Unfortunately, I faced a different problem after the "tls_set_connect_server_id()" function was applied.

After Kamailio starts, second trunk is the first one to establish connection:
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: <core> [core/parser/msg_parser.c:154]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: <core> [core/parser/parse_hname2.c:294]: parse_sip_header_name(): parsed header name [Call-ID] type 6
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: tm [uac.c:189]: uac_refresh_hdr_shortcuts(): cseq: [CSeq: 10]
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: <core> [core/tcp_main.c:1993]: tcp_send(): no open tcp connection found, opening new one
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: <core> [core/ip_addr.c:577]: print_ip(): tcpconn_new: new tcp connection: 52.114.75.24
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: <core> [core/tcp_main.c:1175]: tcpconn_new(): on port 5061, type 3, socket -1
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: <core> [core/tcp_main.c:1498]: tcpconn_add(): hashes: 2831:67:0, 1
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: tls [tls_server.c:244]: tls_complete_init(): completing tls connection initialization
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: tls [tls_server.c:207]: tls_get_connect_server_name(): xavp with outbound server name not found
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: tls [tls_server.c:180]: tls_get_connect_server_id(): xavp with outbound server id not found
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: tls [tls_server.c:184]: tls_get_connect_server_id(): found global outbound server id: kamailio.domain2.com
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: tls [tls_domain.c:1583]: tls_lookup_cfg(): comparing addr: [172.16.30.206:5063]  [172.16.30.206:0] -- id: [kamailio.domain2.com] [kamailio.domain2.com]
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: tls [tls_domain.c:1586]: tls_lookup_cfg(): TLS config found by server id
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: tls [tls_server.c:274]: tls_complete_init(): Using initial TLS domain TLSc<172.16.30.206:5063> (dom 0x7f2d2a5f17a0 ctx 0x7f2d2abebad8 sn [kamailio.domain2.com])
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: tls [tls_domain.c:1208]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f2d2abebad8: (nil)
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: tls [tls_domain.c:778]: sr_ssl_ctx_info_callback(): SSL handshake started
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: <core> [core/tcp_main.c:2888]: tcpconn_1st_send(): pending write on new connection 0x7f2d2afb4680 sock 10 (-1/517 bytes written) (err: 11 - Resource temporarily unavailable)
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: tm [uac.c:686]: send_prepared_request_impl(): uac: 0x7f2d2afb1420  branch: 0  to 52.114.75.24:5061

# kamcmd core.tcp_list
{
        id: 1
        type: TLS
        state: CONN_OK
        timeout: 3
        lifetime: 600
        ref_count: 2
        src_ip: 52.114.75.24
        src_port: 5061
        dst_ip: 172.16.30.206
        dst_port: 0
}
{
        id: 2
        type: TLS
        state: CONN_OK
        timeout: 3
        lifetime: 600
        ref_count: 2
        src_ip: 52.114.75.24
        src_port: 4290
        dst_ip: 172.16.30.206
        dst_port: 5063
}
{
        id: 3
        type: TLS
        state: CONN_OK
        timeout: 566
        lifetime: 600
        ref_count: 1
        src_ip: 52.114.75.24
        src_port: 4291
        dst_ip: 172.16.30.206
        dst_port: 5063
}

Then Kamailio initiates connection for the first trunk:
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: <core> [core/parser/msg_parser.c:154]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: <core> [core/parser/parse_hname2.c:294]: parse_sip_header_name(): parsed header name [Call-ID] type 6
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: tm [uac.c:189]: uac_refresh_hdr_shortcuts(): cseq: [CSeq: 10]
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: <core> [core/tcp_main.c:1610]: _tcpconn_find(): found connection by peer address (id: 1)
Jul 29 21:25:22 kamailio /usr/sbin/kamailio[2645]: DEBUG: tm [uac.c:686]: send_prepared_request_impl(): uac: 0x7f2d2afce198  branch: 0  to 52.114.75.24:5061

Although it has to connect from a different socket it sees an active connection to the same address and uses it instead. It looks like it sends SIP requests for both trunks through the single TLS connection.

Does anyone know how to make Kamailio create separate TLS connections from different sockets for different trunks?

Thank you!

Regards, Volodymyr Ivanets

чт, 29 лип. 2021 о 19:48 Володимир Іванець <volodyaivanets@gmail.com> пише:
Hello Rob!

Yes, I'm using Letsencrypt while I'm testing. But I would like to be able to use different certificates with different sockets.

I found this discussion https://github.com/kamailio/kamailio/issues/2413. Looks like I need to use "tls_set_connect_server_id()" instead of setting $xavp(tls=>server_name)" and "$xavp(tls[0]=>server_id)". Unfortunately I'm currently using Kamailio v5.4 on my test system and this function is not available. I will update Kamailio and give it another try. Then I will update everyone in the hope it will be useful for someone :)

Thank you!

Regards, Volodymyr Ivanets

чт, 29 лип. 2021 о 19:07 Rob van den Bulk <rob.van.den.bulk@gmail.com> пише:
Hello, are u using letsencrypt?

U can use a multi domain.

Muti domain names in one certificate 

Outlook voor Android downloaden
From: sr-users <sr-users-bounces@lists.kamailio.org> on behalf of Володимир Іванець <volodyaivanets@gmail.com>
Sent: Thursday, July 29, 2021 4:44:16 PM
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Subject: [SR-Users] Integration with multiple MS Teams instances
 
Hello all!

I was able to connect Kamailio with MS Teams and now trying to add one more Teams instance. It looks like I have some misconfiguration or there is a bug.

