Control TLS client domain

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

Control TLS client domain

vasilevalex
Hi all.

OpenSIPS 2.4.4
I have 2 gateways in Dynamic Routing module table. For both gateways I have
different sockets:
address: gw1, socket: tls:<IP1>:5061
address: gw2, socket: tls:<IP2>:5061

IP1 has certificate for TLS sip.domain1.com
IP2 has certificate for TLS sip.domain2.com

And something like this for tls management module:

loadmodule "tls_mgm.so"
modparam("tls_mgm", "client_domain_avp", "tls_cli_dom")
modparam("tls_mgm", "client_domain", "test1")
modparam("tls_mgm","certificate",
"[test1]/etc/opensips/tls/test1/fullchain.pem")
modparam("tls_mgm","private_key",
"[test1]/etc/opensips/tls/test1/privkey.pem")
modparam("tls_mgm","verify_cert", "[test1]0")
modparam("tls_mgm","require_cert", "[test1]0")
modparam("tls_mgm","tls_method", "[test1]TLSv1")
modparam("tls_mgm", "client_domain", "test2")
modparam("tls_mgm","certificate",
"[test2]/etc/opensips/tls/test2/fullchain.pem")
modparam("tls_mgm","private_key",
"[test2]/etc/opensips/tls/test2/privkey.pem")
modparam("tls_mgm","verify_cert", "[test2]0")
modparam("tls_mgm","require_cert", "[test2]0")
modparam("tls_mgm","tls_method", "[test2]TLSv1")
#Default domain
modparam("tls_mgm","certificate", "/etc/opensips/tls/test1/fullchain.pem")
modparam("tls_mgm","private_key", "/etc/opensips/tls/test1/privkey.pem")
modparam("tls_mgm","verify_cert", "0")
modparam("tls_mgm","require_cert", "0")
modparam("tls_mgm","tls_method", "TLSv1")
modparam("tls_mgm", "server_domain", "srv2=IP2:5061")
modparam("tls_mgm","certificate",
"[srv2]/etc/opensips/tls/test2/fullchain.pem")
modparam("tls_mgm","private_key",
"[srv2]/etc/opensips/tls/test2/privkey.pem")
modparam("tls_mgm","verify_cert", "[srv2]0")
modparam("tls_mgm","require_cert", "[srv2]0")
modparam("tls_mgm","tls_method", "[srv2]TLSv1")

Server part of TLS works fine.
But I want OPTIONS to these gateways to be send with correct TLS
certificate.

local_route {
  if (is_method("OPTIONS")) {
    # Get IP for outgoing socket
    $var(ip_out) = $(fs{s.select,1,:});
    switch($var(ip_out)) {
      case "IP1":
        $avp(tls_cli_dom) = "test1";
      break;
      case "IP2":
        $avp(tls_cli_dom) = "test2";
      break;
    }
    xlog("AVP for TLS:  $avp(tls_cli_dom) \n");
  }
}

So AVP for choosing client domain is set correctly during sending OPTIONS.
OpenSIPS uses different sockets for sending OPTIONS, but default TLS domain
for both gateways. What's wrong?



-----
---
Alexey Vasilyev
--
Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
---
Alexey Vasilyev
Reply | Threaded
Open this post in threaded view
|

Re: Control TLS client domain

Bogdan-Andrei Iancu-2
Hi Alexey,

Well, the AVPs (as variables) are not visible for the TLS send
operation. In local route, the actual "send" is outside the route
context, so the AVP you set in the local route are not impacting the
later TLS "send".

On the other hand, you can select the TLS certificate to use based on
the destination IP of the TLS connection (the IP of the GW, in your case).

Check this
https://opensips.org/html/docs/modules/2.4.x/tls_mgm.html#domains-param .

And when you define the client_domain, you set the IP of your GW :

modparam("tls_mgm", "client_domain", "test1=GW_IP:GW_PORT")

and you do not need the local route anymore, as the test1 TLS domain will be automatically picked when sending GW_IP:GW_PORT.


