[SR-Users] Integration with multiple MS Teams instances
Daniel-Constantin Mierla
miconda at gmail.com
Mon Aug 2 21:21:13 CEST 2021
Hello,
do you force local send socket?
Cheers,
Daniel
On 02.08.21 18:21, Володимир Іванець wrote:
> Hello Daniel!
>
> I updated Kamailio to the latest released version. The problem is that
> still with tls_set_connect_server_id() I can not make a single
> instance of Kamailio connect to multiple MS Teams domains. I use a
> single IP address with different ports for different trunks. I can see
> it establishing a connection to one trunk and using it for other domains.
>
> Is there a way to force Kamailio to make a new TLS connection to the
> same peer address that it is already connected to?
>
> Thank you!
>
> Regards, Volodymyr Ivanets.
>
> On Mon, 2 Aug 2021 at 13:44, Daniel-Constantin Mierla <miconda at gmail.com>
> wrote:
>
> Hello,
>
> upgrading is the recommended way, indeed, if you want to use
> tls_set_connect_server_id(). For older versions you may want to try
> looping back to kamailio (can be over udp) and then use the xavps.
> Adds some overhead and hops, but if you are stuck to a version and
> can't really upgrade soon, might be an option to look at.
>
> Cheers,
> Daniel
>
> On 29.07.21 18:48, Володимир Іванець wrote:
>> Hello Rob!
>>
>> Yes, I'm using Letsencrypt while I'm testing. But I would like to
>> be able to use different certificates with different sockets.
>>
>> I found this
>> discussion https://github.com/kamailio/kamailio/issues/2413. Looks like I
>> need to use "tls_set_connect_server_id()" instead of setting
>> "$xavp(tls=>server_name)" and "$xavp(tls[0]=>server_id)".
>> Unfortunately I'm currently using Kamailio v5.4 on my test system
>> and this function is not available. I will update Kamailio and
>> give it another try. Then I will update everyone in the hope it
>> will be useful for someone :)
>>
>> Thank you!
>>
>> Regards, Volodymyr Ivanets
>>
>> On Thu, 29 Jul 2021 at 19:07, Rob van den Bulk
>> <rob.van.den.bulk at gmail.com> wrote:
>>
>> Hello, are u using letsencrypt?
>>
>> U can use a multi domain.
>>
>> Multi domain names in one certificate
>>
>> ------------------------------------------------------------------------
>> *From:* sr-users <sr-users-bounces at lists.kamailio.org> on behalf of
>> Володимир Іванець <volodyaivanets at gmail.com>
>> *Sent:* Thursday, July 29, 2021 4:44:16 PM
>> *To:* Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
>> *Subject:* [SR-Users] Integration with multiple MS Teams instances
>>
>> Hello all!
>>
>> I was able to connect Kamailio with MS Teams and now trying
>> to add one more Teams instance. It looks like I have some
>> misconfiguration or there is a bug.
>>
>> My test server has 2 domain records pointing at it
>> (kamailio.domain1.com and kamailio.domain2.com). My
>> tls.cfg configuration file looks like this. As you can see
>> the Default section is configured with a kamailio.domain1.com
>> certificate:
>>
>> [server:default]
>> method = TLSv1.0+
>> require_certificate = no
>> verify_certificate = no
>> private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
>> certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
>> ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
>>
>> [client:default]
>> method = TLSv1.0+
>> require_certificate = no
>> verify_certificate = no
>> private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
>> certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
>> ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
>>
>> [server:172.16.30.206:5062]
>> method = TLSv1.0+
>> require_certificate = no
>> verify_certificate = no
>> private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
>> certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
>> ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
>> server_name = "kamailio.domain1.com"
>> server_id = "kamailio.domain1.com"
>>
>> [client:172.16.30.206:5062]
>> method = TLSv1.0+
>> require_certificate = no
>> verify_certificate = no
>> private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
>> certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
>> ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
>>
>> [server:172.16.30.206:5063]
>> method = TLSv1.0+
>> require_certificate = no
>> verify_certificate = no
>> private_key = /var/kamailio/certificates/kamailio.domain2.com/server/key.pem
>> certificate = /var/kamailio/certificates/kamailio.domain2.com/server/cert.pem
>> ca_list = /var/kamailio/certificates/kamailio.domain2.com/CA/cert.pem
>> server_name = "kamailio.domain2.com"
>> server_id = "kamailio.domain2.com"
>>
>> [client:172.16.30.206:5063]
>> method = TLSv1.0+
>> require_certificate = no
>> verify_certificate = no
>> private_key = /var/kamailio/certificates/kamailio.domain2.com/server/key.pem
>> certificate = /var/kamailio/certificates/kamailio.domain2.com/server/cert.pem
>> ca_list = /var/kamailio/certificates/kamailio.domain2.com/CA/cert.pem
>>
>> The dispatcher configuration table looks like this:
>>
>> +----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+
>> | id | setid | destination                                 | flags | priority | attrs                                                            | description |
>> +----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+
>> |  1 |     1 | sip:sip.pstnhub.microsoft.com;transport=tls |     0 |        3 | socket=tls:172.16.30.206:5062;ping_from=sip:kamailio.domain1.com | MS Teams 1  |
>> |  2 |     2 | sip:sip.pstnhub.microsoft.com;transport=tls |     0 |        3 | socket=tls:172.16.30.206:5063;ping_from=sip:kamailio.domain2.com | MS Teams 2  |
>> +----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+
>>
>>
>>
>> When Kamailio is started only connection with the first trunk
>> is established:
>>
>> # kamcmd tls.list
>> {
>>         id: 1
>>         timeout: 0
>>         src_ip: 52.114.75.24
>>         src_port: 5061
>>         dst_ip: 172.16.30.206
>>         dst_port: 0
>>         cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
>>         ct_wq_size: 0
>>         enc_rd_buf: 0
>>         flags: 2
>>         state: established
>> }
>> {
>>         id: 2
>>         timeout: 0
>>         src_ip: 52.114.75.24
>>         src_port: 7810
>>         dst_ip: 172.16.30.206
>>         dst_port: 5062
>>         cipher: AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
>>         ct_wq_size: 0
>>         enc_rd_buf: 0
>>         flags: 2
>>         state: established
>> }
>> {
>>         id: 3
>>         timeout: 596
>>         src_ip: 52.114.75.24
>>         src_port: 7811
>>         dst_ip: 172.16.30.206
>>         dst_port: 5062
>>         cipher: AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
>>         ct_wq_size: 0
>>         enc_rd_buf: 0
>>         flags: 2
>>         state: established
>> }
>>
>>
>> Here is what I can see in Kamailio log file when it sends an
>> OPTIONS request to the second trunk. Kamailio uses Default
>> tls configuration and MS Teams don't accept it:
>>
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: ALERT: <script>: == TRACE. tm:local-request. fs is tls:172.16.30.206:5063
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tm [uac.c:352]: t_run_local_req(): apply new updates without Via to sip msg
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/msg_translator.c:1796]: check_boundaries(): no multi-part body
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:610]: parse_msg(): SIP Request:
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:612]: parse_msg(): method: <OPTIONS>
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:614]: parse_msg(): uri: <sip:sip.pstnhub.microsoft.com;transport=tls>
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:616]: parse_msg(): version: <SIP/2.0>
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:1303]: parse_via_param(): Found param type 232, <branch> = <z9hG4bK169b.6411b4c3000000000000000000000000.0>; state=16
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:2639]: parse_via(): end of header reached, state=5
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:498]: parse_headers(): Via found, flags=2
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:500]: parse_headers(): this is the first via
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_addr_spec.c:864]: parse_addr_spec(): end of header reached, state=10
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:171]: get_hdr_field(): <To> [47]; uri=[sip:sip.pstnhub.microsoft.com;transport=tls]
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:174]: get_hdr_field(): to body (47)[<sip:sip.pstnhub.microsoft.com;transport=tls>^M
>> ], to tag (0)[]
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:152]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:185]: get_hdr_field(): content_length=0
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:89]: get_hdr_field(): found end of header
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:610]: parse_msg(): SIP Request:
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:612]: parse_msg(): method: <OPTIONS>
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:614]: parse_msg(): uri: <sip:sip.pstnhub.microsoft.com;transport=tls>
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:616]: parse_msg(): version: <SIP/2.0>
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:1303]: parse_via_param(): Found param type 232, <branch> = <z9hG4bK169b.6411b4c3000000000000000000000000.0>; state=16
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:2639]: parse_via(): end of header reached, state=5
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:498]: parse_headers(): Via found, flags=2
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:500]: parse_headers(): this is the first via
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_addr_spec.c:864]: parse_addr_spec(): end of header reached, state=10
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:171]: get_hdr_field(): <To> [47]; uri=[sip:sip.pstnhub.microsoft.com;transport=tls]
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:174]: get_hdr_field(): to body (47)[<sip:sip.pstnhub.microsoft.com;transport=tls>^M
>> ], to tag (0)[]
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:152]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tm [uac.c:189]: uac_refresh_hdr_shortcuts(): cseq: [CSeq: 10]
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1993]: tcp_send(): no open tcp connection found, opening new one
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 52.114.75.24
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1175]: tcpconn_new(): on port 5061, type 3, socket -1
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1498]: tcpconn_add(): hashes: 2831:67:0, 1
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:162]: tls_get_connect_server_name(): *xavp with outbound server name not found*
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:142]: tls_get_connect_server_id(): *xavp with outbound server id not found*
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:228]: tls_complete_init(): *Using initial TLS domain TLSc<default>* (dom 0x7f35509da688 ctx 0x7f3550b7a568 sn [])
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_domain.c:1177]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f3550b7a568: (nil)
>> Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
>> ...
>>
>>
>> If I change the Default configuration to use
>> kamailio.domain2.com certificate, the second trunk will connect
>> but the first one will fail.
>> I tried to set "$xavp(tls=>server_name)" and
>> "$xavp(tls[0]=>server_id)" variables to
>> the event_route[tm:local-request] section but log still
>> stated that server Name and ID were not found.
>>
>> Can someone please point me in the right direction, how can I
>> make Kamailio use the correct certificates when establishing
>> multiple TLS connections?
>>
>> Thanks a lot!
>>
>> Regards, Volodymyr Ivanets
>> __________________________________________________________
>> Kamailio - Users Mailing List - Non Commercial Discussions
>> * sr-users at lists.kamailio.org
>> <mailto:sr-users at lists.kamailio.org>
>> Important: keep the mailing list in the recipients, do not
>> reply only to the sender!
>> Edit mailing list options or unsubscribe:
>> *
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>> <https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
>>
>
> --
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
>
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
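
An added example, not part of the original thread and not Kamailio's own code: a small Python check over tls.cfg client profiles like the ones quoted above. It reports profiles without a server_id (assumed here to be what tls_set_connect_server_id() matches on), disabled peer verification, and a minimum TLS version below 1.2; the finding names and the third sample profile are constructed.

```python
import re

# Constructed sample: the first two profiles repeat settings quoted in the thread
# (abridged); the third is a hypothetical profile that carries a server_id.
SAMPLE_TLS_CFG = """\
[client:default]
method = TLSv1.0+
verify_certificate = no

[client:172.16.30.206:5063]
method = TLSv1.0+
verify_certificate = no

[client:52.114.75.24:5061]
method = TLSv1.2+
verify_certificate = yes
server_id = "kamailio.domain2.com"
"""

def parse_profiles(text):
    """Return (kind, address, settings) per section; repeated headers are not merged."""
    profiles, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        head = re.fullmatch(r"\[(server|client):(.+)\]", line)
        if head:
            current = {}
            profiles.append((head.group(1), head.group(2), current))
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return profiles

def lint_client_profiles(text):
    """Return (profile, finding) pairs for outbound (client) TLS profiles."""
    findings = []
    for kind, addr, cfg in parse_profiles(text):
        if kind != "client":
            continue
        name = f"client:{addr}"
        # Assumption: without server_id, tls_set_connect_server_id() cannot pick it.
        if addr != "default" and "server_id" not in cfg:
            findings.append((name, "no-server-id"))
        # Assumption of this example: anything but yes/1 counts as disabled.
        if cfg.get("verify_certificate", "no").lower() not in ("yes", "1"):
            findings.append((name, "no-verify"))
        # Flag a minimum version below TLS 1.2; an absent method is not flagged.
        ver = re.match(r"TLSv(\d+)(?:\.(\d+))?", cfg.get("method", "TLSv1.2"))
        if not ver or (int(ver.group(1)), int(ver.group(2) or 0)) < (1, 2):
            findings.append((name, "weak-tls"))
    return findings
```

Calling `lint_client_profiles()` on the text of a real tls.cfg returns the same kind of list, one entry per profile and finding.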