2: localIP2:localPort2 <--> remoteIP:remotePort
but I think the is very unrealistic */
So I got exactly this scenario.


чт, 28 мар. 2019 г. в 13:47, Bogdan-Andrei Iancu 
mailto:bog...@opensips.org>>:


Hi Alexey,

It make sense (logically speaking) to get the TLS domain
involved in the
TCP conn re-usage alg - but my question is: have you came across
a real
scenario with such a need ?

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
https://www.opensips-solutions.com

OpenSIPS Summit 2019
https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/26/2019 02:23 PM, vasilevalex wrote:
> Hi Bogdan,
>
> Thanks for fix!
>
> What do you think about reusing TLS connections? In master
branch this
> behavior still the same. OpenSIPS reuses TLS connections the
same way as
> regular TCP connections, but it should not. For reusing TCP
connection we
> check, if connection with the same dst IP:PORT exists. But for
TLS it is not
> enough. We additionally should check, what certificate uses
this connection
> (or what domain it is related).
>
> And in documentation for tls_mgm module everywhere written:
Note: If there
> is already an existing TLS connection to the remote target, it
will be
> reused and setting this AVP has no effect.
>
> This is the same case - we have only 1 destination target, but
we should use
> several TLS connections to this target with different TLS
certificates. So
> first connection will be successful, but SIP message for
second domain which
> should use another certificate will try to reuse this first
connection, as
> target is the same. And this message will fail.
>
>
>
> -
> ---
> Alexey Vasilyev
> --
> Sent from:

http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>
> ___
> Users mailing list
> Users@lists.opensips.org 
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users



--
Best regards
Alexey Vasilyev






___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [OpenSIPS-Users] Control TLS client domain

2019-03-28 Thread Alexey Vasilyev 
Hi Bogdan,

Sorry that I mentioned He-Who-Must-Not-Be-Named. Just to simplify search later: 
https://github.com/OpenSIPS/opensips/issues/1651


-
Alexey Vasilyev
alexei.vasil...@gmail.com



> 28 Mar 2019, в 16:45, Bogdan-Andrei Iancu  написал(а):
> 
> Hi Alexey,
> 
> oh, if it is MS related, I don't wanna hear about it :P.Just joking - 
> please open a bug report on the tracker.
> 
> Regards,
>  Bogdan-Andrei Iancu
> 
> OpenSIPS Founder and Developer
>   https://www.opensips-solutions.com 
> OpenSIPS Summit 2019
>   https://www.opensips.org/events/Summit-2019Amsterdam/ 
> 
> On 03/28/2019 03:16 PM, Alexey Vasilyev wrote:
>> Hi Bogdan,
>> 
>> Yes, of course this is real scenario. MS Teams integration. They 
>> authenticate everything by TLS certificates used by connection. It works 
>> fine for 1 integration. 
>> But if I send SIP with domain2 to the TLS connection encrypted with 
>> certificate for domain1, I just fail.
>> And actually everybody I checked reusing TLS sessions almost the same way as 
>> TCP. So OpenSIPS will be the first doing this correct way.
>> And I like comments from tls_mgm.c
>> /* what if we have multiple connections to the same remote socket? e.g. we 
>> can have
>>   connection 1: localIP1:localPort1 <--> remoteIP:remotePort
>>   connection 2: localIP2:localPort2 <--> remoteIP:remotePort
>> but I think the is very unrealistic */
>> 
>> So I got exactly this scenario.
>> 
>> 
>> чт, 28 мар. 2019 г. в 13:47, Bogdan-Andrei Iancu > >:
>> Hi Alexey,
>> 
>> It make sense (logically speaking) to get the TLS domain involved in the 
>> TCP conn re-usage alg - but my question is: have you came across a real 
>> scenario with such a need ?
>> 
>> Regards,
>> 
>> Bogdan-Andrei Iancu
>> 
>> OpenSIPS Founder and Developer
>>https://www.opensips-solutions.com 
>> OpenSIPS Summit 2019
>>https://www.opensips.org/events/Summit-2019Amsterdam/ 
>> 
>> 
>> On 03/26/2019 02:23 PM, vasilevalex wrote:
>> > Hi Bogdan,
>> >
>> > Thanks for fix!
>> >
>> > What do you think about reusing TLS connections? In master branch this
>> > behavior still the same. OpenSIPS reuses TLS connections the same way as
>> > regular TCP connections, but it should not. For reusing TCP connection we
>> > check, if connection with the same dst IP:PORT exists. But for TLS it is 
>> > not
>> > enough. We additionally should check, what certificate uses this connection
>> > (or what domain it is related).
>> >
>> > And in documentation for tls_mgm module everywhere written: Note: If there
>> > is already an existing TLS connection to the remote target, it will be
>> > reused and setting this AVP has no effect.
>> >
>> > This is the same case - we have only 1 destination target, but we should 
>> > use
>> > several TLS connections to this target with different TLS certificates. So
>> > first connection will be successful, but SIP message for second domain 
>> > which
>> > should use another certificate will try to reuse this first connection, as
>> > target is the same. And this message will fail.
>> >
>> >
>> >
>> > -
>> > ---
>> > Alexey Vasilyev
>> > --
>> > Sent from: 
>> > http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>> >  
>> > 
>> >
>> > ___
>> > Users mailing list
>> > Users@lists.opensips.org 
>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users 
>> > 
>> 
>> 
>> 
>> -- 
>> Best regards
>> Alexey Vasilyev
> 