Best regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 2019
   https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/20/2019 02:40 PM, vasilevalex wrote:

> Hi all.
>
> OpenSIPS 2.4.4
> I have 2 gateways in Dynamic Routing module table. For both gateways I have
> different sockets:
> address: gw1, socket: tls:<IP1>:5061
> address: gw2, socket: tls:<IP2>:5061
>
> IP1 has certificate for TLS sip.domain1.com
> IP2 has certificate for TLS sip.domain2.com
>
> And something like this for tls management module:
>
> loadmodule "tls_mgm.so"
> modparam("tls_mgm", "client_domain_avp", "tls_cli_dom")
> modparam("tls_mgm", "client_domain", "test1")
> modparam("tls_mgm","certificate",
> "[test1]/etc/opensips/tls/test1/fullchain.pem")
> modparam("tls_mgm","private_key",
> "[test1]/etc/opensips/tls/test1/privkey.pem")
> modparam("tls_mgm","verify_cert", "[test1]0")
> modparam("tls_mgm","require_cert", "[test1]0")
> modparam("tls_mgm","tls_method", "[test1]TLSv1")
> modparam("tls_mgm", "client_domain", "test2")
> modparam("tls_mgm","certificate",
> "[test2]/etc/opensips/tls/test2/fullchain.pem")
> modparam("tls_mgm","private_key",
> "[test2]/etc/opensips/tls/test2/privkey.pem")
> modparam("tls_mgm","verify_cert", "[test2]0")
> modparam("tls_mgm","require_cert", "[test2]0")
> modparam("tls_mgm","tls_method", "[test2]TLSv1")
> #Default domain
> modparam("tls_mgm","certificate", "/etc/opensips/tls/test1/fullchain.pem")
> modparam("tls_mgm","private_key", "/etc/opensips/tls/test1/privkey.pem")
> modparam("tls_mgm","verify_cert", "0")
> modparam("tls_mgm","require_cert", "0")
> modparam("tls_mgm","tls_method", "TLSv1")
> modparam("tls_mgm", "server_domain", "srv2=IP2:5061")
> modparam("tls_mgm","certificate",
> "[srv2]/etc/opensips/tls/test2/fullchain.pem")
> modparam("tls_mgm","private_key",
> "[srv2]/etc/opensips/tls/test2/privkey.pem")
> modparam("tls_mgm","verify_cert", "[srv2]0")
> modparam("tls_mgm","require_cert", "[srv2]0")
> modparam("tls_mgm","tls_method", "[srv2]TLSv1")
>
> Server part of TLS works fine.
> But I want OPTIONS to these gateways to be send with correct TLS
> certificate.
>
> local_route {
>    if (is_method("OPTIONS")) {
>      # Get IP for outgoing socket
>      $var(ip_out) = $(fs{s.select,1,:});
>      switch($var(ip_out)) {
>        case "IP1":
>          $avp(tls_cli_dom) = "test1";
>        break;
>        case "IP2":
>          $avp(tls_cli_dom) = "test2";
>        break;
>      }
>      xlog("AVP for TLS:  $avp(tls_cli_dom) \n");
>    }
> }
>
> So AVP for choosing client domain is set correctly during sending OPTIONS.
> OpenSIPS uses different sockets for sending OPTIONS, but default TLS domain
> for both gateways. What's wrong?
>
>
>
> -----
> ---
> Alexey Vasilyev
> --
> Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Control TLS client domain

vasilevalex
Hi Bogdan,
It would be nice to get rid of these AVPs, and select client domain by destination IP, but the problem that I have only 1 destination gw IP for all customers domains.
I have cloud platform, which I’d like to connect from OpenSIPS. And I have many customers with their domains.

So the only way to choose client tls domain is AVP.

And why not to allow manipulate AVPs in local route? I modified modules/tm/uac.c little bit, and now I can select TLS client domain with AVP from local_route.
https://github.com/OpenSIPS/opensips/issues/1642
But I’m not sure about the code. And sorry, that I marked it as bug, I thought that it is normal to work with AVP variables from local_route.

I have another issue, that OpenSIPS reuses TLS connections the same way as regular TCP connections, but it should not. For reusing TCP connection we check, if connection with the same dst IP:PORT exists. But for TLS it is not enough. We additionally should check, what certificate uses this connection (or what domain it is related).

