Hello all!

Does anyone know if function tcp_set_otcpid() can be used in "event_route[tm:local-request]"? I added this to the configuration:
$var(conid) = 10;
tcp_set_otcpid("$var(conid)");
... and was expecting that Kamailio will not find a match (there is no connection id #10 at this point), go here https://github.com/kamailio/kamailio/blob/master/src/core/tcp_main.c#L1615 and then initiate a new connection https://github.com/kamailio/kamailio/blob/master/src/core/tcp_main.c#L1993. But it went to https://github.com/kamailio/kamailio/blob/master/src/core/tcp_main.c#L1594 and could find a match:
Aug  9 17:08:31 kamailio-dev-2 /usr/sbin/kamailio[3858]: DEBUG: <core> [core/tcp_main.c:1610]: _tcpconn_find(): found connection by peer address (id: 2)

Thanks a lot!

Regards, Volodymyr Ivanets.

пт, 6 серп. 2021 о 15:53 Володимир Іванець <volodyaivanets@gmail.com> пише:
Or maybe some special "id" to tell Kamailio to skip the verification and just create a new connection? Then I could use the real "id" for further outbound traffic.

Thank you!

Regards, Volodymyr Ivanets.

пт, 6 серп. 2021 о 15:45 Володимир Іванець <volodyaivanets@gmail.com> пише:
Hello Daniel!

Thank you for the suggestion. Unfortunately adding the "tcp_connection_match=1" did not made a difference. Kamailio found other connection to the same peer and used it instead:
<core> [core/tcp_main.c:1610]: _tcpconn_find(): found connection by peer address (id: 2)

Also, it looks like the answer is in this comment: https://github.com/kamailio/kamailio/blob/master/src/core/tcp_main.c#L1563. And below are active tls connections for the previous trunk. Is there a way to add an additional field like a "tag" that could be used in peer matching as well? Otherwise, I guess the only option I have is to run separate instances of Kamailio with a very basic configuration for each MS Teams connection.

# kamcmd tls.list
{
        id: 2
        timeout: 0
        src_ip: 52.114.75.24
        src_port: 5061
        dst_ip: 172.16.30.206
        dst_port: 0
        cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
        ct_wq_size: 0
        enc_rd_buf: 0
        flags: 2
        state: established
}
{
        id: 3
        timeout: 0
        src_ip: 52.114.75.24
        src_port: 6272
        dst_ip: 172.16.30.206
        dst_port: 5063
        cipher: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
        ct_wq_size: 0
        enc_rd_buf: 0
        flags: 2
        state: established
}
{
        id: 4
        timeout: 581
        src_ip: 52.114.75.24
        src_port: 6273
        dst_ip: 172.16.30.206
        dst_port: 5063
        cipher: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
        ct_wq_size: 0
        enc_rd_buf: 0
        flags: 2
        state: established

Thank you!

Regards, Volodymyr Ivanets.

ср, 4 серп. 2021 о 13:45 Daniel-Constantin Mierla <miconda@gmail.com> пише:

Hello,

can you set https://www.kamailio.org/wiki/cookbooks/5.5.x/core#tcp_connection_match ?

It may work only for connections accepted by Kamailio, but worth a try.

Cheers,
Daniel

On 03.08.21 14:48, Володимир Іванець wrote:
Hello Daniel,

Yes, I have "socket=tls:172.16.30.206:5062" and "socket=tls:172.16.30.206:5063" attributes for corresponding records in the Dispatcher configuration table. $fs prints out correct values in the "event_route[tm:local-request]".

But I thought that TCP/TLS connections are established from a random port to a destination port on the peer side. And then the remote peer connects from its random port to our port 5062/5063.

If understood Kamailio log correctly when it is about to establish a second connection to the same peer it sees an active connection for the previous trunk and uses it instead of creating a new one.

Thank you!

Regards, Volodymyr Ivanets.

пн, 2 серп. 2021 о 22:21 Daniel-Constantin Mierla <miconda@gmail.com> пише:

Hello,

do you force local send socket?

