Hi Bogdan,

Sorry that I mentioned He-Who-Must-Not-Be-Named.
Just to simplify search later: https://github.com/OpenSIPS/opensips/issues/1651

-----
Alexey Vasilyev
alexei.vasil...@gmail.com

> On 28 Mar 2019, at 16:45, Bogdan-Andrei Iancu <bog...@opensips.org> wrote:
>
> Hi Alexey,
>
> oh, if it is MS related, I don't wanna hear about it :P.....Just joking - please open a bug report on the tracker.
>
> Regards,
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 2019
> https://www.opensips.org/events/Summit-2019Amsterdam/
>
> On 03/28/2019 03:16 PM, Alexey Vasilyev wrote:
>> Hi Bogdan,
>>
>> Yes, of course this is a real scenario. MS Teams integration. They authenticate everything by the TLS certificates used by the connection. It works fine for 1 integration.
>> But if I send SIP with domain2 to the TLS connection encrypted with the certificate for domain1, I just fail.
>> And actually everybody I checked is reusing TLS sessions almost the same way as TCP. So OpenSIPS will be the first doing this the correct way.
>> And I like the comments from tls_mgm.c
>> /* what if we have multiple connections to the same remote socket? e.g. we can have
>>     connection 1: localIP1:localPort1 <--> remoteIP:remotePort
>>     connection 2: localIP2:localPort2 <--> remoteIP:remotePort
>>    but I think the is very unrealistic */
>>
>> So I got exactly this scenario.
>>
>>
>> Thu, 28 Mar 2019 at 13:47, Bogdan-Andrei Iancu <bog...@opensips.org>:
>> Hi Alexey,
>>
>> It makes sense (logically speaking) to get the TLS domain involved in the TCP conn re-usage alg - but my question is: have you come across a real scenario with such a need?
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>> https://www.opensips-solutions.com
>> OpenSIPS Summit 2019
>> https://www.opensips.org/events/Summit-2019Amsterdam/
>>
>> On 03/26/2019 02:23 PM, vasilevalex wrote:
>> > Hi Bogdan,
>> >
>> > Thanks for the fix!
>> >
>> > What do you think about reusing TLS connections? In the master branch this behavior is still the same. OpenSIPS reuses TLS connections the same way as regular TCP connections, but it should not. For reusing a TCP connection we check if a connection with the same dst IP:PORT exists. But for TLS it is not enough. We additionally should check what certificate this connection uses (or what domain it is related to).
>> >
>> > And in the documentation for the tls_mgm module it is written everywhere: Note: If there is already an existing TLS connection to the remote target, it will be reused and setting this AVP has no effect.
>> >
>> > This is the same case - we have only 1 destination target, but we should use several TLS connections to this target with different TLS certificates. So the first connection will be successful, but a SIP message for the second domain, which should use another certificate, will try to reuse this first connection, as the target is the same. And this message will fail.
>> >
>> >
>> >
>> > -----
>> > ---
>> > Alexey Vasilyev
>> > --
>> > Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>> >
>> > _______________________________________________
>> > Users mailing list
>> > Users@lists.opensips.org
>> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>
>>
>>
>> --
>> Best regards
>> Alexey Vasilyev
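The reuse problem discussed in this thread, as an added example (not OpenSIPS code and not written by any poster): a connection lookup keyed on destination IP:port alone, next to one that also compares the TLS domain. The struct, function names, address and domain names are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical connection record (not OpenSIPS's own structure). */
struct conn {
    const char *remote_ip;
    unsigned short remote_port;
    const char *tls_domain; /* client TLS domain used in the handshake; NULL = plain TCP */
};

static int same_dst(const struct conn *c, const char *ip, unsigned short port)
{
    return c->remote_port == port && strcmp(c->remote_ip, ip) == 0;
}

/* TCP-style reuse: any connection to the same remote IP:port matches. */
static int find_by_dst(const struct conn *t, int n, const char *ip, unsigned short port)
{
    for (int i = 0; i < n; i++)
        if (same_dst(&t[i], ip, port))
            return i;
    return -1;
}

/* TLS-aware reuse: the connection must also belong to the wanted TLS domain. */
static int find_by_dst_and_domain(const struct conn *t, int n, const char *ip,
                                  unsigned short port, const char *domain)
{
    for (int i = 0; i < n; i++) {
        if (!same_dst(&t[i], ip, port))
            continue;
        if (!t[i].tls_domain || !domain) {
            if (!t[i].tls_domain && !domain)
                return i;           /* both sides are plain TCP */
            continue;               /* never mix TLS and non-TLS */
        }
        if (strcmp(t[i].tls_domain, domain) == 0)
            return i;
    }
    return -1;                      /* no match: caller opens a new connection */
}

/* Constructed sample: one TLS connection already set up for domain1. */
static const struct conn table[] = {
    { "198.51.100.10", 5061, "domain1.example" },
};

int main(void)
{
    printf("dst-only lookup for domain2: %d\n", find_by_dst(table, 1, "198.51.100.10", 5061));
    printf("domain-aware lookup for domain2: %d\n",
           find_by_dst_and_domain(table, 1, "198.51.100.10", 5061, "domain2.example"));
    return 0;
}
```

The destination-only lookup hands the domain1 connection to a message for domain2, which is the failure described in the thread; the domain-aware lookup returns -1 so a separate connection with the second certificate can be opened.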