<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
<p>Hello,</p>
<p>for the moment a workaround could be to loop back the keepalive
to kamailio via event_route[tm:local-request], which can be done
via udp, then you get the OPTIONS in the request_route and there
do the logic to select the tls profile you want. It adds an extra
local hop on the path, but it should not have any big impact.<br>
</p>
<p>Cheers,<br>
Daniel<br>
</p>
<div class="moz-cite-prefix">On 05.01.21 12:06, Tim Chubb wrote:<br>
</div>
<blockquote type="cite"
cite="mid:DBAPR07MB69351001AB574E776929595EEFD10@DBAPR07MB6935.eurprd07.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}span.EmailStyle18
{mso-style-type:personal-compose;
font-family:"Times New Roman",serif;
color:#212121;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}div.WordSection1
{page:WordSection1;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal" style="background:white"><span
style="color:#212121">Hi All<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">Is it possible to explicitly define
the tls cert to be used per destination by dispatcher? <o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">I'm attempting to integrate with a
service that requires domain name presented to match that of
the cert. Where the use of dispatcher is probably not as
intended anyway as it targets the same set of destinations
multiple times (primary and secondary endpoints for the
service im integrating with), with multiple distinct set
id’s (basically a set per customer for multi tenancy) which
expects a sip ping per account to verify that connection is
alive and healthy.<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">#Example Dispatcher list<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">#Account 1<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">1 <a
href="sip:a.cloudservice.com:5061;transport=tls"
moz-do-not-send="true">
sip:a.cloudservice.com:5061;transport=tls</a> 8 1
socket=tls:10.0.0.2:5061;ping_sni=sip.account1.com;ping_from=<a class="moz-txt-link-freetext" href="sip:sip.account1.com:5061">sip:sip.account1.com:5061</a><o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">1 <a
href="sip:b.cloudservice.com:5061;transport=tls"
moz-do-not-send="true">
sip:b.cloudservice.com:5061;transport=tls</a> 8 1
socket=tls:10.0.0.2:5061;ping_sni=sip.account1.com;ping_from=<a class="moz-txt-link-freetext" href="sip:sip.account1.com:5061">sip:sip.account1.com:5061</a>;<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">#Account 2<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">2 <a
href="sip:a.cloudservice.com:5061;transport=tls"
moz-do-not-send="true">
sip:a.cloudservice.com:5061;transport=tls</a> 8 1
socket=tls:10.0.0.2:5061;ping_sni=sip.account2.com;ping_from=<a class="moz-txt-link-freetext" href="sip:sip.account2.com:5061">sip:sip.account2.com:5061</a>;<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">2 <a
href="sip:b.cloudservice.com:5061;transport=tls"
moz-do-not-send="true">
sip:b.cloudservice.com:5061;transport=tls</a> 8 1
socket=tls:10.0.0.2:5061;ping_sni=sip.account2.com;ping_from=<a class="moz-txt-link-freetext" href="sip:sip.account2.com:5061">sip:sip.account2.com:5061</a>;<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">Currently I'm running a solution based
around certs with multiple SAN (subject alternative name)
defined, but this is a pain to administrate, and not as
scalable as I would like. I want to be able to define
multiple client:any tls profiles and explicitly send via
that profile. Its easy enough to do that in config using
the tls xavps to define a server name and/or id. But for the
sip options ping by dispatcher to work you need to specify
the server name or id before the tm:local-request event
route fire's. <o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">I've resorted to hacking away at
dispatcher to see what would happen if I set the tls server
name or id before the OPTIONS message is sent, and it works
great for the first tls client profile matched, but any
others you define re-use the initial tcp connection so
reuses the first connections tls config, thus presenting the
wrong cert (I'm probably wrong but logs show only one tls
complete_init() related to dispatcher pings and the second
set’s pings skips all the tls init logging so suggests some
thing is cached/reused, and logging on the service indicates
cert name mismatch with set1s cert being offered) <o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">So I've hit a bit of a dead end, is
there a way to force a new tcp connection per server
name/id <o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">I fear outbound SNI might be a bit of
a can of worms, for it to work nicely with dispatcher as is,
would be an extension of the proto:host:port format to
include a name or id, maybe something like:<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">tls(name=sub.domain.com):10.0.0.5:5061<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">But that looks like it would have a
lot of wide reaching knock-on effects, so setting it as an
attribute like ping_from works fine as I'm currently doing,
if I could force a new connection from dispatch.c….<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">The other thing that’s occurred to me
is that it might be better to stop trying to adapt a small
percentage of dispatcher’s functionality and trying to
hammer a round peg into a square hole and instead try and
create a new module similar to dispatcher in so much that it
sends pings (that’s all I really need in this case) and use
dispatcher as intended with a single set of non-repeated
destinations for routing. This would also allow much
simpler integration with MS teams (if added ability to set
contact address on the background pings) as well as the
service im trying to integrate, and a more natural data set
to be used as in my example you can see the only difference
is the customers domain between each set. How I would
imagine it to work would be to create a tls connection per
customer domain, then iterate through the connections per
destination in pseudo json the data would look like this:<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">{<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">Destinations:[<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:36.0pt;background:white"><span
style="color:#212121">[1,[“a.cloudservice.com”,”b.cloudservice.com”]],<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:36.0pt;background:white"><span
style="color:#212121">[2,[“sip.pstnhub.microsoft.com”,
“sip2.pstnhub.microsoft.com”, “sip3.pstnhub.microsoft.com”]<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">],<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">Sources:[<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">{uri:”sip.account1.com”,destinationMapping:[1]},<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">{uri:”sip.account2.com”,destinationMapping:[1,2]}<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">]<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">}<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">And would just run in the background
sending pings with SNI support, and if based on dispatcher
should make it easy enough adapt things like the destination
up and down event routes, and would allow me to use Kamailio
much like I would use nginx for web stuff as a reverse proxy
and handle TLS offload on my edge gateway proxy.<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">Any thoughts?, im frustratingly close
to having something that will do if I could get a new
connection to be created, but I fear my use case might be
sufficiently different from dispatchers to make a new module
a sensible approach..<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">Regards<o:p></o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121"><o:p> </o:p></span></p>
<p class="MsoNormal" style="background:white"><span
style="color:#212121">Tim.<o:p></o:p></span></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Funding: <a class="moz-txt-link-freetext" href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a></pre>
</body>
</html>