If on server side we have SNI, why not to have more control for client TLS side?

-----
Alexey Vasilyev
[hidden email]



> 25 Mar 2019, в 18:37, Bogdan-Andrei Iancu <[hidden email]> написал(а):
>
> Hi Alexey,
>
> Well, the AVPs (as variables) are not visible for the TLS send operation. In local route, the actual "send" is outside the route context, so the AVP you set in the local route are not impacting the later TLS "send".
>
> On the other hand, you can select the TLS certificate to use based on the destination IP of the TLS connection (the IP of the GW, in your case).
>
> Check this https://opensips.org/html/docs/modules/2.4.x/tls_mgm.html#domains-param .
>
> And when you define the client_domain, you set the IP of your GW :
>
> modparam("tls_mgm", "client_domain", "test1=GW_IP:GW_PORT")
>
> and you do not need the local route anymore, as the test1 TLS domain will be automatically picked when sending GW_IP:GW_PORT.
>
>
> Best regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
> https://www.opensips-solutions.com
> OpenSIPS Summit 2019
> https://www.opensips.org/events/Summit-2019Amsterdam/
>
> On 03/20/2019 02:40 PM, vasilevalex wrote:
>> Hi all.
>>
>> OpenSIPS 2.4.4
>> I have 2 gateways in Dynamic Routing module table. For both gateways I have
>> different sockets:
>> address: gw1, socket: tls:<IP1>:5061
>> address: gw2, socket: tls:<IP2>:5061
>>
>> IP1 has certificate for TLS sip.domain1.com
>> IP2 has certificate for TLS sip.domain2.com
>>
>> And something like this for tls management module:
>>
>> loadmodule "tls_mgm.so"
>> modparam("tls_mgm", "client_domain_avp", "tls_cli_dom")
>> modparam("tls_mgm", "client_domain", "test1")
>> modparam("tls_mgm","certificate",
>> "[test1]/etc/opensips/tls/test1/fullchain.pem")
>> modparam("tls_mgm","private_key",
>> "[test1]/etc/opensips/tls/test1/privkey.pem")
>> modparam("tls_mgm","verify_cert", "[test1]0")
>> modparam("tls_mgm","require_cert", "[test1]0")
>> modparam("tls_mgm","tls_method", "[test1]TLSv1")
>> modparam("tls_mgm", "client_domain", "test2")
>> modparam("tls_mgm","certificate",
>> "[test2]/etc/opensips/tls/test2/fullchain.pem")
>> modparam("tls_mgm","private_key",
>> "[test2]/etc/opensips/tls/test2/privkey.pem")
>> modparam("tls_mgm","verify_cert", "[test2]0")
>> modparam("tls_mgm","require_cert", "[test2]0")
>> modparam("tls_mgm","tls_method", "[test2]TLSv1")
>> #Default domain
>> modparam("tls_mgm","certificate", "/etc/opensips/tls/test1/fullchain.pem")
>> modparam("tls_mgm","private_key", "/etc/opensips/tls/test1/privkey.pem")
>> modparam("tls_mgm","verify_cert", "0")
>> modparam("tls_mgm","require_cert", "0")
>> modparam("tls_mgm","tls_method", "TLSv1")
>> modparam("tls_mgm", "server_domain", "srv2=IP2:5061")
>> modparam("tls_mgm","certificate",
>> "[srv2]/etc/opensips/tls/test2/fullchain.pem")
>> modparam("tls_mgm","private_key",
>> "[srv2]/etc/opensips/tls/test2/privkey.pem")
>> modparam("tls_mgm","verify_cert", "[srv2]0")
>> modparam("tls_mgm","require_cert", "[srv2]0")
>> modparam("tls_mgm","tls_method", "[srv2]TLSv1")
>>
>> Server part of TLS works fine.
>> But I want OPTIONS to these gateways to be send with correct TLS
>> certificate.
>>
>> local_route {
>>  if (is_method("OPTIONS")) {
>>    # Get IP for outgoing socket
>>    $var(ip_out) = $(fs{s.select,1,:});
>>    switch($var(ip_out)) {
>>      case "IP1":
>>        $avp(tls_cli_dom) = "test1";
>>      break;
>>      case "IP2":
>>        $avp(tls_cli_dom) = "test2";
>>      break;
>>    }
>>    xlog("AVP for TLS:  $avp(tls_cli_dom) \n");
>>  }
>> }
>>
>> So AVP for choosing client domain is set correctly during sending OPTIONS.
>> OpenSIPS uses different sockets for sending OPTIONS, but default TLS domain
>> for both gateways. What's wrong?
>>
>>
>>
>> -----
>> ---
>> Alexey Vasilyev
>> --
>> Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>>
>> _______________________________________________
>> Users mailing list
>> [hidden email]
>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
---
Alexey Vasilyev
Reply | Threaded
Open this post in threaded view
|

