Load multiple certificates using one local endpoint for TCPTLS

Please post requests related to the sipsorcery library to the GitHub repo https://github.com/sipsorcery/sipsorcery/issues.
mhe
Posts: 2
Joined: Tue Nov 07, 2017 11:54 am

Load multiple certificates using one local endpoint for TCPTLS

Post by mhe » Tue Nov 07, 2017 12:03 pm

I want to open only one local port for TCPTLS (lets say port 8886), where different remotes will connect to. But each remote host will have their own certificate to use on this connection. How is this possible in SIPSorcery?

I have the following:


using System.Net;
using System.Security.Cryptography.X509Certificates;
using SIPSorcery.SIP;

var _transport = new SIPTransport(SIPDNSManager.ResolveSIPService, new SIPTransactionEngine(), true);
X509Certificate2 certificate1 = new X509Certificate2("c:\\mycerts\\cert1.cer");
X509Certificate2 certificate2 = new X509Certificate2("c:\\mycerts\\cert2.cer");
X509Certificate2 certificate3 = new X509Certificate2("c:\\mycerts\\cert3.cer");
var localEndPoint = new IPEndPoint(IPAddress.Loopback, 4007);
// The first TLS channel on the local end point is accepted.
var t = new SIPTLSChannel(certificate1, localEndPoint);
_transport.AddSIPChannel(t);
// The second and third channels re-use the same local end point with a different certificate; this is where it fails.
t = new SIPTLSChannel(certificate2, localEndPoint);
_transport.AddSIPChannel(t);
t = new SIPTLSChannel(certificate3, localEndPoint);
_transport.AddSIPChannel(t);
The problem arrives the second time I want to add a SIPChannel with the same local end point, which already exists in an underlying map, and I cannot find any methods to load more certificates on the same TCPTLSChannel.

Aaron
Site Admin
Posts: 4652
Joined: Thu Jul 12, 2007 12:13 am

Re: Load multiple certificates using one local endpoint for TCPTLS

Post by Aaron » Thu Nov 09, 2017 7:54 am

It's not possible. Each socket can only use one certificate. If not, how would it be possible to know what certificate to supply when the connection is being set up?

It's the same as web servers and all other TLS/SSL use cases.

mhe
Posts: 2
Joined: Tue Nov 07, 2017 11:54 am

Re: Load multiple certificates using one local endpoint for TCPTLS

Post by mhe » Mon Nov 13, 2017 8:18 am

I see the point.

But, from a sysadmin perspective, there is a lot of administration (port-wise) if you need to configure a specific port per SIP remote when you have just a couple of different remotes, which would lead to opening multiple ports in your FW if you do not NAT the traffic, since SIPSorcery would then open a listener per connection instead of one listener which re-routes incoming connections to another binding if the certificate is valid (since a certificate just needs to be attached to a binding).

An IMAP server, for example, only listens on port 143, and yet different clients with different certificates are able to connect to it, which means that your IMAP service only needs to open one port in the FW. Since the SIPSorcery channels are a TCPListener under the hood, I expected something similar?

Aaron
Site Admin
Posts: 4652
Joined: Thu Jul 12, 2007 12:13 am

Re: Load multiple certificates using one local endpoint for TCPTLS

Post by Aaron » Mon Nov 13, 2017 9:17 pm

Your IMAP server is probably using something like Server Name Indication (see Wikipedia), which does allow multiple SSL certificates per socket. This works by requiring the client to specify which certificate they want to connect to before the SSL negotiation starts.

The problem for SIP is that I don't think there's going to be much support, if any, for SNI amongst SIP clients, particularly IP Phones.
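The two replies above describe the same mechanism from both sides: a listening socket has exactly one default certificate, and the only way a server can pick a different one per remote on the same port is to read the server_name extension (SNI, RFC 6066) out of the ClientHello, which arrives before any certificate is sent. The following is an added example written for this thread; it is not sipsorcery code and not part of the original posts. It builds a minimal TLS 1.2 ClientHello as constructed input, parses the SNI host name back out, and maps it to a certificate label exactly as an SNI-capable server would, falling back to the socket's single default certificate when the client (for instance an IP phone without SNI support) sends no server_name at all. The host names and the cert1/cert2 labels are made up for the example.

```python
"""Server-side certificate selection from the TLS Server Name Indication.

Added example for this thread, not sipsorcery code. The host names and
certificate labels below are hypothetical; a real server would keep
X509 certificate objects in the table instead of strings.
"""
import struct

# Hypothetical table: SNI host name -> certificate to present.
CERT_BY_HOST = {
    "sipa.example": "cert1",
    "sipb.example": "cert2",
}
# Without SNI the socket can only ever present this one certificate.
DEFAULT_CERT = "cert1"


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input).

    Body: client version, 32-byte random (zeroed here), empty session id,
    one cipher suite, null compression, then the extensions block, which
    carries a server_name extension (type 0) only when server_name is given.
    """
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, session_id len 0
    body += b"\x00\x02" + b"\xc0\x2f"                    # cipher_suites: one entry
    body += b"\x01\x00"                                  # compression_methods: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # NameType host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry          # ServerNameList
        extensions += struct.pack("!HH", 0, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record


def extract_sni(record):
    """Return the lower-cased host_name from a ClientHello record, or None.

    None means the client sent no server_name (or the bytes are not a
    well-formed ClientHello); callers must then fall back to the default cert.
    """
    if len(record) < 5 or record[0] != 0x16:            # ContentType handshake(22)
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                    # must be client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:                              # truncated handshake
        return None
    pos = 2 + 32                                        # skip version + random
    try:
        sid_len = body[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        comp_len = body[pos]; pos += 1 + comp_len
        if pos >= len(body):                            # no extensions block at all
            return None
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == 0:                              # server_name extension
                list_len = struct.unpack("!H", data[:2])[0]
                p = 2
                while p + 3 <= 2 + list_len:
                    ntype = data[p]
                    nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                    name = data[p + 3:p + 3 + nlen]
                    p += 3 + nlen
                    if ntype == 0:                      # host_name
                        return name.decode("ascii").lower()
                return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def select_certificate(record):
    """Pick the certificate for one incoming connection on the shared socket."""
    host = extract_sni(record)
    if host is None:
        return DEFAULT_CERT                             # no SNI: the socket's one certificate
    return CERT_BY_HOST.get(host, DEFAULT_CERT)         # unknown name: also the default


if __name__ == "__main__":
    for name in ("sipA.example", "sipb.example", "other.example", None):
        print(name, "->", select_certificate(build_client_hello(name)))
```

In practice the TLS library does this parsing for you and only exposes the hook: Python's `ssl.SSLContext.sni_callback` and .NET's `SslServerAuthenticationOptions.ServerCertificateSelectionCallback` both hand the server the requested host name before the certificate is chosen. The fallback branch is the important part for this thread: a client that sends no server_name can only ever receive the socket's single default certificate, which is the limitation the first reply describes.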
