18 Jun
2020
18 Jun
'20
2:10 a.m.
Hey All,
I'm attempting to use dispatcher to send probe messages using TLS for two
different domains. I'm providing the socket attribute, which maps to a
certificate in /etc/kamailio/tls.cfg. But, it seems to always select the
default client cert, which is not the certificate I want to use.
My attrs column in dispatcher looks like this:
socket=tls:142.93.159.231:5061;ping_from=sip:mack.dopensource.com
socket=tls:142.93.159.231:5062;ping_from=sip:levin.dopensource.com
Is there some way to force dispatcher to do TLS cert matching based on the
host:ip?
Thanks
-Mack
18 Jun
18 Jun
3:07 a.m.
Hi Mack,
You wouldn't have the burden of handling multiple domains whatsoever if you
followed Microsoft's recommendations on how to configure SBC Teams for
multiple tenants. Dispatcher would be used only for carrier's base domain.
On Wed, Jun 17, 2020, 7:11 PM Mack Hendricks, <mack(a)dopensource.com> wrote:
Hey All,
I'm attempting to use dispatcher to send probe messages using TLS for two
different domains. I'm providing the socket attribute, which maps to a
certificate in /etc/kamailio/tls.cfg. But, it seems to always select the
default client cert, which is not the certificate I want to use.
My attrs column in dispatcher looks like this:
socket=tls:142.93.159.231:5061;ping_from=sip:mack.dopensource.com
socket=tls:142.93.159.231:5062;ping_from=sip:levin.dopensource.com
Is there some way to force dispatcher to do TLS cert matching based on the
host:ip?
Thanks
-Mack
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
3:48 a.m.
Yeah...I’m aware. I was just checking if dispatcher could match on the ip:port just in
case I wanted to support other use cases with my Kamailio instance. I read thru the
source and it looks like the uac module is being used to initiate the OPTIONS message.
Sent from my iPhone
On Jun 17, 2020, at 8:09 PM, Sergiu Pojoga
<pojogas(a)gmail.com> wrote:
Hi Mack,
You wouldn't have the burden of handling multiple domains whatsoever if you followed
Microsoft's recommendations on how to configure SBC Teams for multiple tenants.
Dispatcher would be used only for carrier's base domain.
On Wed, Jun 17, 2020, 7:11 PM Mack Hendricks,
<mack(a)dopensource.com> wrote:
Hey All,
I'm attempting to use dispatcher to send probe messages using TLS for two different
domains. I'm providing the socket attribute, which maps to a certificate in
/etc/kamailio/tls.cfg. But, it seems to always select the default client cert, which is
not the certificate I want to use.
My attrs column in dispatcher looks like this:
socket=tls:142.93.159.231:5061;ping_from=sip:mack.dopensource.com
socket=tls:142.93.159.231:5062;ping_from=sip:levin.dopensource.com
Is there some way to force dispatcher to do TLS cert matching based on the host:ip?
Thanks
-Mack
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users 
9:42 a.m.
Hello,
see:
https://www.kamailio.org/docs/modules/stable/modules/tls.html#tls.p.xavp_cfg
And the OPTIONS keepalive can be handled in event_route[tm:local-request].
Cheers,
Daniel
On 18.06.20 02:48, Mack Hendricks wrote:
Yeah...I’m aware. I was just checking if dispatcher
could match on
the ip:port just in case I wanted to support other use cases with my
Kamailio instance. I read thru the source and it looks like the uac
module is being used to initiate the OPTIONS message.
Sent from my iPhone
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla
On Jun 17, 2020, at 8:09 PM, Sergiu Pojoga
<pojogas(a)gmail.com> wrote:
Hi Mack,
You wouldn't have the burden of handling multiple domains whatsoever
if you followed Microsoft's recommendations on how to configure SBC
Teams for multiple tenants. Dispatcher would be used only for
carrier's base domain.
On Wed, Jun 17, 2020, 7:11 PM Mack Hendricks, <mack(a)dopensource.com
<mailto:mack@dopensource.com>> wrote:
Hey All,
I'm attempting to use dispatcher to send probe messages using TLS
for two different domains. I'm providing the socket attribute,
which maps to a certificate in /etc/kamailio/tls.cfg. But, it
seems to always select the default client cert, which is not the
certificate I want to use.
My attrs column in dispatcher looks like this:
socket=tls:142.93.159.231:5061;ping_from=sip:mack.dopensource.com
<http://mack.dopensource.com>
socket=tls:142.93.159.231:5062;ping_from=sip:levin.dopensource.com
<http://levin.dopensource.com>
Is there some way to force dispatcher to do TLS cert matching
based on the host:ip?
Thanks
-Mack
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
3:11 p.m.
Thanks Daniel and Sergiu!
The other think I notice is that kamcmd tls.reload causes the following error:
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_domain.c:572]:
load_ca_list(): TLSc<default>: Unable to load CA list
'/etc/dsiprouter/certs/cacert.pem'
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret():
load_ca_list:error:0D0AB041:asn1 encoding routines:x509_name_ex_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret():
load_ca_list:error:0D079041:asn1 encoding routines:asn1_item_embed_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret():
load_ca_list:error:0D079041:asn1 encoding routines:asn1_item_embed_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret():
load_ca_list:error:0D079041:asn1 encoding routines:asn1_item_embed_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret():
load_ca_list:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret():
load_ca_list:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret():
load_ca_list:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib
If I restart Kamailio it works fine. Let me know if you have any thoughts on this.
On Jun 18, 2020, at 2:42 AM, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
Hello,
see:
https://www.kamailio.org/docs/modules/stable/modules/tls.html#tls.p.xavp_cfg
<https://www.kamailio.org/docs/modules/stable/modules/tls.html#tls.p.xavp_cfg>
And the OPTIONS keepalive can be handled in event_route[tm:local-request].
Cheers,
Daniel
On 18.06.20 02:48, Mack Hendricks wrote:
Yeah...I’m aware. I was just checking if
dispatcher could match on the ip:port just in case I wanted to support other use cases
with my Kamailio instance. I read thru the source and it looks like the uac module is
being used to initiate the OPTIONS message.
Sent from my iPhone
--
Daniel-Constantin Mierla -- www.asipto.com <http://www.asipto.com/>
www.twitter.com/miconda <http://www.twitter.com/miconda> --
www.linkedin.com/in/miconda <http://www.linkedin.com/in/miconda>
Funding: https://www.paypal.me/dcmierla <https://www.paypal.me/dcmierla> On Jun 17, 2020, at 8:09 PM, Sergiu Pojoga
<pojogas(a)gmail.com> <mailto:pojogas@gmail.com> wrote:
Hi Mack,
You wouldn't have the burden of handling multiple domains whatsoever if you followed
Microsoft's recommendations on how to configure SBC Teams for multiple tenants.
Dispatcher would be used only for carrier's base domain.
On Wed, Jun 17, 2020, 7:11 PM Mack Hendricks, <mack(a)dopensource.com
<mailto:mack@dopensource.com>> wrote:
Hey All,
I'm attempting to use dispatcher to send probe messages using TLS for two different
domains. I'm providing the socket attribute, which maps to a certificate in
/etc/kamailio/tls.cfg. But, it seems to always select the default client cert, which is
not the certificate I want to use.
My attrs column in dispatcher looks like this:
socket=tls:142.93.159.231:5061;ping_from=sip:mack.dopensource.com
<http://mack.dopensource.com/>
socket=tls:142.93.159.231:5062;ping_from=sip:levin.dopensource.com
<http://levin.dopensource.com/>
Is there some way to force dispatcher to do TLS cert matching based on the host:ip?
Thanks
-Mack
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
<https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
<https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
<https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users> 
4:12 p.m.
check permissions on that file and the directories in path, if all are
accessible by your user running Kamailio.
On Thu, Jun 18, 2020 at 2:12 PM Mack Hendricks <mack(a)dopensource.com> wrote:
Thanks Daniel and Sergiu!
The other think I notice is that kamcmd tls.reload causes the following
error:
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls
[tls_domain.c:572]: load_ca_list(): TLSc<default>: Unable to load CA list
'/etc/dsiprouter/certs/cacert.pem'
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls
[tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D0AB041:asn1 encoding
routines:x509_name_ex_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls
[tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D079041:asn1 encoding
routines:asn1_item_embed_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls
[tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D079041:asn1 encoding
routines:asn1_item_embed_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls
[tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D079041:asn1 encoding
routines:asn1_item_embed_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls
[tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D07803A:asn1 encoding
routines:asn1_item_embed_d2i:nested asn1 error
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls
[tls_util.h:42]: tls_err_ret(): load_ca_list:error:0907400D:PEM
routines:PEM_X509_INFO_read_bio:ASN1 lib
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls
[tls_util.h:42]: tls_err_ret(): load_ca_list:error:0B084009:x509
certificate routines:X509_load_cert_crl_file:PEM lib
If I restart Kamailio it works fine. Let me know if you have any
thoughts on this.
On Jun 18, 2020, at 2:42 AM, Daniel-Constantin Mierla <miconda(a)gmail.com>
wrote:
Hello,
see:
https://www.kamailio.org/docs/modules/stable/modules/tls.html#tls.p.xavp_cfg
And the OPTIONS keepalive can be handled in event_route[tm:local-request].
Cheers,
Daniel
On 18.06.20 02:48, Mack Hendricks wrote:
Yeah...I’m aware. I was just checking if dispatcher could match on the
ip:port just in case I wanted to support other use cases with my Kamailio
instance. I read thru the source and it looks like the uac module is
being used to initiate the OPTIONS message.
Sent from my iPhone
On Jun 17, 2020, at 8:09 PM, Sergiu Pojoga <pojogas(a)gmail.com>
<pojogas(a)gmail.com> wrote:
Hi Mack,
You wouldn't have the burden of handling multiple domains whatsoever if
you followed Microsoft's recommendations on how to configure SBC Teams for
multiple tenants. Dispatcher would be used only for carrier's base domain.
On Wed, Jun 17, 2020, 7:11 PM Mack Hendricks, <mack(a)dopensource.com>
wrote:
Hey All,
I'm attempting to use dispatcher to send probe messages using TLS for two
different domains. I'm providing the socket attribute, which maps to a
certificate in /etc/kamailio/tls.cfg. But, it seems to always select the
default client cert, which is not the certificate I want to use.
My attrs column in dispatcher looks like this:
socket=tls:142.93.159.231:5061;ping_from=sip:mack.dopensource.com
socket=tls:142.93.159.231:5062;ping_from=sip:levin.dopensource.com
Is there some way to force dispatcher to do TLS cert matching based on
the host:ip?
Thanks
-Mack
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing
Listsr-users@lists.kamailio.orghttps://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -- www.asipto.comwww.twitter.com/miconda --
www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
1621
days inactive
1622
days old
5 comments
5 participants
participants (5)
-
Bastian Triller -
Daniel-Constantin Mierla -
Mack Hendricks -
Mack Hendricks -
Sergiu Pojoga