Re: Control TLS client domain

Bogdan-Andrei Iancu-2
In reply to this post by Bogdan-Andrei Iancu-2
Hi Alexey,

In your example, I saw you where sending the OPTIONS to some GWs in
drouting, GWs with different IPs, so the IP-based domains should work in
that case.

Now, if you have a different clients behind the same IP - I guess this
is a different scenario. In this case I guess you need the AVP to
control the selection of the client TLS domain. But a small question -
if you interact with customers, do you still generate OPTIONS (or any
locally generated requests) towards the customers ? usually you act as a
sip proxy for the traffic to customers and in this case the AVP will be
fine (the AVP limitation is only in local route).

Let me follow up on #1642 with a small patch that will expose the AVPs
to the msg sending process.

BTW, in 3.0, the TLS mgm is completely reworked with better TLS domain
selection, including SNI support .

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 2019
   https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/25/2019 09:53 PM, Alexey Vasilyev wrote:

> Hi Bogdan,
> It would be nice to get rid of these AVPs, and select client domain by destination IP, but the problem that I have only 1 destination gw IP for all customers domains.
> I have cloud platform, which I’d like to connect from OpenSIPS. And I have many customers with their domains.
>
> So the only way to choose client tls domain is AVP.
>
> And why not to allow manipulate AVPs in local route? I modified modules/tm/uac.c little bit, and now I can select TLS client domain with AVP from local_route.
> https://github.com/OpenSIPS/opensips/issues/1642
> But I’m not sure about the code. And sorry, that I marked it as bug, I thought that it is normal to work with AVP variables from local_route.
>
> I have another issue, that OpenSIPS reuses TLS connections the same way as regular TCP connections, but it should not. For reusing TCP connection we check, if connection with the same dst IP:PORT exists. But for TLS it is not enough. We additionally should check, what certificate uses this connection (or what domain it is related).
>
> If on server side we have SNI, why not to have more control for client TLS side?
>
> -----
> Alexey Vasilyev
> [hidden email]
>
>
>
>> 25 Mar 2019, в 18:37, Bogdan-Andrei Iancu <[hidden email]> написал(а):
>>
>> Hi Alexey,
>>
>> Well, the AVPs (as variables) are not visible for the TLS send operation. In local route, the actual "send" is outside the route context, so the AVP you set in the local route are not impacting the later TLS "send".
>>
>> On the other hand, you can select the TLS certificate to use based on the destination IP of the TLS connection (the IP of the GW, in your case).
>>
>> Check this https://opensips.org/html/docs/modules/2.4.x/tls_mgm.html#domains-param .
>>
>> And when you define the client_domain, you set the IP of your GW :
>>
>> modparam("tls_mgm", "client_domain", "test1=GW_IP:GW_PORT")
>>
>> and you do not need the local route anymore, as the test1 TLS domain will be automatically picked when sending GW_IP:GW_PORT.
>>
>>
>> Best regards,
>>
>> Bogdan-Andrei Iancu
>>
>> OpenSIPS Founder and Developer
>>   https://www.opensips-solutions.com
>> OpenSIPS Summit 2019
>>   https://www.opensips.org/events/Summit-2019Amsterdam/
>>
>> On 03/20/2019 02:40 PM, vasilevalex wrote:
>>> Hi all.
>>>
>>> OpenSIPS 2.4.4
>>> I have 2 gateways in Dynamic Routing module table. For both gateways I have
>>> different sockets:
>>> address: gw1, socket: tls:<IP1>:5061
>>> address: gw2, socket: tls:<IP2>:5061
>>>
>>> IP1 has certificate for TLS sip.domain1.com
>>> IP2 has certificate for TLS sip.domain2.com
>>>
>>> And something like this for tls management module:
>>>
>>> loadmodule "tls_mgm.so"
>>> modparam("tls_mgm", "client_domain_avp", "tls_cli_dom")
>>> modparam("tls_mgm", "client_domain", "test1")
>>> modparam("tls_mgm","certificate",
>>> "[test1]/etc/opensips/tls/test1/fullchain.pem")
>>> modparam("tls_mgm","private_key",
>>> "[test1]/etc/opensips/tls/test1/privkey.pem")
>>> modparam("tls_mgm","verify_cert", "[test1]0")
>>> modparam("tls_mgm","require_cert", "[test1]0")
>>> modparam("tls_mgm","tls_method", "[test1]TLSv1")
>>> modparam("tls_mgm", "client_domain", "test2")
>>> modparam("tls_mgm","certificate",
>>> "[test2]/etc/opensips/tls/test2/fullchain.pem")
>>> modparam("tls_mgm","private_key",
>>> "[test2]/etc/opensips/tls/test2/privkey.pem")
>>> modparam("tls_mgm","verify_cert", "[test2]0")
>>> modparam("tls_mgm","require_cert", "[test2]0")
>>> modparam("tls_mgm","tls_method", "[test2]TLSv1")
>>> #Default domain
>>> modparam("tls_mgm","certificate", "/etc/opensips/tls/test1/fullchain.pem")
>>> modparam("tls_mgm","private_key", "/etc/opensips/tls/test1/privkey.pem")
>>> modparam("tls_mgm","verify_cert", "0")
>>> modparam("tls_mgm","require_cert", "0")
>>> modparam("tls_mgm","tls_method", "TLSv1")
>>> modparam("tls_mgm", "server_domain", "srv2=IP2:5061")
>>> modparam("tls_mgm","certificate",
>>> "[srv2]/etc/opensips/tls/test2/fullchain.pem")
>>> modparam("tls_mgm","private_key",
>>> "[srv2]/etc/opensips/tls/test2/privkey.pem")
>>> modparam("tls_mgm","verify_cert", "[srv2]0")
>>> modparam("tls_mgm","require_cert", "[srv2]0")
>>> modparam("tls_mgm","tls_method", "[srv2]TLSv1")
>>>
>>> Server part of TLS works fine.
>>> But I want OPTIONS to these gateways to be send with correct TLS
>>> certificate.
>>>
>>> local_route {
>>>    if (is_method("OPTIONS")) {
>>>      # Get IP for outgoing socket
>>>      $var(ip_out) = $(fs{s.select,1,:});
>>>      switch($var(ip_out)) {
>>>        case "IP1":
>>>          $avp(tls_cli_dom) = "test1";
>>>        break;
>>>        case "IP2":
>>>          $avp(tls_cli_dom) = "test2";
>>>        break;
>>>      }
>>>      xlog("AVP for TLS:  $avp(tls_cli_dom) \n");
>>>    }
>>> }
>>>
>>> So AVP for choosing client domain is set correctly during sending OPTIONS.
>>> OpenSIPS uses different sockets for sending OPTIONS, but default TLS domain
>>> for both gateways. What's wrong?
>>>
>>>
>>>
>>> -----
>>> ---
>>> Alexey Vasilyev
>>> --
>>> Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [hidden email]
>>> http://lists.opensips.org/cgi-bin/mailman/listinfo/users


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Control TLS client domain

vasilevalex
Hi Bogdan,

Thanks for fix!

What do you think about reusing TLS connections? In master branch this
behavior still the same. OpenSIPS reuses TLS connections the same way as
regular TCP connections, but it should not. For reusing TCP connection we
check, if connection with the same dst IP:PORT exists. But for TLS it is not
enough. We additionally should check, what certificate uses this connection
(or what domain it is related).

