Hi Bogdan,

Yes, of course this is a real scenario: MS Teams integration. They authenticate everything by the TLS certificate used by the connection. It works fine for 1 integration. But if I send SIP with domain2 over the TLS connection encrypted with the certificate for domain1, it just fails. And actually everybody I checked reuses TLS sessions almost the same way as TCP. So OpenSIPS will be the first doing this the correct way.

And I like the comment from tls_mgm.c:

    /* what if we have multiple connections to the same remote socket?
       e.g. we can have
       connection 1: localIP1:localPort1 <--> remoteIP:remotePort
       connection 2: localIP2:localPort2 <--> remoteIP:remotePort
       but I think the is very unrealistic */

So I got exactly this scenario.
Thu, 28 Mar 2019 at 13:47, Bogdan-Andrei Iancu <bog...@opensips.org>:

> Hi Alexey,
>
> It makes sense (logically speaking) to get the TLS domain involved in the
> TCP conn re-usage alg - but my question is: have you come across a real
> scenario with such a need?
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 2019
> https://www.opensips.org/events/Summit-2019Amsterdam/
>
> On 03/26/2019 02:23 PM, vasilevalex wrote:
> > Hi Bogdan,
> >
> > Thanks for the fix!
> >
> > What do you think about reusing TLS connections? In the master branch this
> > behavior is still the same. OpenSIPS reuses TLS connections the same way as
> > regular TCP connections, but it should not. For reusing a TCP connection we
> > check if a connection with the same dst IP:PORT exists. But for TLS it is not
> > enough. We additionally should check what certificate this connection uses
> > (or what domain it is related to).
> >
> > And in the documentation for the tls_mgm module it is written everywhere: Note: If
> > there is already an existing TLS connection to the remote target, it will be
> > reused and setting this AVP has no effect.
> >
> > This is the same case - we have only 1 destination target, but we should use
> > several TLS connections to this target with different TLS certificates. So
> > the first connection will be successful, but the SIP message for the second domain
> > which should use another certificate will try to reuse this first connection, as
> > the target is the same. And this message will fail.
> >
> > -----
> > ---
> > Alexey Vasilyev
> > --
> > Sent from:
> > http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
> >
> > _______________________________________________
> > Users mailing list
> > Users@lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>

-- 
Best regards
Alexey Vasilyev
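The reuse problem described in this thread, as an added illustration that is not OpenSIPS code: a toy outbound connection cache keyed the TCP way (remote IP:port only) versus keyed on remote IP:port plus the client certificate. The peer model, addresses and domain names are constructed; the peer is assumed to accept a request only when its SIP domain matches the CN of the client certificate the TLS session was established with.

```python
# Constructed model (not OpenSIPS code) of outbound TLS connection reuse.
from dataclasses import dataclass, field


@dataclass
class Connection:
    remote: tuple                        # (ip, port) of the peer
    cert_cn: str                         # CN of the client cert this TLS session was set up with
    sent: list = field(default_factory=list)


class TlsPool:
    """Outbound connection cache; key_on_cert selects the lookup rule."""

    def __init__(self, key_on_cert: bool):
        self.key_on_cert = key_on_cert
        self.conns = {}

    def _key(self, remote, cert_cn):
        # TCP-style rule: destination only.
        # Corrected rule: destination plus the client certificate (TLS domain).
        return (remote, cert_cn) if self.key_on_cert else (remote,)

    def get_or_open(self, remote, cert_cn):
        key = self._key(remote, cert_cn)
        conn = self.conns.get(key)
        if conn is None:                  # no match: open a new TLS session
            conn = Connection(remote, cert_cn)
            self.conns[key] = conn
        return conn                       # otherwise the existing session is reused


def peer_accepts(conn, sip_domain):
    # Assumed peer behaviour: the SIP domain is authenticated by the client cert
    # bound to the TLS session, so a mismatch is rejected.
    return conn.cert_cn == sip_domain


def run(key_on_cert):
    """Send one request per domain to the same target; return (#connections, results)."""
    remote = ("198.51.100.10", 5061)     # constructed peer address
    pool = TlsPool(key_on_cert)
    results = []
    for domain in ("domain1.example", "domain2.example"):
        conn = pool.get_or_open(remote, cert_cn=domain)  # cert chosen per SIP domain
        conn.sent.append(domain)
        results.append((domain, peer_accepts(conn, domain)))
    return len(pool.conns), results
```

With the TCP-style key the second domain rides on the first session and is rejected; with the certificate in the key each domain gets its own session and both are accepted.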