New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Problem with IPv6, TLS and advertise param #1581
Comments
Hi, I was testing using Linphone SIP library and this is what their logs say:
Hope it helps. |
miconda
added a commit
that referenced
this issue
Jul 4, 2018
Try with master or using the patch referenced above, if still an issue, reopen. |
Cherry-piked this commit into v5.1.4 and so far I can confirm it's working. I have deployed the fix to prod, I'll report back in a new ticket if something fails. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
We want to be able to handle reINVITEs over TLS so calls can reconnect when they switch networks (for example from wifi to mobile data).
We have the following config in kamailio.cfg:
In order to not break TLS validation (certs) we set the advertise to the FQDN so all headers are set with the FQDN and not the IP address, also notice no
[]
in the FQDN part of advertise IPv6 line. We do this, because we found that without the advertise, all headers have the IP address, which is also OK, but if the TCP connection breaks and the client reconnects, it will send the connection to the top request-route header, if it's an IP, the TLS validation will beak because the cn= doesn't match, having the FQDN there, the cn= will match and the request will continue.Example scenario:
Our public domain is
sip.domain.com
that has SRV records pointing tosbc01.domain.com
andsbc02.domain.com
. For this example let's stick tosbc01.domain.com
.Kamailio: 1.1.1.1 / sbc01.domain.com
Media server: 2.2.2.2
Client <---TLS 443---> Kamailio <---UDP 5060---> Media server
Example call:
Let's focus on the INVITE that Kamailio sends to the media server (the blue INVITE in the screenshot)
The headers look like this:
Which is correct, if the client has to send a reINVITE, it will do a DNS request to sbc01.domain.com and depending if it has AAAA and A records, and what the client's current transport is (ipv6/ipv4) it will select and use what it needs.
..Now let's say the same scenario, but origin transport is IPv6 this time..
Same scenario as above, same invite, this time the headers look like this:
(notice the FQDN surrounded by
[]
)Reproduction
Add the
advertise
option on alisten=
param with transport tls and using an IPv6.Observe the format of the headers the
record_route()
function adds to the request.Possible Solutions
When setting a FQDN instead of an IP address (v4/v6) in the
advertise
option; never enclose it with[]
? It's a suggestion, maybe what I'm saying is completely nuts.Additional Information
kamailio -v
The text was updated successfully, but these errors were encountered: