$var(conid) = 10;
tcp_set_otcpid("$var(conid)");
Aug 9 17:08:31 kamailio-dev-2 /usr/sbin/kamailio[3858]: DEBUG: <core> [core/tcp_main.c:1610]: _tcpconn_find(): found connection by peer address (id: 2)
Or maybe some special "id" to tell Kamailio to skip the verification and just create a new connection? Then I could use the real "id" for further outbound traffic.
Thank you!
Regards, Volodymyr Ivanets.
Fri, 6 Aug 2021 at 15:45, Володимир Іванець <volodyaivanets@gmail.com> wrote:
Hello Daniel!
Thank you for the suggestion. Unfortunately adding the "tcp_connection_match=1" did not make a difference. Kamailio found another connection to the same peer and used it instead:
<core> [core/tcp_main.c:1610]: _tcpconn_find(): found connection by peer address (id: 2)
Also, it looks like the answer is in this comment: https://github.com/kamailio/kamailio/blob/master/src/core/tcp_main.c#L1563. And below are active tls connections for the previous trunk. Is there a way to add an additional field like a "tag" that could be used in peer matching as well? Otherwise, I guess the only option I have is to run separate instances of Kamailio with a very basic configuration for each MS Teams connection.
Thank you!
# kamcmd tls.list
{
id: 2
timeout: 0
src_ip: 52.114.75.24
src_port: 5061
dst_ip: 172.16.30.206
dst_port: 0
cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ct_wq_size: 0
enc_rd_buf: 0
flags: 2
state: established
}
{
id: 3
timeout: 0
src_ip: 52.114.75.24
src_port: 6272
dst_ip: 172.16.30.206
dst_port: 5063
cipher: AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
ct_wq_size: 0
enc_rd_buf: 0
flags: 2
state: established
}
{
id: 4
timeout: 581
src_ip: 52.114.75.24
src_port: 6273
dst_ip: 172.16.30.206
dst_port: 5063
cipher: AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
ct_wq_size: 0
enc_rd_buf: 0
flags: 2
state: established
}
Regards, Volodymyr Ivanets.
Wed, 4 Aug 2021 at 13:45, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
Hello,
can you set https://www.kamailio.org/wiki/cookbooks/5.5.x/core#tcp_connection_match ?
It may work only for connections accepted by Kamailio, but worth a try.
Cheers,
Daniel
On 03.08.21 14:48, Володимир Іванець wrote:
Hello Daniel,
Yes, I have "socket=tls:172.16.30.206:5062" and "socket=tls:172.16.30.206:5063" attributes for corresponding records in the Dispatcher configuration table. $fs prints out correct values in the "event_route[tm:local-request]".
But I thought that TCP/TLS connections are established from a random port to a destination port on the peer side. And then the remote peer connects from its random port to our port 5062/5063.
If I understood the Kamailio log correctly, when it is about to establish a second connection to the same peer it sees an active connection for the previous trunk and uses it instead of creating a new one.
Thank you!
Regards, Volodymyr Ivanets.
Mon, 2 Aug 2021 at 22:21, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
Hello,
do you force local send socket?
Cheers,
Daniel
On 02.08.21 18:21, Володимир Іванець wrote:
Hello Daniel!
I updated Kamailio to the latest released version. The problem is that still with tls_set_connect_server_id() I can not make a single instance of Kamailio connect to multiple MS Teams domains. I use a single IP address with different ports for different trunks. I can see it establishing a connection to one trunk and using it for other domains.
Is there a way to force Kamailio to make a new TLS connection to the same peer address that it is already connected to?
Thank you!
Regards, Volodymyr Ivanets.
Mon, 2 Aug 2021 at 13:44, Daniel-Constantin Mierla <miconda@gmail.com> wrote:
Hello,
upgrading is the recommended way, indeed, if you want to use tls_set_connect_server_id(). For an older version you may want to try looping back to kamailio (can be over udp) and then use the xavps. Adds some overhead and hops, but if you are stuck to a version and can't really upgrade soon, might be an option to look at.
Cheers,
Daniel
On 29.07.21 18:48, Володимир Іванець wrote:
Hello Rob!
Yes, I'm using Letsencrypt while I'm testing. But I would like to be able to use different certificates with different sockets.
I found this discussion https://github.com/kamailio/kamailio/issues/2413. Looks like I need to use "tls_set_connect_server_id()" instead of setting "$xavp(tls=>server_name)" and "$xavp(tls[0]=>server_id)". Unfortunately I'm currently using Kamailio v5.4 on my test system and this function is not available. I will update Kamailio and give it another try. Then I will update everyone in the hope it will be useful for someone :)
Thank you!
Regards, Volodymyr Ivanets
Thu, 29 Jul 2021 at 19:07, Rob van den Bulk <rob.van.den.bulk@gmail.com> wrote:
Hello, are u using letsencrypt?
U can use a multi domain.
Multi domain names in one certificate
From: sr-users <sr-users-bounces@lists.kamailio.org> on behalf of Володимир Іванець <volodyaivanets@gmail.com>
Sent: Thursday, July 29, 2021 4:44:16 PM
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Subject: [SR-Users] Integration with multiple MS Teams instances
Hello all!
I was able to connect Kamailio with MS Teams and now trying to add one more Teams instance. It looks like I have some misconfiguration or there is a bug.
My test server has 2 domain records pointing at it (kamailio.domain1.com and kamailio.domain2.com). My tls.cfg configuration file looks like this. As you can see the Default section is configured with a kamailio.domain1.com certificate:
[server:default]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
[client:default]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
[server:172.16.30.206:5062]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
server_name = "kamailio.domain1.com"
server_id = "kamailio.domain1.com"
[client:172.16.30.206:5062]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
[server:172.16.30.206:5063]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain2.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain2.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain2.com/CA/cert.pem
server_name = "kamailio.domain2.com"
server_id = "kamailio.domain2.com"
[client:172.16.30.206:5063]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain2.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain2.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain2.com/CA/cert.pem
The dispatcher configuration table looks like this:
+----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+
| id | setid | destination                                 | flags | priority | attrs                                                            | description |
+----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+
| 1  | 1     | sip:sip.pstnhub.microsoft.com;transport=tls | 0     | 3        | socket=tls:172.16.30.206:5062;ping_from=sip:kamailio.domain1.com | MS Teams 1  |
| 2  | 2     | sip:sip.pstnhub.microsoft.com;transport=tls | 0     | 3        | socket=tls:172.16.30.206:5063;ping_from=sip:kamailio.domain2.com | MS Teams 2  |
+----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+
When Kamailio is started only connection with the first trunk is established:
# kamcmd tls.list
{
id: 1
timeout: 0
src_ip: 52.114.75.24
src_port: 5061
dst_ip: 172.16.30.206
dst_port: 0
cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ct_wq_size: 0
enc_rd_buf: 0
flags: 2
state: established
}
{
id: 2
timeout: 0
src_ip: 52.114.75.24
src_port: 7810
dst_ip: 172.16.30.206
dst_port: 5062
cipher: AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
ct_wq_size: 0
enc_rd_buf: 0
flags: 2
state: established
}
{
id: 3
timeout: 596
src_ip: 52.114.75.24
src_port: 7811
dst_ip: 172.16.30.206
dst_port: 5062
cipher: AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
ct_wq_size: 0
enc_rd_buf: 0
flags: 2
state: established
}
Here is what I can see in Kamailio log file when it sends an OPTIONS request to the second trunk. Kamailio uses Default tls configuration and MS Teams don't accept it:
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: ALERT: <script>: == TRACE. tm:local-request. fs is tls:172.16.30.206:5063
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tm [uac.c:352]: t_run_local_req(): apply new updates without Via to sip msg
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/msg_translator.c:1796]: check_boundaries(): no multi-part body
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:610]: parse_msg(): SIP Request:
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:612]: parse_msg(): method: <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:614]: parse_msg(): uri: <sip:sip.pstnhub.microsoft.com;transport=tls>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:616]: parse_msg(): version: <SIP/2.0>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:1303]: parse_via_param(): Found param type 232, <branch> = <z9hG4bK169b.6411b4c3000000000000000000000000.0>; state=16
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:2639]: parse_via(): end of header reached, state=5
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:498]: parse_headers(): Via found, flags=2
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:500]: parse_headers(): this is the first via
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_addr_spec.c:864]: parse_addr_spec(): end of header reached, state=10
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:171]: get_hdr_field(): <To> [47]; uri=[sip:sip.pstnhub.microsoft.com;transport=tls]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:174]: get_hdr_field(): to body (47)[<sip:sip.pstnhub.microsoft.com;transport=tls>^M], to tag (0)[]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:152]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:185]: get_hdr_field(): content_length=0
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:89]: get_hdr_field(): found end of header
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:610]: parse_msg(): SIP Request:
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:612]: parse_msg(): method: <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:614]: parse_msg(): uri: <sip:sip.pstnhub.microsoft.com;transport=tls>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:616]: parse_msg(): version: <SIP/2.0>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:1303]: parse_via_param(): Found param type 232, <branch> = <z9hG4bK169b.6411b4c3000000000000000000000000.0>; state=16
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:2639]: parse_via(): end of header reached, state=5
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:498]: parse_headers(): Via found, flags=2
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:500]: parse_headers(): this is the first via
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_addr_spec.c:864]: parse_addr_spec(): end of header reached, state=10
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:171]: get_hdr_field(): <To> [47]; uri=[sip:sip.pstnhub.microsoft.com;transport=tls]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:174]: get_hdr_field(): to body (47)[<sip:sip.pstnhub.microsoft.com;transport=tls>^M], to tag (0)[]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:152]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tm [uac.c:189]: uac_refresh_hdr_shortcuts(): cseq: [CSeq: 10]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1993]: tcp_send(): no open tcp connection found, opening new one
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 52.114.75.24
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1175]: tcpconn_new(): on port 5061, type 3, socket -1
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1498]: tcpconn_add(): hashes: 2831:67:0, 1
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:162]: tls_get_connect_server_name(): xavp with outbound server name not found
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:142]: tls_get_connect_server_id(): xavp with outbound server id not found
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSc<default> (dom 0x7f35509da688 ctx 0x7f3550b7a568 sn [])
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_domain.c:1177]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f3550b7a568: (nil)
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started...
If I change the Default configuration to use kamailio.domain2.com certificate, the second trunk will connect but the first one will fail.
I tried to set "$xavp(tls=>server_name)" and "$xavp(tls[0]=>server_id)" variables to the event_route[tm:local-request] section but log still stated that server Name and ID were not found.
Can someone please point me in the right direction, how can I make Kamailio use the correct certificates when establishing multiple TLS connections?
Thanks a lot!
Regards, Volodymyr Ivanets
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
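An added example, not part of the thread and not Kamailio code: a small Python check over a tls.cfg of the shape quoted in the original message. It flags profiles whose method allows protocol versions below TLSv1.2, client profiles that do not verify the peer certificate, and non-default client profiles without a server_id. Assumptions: tls_set_connect_server_id() selects a client profile by its server_id attribute, the TLSv1.2 floor is this example's own threshold, SAMPLE is constructed, and parse_profiles and audit are hypothetical names.

```python
import re

# Constructed sample in the shape of the tls.cfg quoted in the thread.
SAMPLE = """\
[server:172.16.30.206:5062]
method = TLSv1.0+
verify_certificate = no
server_id = "kamailio.domain1.com"
[client:172.16.30.206:5062]
method = TLSv1.0+
verify_certificate = no
[client:172.16.30.206:5063]
method = TLSv1.2+
verify_certificate = yes
server_id = "teams2"
"""
SECTION = re.compile(r"^\[(server|client):(.+)\]$")
TRUE = {"yes", "on", "true", "1"}

def parse_profiles(text):
    """Map 'kind:address' -> {option: value} for every profile section."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = SECTION.match(line)
        if match:
            current = profiles.setdefault(f"{match[1]}:{match[2]}", {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return profiles

def audit(profiles):
    """Sorted (profile, finding) pairs. Assumptions: a missing method is not
    flagged, and a missing verify_certificate counts as verification off."""
    findings = []
    for name, opts in profiles.items():
        version = re.match(r"TLSv(\d+(?:\.\d+)?)", opts.get("method", "TLSv1.2"))
        if version is None or float(version[1]) < 1.2:
            findings.append((name, "allows protocol below TLSv1.2"))
        if name.startswith("client:"):
            if opts.get("verify_certificate", "no").lower() not in TRUE:
                findings.append((name, "peer certificate not verified"))
            if "server_id" not in opts and name != "client:default":
                findings.append((name, "no server_id to select this profile"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(parse_profiles(SAMPLE)), sep="\n")
```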