Hi Mark,

We are aware of this limitation with wolfssl, and do plan to address it somehow, but we have not found a straightforward solution yet. Keep an eye on the feature request Ovidiu mentioned.

Regards,

--
Vlad Patrascu
OpenSIPS Core Developer
http://www.opensips-solutions.com

On 28.02.2022 10:50, Mark Farmer wrote:
Thanks Ovidiu, that is great information.

I am using wolfssl as that seems to be the way to go these days.
I wonder, given the rising popularity of Direct Routing, if it would be possible/sensible to have wolfssl populate the $tls_peer_subject_cn variable in the future?

Mark.





On Fri, 25 Feb 2022 at 17:32, Ovidiu Sas <o...@voipembedded.com> wrote:

    With MS, you can authenticate based on $tls_peer_subject_cn. This
    works ok with openssl but not with wolfssl. When wolfssl is using
    session tickets to establish new connections, the $tls_peer_subject_cn
    is not populated.
    Another alternative is to perform a lookup for each request received
    over a tls connection using the ip.resolve transformation and enable
    dbs_cache to help a little bit. It's messy but it works.

    -ovidiu

    On Fri, Feb 25, 2022 at 6:51 AM Mark Farmer <farm...@gmail.com> wrote:
    >
    > Thanks Bogdan
    >
    > It's no secret really, I was just speaking generically.
    > They are the MS Direct Routing domains, e.g. sip.pstnhub.microsoft.com
    >
    > Mark.
    >
    >
    >
    > On Tue, 22 Feb 2022 at 12:50, Bogdan-Andrei Iancu <bog...@opensips.org> wrote:
    >>
    >> Hi Mark,
    >>
    >> You say the DNS is publishing only one IP for the domain, but one may change? If you want, you can PM me the actual domain to see what the DNS records look like.
    >>
    >> Regards,
    >>
    >> Bogdan-Andrei Iancu
    >>
    >> OpenSIPS Founder and Developer
    >> https://www.opensips-solutions.com
    >> OpenSIPS eBootcamp
    >> https://www.opensips.org/Training/Bootcamp
    >>
    >> On 2/22/22 12:31 PM, Mark Farmer wrote:
    >>
    >> Hi Bogdan
    >>
    >> The GWs have 2 CNAME records which I have no control over. DR has entries like subdomain.example.com:5061
    >> I suspect the issue arises when the CNAMEs swap around, resulting in a mismatch.
    >>
    >> Currently I am using this to identify the source of the message, which is probably not the best in terms of security.
    >>
    >> $avp(fd) = "subdomain.example.com";
    >> if($(ct.fields(uri){s.index, $avp(fd)}) != NULL)
    >>
    >> Perhaps there is a better way?
    >>
    >> Best regards
    >> Mark.
    >>
    >>
    >>
    >> On Tue, 22 Feb 2022 at 08:56, Bogdan-Andrei Iancu <bog...@opensips.org> wrote:
    >>>
    >>> Hi Mark,
    >>>
    >>> If a gw is defined via FQDN, that will be DNS resolved (NAPTR, SRV, A records) when DB data is (re)loaded by DR module, and used later for such checks. All found IPs (from DNS) will be stored on the GW.
    >>>
    >>> How do you specify the GW address in DB and what kind of DNS records do you have for it?
    >>>
    >>> Best regards,
    >>>
    >>> Bogdan-Andrei Iancu
    >>>
    >>> OpenSIPS Founder and Developer
    >>> https://www.opensips-solutions.com
    >>> OpenSIPS eBootcamp
    >>> https://www.opensips.org/Training/Bootcamp
    >>>
    >>> On 2/18/22 6:04 PM, Mark Farmer wrote:
    >>>
    >>> Hi everyone
    >>>
    >>> I am using is_from_gw() to match against a group of gateways specified by DNS names which resolve to multiple IP addresses but it seems to be failing to match.
    >>>
    >>> Is this supported functionality or do I need to do something else in this case?
    >>>
    >>> Thanks and regards
    >>> Mark.
    >>>
    >>>
    >>> _______________________________________________
    >>> Users mailing list
    >>> Users@lists.opensips.org
    >>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
    >>>
    >>>
    >>
    >>
    >> --
    >> Mark Farmer
    >> farm...@gmail.com
    >>
    >>
    >
    >
    > --
    > Mark Farmer
    > farm...@gmail.com



-- VoIP Embedded, Inc.
    http://www.voipembedded.com




--
Mark Farmer
farm...@gmail.com
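
The thread contrasts gateway addresses that are resolved once when the DR data is (re)loaded with a DNS lookup on every request backed by a cache. The sketch below is an added example, not part of any message in the thread and not OpenSIPS code; it models both approaches in Python with a hypothetical injected resolver, constructed names and addresses, and an assumed 30-second cache lifetime.

```python
import time
from typing import Callable, Dict, Set, Tuple

Resolver = Callable[[str], Set[str]]  # hypothetical: FQDN -> set of IP strings


class LoadTimeGateway:
    """Resolves once at load time and reuses the result until the next reload."""

    def __init__(self, fqdn: str, resolve: Resolver):
        self.ips = set(resolve(fqdn))

    def matches(self, src_ip: str) -> bool:
        return src_ip in self.ips


class CachedLookup:
    """Resolves per request, reusing an answer for at most `ttl` seconds."""

    def __init__(self, resolve: Resolver, ttl: float = 30.0, clock=time.monotonic):
        self._resolve, self._ttl, self._clock = resolve, ttl, clock
        self._cache: Dict[str, Tuple[float, Set[str]]] = {}

    def matches(self, fqdn: str, src_ip: str) -> bool:
        now = self._clock()
        hit = self._cache.get(fqdn)
        if hit is None or now - hit[0] >= self._ttl:
            try:
                ips = set(self._resolve(fqdn))
            except OSError:
                return False  # fail closed: no DNS answer means no match
            hit = (now, ips)
            self._cache[fqdn] = hit
        return src_ip in hit[1]


def demo():
    # Constructed data: documentation-range addresses and a made-up name.
    dns = {"gw.example.test": {"192.0.2.10"}}
    now = [0.0]
    resolve = lambda name: dns[name]
    load_time = LoadTimeGateway("gw.example.test", resolve)
    cached = CachedLookup(resolve, ttl=30.0, clock=lambda: now[0])
    before = (load_time.matches("192.0.2.10"), cached.matches("gw.example.test", "192.0.2.10"))
    dns["gw.example.test"] = {"192.0.2.20"}  # the name now points elsewhere
    now[0] = 31.0                            # the cached answer has expired
    after = (load_time.matches("192.0.2.20"), cached.matches("gw.example.test", "192.0.2.20"))
    stale = cached.matches("gw.example.test", "192.0.2.10")
    return before, after, stale
```

After the record changes, the load-time model rejects the gateway's new address until its data is reloaded, while the cached lookup accepts it once the cache entry expires and stops accepting the old address.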
