[sr-dev] Playing with TCP and TLS

Olle E. Johansson oej at edvina.net
Fri Oct 26 22:03:45 CEST 2012


On 26 Oct 2012, at 21:08, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:

> On 26.10.2012 14:08, Olle E. Johansson wrote:
>> On 25 Oct 2012, at 19:05, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>> 
>>> Kamailio uses the next hop target (probably the URI in the Path header) and searches for open TCP connections to this target. I guess the Path header contains the private IP address of the outbound proxy, thus it does not match the open TCP connection. If there is no outbound proxy, the solution is simple: as always, use fix_nated_register() on REGISTER. Then, after lookup(), the proxy will search for a TCP connection to the "received" IP:port and find and use the existing connection.
>> Thinking about TLS - how do we match there?
> 
> AFAIK there is no difference to TLS. If there is a TLS connection whose remote address matches the next hop, it will be used.

That's bad. We need to check the domains in the certificate before re-using it. If they showed NO client cert, we should open a new one.
If they showed a client, we should verify.

Will the on-send route give me the possibility, or is it triggered before Kamailio selects a TCP connection? I'm a bit unclear about the exact situation in which the on-send route is called.

/O
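As an added illustration (not Kamailio's own code), a toy model of the connection lookup discussed in this thread: match an open connection by next-hop address, using the "received" address when fix_nated_register() was applied, and for TLS additionally refuse to reuse a connection unless the peer presented a client certificate whose names cover the next-hop domain. The names Conn, next_hop and find_connection, the contact record layout and all addresses are made up for this example.

```python
# Added illustration, not Kamailio source: toy model of next-hop connection reuse.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

Addr = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Conn:
    proto: str                                    # "tcp" or "tls"
    remote: Addr                                  # peer address of the open connection
    peer_names: Optional[FrozenSet[str]] = None   # names in the client cert; None = no client cert shown


def next_hop(contact: dict, nated_fixed: bool) -> Addr:
    """Next-hop address for a registered contact (hypothetical record layout).

    Without fix_nated_register() the proxy uses the address from the contact/Path
    (often a private IP behind NAT); with it, the 'received' source address of
    the REGISTER is used instead, which is what the open connection was keyed on.
    """
    if nated_fixed and contact.get("received"):
        return contact["received"]
    return contact["addr"]


def find_connection(conns: List[Conn], proto: str, target: Addr,
                    domain: Optional[str] = None) -> Optional[Conn]:
    """Return an open connection usable for `target`, or None (meaning: open a new one).

    TCP: any connection whose remote address matches (the behaviour Klaus describes).
    TLS: additionally require a client certificate whose names cover `domain`,
    the check Olle asks for before a TLS connection is reused.
    """
    for c in conns:
        if c.proto != proto or c.remote != target:
            continue
        if proto == "tcp":
            return c
        if c.peer_names is None:              # peer showed no client cert: do not reuse
            continue
        if domain is not None and domain not in c.peer_names:
            continue                          # cert does not cover the domain: do not reuse
        return c
    return None


# Constructed sample data (documentation addresses, not real hosts)
CONNS = [
    Conn("tcp", ("203.0.113.5", 5060)),
    Conn("tls", ("203.0.113.7", 5061)),                                  # TLS, no client cert
    Conn("tls", ("203.0.113.8", 5061), frozenset({"sip.example.com"})),  # TLS, client cert with SAN
]
CONTACT = {"addr": ("10.0.0.2", 5060), "received": ("203.0.113.5", 5060)}
```

Without fix_nated_register() the lookup targets the private address and finds nothing; with it, the existing TCP connection is reused, while the TLS lookups only reuse the connection whose client certificate names the requested domain.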
