[SR-Users] Integration with multiple MS Teams instances

Володимир Іванець volodyaivanets at gmail.com
Thu Jul 29 16:44:16 CEST 2021


Hello all!

I was able to connect Kamailio with MS Teams and am now trying to add one more
Teams instance. It looks like I have some misconfiguration or there is a
bug.

My test server has 2 domain records pointing at it (kamailio.domain1.com
and kamailio.domain2.com). My tls.cfg configuration file looks like this.
As you can see, the Default section is configured with a kamailio.domain1.com
certificate:

[server:default]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem

[client:default]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem

[server:172.16.30.206:5062]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem
server_name = "kamailio.domain1.com"
server_id = "kamailio.domain1.com"

[client:172.16.30.206:5062]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain1.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain1.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain1.com/CA/cert.pem

[server:172.16.30.206:5063]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain2.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain2.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain2.com/CA/cert.pem
server_name = "kamailio.domain2.com"
server_id = "kamailio.domain2.com"

[client:172.16.30.206:5063]
method = TLSv1.0+
require_certificate = no
verify_certificate = no
private_key = /var/kamailio/certificates/kamailio.domain2.com/server/key.pem
certificate = /var/kamailio/certificates/kamailio.domain2.com/server/cert.pem
ca_list = /var/kamailio/certificates/kamailio.domain2.com/CA/cert.pem


The dispatcher configuration table looks like this:

+----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+
| id | setid | destination                                 | flags | priority | attrs                                                            | description |
+----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+
|  1 |     1 | sip:sip.pstnhub.microsoft.com;transport=tls |     0 |        3 | socket=tls:172.16.30.206:5062;ping_from=sip:kamailio.domain1.com | MS Teams 1  |
|  2 |     2 | sip:sip.pstnhub.microsoft.com;transport=tls |     0 |        3 | socket=tls:172.16.30.206:5063;ping_from=sip:kamailio.domain2.com | MS Teams 2  |
+----+-------+---------------------------------------------+-------+----------+------------------------------------------------------------------+-------------+



When Kamailio is started only connection with the first trunk is
established:

# kamcmd tls.list
{
        id: 1
        timeout: 0
        src_ip: 52.114.75.24
        src_port: 5061
        dst_ip: 172.16.30.206
        dst_port: 0
        cipher: ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
        ct_wq_size: 0
        enc_rd_buf: 0
        flags: 2
        state: established
}
{
        id: 2
        timeout: 0
        src_ip: 52.114.75.24
        src_port: 7810
        dst_ip: 172.16.30.206
        dst_port: 5062
        cipher: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
        ct_wq_size: 0
        enc_rd_buf: 0
        flags: 2
        state: established
}
{
        id: 3
        timeout: 596
        src_ip: 52.114.75.24
        src_port: 7811
        dst_ip: 172.16.30.206
        dst_port: 5062
        cipher: AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
        ct_wq_size: 0
        enc_rd_buf: 0
        flags: 2
        state: established
}


Here is what I can see in the Kamailio log file when it sends an OPTIONS
request to the second trunk. Kamailio uses the Default tls configuration and MS
Teams doesn't accept it:

Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: ALERT: <script>: == TRACE. tm:local-request. fs is tls:172.16.30.206:5063
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tm [uac.c:352]: t_run_local_req(): apply new updates without Via to sip msg
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/msg_translator.c:1796]: check_boundaries(): no multi-part body
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:610]: parse_msg(): SIP Request:
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:612]: parse_msg():  method:  <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:614]: parse_msg():  uri: <sip:sip.pstnhub.microsoft.com;transport=tls>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:616]: parse_msg():  version: <SIP/2.0>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:1303]: parse_via_param(): Found param type 232, <branch> = <z9hG4bK169b.6411b4c3000000000000000000000000.0>; state=16
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:2639]: parse_via(): end of header reached, state=5
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:498]: parse_headers(): Via found, flags=2
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:500]: parse_headers(): this is the first via
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_addr_spec.c:864]: parse_addr_spec(): end of header reached, state=10
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:171]: get_hdr_field(): <To> [47]; uri=[sip:sip.pstnhub.microsoft.com;transport=tls]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:174]: get_hdr_field(): to body (47)[<sip:sip.pstnhub.microsoft.com;transport=tls>^M
], to tag (0)[]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:152]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:185]: get_hdr_field(): content_length=0
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:89]: get_hdr_field(): found end of header
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:610]: parse_msg(): SIP Request:
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:612]: parse_msg():  method:  <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:614]: parse_msg():  uri: <sip:sip.pstnhub.microsoft.com;transport=tls>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:616]: parse_msg():  version: <SIP/2.0>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:1303]: parse_via_param(): Found param type 232, <branch> = <z9hG4bK169b.6411b4c3000000000000000000000000.0>; state=16
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_via.c:2639]: parse_via(): end of header reached, state=5
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:498]: parse_headers(): Via found, flags=2
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:500]: parse_headers(): this is the first via
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/parse_addr_spec.c:864]: parse_addr_spec(): end of header reached, state=10
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:171]: get_hdr_field(): <To> [47]; uri=[sip:sip.pstnhub.microsoft.com;transport=tls]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:174]: get_hdr_field(): to body (47)[<sip:sip.pstnhub.microsoft.com;transport=tls>^M
], to tag (0)[]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/parser/msg_parser.c:152]: get_hdr_field(): cseq <CSeq>: <10> <OPTIONS>
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tm [uac.c:189]: uac_refresh_hdr_shortcuts(): cseq: [CSeq: 10]
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1993]: tcp_send(): no open tcp connection found, opening new one
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 52.114.75.24
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1175]: tcpconn_new(): on port 5061, type 3, socket -1
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1498]: tcpconn_add(): hashes: 2831:67:0, 1
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:162]: tls_get_connect_server_name(): xavp with outbound server name not found
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:142]: tls_get_connect_server_id(): xavp with outbound server id not found
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSc<default> (dom 0x7f35509da688 ctx 0x7f3550b7a568 sn [])
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_domain.c:1177]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f3550b7a568: (nil)
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_domain.c:747]: sr_ssl_ctx_info_callback(): SSL handshake started
...


If I change the Default configuration to use the kamailio.domain2.com
certificate, the second trunk will connect but the first one will fail.
I tried to set the "$xavp(tls=>server_name)" and "$xavp(tls[0]=>server_id)"
variables in the event_route[tm:local-request] section but the log still stated
that server Name and ID were not found.

Can someone please point me in the right direction, how can I make Kamailio
use the correct certificates when establishing multiple TLS connections?

Thanks a lot!

Regards, Volodymyr Ivanets
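
A way to read the TLS profile choice out of a debug log like the one quoted above, as an added example that is not part of the original post: it ties the poster's own "fs is ..." script trace to the tls module lines that follow it for the same worker PID. The function name and record keys are made up for this illustration.

```python
import re

# Lines taken from the debug log in the post above (the "fs is ..." line is the
# poster's own script trace from event_route[tm:local-request]).
SAMPLE_LOG = """\
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: ALERT: <script>: == TRACE. tm:local-request. fs is tls:172.16.30.206:5063
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 52.114.75.24
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: <core> [core/tcp_main.c:1175]: tcpconn_new(): on port 5061, type 3, socket -1
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:162]: tls_get_connect_server_name(): xavp with outbound server name not found
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:142]: tls_get_connect_server_id(): xavp with outbound server id not found
Jul 29 16:46:14 kamailio /usr/sbin/kamailio[11809]: DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSc<default> (dom 0x7f35509da688 ctx 0x7f3550b7a568 sn [])
"""

LINE = re.compile(r"kamailio\[(\d+)\]: (.*)$")
FORCED = re.compile(r"tm:local-request\. fs is (\S+)")
FIELDS = {
    "peer_ip": re.compile(r"tcpconn_new: new tcp connection: (\S+)"),
    "peer_port": re.compile(r"tcpconn_new\(\): on port (\d+)"),
}
XAVP_MISSING = re.compile(r"xavp with outbound (server name|server id) not found")
DOMAIN = re.compile(r"Using initial TLS domain TLSc<([^>]*)>")

def outbound_tls_selections(log_text):
    """One record per outbound TLS setup: forced socket, peer, chosen client domain."""
    pending, done = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if (hit := FORCED.search(msg)):
            # A new local request starts a fresh record for this worker.
            pending[pid] = {"forced_socket": hit.group(1), "xavp_missing": []}
            continue
        rec = pending.setdefault(pid, {"forced_socket": None, "xavp_missing": []})
        for key, rx in FIELDS.items():
            if (hit := rx.search(msg)):
                rec[key] = hit.group(1)
        if (hit := XAVP_MISSING.search(msg)):
            rec["xavp_missing"].append(hit.group(1).replace(" ", "_"))
        if (hit := DOMAIN.search(msg)):
            rec["client_domain"] = hit.group(1)
            # Default profile chosen although the script forced a specific socket.
            rec["fell_back_to_default"] = hit.group(1) == "default" and bool(rec["forced_socket"])
            done.append(pending.pop(pid))
    return done

if __name__ == "__main__":
    print(outbound_tls_selections(SAMPLE_LOG))
```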