Thanks Ovidiu, that is great information. I am using wolfssl as that seems to be the way to go these days. I wonder, given the rising popularity of Direct Routing, if it would be possible/sensible to have wolfssl populate the $tls_peer_subject_cn variable in the future?
Mark.

On Fri, 25 Feb 2022 at 17:32, Ovidiu Sas <o...@voipembedded.com> wrote:

> With MS, you can authenticate based on $tls_peer_subject_cn. This
> works ok with openssl but not with wolfssl. When wolfssl is using
> session tickets to establish new connections, the $tls_peer_subject_cn
> is not populated.
> Another alternative is to perform a lookup for each request received
> over a tls connection using the ip.resolve transformation and enable
> dns_cache to help a little bit. It's messy but it works.
>
> -ovidiu
>
> On Fri, Feb 25, 2022 at 6:51 AM Mark Farmer <farm...@gmail.com> wrote:
> >
> > Thanks Bogdan
> >
> > It's no secret really, I was just speaking generically.
> > They are the MS Direct Routing domains, EG sip.pstnhub.microsoft.com
> >
> > Mark.
> >
> > On Tue, 22 Feb 2022 at 12:50, Bogdan-Andrei Iancu <bog...@opensips.org> wrote:
> >>
> >> Hi Mark,
> >>
> >> You say the DNS is publishing only one IP for the domain, but one may change? If you want, you can PM me the actual domain to see how the DNS records look.
> >>
> >> Regards,
> >>
> >> Bogdan-Andrei Iancu
> >>
> >> OpenSIPS Founder and Developer
> >> https://www.opensips-solutions.com
> >> OpenSIPS eBootcamp
> >> https://www.opensips.org/Training/Bootcamp
> >>
> >> On 2/22/22 12:31 PM, Mark Farmer wrote:
> >>
> >> Hi Bogdan
> >>
> >> The GW's have 2 CNAME records which I have no control over. DR has entries like subdomain.example.com:5061
> >> I suspect the issue arises when the CNAMES swap around resulting in a mismatch.
> >>
> >> Currently I am using this to identify the source of the message which is probably not the best in terms of security.
> >>
> >> $avp(fd) = "subdomain.example.com";
> >> if($(ct.fields(uri){s.index, $avp(fd)}) != NULL)
> >>
> >> Perhaps there is a better way?
> >>
> >> Best regards
> >> Mark.
> >>
> >> On Tue, 22 Feb 2022 at 08:56, Bogdan-Andrei Iancu <bog...@opensips.org> wrote:
> >>>
> >>> Hi Mark,
> >>>
> >>> If a gw is defined via FQDN, that will be DNS resolved (NAPTR, SRV, A records) when DB data is (re)loaded by DR module, and used later for such checks. All found IPs (from DNS) will be stored on the GW.
> >>>
> >>> How do you specify the GW address in DB and what kind of DNS records do you have for it?
> >>>
> >>> Best regards,
> >>>
> >>> Bogdan-Andrei Iancu
> >>>
> >>> OpenSIPS Founder and Developer
> >>> https://www.opensips-solutions.com
> >>> OpenSIPS eBootcamp
> >>> https://www.opensips.org/Training/Bootcamp
> >>>
> >>> On 2/18/22 6:04 PM, Mark Farmer wrote:
> >>>
> >>> Hi everyone
> >>>
> >>> I am using is_from_gw() to match against a group of gateways specified by DNS names which resolve to multiple IP addresses but it seems to be failing to match.
> >>>
> >>> Is this supported functionality or do I need to do something else in this case?
> >>>
> >>> Thanks and regards
> >>> Mark.
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users@lists.opensips.org
> >>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
> >>
> >> --
> >> Mark Farmer
> >> farm...@gmail.com
> >
> > --
> > Mark Farmer
> > farm...@gmail.com
>
> --
> VoIP Embedded, Inc.
> http://www.voipembedded.com

--
Mark Farmer
farm...@gmail.com
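
The two source-IP checks discussed in this thread, as a simplified Python model added here (not OpenSIPS code and not written by any poster): a resolve-once snapshot, as described for gateway data loaded by the DR module, next to a per-request lookup behind a TTL cache. The class and function names, the injected resolver and the documentation addresses are assumptions constructed for the example.

```python
import time

class GatewayMatcher:
    """Match a request's source IP against gateways defined by FQDN."""

    def __init__(self, fqdns, resolver, ttl=60.0, clock=time.monotonic):
        self.fqdns = list(fqdns)
        self.resolver = resolver  # assumed callable: fqdn -> list of IP strings
        self.ttl = ttl
        self.clock = clock
        self._cache = {}          # fqdn -> (expiry, frozenset of IPs)
        # Resolve once at load time and keep every address found.
        self.snapshot = {ip for f in self.fqdns for ip in resolver(f)}

    def from_gw_snapshot(self, src_ip):
        """Check against the addresses recorded at load time only."""
        return src_ip in self.snapshot

    def from_gw_live(self, src_ip):
        """Resolve per request, with a TTL cache to limit DNS queries."""
        now = self.clock()
        for fqdn in self.fqdns:
            expiry, ips = self._cache.get(fqdn, (0.0, frozenset()))
            if now >= expiry:
                ips = frozenset(self.resolver(fqdn))
                self._cache[fqdn] = (now + self.ttl, ips)
            if src_ip in ips:
                return True
        return False


def demo():
    # Constructed DNS data using documentation addresses, not real records.
    records = {"subdomain.example.com": ["192.0.2.10"]}
    now = [0.0]
    m = GatewayMatcher(records, lambda f: records.get(f, []),
                       ttl=60.0, clock=lambda: now[0])
    before = (m.from_gw_snapshot("192.0.2.10"), m.from_gw_live("192.0.2.10"))
    # The name starts resolving to a different address after load.
    records["subdomain.example.com"] = ["198.51.100.20"]
    now[0] = 30.0   # inside the cache TTL: the live check is still stale
    stale = m.from_gw_live("198.51.100.20")
    now[0] = 61.0   # cache expired: the live check re-resolves
    after = (m.from_gw_snapshot("198.51.100.20"), m.from_gw_live("198.51.100.20"))
    return before, stale, after


if __name__ == "__main__":
    print(demo())
```

The cache TTL bounds how long a changed record goes unnoticed by the per-request check. Neither check ties the request to the peer's certificate, which is what matching on $tls_peer_subject_cn does.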