Hey All,
I'm attempting to use dispatcher to send probe messages using TLS for two different domains. I'm providing the socket attribute, which maps to a certificate in /etc/kamailio/tls.cfg. But, it seems to always select the default client cert, which is not the certificate I want to use.
My attrs column in dispatcher looks like this:
socket=tls:142.93.159.231:5061;ping_from=sip:mack.dopensource.com
socket=tls:142.93.159.231:5062;ping_from=sip:levin.dopensource.com
Is there some way to force dispatcher to do TLS cert matching based on the host:ip?
Thanks
-Mack
Hi Mack,
You wouldn't have the burden of handling multiple domains whatsoever if you followed Microsoft's recommendations on how to configure SBC Teams for multiple tenants. Dispatcher would be used only for carrier's base domain.
On Wed, Jun 17, 2020, 7:11 PM Mack Hendricks, mack@dopensource.com wrote:
Hey All,
I'm attempting to use dispatcher to send probe messages using TLS for two different domains. I'm providing the socket attribute, which maps to a certificate in /etc/kamailio/tls.cfg. But, it seems to always select the default client cert, which is not the certificate I want to use.
My attrs column in dispatcher looks like this:
socket=tls:142.93.159.231:5061;ping_from=sip:mack.dopensource.com
socket=tls:142.93.159.231:5062;ping_from=sip:levin.dopensource.com
Is there some way to force dispatcher to do TLS cert matching based on the host:ip?
Thanks
-Mack
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Yeah...I’m aware. I was just checking if dispatcher could match on the ip:port just in case I wanted to support other use cases with my Kamailio instance. I read thru the source and it looks like the uac module is being used to initiate the OPTIONS message.
On Jun 17, 2020, at 8:09 PM, Sergiu Pojoga pojogas@gmail.com wrote:
Hi Mack,
You wouldn't have the burden of handling multiple domains whatsoever if you followed Microsoft's recommendations on how to configure SBC Teams for multiple tenants. Dispatcher would be used only for carrier's base domain.
Hello,
see:
https://www.kamailio.org/docs/modules/stable/modules/tls.html#tls.p.xavp_cfg
And the OPTIONS keepalive can be handled in event_route[tm:local-request].
Cheers, Daniel
On 18.06.20 02:48, Mack Hendricks wrote:
Yeah...I’m aware. I was just checking if dispatcher could match on the ip:port just in case I wanted to support other use cases with my Kamailio instance. I read thru the source and it looks like the uac module is being used to initiate the OPTIONS message.
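The approach Daniel points to above, sketched as an added example that is not part of the original thread or the Kamailio documentation: the tls module's `xavp_cfg` parameter names an XAVP whose `server_id` field selects a client profile in tls.cfg, and `event_route[tm:local-request]` sets it for dispatcher's locally generated OPTIONS. Assumptions: the certificate and key paths are placeholders, the profiles are keyed on the `ping_from` domains from the original question, and tm and dispatcher are already loaded.

```cfg
/* tls.cfg (separate file, /etc/kamailio/tls.cfg in this thread).
 * One client profile per tenant, selected by server_id instead of by
 * destination ip:port. Certificate/key paths are placeholders.
 *
 * [client:any]
 * server_id = mack.dopensource.com
 * method = TLSv1.2+
 * verify_certificate = yes
 * certificate = /path/to/mack.dopensource.com/cert.pem
 * private_key = /path/to/mack.dopensource.com/key.pem
 * ca_list = /etc/dsiprouter/certs/cacert.pem
 *
 * [client:any]
 * server_id = levin.dopensource.com
 * method = TLSv1.2+
 * verify_certificate = yes
 * certificate = /path/to/levin.dopensource.com/cert.pem
 * private_key = /path/to/levin.dopensource.com/key.pem
 * ca_list = /etc/dsiprouter/certs/cacert.pem
 */

# kamailio.cfg
loadmodule "tls.so"
modparam("tls", "config", "/etc/kamailio/tls.cfg")
# name of the XAVP the tls module reads when opening an outbound connection
modparam("tls", "xavp_cfg", "tls")

# Runs for requests generated by Kamailio itself, which includes the
# dispatcher OPTIONS probes. Their From URI comes from the ping_from attribute.
event_route[tm:local-request] {
    if ($rm == "OPTIONS") {
        # Only map the tenant domains that have a profile in tls.cfg;
        # anything else keeps the default client profile.
        if ($fd == "mack.dopensource.com" || $fd == "levin.dopensource.com") {
            $xavp(tls=>server_id) = $fd;
        }
    }
}
```

With `verify_certificate = yes` and a `ca_list` on every client profile, each tenant connection still validates the peer; only the certificate Kamailio presents changes.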
Thanks Daniel and Sergiu!
The other thing I notice is that kamcmd tls.reload causes the following error:
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_domain.c:572]: load_ca_list(): TLSc<default>: Unable to load CA list '/etc/dsiprouter/certs/cacert.pem'
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D0AB041:asn1 encoding routines:x509_name_ex_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D079041:asn1 encoding routines:asn1_item_embed_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D079041:asn1 encoding routines:asn1_item_embed_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D079041:asn1 encoding routines:asn1_item_embed_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib
If I restart Kamailio it works fine. Let me know if you have any thoughts on this.
On Jun 18, 2020, at 2:42 AM, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
see:
https://www.kamailio.org/docs/modules/stable/modules/tls.html#tls.p.xavp_cfg
And the OPTIONS keepalive can be handled in event_route[tm:local-request].
Cheers, Daniel
Check permissions on that file and the directories in the path, to see if all are accessible by your user running Kamailio.
On Thu, Jun 18, 2020 at 2:12 PM Mack Hendricks mack@dopensource.com wrote:
Thanks Daniel and Sergiu!
The other thing I notice is that kamcmd tls.reload causes the following error:
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_domain.c:572]: load_ca_list(): TLSc<default>: Unable to load CA list '/etc/dsiprouter/certs/cacert.pem'
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D0AB041:asn1 encoding routines:x509_name_ex_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D079041:asn1 encoding routines:asn1_item_embed_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D079041:asn1 encoding routines:asn1_item_embed_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D079041:asn1 encoding routines:asn1_item_embed_new:malloc failure
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0907400D:PEM routines:PEM_X509_INFO_read_bio:ASN1 lib
Jun 18 12:05:47 sbc2 /usr/sbin/kamailio[32058]: ERROR: tls [tls_util.h:42]: tls_err_ret(): load_ca_list:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib
If I restart Kamailio it works fine. Let me know if you have any thoughts on this.