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [OpenSIPS-Users] Control TLS client domain

2019-03-28 Thread Bogdan-Andrei Iancu 

Hi Alexey,

oh, if it is MS related, I don't wanna hear about it :P.Just joking 
- please open a bug report on the tracker.


Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 2019
  https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/28/2019 03:16 PM, Alexey Vasilyev wrote:

Hi Bogdan,

Yes, of course this is real scenario. MS Teams integration. They 
authenticate everything by TLS certificates used by connection. It 
works fine for 1 integration.
But if I send SIP with domain2 to the TLS connection encrypted with 
certificate for domain1, I just fail.
And actually everybody I checked reusing TLS sessions almost the same 
way as TCP. So OpenSIPS will be the first doing this correct way.

And I like comments from tls_mgm.c
/* what if we have multiple connections to the same remote socket? 
e.g. we can have

connection 1: localIP1:localPort1 <--> remoteIP:remotePort
connection 2: localIP2:localPort2 <--> remoteIP:remotePort
but I think the is very unrealistic */
So I got exactly this scenario.


чт, 28 мар. 2019 г. в 13:47, Bogdan-Andrei Iancu >:


Hi Alexey,

It make sense (logically speaking) to get the TLS domain involved
in the
TCP conn re-usage alg - but my question is: have you came across a
real
scenario with such a need ?

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 2019
https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/26/2019 02:23 PM, vasilevalex wrote:
> Hi Bogdan,
>
> Thanks for fix!
>
> What do you think about reusing TLS connections? In master
branch this
> behavior still the same. OpenSIPS reuses TLS connections the
same way as
> regular TCP connections, but it should not. For reusing TCP
connection we
> check, if connection with the same dst IP:PORT exists. But for
TLS it is not
> enough. We additionally should check, what certificate uses this
connection
> (or what domain it is related).
>
> And in documentation for tls_mgm module everywhere written:
Note: If there
> is already an existing TLS connection to the remote target, it
will be
> reused and setting this AVP has no effect.
>
> This is the same case - we have only 1 destination target, but
we should use
> several TLS connections to this target with different TLS
certificates. So
> first connection will be successful, but SIP message for second
domain which
> should use another certificate will try to reuse this first
connection, as
> target is the same. And this message will fail.
>
>
>
> -
> ---
> Alexey Vasilyev
> --
> Sent from:

http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>
> ___
> Users mailing list
> Users@lists.opensips.org 
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users



--
Best regards
Alexey Vasilyev


___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [OpenSIPS-Users] Control TLS client domain

2019-03-28 Thread Alexey Vasilyev 
Hi Bogdan,

Yes, of course this is real scenario. MS Teams integration. They
authenticate everything by TLS certificates used by connection. It works
fine for 1 integration.
But if I send SIP with domain2 to the TLS connection encrypted with
certificate for domain1, I just fail.
And actually everybody I checked reusing TLS sessions almost the same way
as TCP. So OpenSIPS will be the first doing this correct way.
And I like comments from tls_mgm.c
/* what if we have multiple connections to the same remote socket? e.g. we
can have
connection 1: localIP1:localPort1 <--> remoteIP:remotePort
connection 2: localIP2:localPort2 <--> remoteIP:remotePort
but I think the is very unrealistic */
So I got exactly this scenario.


