With MS, you can authenticate based on $tls_peer_subject_cn. This works ok with openssl but not with wolfssl. When wolfssl is using session tickets to establish new connections, the $tls_peer_subject_cn is not populated. Another alternative is to perform a lookup for each request received over a tls connection using the ip.resolve transformation and enable dbs_cache to help a little bit. It's messy but it works.
-ovidiu

On Fri, Feb 25, 2022 at 6:51 AM Mark Farmer <farm...@gmail.com> wrote:
>
> Thanks Bogdan
>
> It's no secret really, I was just speaking generically.
> They are the MS Direct Routing domains, e.g. sip.pstnhub.microsoft.com
>
> Mark.
>
>
> On Tue, 22 Feb 2022 at 12:50, Bogdan-Andrei Iancu <bog...@opensips.org> wrote:
>>
>> Hi Mark,
>>
>> You say the DNS is publishing only one IP for the domain, but one may change?
>> If you want, you can PM me the actual domain to see how the DNS records
>> look like.
>>
>> Regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>> https://www.opensips-solutions.com
>> OpenSIPS eBootcamp
>> https://www.opensips.org/Training/Bootcamp
>>
>> On 2/22/22 12:31 PM, Mark Farmer wrote:
>>
>> Hi Bogdan
>>
>> The GWs have 2 CNAME records which I have no control over. DR has entries
>> like subdomain.example.com:5061
>> I suspect the issue arises when the CNAMEs swap around, resulting in a
>> mismatch.
>>
>> Currently I am using this to identify the source of the message, which is
>> probably not the best in terms of security.
>>
>> $avp(fd) = "subdomain.example.com";
>> if($(ct.fields(uri){s.index, $avp(fd)}) != NULL)
>>
>> Perhaps there is a better way?
>>
>> Best regards
>> Mark.
>>
>>
>> On Tue, 22 Feb 2022 at 08:56, Bogdan-Andrei Iancu <bog...@opensips.org> wrote:
>>>
>>> Hi Mark,
>>>
>>> If a gw is defined via FQDN, that will be DNS resolved (NAPTR, SRV, A
>>> records) when DB data is (re)loaded by the DR module, and used later for such
>>> checks. All found IPs (from DNS) will be stored on the GW.
>>>
>>> How do you specify the GW address in DB and what kind of DNS records do you
>>> have for it?
>>>
>>> Best regards,
>>>
>>> Bogdan-Andrei Iancu
>>>
>>> OpenSIPS Founder and Developer
>>> https://www.opensips-solutions.com
>>> OpenSIPS eBootcamp
>>> https://www.opensips.org/Training/Bootcamp
>>>
>>> On 2/18/22 6:04 PM, Mark Farmer wrote:
>>>
>>> Hi everyone
>>>
>>> I am using is_from_gw() to match against a group of gateways specified by
>>> DNS names which resolve to multiple IP addresses, but it seems to be failing
>>> to match.
>>>
>>> Is this supported functionality or do I need to do something else in this
>>> case?
>>>
>>> Thanks and regards
>>> Mark.
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users@lists.opensips.org
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>>>
>>
>> --
>> Mark Farmer
>> farm...@gmail.com
>>
>
> --
> Mark Farmer
> farm...@gmail.com

--
VoIP Embedded, Inc.
http://www.voipembedded.com
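The certificate-based check Ovidiu describes, with the DNS lookup as the fallback for resumed sessions, written out as an added OpenSIPS script example (not code from the thread or from the OpenSIPS project). It assumes the tls_mgm domain for the Direct Routing listener has certificate verification enabled, and the route and AVP names (ms_trunk_auth, $avp(ms_gw), $avp(gw_ip)) are hypothetical; the FQDN and $avp(fd) come from the thread.

```cfg
# Added example, not from the thread or the OpenSIPS project. Assumes the
# tls_mgm domain for this listener has verify_cert/require_cert enabled, so a
# request reaching here over TLS came from a peer whose chain validated.
# Route and AVP names are hypothetical; the FQDN is the one from the thread.
route[ms_trunk_auth] {
    $avp(ms_gw) = 0;                               # result flag for the caller
    $avp(fd) = "sip.pstnhub.microsoft.com";        # expected gateway identity

    # Only a TLS-protected request can carry a certificate identity; the
    # Contact-URI substring check from the thread is attacker-controlled data
    if ($proto != "tls") {
        return(-1);
    }

    # Preferred path: CN taken from the verified client certificate
    if ($tls_peer_subject_cn == $avp(fd)) {
        xlog("L_INFO", "MS trunk authenticated by certificate CN from $si\n");
        $avp(ms_gw) = 1;
        return(1);
    }

    # Fallback for resumed sessions (wolfSSL session tickets), where the CN
    # variable is empty: resolve the FQDN now and compare the answer with the
    # source IP. ip.resolve yields one address per lookup, which suits a name
    # that publishes a single record at a time (the CNAME swap in the thread).
    $avp(gw_ip) = $(avp(fd){ip.resolve});
    if ($avp(gw_ip) != NULL && $avp(gw_ip) == $si) {
        xlog("L_INFO", "MS trunk authenticated by DNS ($avp(gw_ip)) from $si\n");
        $avp(ms_gw) = 1;
        return(1);
    }

    xlog("L_WARN", "MS trunk check failed: CN='$tls_peer_subject_cn' src=$si\n");
    return(-1);
}

route {
    # ... usual sanity checks on the request go here ...
    route(ms_trunk_auth);
    if ($avp(ms_gw) != 1) {
        send_reply(403, "Forbidden");
        exit;
    }
    # request is from the Direct Routing trunk; continue with normal routing
}
```

Logging the CN and source IP on failure gives the operations side a direct signal when the fallback starts firing, which is how a resumed-session gap or a stale DNS answer shows up in practice.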