Hello, are you using Let's Encrypt?
You can use a multi domain.
Multi domain names in one certificate
________________________________
From: sr-users <sr-users-bounces(a)lists.kamailio.org> on behalf of Володимир Іванець
<volodyaivanets(a)gmail.com>
Sent: Thursday, July 29, 2021 4:44:16 PM
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
Subject: [SR-Users] Integration with multiple MS Teams instances
Hello all!
I was able to connect Kamailio with MS Teams and am now trying to add one more Teams
instance. It looks like I have some misconfiguration or there is a bug.
My test server has 2 domain records pointing at it (kamailio.domain1.com and
kamailio.domain2.com). My tls.cfg configuration file looks like this. As you can see,
the Default section is configured with a kamailio.domain1.com certificate:
[server:default]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
[client:default]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
[server:172.16.30.206:5062]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
server_name = "kamailio.domain1.com"
server_id = "kamailio.domain1.com"
[client:172.16.30.206:5062]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
[server:172.16.30.206:5063]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain2.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain2.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain2.com/CA/cert.pem
server_name = "kamailio.domain2.com"
server_id = "kamailio.domain2.com"
[client:172.16.30.206:5063]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain2.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain2.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain2.com/CA/cert.pem
The dispatcher configuration table looks like this:
+----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+
| id | setid | destination                                 | flags | priority | attrs                                                            | description |
+----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+
| 1  | 1     | sip:sip.pstnhub.microsoft.com;transport=tls | 0     | 3        | socket=tls:172.16.30.206:5062;ping_from=sip:kamailio.domain1.com | MS Teams 1  |
| 2  | 2     | sip:sip.pstnhub.microsoft.com;transport=tls | 0     | 3        | socket=tls:172.16.30.206:5063;ping_from=sip:kamailio.domain2.com | MS Teams 2  |
+----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+
When Kamailio is started, only the connection with the first trunk is established:
# kamcmd tls.list
{
id: 1
timeout: 0
src_ip: 52.114.75.24
src_port: 5061
dst_ip: 172.16.30.206
dst_port: 0
cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ct_wq_size: 0
enc_rd_buf: 0
flags: 2
state: established
}
{
id: 2
timeout: 0
src_ip: 52.114.75.24
src_port: 7810
dst_ip: 172.16.30.206
dst_port: 5062
cipher: AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
ct_wq_size: 0
enc_rd_buf: 0
flags: 2
state: established
}
{
id: 3
timeout: 596
src_ip: 52.114.75.24
src_port: 7811
dst_ip: 172.16.30.206
dst_port: 5062
cipher: AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
ct_wq_size: 0
enc_rd_buf: 0
flags: 2
state: established
}
Here is what I can see in the Kamailio log file when it sends an OPTIONS request to the second
trunk. Kamailio uses the Default TLS configuration and MS Teams doesn't accept it:
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: ALERT: <script>: == TRACE. tm:local-request. fs is tls:172.16.30.206:5063
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tm [uac.c:352]: t_run_local_req(): apply new updates without Via to sip msg
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/msg_translator.c:1796]: check_boundaries(): no multi-part body
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:610]: parse_msg(): SIP Request:
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:612]: parse_msg(): method: <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:614]: parse_msg(): uri: <sip:sip.pstnhub.microsoft.com;transport=tls>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:616]: parse_msg(): version: <SIP/2.0>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:1303]: parse_via_param(): Found param type 232, <branch> = <z9hG4bK169b.6411b4c3000000000000000000000000.0>; state=16
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:2639]: parse_via(): end of header reached, state=5
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:498]: parse_headers(): Via found, flags=2
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:500]: parse_headers(): this is the first via
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_addr_spec.c:864]: parse_addr_spec(): end of header reached, state=10
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:171]: get_hdr_field(): <To> [47]; uri=[sip:sip.pstnhub.microsoft.com;transport=tls]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:174]: get_hdr_field(): to body (47)[<sip:sip.pstnhub.microsoft.com;transport=tls>^M
], to tag (0)[]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:152]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:185]: get_hdr_field(): content_length=0
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:89]: get_hdr_field(): found end of header
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:610]: parse_msg(): SIP Request:
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:612]: parse_msg(): method: <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:614]: parse_msg(): uri: <sip:sip.pstnhub.microsoft.com;transport=tls>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:616]: parse_msg(): version: <SIP/2.0>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:1303]: parse_via_param(): Found param type 232, <branch> = <z9hG4bK169b.6411b4c3000000000000000000000000.0>; state=16
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:2639]: parse_via(): end of header reached, state=5
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:498]: parse_headers(): Via found, flags=2
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:500]: parse_headers(): this is the first via
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_addr_spec.c:864]: parse_addr_spec(): end of header reached, state=10
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:171]: get_hdr_field(): <To> [47]; uri=[sip:sip.pstnhub.microsoft.com;transport=tls]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:174]: get_hdr_field(): to body (47)[<sip:sip.pstnhub.microsoft.com;transport=tls>^M
], to tag (0)[]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:152]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tm [uac.c:189]: uac_refresh_hdr_shortcuts(): cseq: [CSeq: 10]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1993]: tcp_send(): no open tcp connection found, opening new one
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 52.114.75.24
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1175]: tcpconn_new(): on port 5061, type 3, socket -1
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1498]: tcpconn_add(): hashes: 2831:67:0, 1
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:162]: tls_get_connect_server_name(): xavp with outbound server name not found
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:142]: tls_get_connect_server_id(): xavp with outbound server id not found
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSc<default> (dom 0x7f35509da688 ctx 0x7f3550b7a568 sn [])
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_domain.c:1177]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f3550b7a568: (nil)
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
...
If I change the Default configuration to use the kamailio.domain2.com certificate, the
second trunk will connect but the first one will fail.
I tried to set the "$xavp(tls=>server_name)" and "$xavp(tls[0]=>server_id)" variables
in the event_route[tm:local-request] section, but the log still stated that the server
name and ID were not found.
Can someone please point me in the right direction: how can I make Kamailio use the
correct certificates when establishing multiple TLS connections?
Thanks a lot!
Regards, Volodymyr Ivanets
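
Added example (not part of the original message or of Kamailio's code): a Python script that scans debug output in the format quoted above and reports every outbound TLS connection that fell back to the TLSc<default> client profile, along with the forced send socket and the xavp fields the tls module reported as missing. The sample lines are constructed from the log in the message; the function and field names are hypothetical.

```python
import re

# Constructed sample shaped like the quoted debug log; all names below are hypothetical.
PFX = "Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: "
SAMPLE_LOG = "\n".join(PFX + s for s in [
    "ALERT: <script>: == TRACE. tm:local-request. fs is tls:172.16.30.206:5063",
    "DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 52.114.75.24",
    "DEBUG: <core> [core/tcp_main.c:1175]: tcpconn_new(): on port 5061, type 3, socket -1",
    "DEBUG: tls [tls_server.c:162]: tls_get_connect_server_name(): xavp with outbound server name not found",
    "DEBUG: tls [tls_server.c:142]: tls_get_connect_server_id(): xavp with outbound server id not found",
    "DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSc<default> (dom 0x7f35509da688 ctx 0x7f3550b7a568 sn [])",
])

PID = re.compile(r"kamailio\[(\d+)\]: (.*)$")
RULES = [  # (field, pattern) pairs applied to the message part of each line
    ("send_socket", re.compile(r"fs is (tls:[\d.]+:\d+)")),
    ("peer_ip", re.compile(r"new tcp connection: ([\d.]+)")),
    ("peer_port", re.compile(r"tcpconn_new\(\): on port (\d+)")),
    ("missing", re.compile(r"xavp with outbound (server name|server id) not found")),
    ("domain", re.compile(r"Using initial TLS domain (TLS[cs]<[^>]*>) .* sn \[([^\]]*)\]")),
]

def find_default_fallbacks(log_text):
    """Return one record per outbound TLS connection that used TLSc<default>."""
    state, findings = {}, []
    for line in log_text.splitlines():
        m = PID.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        cur = state.setdefault(pid, {"missing": []})  # per-process connection state
        for field, rx in RULES:
            hit = rx.search(msg)
            if not hit:
                continue
            if field == "missing":
                cur["missing"].append(hit.group(1))
            elif field == "domain":
                cur["domain"], cur["sni"] = hit.group(1), hit.group(2)
                if cur["domain"] == "TLSc<default>":
                    findings.append(dict(cur, pid=pid))
                state[pid] = {"missing": []}  # profile chosen, start a new record
            else:
                cur[field] = hit.group(1)
    return findings

if __name__ == "__main__":
    for record in find_default_fallbacks(SAMPLE_LOG):
        print(record)
```

On the sample it reports one connection to 52.114.75.24:5061 that was forced out of socket tls:172.16.30.206:5063 yet negotiated with the default client profile and an empty SNI.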