And in documentation for tls_mgm module everywhere written: Note: If there
is already an existing TLS connection to the remote target, it will be
reused and setting this AVP has no effect.

This is the same case - we have only 1 destination target, but we should use
several TLS connections to this target with different TLS certificates. So
first connection will be successful, but SIP message for second domain which
should use another certificate will try to reuse this first connection, as
target is the same. And this message will fail.



-----
---
Alexey Vasilyev
--
Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
---
Alexey Vasilyev
Reply | Threaded
Open this post in threaded view
|

Re: Control TLS client domain

Bogdan-Andrei Iancu-2
Hi Alexey,

It make sense (logically speaking) to get the TLS domain involved in the
TCP conn re-usage alg - but my question is: have you came across a real
scenario with such a need ?

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 2019
   https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/26/2019 02:23 PM, vasilevalex wrote:

> Hi Bogdan,
>
> Thanks for fix!
>
> What do you think about reusing TLS connections? In master branch this
> behavior still the same. OpenSIPS reuses TLS connections the same way as
> regular TCP connections, but it should not. For reusing TCP connection we
> check, if connection with the same dst IP:PORT exists. But for TLS it is not
> enough. We additionally should check, what certificate uses this connection
> (or what domain it is related).
>
> And in documentation for tls_mgm module everywhere written: Note: If there
> is already an existing TLS connection to the remote target, it will be
> reused and setting this AVP has no effect.
>
> This is the same case - we have only 1 destination target, but we should use
> several TLS connections to this target with different TLS certificates. So
> first connection will be successful, but SIP message for second domain which
> should use another certificate will try to reuse this first connection, as
> target is the same. And this message will fail.
>
>
>
> -----
> ---
> Alexey Vasilyev
> --
> Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Control TLS client domain

vasilevalex
Hi Bogdan,

Yes, of course this is real scenario. MS Teams integration. They authenticate everything by TLS certificates used by connection. It works fine for 1 integration. 
But if I send SIP with domain2 to the TLS connection encrypted with certificate for domain1, I just fail.
And actually everybody I checked reusing TLS sessions almost the same way as TCP. So OpenSIPS will be the first doing this correct way.
And I like comments from tls_mgm.c
/* what if we have multiple connections to the same remote socket? e.g. we can have
connection 1: localIP1:localPort1 <--> remoteIP:remotePort
connection 2: localIP2:localPort2 <--> remoteIP:remotePort
but I think the is very unrealistic */
So I got exactly this scenario.


чт, 28 мар. 2019 г. в 13:47, Bogdan-Andrei Iancu <[hidden email]>:
Hi Alexey,

It make sense (logically speaking) to get the TLS domain involved in the
TCP conn re-usage alg - but my question is: have you came across a real
scenario with such a need ?

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 2019
   https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/26/2019 02:23 PM, vasilevalex wrote:
> Hi Bogdan,
>
> Thanks for fix!
>
> What do you think about reusing TLS connections? In master branch this
> behavior still the same. OpenSIPS reuses TLS connections the same way as
> regular TCP connections, but it should not. For reusing TCP connection we
> check, if connection with the same dst IP:PORT exists. But for TLS it is not
> enough. We additionally should check, what certificate uses this connection
> (or what domain it is related).
>
> And in documentation for tls_mgm module everywhere written: Note: If there
> is already an existing TLS connection to the remote target, it will be
> reused and setting this AVP has no effect.
>
> This is the same case - we have only 1 destination target, but we should use
> several TLS connections to this target with different TLS certificates. So
> first connection will be successful, but SIP message for second domain which
> should use another certificate will try to reuse this first connection, as
> target is the same. And this message will fail.
>
>
>
> -----
> ---
> Alexey Vasilyev
> --
> Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users



--
Best regards
Alexey Vasilyev

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
---
Alexey Vasilyev
Reply | Threaded
Open this post in threaded view
|

Re: Control TLS client domain

Bogdan-Andrei Iancu-2
Hi Alexey,

oh, if it is MS related, I don't wanna hear about it :P.....Just joking - please open a bug report on the tracker.

Regards,
Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 2019
  https://www.opensips.org/events/Summit-2019Amsterdam/
On 03/28/2019 03:16 PM, Alexey Vasilyev wrote:
Hi Bogdan,

Yes, of course this is real scenario. MS Teams integration. They authenticate everything by TLS certificates used by connection. It works fine for 1 integration. 
But if I send SIP with domain2 to the TLS connection encrypted with certificate for domain1, I just fail.
And actually everybody I checked reusing TLS sessions almost the same way as TCP. So OpenSIPS will be the first doing this correct way.
And I like comments from tls_mgm.c
/* what if we have multiple connections to the same remote socket? e.g. we can have
connection 1: localIP1:localPort1 <--> remoteIP:remotePort
connection 2: localIP2:localPort2 <--> remoteIP:remotePort
but I think the is very unrealistic */
So I got exactly this scenario.


чт, 28 мар. 2019 г. в 13:47, Bogdan-Andrei Iancu <[hidden email]>:
Hi Alexey,

It make sense (logically speaking) to get the TLS domain involved in the
TCP conn re-usage alg - but my question is: have you came across a real
scenario with such a need ?

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 2019
   https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/26/2019 02:23 PM, vasilevalex wrote:
> Hi Bogdan,
>
> Thanks for fix!
>
> What do you think about reusing TLS connections? In master branch this
> behavior still the same. OpenSIPS reuses TLS connections the same way as
> regular TCP connections, but it should not. For reusing TCP connection we
> check, if connection with the same dst IP:PORT exists. But for TLS it is not
> enough. We additionally should check, what certificate uses this connection
> (or what domain it is related).
>
> And in documentation for tls_mgm module everywhere written: Note: If there
> is already an existing TLS connection to the remote target, it will be
> reused and setting this AVP has no effect.
>
> This is the same case - we have only 1 destination target, but we should use
> several TLS connections to this target with different TLS certificates. So
> first connection will be successful, but SIP message for second domain which
> should use another certificate will try to reuse this first connection, as
> target is the same. And this message will fail.
>
>
>
> -----
> ---
> Alexey Vasilyev
> --
> Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users



--
Best regards
Alexey Vasilyev


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
Reply | Threaded
Open this post in threaded view
|

Re: Control TLS client domain

vasilevalex
Hi Bogdan,

Sorry that I mentioned He-Who-Must-Not-Be-Named. Just to simplify search later: https://github.com/OpenSIPS/opensips/issues/1651


-----
Alexey Vasilyev



28 Mar 2019, в 16:45, Bogdan-Andrei Iancu <[hidden email]> написал(а):

Hi Alexey,

oh, if it is MS related, I don't wanna hear about it :P.....Just joking - please open a bug report on the tracker.

Regards,
Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 2019
  https://www.opensips.org/events/Summit-2019Amsterdam/
On 03/28/2019 03:16 PM, Alexey Vasilyev wrote:
Hi Bogdan,

Yes, of course this is real scenario. MS Teams integration. They authenticate everything by TLS certificates used by connection. It works fine for 1 integration. 
But if I send SIP with domain2 to the TLS connection encrypted with certificate for domain1, I just fail.
And actually everybody I checked reusing TLS sessions almost the same way as TCP. So OpenSIPS will be the first doing this correct way.
And I like comments from tls_mgm.c
/* what if we have multiple connections to the same remote socket? e.g. we can have
connection 1: localIP1:localPort1 <--> remoteIP:remotePort
connection 2: localIP2:localPort2 <--> remoteIP:remotePort
but I think the is very unrealistic */
So I got exactly this scenario.


чт, 28 мар. 2019 г. в 13:47, Bogdan-Andrei Iancu <[hidden email]>:
Hi Alexey,

It make sense (logically speaking) to get the TLS domain involved in the
TCP conn re-usage alg - but my question is: have you came across a real
scenario with such a need ?

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 2019
   https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/26/2019 02:23 PM, vasilevalex wrote:
> Hi Bogdan,
>
> Thanks for fix!
>
> What do you think about reusing TLS connections? In master branch this
> behavior still the same. OpenSIPS reuses TLS connections the same way as
> regular TCP connections, but it should not. For reusing TCP connection we
> check, if connection with the same dst IP:PORT exists. But for TLS it is not
> enough. We additionally should check, what certificate uses this connection
> (or what domain it is related).
>
> And in documentation for tls_mgm module everywhere written: Note: If there
> is already an existing TLS connection to the remote target, it will be
> reused and setting this AVP has no effect.
>
> This is the same case - we have only 1 destination target, but we should use
> several TLS connections to this target with different TLS certificates. So
> first connection will be successful, but SIP message for second domain which
> should use another certificate will try to reuse this first connection, as
> target is the same. And this message will fail.
>
>
>
> -----
> ---
> Alexey Vasilyev
> --
> Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users



--
Best regards
Alexey Vasilyev



_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
---
Alexey Vasilyev
Reply | Threaded
Open this post in threaded view
|

Re: Control TLS client domain

Bogdan-Andrei Iancu-2
Thank you Alexey,

I will look into it.

Best regards,
Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 2019
  https://www.opensips.org/events/Summit-2019Amsterdam/
On 03/28/2019 10:00 PM, Alexey Vasilyev wrote:
Hi Bogdan,

Sorry that I mentioned He-Who-Must-Not-Be-Named. Just to simplify search later: https://github.com/OpenSIPS/opensips/issues/1651


-----
Alexey Vasilyev



28 Mar 2019, в 16:45, Bogdan-Andrei Iancu <[hidden email]> написал(а):

Hi Alexey,

oh, if it is MS related, I don't wanna hear about it :P.....Just joking - please open a bug report on the tracker.

Regards,
Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
  https://www.opensips-solutions.com
OpenSIPS Summit 2019
  https://www.opensips.org/events/Summit-2019Amsterdam/
On 03/28/2019 03:16 PM, Alexey Vasilyev wrote:
Hi Bogdan,

Yes, of course this is real scenario. MS Teams integration. They authenticate everything by TLS certificates used by connection. It works fine for 1 integration. 
But if I send SIP with domain2 to the TLS connection encrypted with certificate for domain1, I just fail.
And actually everybody I checked reusing TLS sessions almost the same way as TCP. So OpenSIPS will be the first doing this correct way.
And I like comments from tls_mgm.c
/* what if we have multiple connections to the same remote socket? e.g. we can have
connection 1: localIP1:localPort1 <--> remoteIP:remotePort
connection 2: localIP2:localPort2 <--> remoteIP:remotePort
but I think the is very unrealistic */
So I got exactly this scenario.


чт, 28 мар. 2019 г. в 13:47, Bogdan-Andrei Iancu <[hidden email]>:
Hi Alexey,

It make sense (logically speaking) to get the TLS domain involved in the
TCP conn re-usage alg - but my question is: have you came across a real
scenario with such a need ?

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 2019
   https://www.opensips.org/events/Summit-2019Amsterdam/

On 03/26/2019 02:23 PM, vasilevalex wrote:
> Hi Bogdan,
>
> Thanks for fix!
>
> What do you think about reusing TLS connections? In master branch this
> behavior still the same. OpenSIPS reuses TLS connections the same way as
> regular TCP connections, but it should not. For reusing TCP connection we
> check, if connection with the same dst IP:PORT exists. But for TLS it is not
> enough. We additionally should check, what certificate uses this connection
> (or what domain it is related).
>
> And in documentation for tls_mgm module everywhere written: Note: If there
> is already an existing TLS connection to the remote target, it will be
> reused and setting this AVP has no effect.
>
> This is the same case - we have only 1 destination target, but we should use
> several TLS connections to this target with different TLS certificates. So
> first connection will be successful, but SIP message for second domain which
> should use another certificate will try to reuse this first connection, as
> target is the same. And this message will fail.
>
>
>
> -----
> ---
> Alexey Vasilyev
> --
> Sent from: http://opensips-open-sip-server.1449251.n2.nabble.com/OpenSIPS-Users-f1449235.html
>
> _______________________________________________
> Users mailing list
> [hidden email]
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users



--
Best regards
Alexey Vasilyev




_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users