[SR-Users] Reuse TLS connections

Bruno Bresciani bruno.bresciani at gmail.com
Wed Feb 15 12:37:47 CET 2012


Thank's for reply klaus

you are correct when said "Unless you have s strange setup with strange
requirements", but I was reading RFC 5923 to try solve my strange
requirements and found some benefits to forcing all messages into a single
TLS connection.

I have included the flag *"tcp_accept_aliases = yes"* on kamailio.cfg and
now if kamailio received a message with the parameter "aliases" at header
Via, all messages will be forced into a single TLS connection with SIP
server. I'm testing this config yet.

Best Regards


2012/2/13 Klaus Darilion <klaus.mailinglists at pernau.at>

>
>
> On 13.02.2012 18:07, Bruno Bresciani wrote:
>
>> Hi all,
>>
>> There is the possibility to kamailio reuse the TLS connection created by
>> other SIP server?  When kamailio use t_relay function to send a SIP
>> request message to other server, kamailio verify if already exist some
>> connection established with the destiny and use it even if this
>> connection was created by the other SIP server.
>>
>> In short, I want to keep only one connection between kamailio and SIP
>> server. Sometimes kamailio will be a client and others a server.
>>
>
> This is quite difficult. For example, on a server with a single IP address
> may run several SIP proxy instances with different purposes. Each of these
> proxies uses another listening port, e.g: 1.1.1.1:5061, 1.1.1.1:6061,
> 1.1.1.1:7061.
>
> If on of these proxies establish a TCP connection to another proxy, e.g.
> 2.2.2.2:5061, it uses an ephemeral source-port. Thus, for the TLS-server
> (the receiver of the TLS connection) there is no way to know which of these
> SIP proxies on 1.1.1.1 established the connection. There are lots more
> issues e.g. with certificate validation - a proxy may use various
> certificates for several domains. Maybe you can overcome these problems if
> all the proxies are controlled by you, but in an open environment this kind
> of connection reuse does not work.
>
> Thus: connection reuse can only be used for transactions in the same
> direction with the same target domain. For example if you have a proxy at
> 1.1.1.1:5061 authoritative for a.example.com and b.example.com and you
> have a proxy at 2.2.2.2:5061 authoritative for y.example.com and
> z.example.com then you will end up with 4 TLS connections:
>
> 1. 1.1.1.1 as TLS client to a.example.com
> 2. 1.1.1.1 as TLS client to b.example.com
> 3. 2.2.2.2 as TLS client to y.example.com
> 4. 2.2.2.2 as TLS client to z.example.com
>
> Unless you have s strange setup with strange requirements I do not see any
> benefit in forcing all messages into a single TLS connection.
>
> regards
> Klaus
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-users/attachments/20120215/f33514a4/attachment.htm>


More information about the sr-users mailing list