My test server has 2 domain records pointing at it (kamailio.domain1.com and kamailio.domain2.com). My tls.cfg configuration file looks like this. As you can see the Default section is configured with a kamailio.domain1.com sertificate:
[server:default]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem

[client:default]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem


method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
server_name = "kamailio.domain1.com"
server_id = ""kamailio.domain1.com"

method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem


method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain2.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain2.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain2.com/CA/cert.pem
server_name = "kamailio.domain2.com"
server_id = ""kamailio.domain2.com"

method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain2.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain2.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain2.com/CA/cert.pem

The dispatcher configuration table looks like this:
+----+-------+----------------------------------------------+-------+----------+--------------------------------------------------------------------+-------------+
| id | setid | destination                                  | flags | priority | attrs                                                              | description |
+----+-------+----------------------------------------------+-------+----------+--------------------------------------------------------------------+-------------+
|  1 |     1 | sip:sip.pstnhub.microsoft.com;transport=tls  |     0 |        3 | socket=tls:172.16.30.206:5062;ping_from=sip:kamailio.domain1.com   | MS Teams 1  |
|  2 |     2 | sip:sip.pstnhub.microsoft.com;transport=tls  |     0 |        3 | socket=tls:172.16.30.206:5063;ping_from=sip:kamailio.domain2.com   | MS Teams 2  |
+----+-------+----------------------------------------------+-------+----------+--------------------------------------------------------------------+-------------+


When Kamailio is started only connection with the first trunk is established:
# kamcmd tls.list
{
        id: 1
        timeout: 0
        src_ip: 52.114.75.24
        src_port: 5061
        dst_ip: 172.16.30.206
        dst_port: 0
        cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
        ct_wq_size: 0
        enc_rd_buf: 0
        flags: 2
        state: established
}
{
        id: 2
        timeout: 0
        src_ip: 52.114.75.24
        src_port: 7810
        dst_ip: 172.16.30.206
        dst_port: 5062
        cipher: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
        ct_wq_size: 0
        enc_rd_buf: 0
        flags: 2
        state: established
}
{
        id: 3
        timeout: 596
        src_ip: 52.114.75.24
        src_port: 7811
        dst_ip: 172.16.30.206
        dst_port: 5062
        cipher: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
        ct_wq_size: 0
        enc_rd_buf: 0
        flags: 2
        state: established
}

Here is what I can see in Kamailio log file when it sends an OPTIONS request to the second trunk. Kamailio uses Default tls configuration and MS Teams don't accept it:
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: ALERT: <script>: == TRACE. tm:local-request. fs is tls:172.16.30.206:5063
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tm [uac.c:352]: t_run_local_req(): apply new updates without Via to sip msg
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/msg_translator.c:1796]: check_boundaries(): no multi-part body
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:610]: parse_msg(): SIP Request:
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:612]: parse_msg():  method:  <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:614]: parse_msg():  uri:     <sip:sip.pstnhub.microsoft.com;transport=tls>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:616]: parse_msg():  version: <SIP/2.0>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:1303]: parse_via_param(): Found param type 232, <branch> = <z9hG4bK169b.6411b4c3000000000000000000000000.0>; state=16
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:2639]: parse_via(): end of header reached, state=5
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:498]: parse_headers(): Via found, flags=2
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:500]: parse_headers(): this is the first via
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_addr_spec.c:864]: parse_addr_spec(): end of header reached, state=10
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:171]: get_hdr_field(): <To> [47]; uri=[sip:sip.pstnhub.microsoft.com;transport=tls]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:174]: get_hdr_field(): to body (47)[<sip:sip.pstnhub.microsoft.com;transport=tls>^M
], to tag (0)[]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:152]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:185]: get_hdr_field(): content_length=0
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:89]: get_hdr_field(): found end of header
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:610]: parse_msg(): SIP Request:
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:612]: parse_msg():  method:  <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:614]: parse_msg():  uri:     <sip:sip.pstnhub.microsoft.com;transport=tls>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:616]: parse_msg():  version: <SIP/2.0>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:1303]: parse_via_param(): Found param type 232, <branch> = <z9hG4bK169b.6411b4c3000000000000000000000000.0>; state=16
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:2639]: parse_via(): end of header reached, state=5
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:498]: parse_headers(): Via found, flags=2
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:500]: parse_headers(): this is the first via
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_addr_spec.c:864]: parse_addr_spec(): end of header reached, state=10
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:171]: get_hdr_field(): <To> [47]; uri=[sip:sip.pstnhub.microsoft.com;transport=tls]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:174]: get_hdr_field(): to body (47)[<sip:sip.pstnhub.microsoft.com;transport=tls>^M
], to tag (0)[]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:152]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tm [uac.c:189]: uac_refresh_hdr_shortcuts(): cseq: [CSeq: 10]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1993]: tcp_send(): no open tcp connection found, opening new one
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 52.114.75.24
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1175]: tcpconn_new(): on port 5061, type 3, socket -1
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1498]: tcpconn_add(): hashes: 2831:67:0, 1
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:162]: tls_get_connect_server_name(): xavp with outbound server name not found
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:142]: tls_get_connect_server_id(): xavp with outbound server id not found
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSc<default> (dom 0x7f35509da688 ctx 0x7f3550b7a568 sn [])
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_domain.c:1177]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f3550b7a568: (nil)
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
...

If I change the Default configuration to use kamailio.domain2.com certificate, the second trunk will connect but the first one will fail.
I tried to set "$xavp(tls=>server_name)" and "$xavp(tls[0]=>server_id)" variables to the event_route[tm:local-request] section but log still stated that server Name and ID were not found.

Can someone please point me in the right direction, how can I make Kamailio use the correct certificates when establishing multiple TLS connections?

Thanks a lot!

Regards, Volodymyr Ivanets
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
  * sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users