Cheers,
Daniel

On 02.08.21 18:21, Володимир Іванець wrote:
Hello Daniel!

I updated Kamailio to the latest released version. The problem is that still with tls_set_connect_server_id() I can not make a single instance of Kamailio connect to multiple MS Teams domains. I use a single IP address with different ports for different trunks. I can see it establishing a connection to one trunk and using it for other domains.

Is there a way to force Kamailio to make a new TLS connection to the same peer address that it is already connected to?

Thank you!

Regards, Volodymyr Ivanets.

пн, 2 серп. 2021 о 13:44 Daniel-Constantin Mierla <miconda@gmail.com> пише:

Hello,

upgrading is the recommended way, indeed, if you want to use tls_set_connect_server_id(). For older version you may want to try looping back to kamailio (can be over udp) and the use the xavps. Adds some overhead and hops, but if you are stuck to a version and can't really upgrade soon, might be an option to look at.

Cheers,
Daniel

On 29.07.21 18:48, Володимир Іванець wrote:
Hello Rob!

Yes, I'm using Letsencrypt while I'm testing. But I would like to be able to use different certificates with different sockets.

I found this discussion https://github.com/kamailio/kamailio/issues/2413. Looks like I need to use "tls_set_connect_server_id()" instead of setting $xavp(tls=>server_name)" and "$xavp(tls[0]=>server_id)". Unfortunately I'm currently using Kamailio v5.4 on my test system and this function is not available. I will update Kamailio and give it another try. Then I will update everyone in the hope it will be useful for someone :)

Thank you!

Regards, Volodymyr Ivanets

чт, 29 лип. 2021 о 19:07 Rob van den Bulk <rob.van.den.bulk@gmail.com> пише:
Hello, are u using letsencrypt?

U can use a multi domain.

Muti domain names in one certificate 

From: sr-users <sr-users-bounces@lists.kamailio.org> on behalf of Володимир Іванець <volodyaivanets@gmail.com>
Sent: Thursday, July 29, 2021 4:44:16 PM
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Subject: [SR-Users] Integration with multiple MS Teams instances
 
Hello all!

I was able to connect Kamailio with MS Teams and now trying to add one more Teams instance. It looks like I have some misconfiguration or there is a bug.

My test server has 2 domain records pointing at it (kamailio.domain1.com and kamailio.domain2.com). My tls.cfg configuration file looks like this. As you can see the Default section is configured with a kamailio.domain1.com sertificate:
[server:default]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem

[client:default]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem


method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
server_name = "kamailio.domain1.com"
server_id = ""kamailio.domain1.com"

method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem


method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain2.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain2.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain2.com/CA/cert.pem
server_name = "kamailio.domain2.com"
server_id = ""kamailio.domain2.com"

method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain2.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain2.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain2.com/CA/cert.pem

The dispatcher configuration table looks like this:
+----+-------+----------------------------------------------+-------+----------+--------------------------------------------------------------------+-------------+
| id | setid | destination                                  | flags | priority | attrs                                                              | description |
+----+-------+----------------------------------------------+-------+----------+--------------------------------------------------------------------+-------------+
|  1 |     1 | sip:sip.pstnhub.microsoft.com;transport=tls  |     0 |        3 | socket=tls:172.16.30.206:5062;ping_from=sip:kamailio.domain1.com   | MS Teams 1  |
|  2 |     2 | sip:sip.pstnhub.microsoft.com;transport=tls  |     0 |        3 | socket=tls:172.16.30.206:5063;ping_from=sip:kamailio.domain2.com   | MS Teams 2  |
+----+-------+----------------------------------------------+-------+----------+--------------------------------------------------------------------+-------------+