чт, 28 мар. 2019 г. в 13:47, Bogdan-Andrei Iancu :

> Hi Alexey,
>
> It make sense (logically speaking) to get the TLS domain involved in the
> TCP conn re-usage alg - but my question is: have you came across a real
> scenario with such a need ?
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>https://www.opensips-solutions.com
> OpenSIPS Summit 2019
>https://www.opensips.org/events/Summit-2019Amsterdam/
>
> On 03/26/2019 02:23 PM, vasilevalex wrote:
> > Hi Bogdan,
> >
> > Thanks for fix!
> >
> > What do you think about reusing TLS connections? In master branch this
> > behavior still the same. OpenSIPS reuses TLS connections the same way as
> > regular TCP connections, but it should not. For reusing TCP connection we
> > check, if connection with the same dst IP:PORT exists. But for TLS it is
> not
> > enough. We additionally should check, what certificate uses this
> connection
> > (or what domain it is related).
> >
> > And in documentation for tls_mgm module everywhere written: Note: If
> there
> > is already an existing TLS connection to the remote target, it will be
> > reused and setting this AVP has no effect.
> >
> > This is the same case - we have only 1 destination target, but we should
> use
> > several TLS connections to this target with different TLS certificates.
> So
> > first connection will be successful, but SIP message for second domain
> which
> > should use another certificate will try to reuse this first connection,
> as
> > target is the same. And this message will fail.
> >
> >
> >
> > -
> > ---
> > Alexey Vasilyev
> > --
> > Sent from:
> http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
> >
> > ___
> > Users mailing list
> > Users@lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
>

-- 
Best regards
Alexey Vasilyev
___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [OpenSIPS-Users] Control TLS client domain

2019-03-28 Thread Bogdan-Andrei Iancu 

Hi Alexey,

It make sense (logically speaking) to get the TLS domain involved in the 
TCP conn re-usage alg - but my question is: have you came across a real 
scenario with such a need ?


Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 2019
  https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/26/2019 02:23 PM, vasilevalex wrote:

Hi Bogdan,

Thanks for fix!

What do you think about reusing TLS connections? In master branch this
behavior still the same. OpenSIPS reuses TLS connections the same way as
regular TCP connections, but it should not. For reusing TCP connection we
check, if connection with the same dst IP:PORT exists. But for TLS it is not
enough. We additionally should check, what certificate uses this connection
(or what domain it is related).

And in documentation for tls_mgm module everywhere written: Note: If there
is already an existing TLS connection to the remote target, it will be
reused and setting this AVP has no effect.

This is the same case - we have only 1 destination target, but we should use
several TLS connections to this target with different TLS certificates. So
first connection will be successful, but SIP message for second domain which
should use another certificate will try to reuse this first connection, as
target is the same. And this message will fail.



-
---
Alexey Vasilyev
--
Sent from: 
http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users



___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [OpenSIPS-Users] Control TLS client domain

2019-03-26 Thread vasilevalex 
Hi Bogdan,

Thanks for fix!

What do you think about reusing TLS connections? In master branch this
behavior still the same. OpenSIPS reuses TLS connections the same way as
regular TCP connections, but it should not. For reusing TCP connection we
check, if connection with the same dst IP:PORT exists. But for TLS it is not
enough. We additionally should check, what certificate uses this connection
(or what domain it is related).

And in documentation for tls_mgm module everywhere written: Note: If there
is already an existing TLS connection to the remote target, it will be
reused and setting this AVP has no effect.

This is the same case - we have only 1 destination target, but we should use
several TLS connections to this target with different TLS certificates. So
first connection will be successful, but SIP message for second domain which
should use another certificate will try to reuse this first connection, as
target is the same. And this message will fail.



-
---
Alexey Vasilyev
--
Sent from: 
http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [OpenSIPS-Users] Control TLS client domain

2019-03-26 Thread Bogdan-Andrei Iancu 

Hi Alexey,

In your example, I saw you where sending the OPTIONS to some GWs in 
drouting, GWs with different IPs, so the IP-based domains should work in 
that case.


Now, if you have a different clients behind the same IP - I guess this 
is a different scenario. In this case I guess you need the AVP to 
control the selection of the client TLS domain. But a small question - 
if you interact with customers, do you still generate OPTIONS (or any 
locally generated requests) towards the customers ? usually you act as a 
sip proxy for the traffic to customers and in this case the AVP will be 
fine (the AVP limitation is only in local route).


Let me follow up on #1642 with a small patch that will expose the AVPs 
to the msg sending process.


BTW, in 3.0, the TLS mgm is completely reworked with better TLS domain 
selection, including SNI support .


Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 2019
  https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/25/2019 09:53 PM, Alexey Vasilyev wrote:

Hi Bogdan,
It would be nice to get rid of these AVPs, and select client domain by 
destination IP, but the problem that I have only 1 destination gw IP for all 
customers domains.
I have cloud platform, which I’d like to connect from OpenSIPS. And I have many 
customers with their domains.

So the only way to choose client tls domain is AVP.

And why not to allow manipulate AVPs in local route? I modified 
modules/tm/uac.c little bit, and now I can select TLS client domain with AVP 
from local_route.
https://github.com/OpenSIPS/opensips/issues/1642
But I’m not sure about the code. And sorry, that I marked it as bug, I thought 
that it is normal to work with AVP variables from local_route.

I have another issue, that OpenSIPS reuses TLS connections the same way as 
regular TCP connections, but it should not. For reusing TCP connection we 
check, if connection with the same dst IP:PORT exists. But for TLS it is not 
enough. We additionally should check, what certificate uses this connection (or 
what domain it is related).

If on server side we have SNI, why not to have more control for client TLS side?

-
Alexey Vasilyev
alexei.vasil...@gmail.com




25 Mar 2019, в 18:37, Bogdan-Andrei Iancu  написал(а):

Hi Alexey,

Well, the AVPs (as variables) are not visible for the TLS send operation. In local route, the 
actual "send" is outside the route context, so the AVP you set in the local route are not 
impacting the later TLS "send".

On the other hand, you can select the TLS certificate to use based on the 
destination IP of the TLS connection (the IP of the GW, in your case).

Check this 
https://opensips.org/html/docs/modules/2.4.x/tls_mgm.html#domains-param .

And when you define the client_domain, you set the IP of your GW :

modparam("tls_mgm", "client_domain", "test1=GW_IP:GW_PORT")

and you do not need the local route anymore, as the test1 TLS domain will be 
automatically picked when sending GW_IP:GW_PORT.


Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 2019
  https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/20/2019 02:40 PM, vasilevalex wrote:

Hi all.

OpenSIPS 2.4.4
I have 2 gateways in Dynamic Routing module table. For both gateways I have
different sockets:
address: gw1, socket: tls::5061
address: gw2, socket: tls::5061

IP1 has certificate for TLS sip.domain1.com
IP2 has certificate for TLS sip.domain2.com

And something like this for tls management module:

loadmodule "tls_mgm.so"
modparam("tls_mgm", "client_domain_avp", "tls_cli_dom")
modparam("tls_mgm", "client_domain", "test1")
modparam("tls_mgm","certificate",
"[test1]/etc/opensips/tls/test1/fullchain.pem")
modparam("tls_mgm","private_key",
"[test1]/etc/opensips/tls/test1/privkey.pem")
modparam("tls_mgm","verify_cert", "[test1]0")
modparam("tls_mgm","require_cert", "[test1]0")
modparam("tls_mgm","tls_method", "[test1]TLSv1")
modparam("tls_mgm", "client_domain", "test2")
modparam("tls_mgm","certificate",
"[test2]/etc/opensips/tls/test2/fullchain.pem")
modparam("tls_mgm","private_key",
"[test2]/etc/opensips/tls/test2/privkey.pem")
modparam("tls_mgm","verify_cert", "[test2]0")
modparam("tls_mgm","require_cert", "[test2]0")
modparam("tls_mgm","tls_method", "[test2]TLSv1")
#Default domain
modparam("tls_mgm","certificate", "/etc/opensips/tls/test1/fullchain.pem")
modparam("tls_mgm","private_key", "/etc/opensips/tls/test1/privkey.pem")
modparam("tls_mgm","verify_cert", "0")
modparam("tls_mgm","require_cert", "0")
modparam("tls_mgm","tls_method", "TLSv1")
modparam("tls_mgm", "server_domain", "srv2=IP2:5061")
modparam("tls_mgm","certificate",
"[srv2]/etc/opensips/tls/test2/fullchain.pem")
modparam("tls_mgm","private_key",
"[srv2]/etc/opensips/tls/test2/privkey.pem")
modparam("tls_mgm","verify_cert", "[srv2]0")
modparam("tls_mgm","require_cert", "[srv2]0")
modparam("tls_mgm","tls_method", "[srv2]T

Re: [OpenSIPS-Users] Control TLS client domain

2019-03-25 Thread Alexey Vasilyev 
Hi Bogdan,
It would be nice to get rid of these AVPs, and select client domain by 
destination IP, but the problem that I have only 1 destination gw IP for all 
customers domains.
I have cloud platform, which I’d like to connect from OpenSIPS. And I have many 
customers with their domains.

So the only way to choose client tls domain is AVP.

And why not to allow manipulate AVPs in local route? I modified 
modules/tm/uac.c little bit, and now I can select TLS client domain with AVP 
from local_route. 
https://github.com/OpenSIPS/opensips/issues/1642
But I’m not sure about the code. And sorry, that I marked it as bug, I thought 
that it is normal to work with AVP variables from local_route.

I have another issue, that OpenSIPS reuses TLS connections the same way as 
regular TCP connections, but it should not. For reusing TCP connection we 
check, if connection with the same dst IP:PORT exists. But for TLS it is not 
enough. We additionally should check, what certificate uses this connection (or 
what domain it is related).

If on server side we have SNI, why not to have more control for client TLS side?

-
Alexey Vasilyev
alexei.vasil...@gmail.com



> 25 Mar 2019, в 18:37, Bogdan-Andrei Iancu  написал(а):
> 
> Hi Alexey,
> 
> Well, the AVPs (as variables) are not visible for the TLS send operation. In 
> local route, the actual "send" is outside the route context, so the AVP you 
> set in the local route are not impacting the later TLS "send".
> 
> On the other hand, you can select the TLS certificate to use based on the 
> destination IP of the TLS connection (the IP of the GW, in your case).
> 
> Check this 
> https://opensips.org/html/docs/modules/2.4.x/tls_mgm.html#domains-param .
> 
> And when you define the client_domain, you set the IP of your GW :
> 
> modparam("tls_mgm", "client_domain", "test1=GW_IP:GW_PORT")
> 
> and you do not need the local route anymore, as the test1 TLS domain will be 
> automatically picked when sending GW_IP:GW_PORT.
> 
> 
> Best regards,
> 
> Bogdan-Andrei Iancu
> 
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 2019
> https://www.opensips.org/events/Summit-2019Amsterdam/
> 
> On 03/20/2019 02:40 PM, vasilevalex wrote:
>> Hi all.
>> 
>> OpenSIPS 2.4.4
>> I have 2 gateways in Dynamic Routing module table. For both gateways I have
>> different sockets:
>> address: gw1, socket: tls::5061
>> address: gw2, socket: tls::5061
>> 
>> IP1 has certificate for TLS sip.domain1.com
>> IP2 has certificate for TLS sip.domain2.com
>> 
>> And something like this for tls management module:
>> 
>> loadmodule "tls_mgm.so"
>> modparam("tls_mgm", "client_domain_avp", "tls_cli_dom")
>> modparam("tls_mgm", "client_domain", "test1")
>> modparam("tls_mgm","certificate",
>> "[test1]/etc/opensips/tls/test1/fullchain.pem")
>> modparam("tls_mgm","private_key",
>> "[test1]/etc/opensips/tls/test1/privkey.pem")
>> modparam("tls_mgm","verify_cert", "[test1]0")
>> modparam("tls_mgm","require_cert", "[test1]0")
>> modparam("tls_mgm","tls_method", "[test1]TLSv1")
>> modparam("tls_mgm", "client_domain", "test2")
>> modparam("tls_mgm","certificate",
>> "[test2]/etc/opensips/tls/test2/fullchain.pem")
>> modparam("tls_mgm","private_key",
>> "[test2]/etc/opensips/tls/test2/privkey.pem")
>> modparam("tls_mgm","verify_cert", "[test2]0")
>> modparam("tls_mgm","require_cert", "[test2]0")
>> modparam("tls_mgm","tls_method", "[test2]TLSv1")
>> #Default domain
>> modparam("tls_mgm","certificate", "/etc/opensips/tls/test1/fullchain.pem")
>> modparam("tls_mgm","private_key", "/etc/opensips/tls/test1/privkey.pem")
>> modparam("tls_mgm","verify_cert", "0")
>> modparam("tls_mgm","require_cert", "0")
>> modparam("tls_mgm","tls_method", "TLSv1")
>> modparam("tls_mgm", "server_domain", "srv2=IP2:5061")
>> modparam("tls_mgm","certificate",
>> "[srv2]/etc/opensips/tls/test2/fullchain.pem")
>> modparam("tls_mgm","private_key",
>> "[srv2]/etc/opensips/tls/test2/privkey.pem")
>> modparam("tls_mgm","verify_cert", "[srv2]0")
>> modparam("tls_mgm","require_cert", "[srv2]0")
>> modparam("tls_mgm","tls_method", "[srv2]TLSv1")
>> 
>> Server part of TLS works fine.
>> But I want OPTIONS to these gateways to be send with correct TLS
>> certificate.
>> 
>> local_route {
>>  if (is_method("OPTIONS")) {
>># Get IP for outgoing socket
>>$var(ip_out) = $(fs{s.select,1,:});
>>switch($var(ip_out)) {
>>  case "IP1":
>>$avp(tls_cli_dom) = "test1";
>>  break;
>>  case "IP2":
>>$avp(tls_cli_dom) = "test2";
>>  break;
>>}
>>xlog("AVP for TLS:  $avp(tls_cli_dom) \n");
>>  }
>> }
>> 
>> So AVP for choosing client domain is set correctly during sending OPTIONS.
>> OpenSIPS uses different sockets for sending OPTIONS, but default TLS domain
>> for both gateways. What's wrong?
>> 
>> 
>> 
>> -
>> ---
>> Alexey Vasilyev
>> --
>> Sent from: 
>> http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>> 
>> _

Re: [OpenSIPS-Users] Control TLS client domain

2019-03-25 Thread Bogdan-Andrei Iancu 

Hi Alexey,

Well, the AVPs (as variables) are not visible for the TLS send 
operation. In local route, the actual "send" is outside the route 
context, so the AVP you set in the local route are not impacting the 
later TLS "send".


On the other hand, you can select the TLS certificate to use based on 
the destination IP of the TLS connection (the IP of the GW, in your case).


Check this 
https://opensips.org/html/docs/modules/2.4.x/tls_mgm.html#domains-param .


And when you define the client_domain, you set the IP of your GW :

modparam("tls_mgm", "client_domain", "test1=GW_IP:GW_PORT")

and you do not need the local route anymore, as the test1 TLS domain will be 
automatically picked when sending GW_IP:GW_PORT.


Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 2019
  https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/20/2019 02:40 PM, vasilevalex wrote:

Hi all.

OpenSIPS 2.4.4
I have 2 gateways in Dynamic Routing module table. For both gateways I have
different sockets:
address: gw1, socket: tls::5061
address: gw2, socket: tls::5061

IP1 has certificate for TLS sip.domain1.com
IP2 has certificate for TLS sip.domain2.com

And something like this for tls management module:

loadmodule "tls_mgm.so"
modparam("tls_mgm", "client_domain_avp", "tls_cli_dom")
modparam("tls_mgm", "client_domain", "test1")
modparam("tls_mgm","certificate",
"[test1]/etc/opensips/tls/test1/fullchain.pem")
modparam("tls_mgm","private_key",
"[test1]/etc/opensips/tls/test1/privkey.pem")
modparam("tls_mgm","verify_cert", "[test1]0")
modparam("tls_mgm","require_cert", "[test1]0")
modparam("tls_mgm","tls_method", "[test1]TLSv1")
modparam("tls_mgm", "client_domain", "test2")
modparam("tls_mgm","certificate",
"[test2]/etc/opensips/tls/test2/fullchain.pem")
modparam("tls_mgm","private_key",
"[test2]/etc/opensips/tls/test2/privkey.pem")
modparam("tls_mgm","verify_cert", "[test2]0")
modparam("tls_mgm","require_cert", "[test2]0")
modparam("tls_mgm","tls_method", "[test2]TLSv1")
#Default domain
modparam("tls_mgm","certificate", "/etc/opensips/tls/test1/fullchain.pem")
modparam("tls_mgm","private_key", "/etc/opensips/tls/test1/privkey.pem")
modparam("tls_mgm","verify_cert", "0")
modparam("tls_mgm","require_cert", "0")
modparam("tls_mgm","tls_method", "TLSv1")
modparam("tls_mgm", "server_domain", "srv2=IP2:5061")
modparam("tls_mgm","certificate",
"[srv2]/etc/opensips/tls/test2/fullchain.pem")
modparam("tls_mgm","private_key",
"[srv2]/etc/opensips/tls/test2/privkey.pem")
modparam("tls_mgm","verify_cert", "[srv2]0")
modparam("tls_mgm","require_cert", "[srv2]0")
modparam("tls_mgm","tls_method", "[srv2]TLSv1")

Server part of TLS works fine.
But I want OPTIONS to these gateways to be send with correct TLS
certificate.

local_route {
   if (is_method("OPTIONS")) {
 # Get IP for outgoing socket
 $var(ip_out) = $(fs{s.select,1,:});
 switch($var(ip_out)) {
   case "IP1":
 $avp(tls_cli_dom) = "test1";
   break;
   case "IP2":
 $avp(tls_cli_dom) = "test2";
   break;
 }
 xlog("AVP for TLS:  $avp(tls_cli_dom) \n");
   }
}

So AVP for choosing client domain is set correctly during sending OPTIONS.
OpenSIPS uses different sockets for sending OPTIONS, but default TLS domain
for both gateways. What's wrong?



-
---
Alexey Vasilyev
--
Sent from: 
http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users



___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

[OpenSIPS-Users] Control TLS client domain

2019-03-20 Thread vasilevalex 
Hi all.

OpenSIPS 2.4.4
I have 2 gateways in Dynamic Routing module table. For both gateways I have
different sockets:
address: gw1, socket: tls::5061
address: gw2, socket: tls::5061

IP1 has certificate for TLS sip.domain1.com
IP2 has certificate for TLS sip.domain2.com

And something like this for tls management module:

loadmodule "tls_mgm.so"
modparam("tls_mgm", "client_domain_avp", "tls_cli_dom")
modparam("tls_mgm", "client_domain", "test1")
modparam("tls_mgm","certificate",
"[test1]/etc/opensips/tls/test1/fullchain.pem")
modparam("tls_mgm","private_key",
"[test1]/etc/opensips/tls/test1/privkey.pem")
modparam("tls_mgm","verify_cert", "[test1]0")
modparam("tls_mgm","require_cert", "[test1]0")
modparam("tls_mgm","tls_method", "[test1]TLSv1")
modparam("tls_mgm", "client_domain", "test2")
modparam("tls_mgm","certificate",
"[test2]/etc/opensips/tls/test2/fullchain.pem")
modparam("tls_mgm","private_key",
"[test2]/etc/opensips/tls/test2/privkey.pem")
modparam("tls_mgm","verify_cert", "[test2]0")
modparam("tls_mgm","require_cert", "[test2]0")
modparam("tls_mgm","tls_method", "[test2]TLSv1")
#Default domain
modparam("tls_mgm","certificate", "/etc/opensips/tls/test1/fullchain.pem")
modparam("tls_mgm","private_key", "/etc/opensips/tls/test1/privkey.pem")
modparam("tls_mgm","verify_cert", "0")
modparam("tls_mgm","require_cert", "0")
modparam("tls_mgm","tls_method", "TLSv1")
modparam("tls_mgm", "server_domain", "srv2=IP2:5061")
modparam("tls_mgm","certificate",
"[srv2]/etc/opensips/tls/test2/fullchain.pem")
modparam("tls_mgm","private_key",
"[srv2]/etc/opensips/tls/test2/privkey.pem")
modparam("tls_mgm","verify_cert", "[srv2]0")
modparam("tls_mgm","require_cert", "[srv2]0")
modparam("tls_mgm","tls_method", "[srv2]TLSv1")

Server part of TLS works fine.
But I want OPTIONS to these gateways to be send with correct TLS
certificate.

local_route {
  if (is_method("OPTIONS")) {
# Get IP for outgoing socket
$var(ip_out) = $(fs{s.select,1,:});
switch($var(ip_out)) {
  case "IP1":
$avp(tls_cli_dom) = "test1";
  break;
  case "IP2":
$avp(tls_cli_dom) = "test2";
  break;
}
xlog("AVP for TLS:  $avp(tls_cli_dom) \n");
  }
}

So AVP for choosing client domain is set correctly during sending OPTIONS.
OpenSIPS uses different sockets for sending OPTIONS, but default TLS domain
for both gateways. What's wrong?



-
---
Alexey Vasilyev
--
Sent from: 
http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users