[SR-Users] Reuse TLS connections
Klaus Darilion
klaus.mailinglists at pernau.at
Wed Feb 15 15:38:39 CET 2012
tcp_accept_aliases should work if you trust the other side. But do not
accept aliases from untrusted nodes (e.g. SIP phones)
regards
klaus
On 15.02.2012 12:37, Bruno Bresciani wrote:
> Thank's for reply klaus
>
> you are correct when said "Unless you have s strange setup with strange
> requirements", but I was reading RFC 5923 to try solve my strange
> requirements and found some benefits to forcing all messages into a
> single TLS connection.
>
> I have included the flag *"tcp_accept_aliases = yes"* on kamailio.cfg
> and now if kamailio received a message with the parameter "aliases" at
> header Via, all messages will be forced into a single TLS connection
> with SIP server. I'm testing this config yet.
>
> Best Regards
>
>
> 2012/2/13 Klaus Darilion <klaus.mailinglists at pernau.at
> <mailto:klaus.mailinglists at pernau.at>>
>
>
>
> On 13.02.2012 18:07, Bruno Bresciani wrote:
>
> Hi all,
>
> There is the possibility to kamailio reuse the TLS connection
> created by
> other SIP server? When kamailio use t_relay function to send a SIP
> request message to other server, kamailio verify if already
> exist some
> connection established with the destiny and use it even if this
> connection was created by the other SIP server.
>
> In short, I want to keep only one connection between kamailio
> and SIP
> server. Sometimes kamailio will be a client and others a server.
>
>
> This is quite difficult. For example, on a server with a single IP
> address may run several SIP proxy instances with different purposes.
> Each of these proxies uses another listening port, e.g: 1.1.1.1:5061
> <http://1.1.1.1:5061>, 1.1.1.1:6061 <http://1.1.1.1:6061>,
> 1.1.1.1:7061 <http://1.1.1.1:7061>.
>
> If on of these proxies establish a TCP connection to another proxy,
> e.g. 2.2.2.2:5061 <http://2.2.2.2:5061>, it uses an ephemeral
> source-port. Thus, for the TLS-server (the receiver of the TLS
> connection) there is no way to know which of these SIP proxies on
> 1.1.1.1 established the connection. There are lots more issues e.g.
> with certificate validation - a proxy may use various certificates
> for several domains. Maybe you can overcome these problems if all
> the proxies are controlled by you, but in an open environment this
> kind of connection reuse does not work.
>
> Thus: connection reuse can only be used for transactions in the same
> direction with the same target domain. For example if you have a
> proxy at 1.1.1.1:5061 <http://1.1.1.1:5061> authoritative for
> a.example.com <http://a.example.com> and b.example.com
> <http://b.example.com> and you have a proxy at 2.2.2.2:5061
> <http://2.2.2.2:5061> authoritative for y.example.com
> <http://y.example.com> and z.example.com <http://z.example.com> then
> you will end up with 4 TLS connections:
>
> 1. 1.1.1.1 as TLS client to a.example.com <http://a.example.com>
> 2. 1.1.1.1 as TLS client to b.example.com <http://b.example.com>
> 3. 2.2.2.2 as TLS client to y.example.com <http://y.example.com>
> 4. 2.2.2.2 as TLS client to z.example.com <http://z.example.com>
>
> Unless you have s strange setup with strange requirements I do not
> see any benefit in forcing all messages into a single TLS connection.
>
> regards
> Klaus
>
>
More information about the sr-users
mailing list