When Kamailio is started only connection with the first trunk is established:
# kamcmd tls.list
{
        id: 1
        timeout: 0
        src_ip: 52.114.75.24
        src_port: 5061
        dst_ip: 172.16.30.206
        dst_port: 0
        cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
        ct_wq_size: 0
        enc_rd_buf: 0
        flags: 2
        state: established
}
{
        id: 2
        timeout: 0
        src_ip: 52.114.75.24
        src_port: 7810
        dst_ip: 172.16.30.206
        dst_port: 5062
        cipher: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
        ct_wq_size: 0
        enc_rd_buf: 0
        flags: 2
        state: established
}
{
        id: 3
        timeout: 596
        src_ip: 52.114.75.24
        src_port: 7811
        dst_ip: 172.16.30.206
        dst_port: 5062
        cipher: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
        ct_wq_size: 0
        enc_rd_buf: 0
        flags: 2
        state: established
}

Here is what I can see in Kamailio log file when it sends an OPTIONS request to the second trunk. Kamailio uses Default tls configuration and MS Teams don't accept it:
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: ALERT: <script>: == TRACE. tm:local-request. fs is tls:172.16.30.206:5063
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tm [uac.c:352]: t_run_local_req(): apply new updates without Via to sip msg
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/msg_translator.c:1796]: check_boundaries(): no multi-part body
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:610]: parse_msg(): SIP Request:
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:612]: parse_msg():  method:  <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:614]: parse_msg():  uri:     <sip:sip.pstnhub.microsoft.com;transport=tls>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:616]: parse_msg():  version: <SIP/2.0>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:1303]: parse_via_param(): Found param type 232, <branch> = <z9hG4bK169b.6411b4c3000000000000000000000000.0>; state=16
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:2639]: parse_via(): end of header reached, state=5
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:498]: parse_headers(): Via found, flags=2
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:500]: parse_headers(): this is the first via
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_addr_spec.c:864]: parse_addr_spec(): end of header reached, state=10
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:171]: get_hdr_field(): <To> [47]; uri=[sip:sip.pstnhub.microsoft.com;transport=tls]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:174]: get_hdr_field(): to body (47)[<sip:sip.pstnhub.microsoft.com;transport=tls>^M
], to tag (0)[]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:152]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:185]: get_hdr_field(): content_length=0
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:89]: get_hdr_field(): found end of header
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:610]: parse_msg(): SIP Request:
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:612]: parse_msg():  method:  <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:614]: parse_msg():  uri:     <sip:sip.pstnhub.microsoft.com;transport=tls>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:616]: parse_msg():  version: <SIP/2.0>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:1303]: parse_via_param(): Found param type 232, <branch> = <z9hG4bK169b.6411b4c3000000000000000000000000.0>; state=16
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:2639]: parse_via(): end of header reached, state=5
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:498]: parse_headers(): Via found, flags=2
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:500]: parse_headers(): this is the first via
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_addr_spec.c:864]: parse_addr_spec(): end of header reached, state=10
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:171]: get_hdr_field(): <To> [47]; uri=[sip:sip.pstnhub.microsoft.com;transport=tls]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:174]: get_hdr_field(): to body (47)[<sip:sip.pstnhub.microsoft.com;transport=tls>^M
], to tag (0)[]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:152]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tm [uac.c:189]: uac_refresh_hdr_shortcuts(): cseq: [CSeq: 10]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1993]: tcp_send(): no open tcp connection found, opening new one
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 52.114.75.24
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1175]: tcpconn_new(): on port 5061, type 3, socket -1
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1498]: tcpconn_add(): hashes: 2831:67:0, 1
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:162]: tls_get_connect_server_name(): xavp with outbound server name not found
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:142]: tls_get_connect_server_id(): xavp with outbound server id not found
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSc<default> (dom 0x7f35509da688 ctx 0x7f3550b7a568 sn [])
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_domain.c:1177]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f3550b7a568: (nil)
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
...

If I change the Default configuration to use kamailio.domain2.com certificate, the second trunk will connect but the first one will fail.
I tried to set "$xavp(tls=>server_name)" and "$xavp(tls[0]=>server_id)" variables to the event_route[tm:local-request] section but log still stated that server Name and ID were not found.

Can someone please point me in the right direction, how can I make Kamailio use the correct certificates when establishing multiple TLS connections?

Thanks a lot!

Regards, Volodymyr Ivanets
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
  * sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
  * sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda