Multi Tenant SIP TLS

Status
Not open for further replies.
J

JHTH

New Member
Nov 3, 2017
3
0
1
54
In my SIP profile I have:

tls - true
tls-cert-dir - $${conf_dir}/ssl/$${domain}

I want the tls-cert-dir to reference the domain that the SSL certificate is for

If I enable the tls-cert-dir then I get the following error

2017-11-03 17:19:20.612793 [ERR] sofia.c:3146 Error Creating SIP UA for profile: Phones (sip:mod_sofia@13.93.90.84:5060;maddr=10.2.1.4;transport=udp,tcp) ATTEMPT 1 (RETRY IN 5 SEC)
2017-11-03 17:19:25.612810 [ERR] sofia.c:3146 Error Creating SIP UA for profile: Phones (sip:mod_sofia@13.93.90.84:5060;maddr=10.2.1.4;transport=udp,tcp) ATTEMPT 2 (RETRY IN 5 SEC)
2017-11-03 17:19:30.633250 [ERR] sofia.c:3146 Error Creating SIP UA for profile: Phones (sip:mod_sofia@13.93.90.84:5060;maddr=10.2.1.4;transport=udp,tcp) ATTEMPT 3 (RETRY IN 5 SEC)
2017-11-03 17:19:30.633250 [ERR] sofia.c:3156 Error Creating SIP UA for profile: Phones (sip:mod_sofia@13.93.90.84:5060;maddr=10.2.1.4;transport=udp,tcp)
The likely causes for this are:
1) Another application is already listening on the specified address.
2) The IP the profile is attempting to bind to is not local to this system.

If I disable the tls-cert-dir then everything works!

I can't think of another way of referencing the correct Certs but I'm sure there must be!
 
DigitalDaz

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
577
113
I'm not sure that you can have multi domain tls like that with different certs.
 
J

JHTH

New Member
Nov 3, 2017
3
0
1
54
Maybe I'm overthinking it then!

How do you have multi domain tls with the same certificate?

For example my Fusion/Freepbx is set up with multiple domains:
pbx.domain1.com DNS A record pointing to xxx.xxx.xxx.xxx
pbx.domain2.com DNS A record also pointing to xxx.xxx.xxx.xxx
pbx.domain3.com DNS A record again also pointing to xxx.xxx.xxx.xxx

Users in pbx.domain1.com access the system on pbx.domain1.com:5060 or TLS on pbx.domain1.com:5061
Users in pbx.domain2.com access the system on pbx.domain2.com:5060 or TLS on pbx.domain2.com:5061
Users in pbx.domain3.com access the system on pbx.domain3.com:5060 or TLS on pbx.domain3.com:5061

All the domains are served on a single SIP Profile which is listening on the xxx.xxx.xxx.xxx address

I thought each domain would need it's own SSL cert to secure the SIP TLS/SSL conversation on it's own domain port 5061 or there would be an error in the ssl handshake between the client phone/softphone and the server?

Do I need a separate SIP profile for each domain maybe? How would you restrict a profile to a single domain so that you could serve each domain on port 5060?
 
Last edited:
DigitalDaz

DigitalDaz

Administrator
Staff member
Sep 29, 2016
3,070
577
113
I think if you are doing multidomain you probably would have to use multiple profiles.

I always just use on domain with a subdomain for the client so one wildcard certificate covers all.
 
J

JHTH

New Member
Nov 3, 2017
3
0
1
54
DigitalDaz said:
I think if you are doing multidomain you probably would have to use multiple profiles.

I always just use on domain with a subdomain for the client so one wildcard certificate covers all.
Click to expand...


Is there any way to restrict a SIP profile to a single domain so that you could serve each domain on port 5060?
 
M

MammerJammer

Member
Oct 23, 2018
60
5
8
48
DigitalDaz said:
I think if you are doing multidomain you probably would have to use multiple profiles.

I always just use on domain with a subdomain for the client so one wildcard certificate covers all.
Click to expand...

We are looking at a similar subdomain and wildcard setup. Do you have any documentation on generating the CSR and importing a CA wildcard SSL certificate?
 
felipe.pasa

felipe.pasa

New Member
Jan 9, 2019
9
2
3
44
Brazil
gnovit.com
datatracker.ietf.org

RFC 5922: Domain Certificates in the Session Initiation Protocol (SIP)

This document describes how to construct and interpret certain information in a PKIX-compliant (Public Key Infrastructure using X.509) certificate for use in a Session Initiation Protocol (SIP) over Transport Layer Security (TLS) connection. More specifically, this document describes how to...
datatracker.ietf.org datatracker.ietf.org

====
Implementations MUST match the values in their entirety:

Implementations MUST NOT match suffixes. For example,
"foo.example.com" does not match "example.com".

Implementations MUST NOT match any form of wildcard, such as a
leading "." or "*." with any other DNS label or sequence of
labels. For example, "*.example.com" matches only
"*.example.com" but not "foo.example.com". Similarly,
".example.com" matches only ".example.com", and does not match
"foo.example.com".
=====
 
Status
Not open for further replies.
Top Bottom