Multi Tenant SIP TLS

[JHTH]

In my SIP profile I have:

tls - true
tls-cert-dir - $${conf_dir}/ssl/$${domain}

I want the tls-cert-dir to reference the domain that the SSL certificate is for

If I enable the tls-cert-dir then I get the following error

2017-11-03 17:19:20.612793 [ERR] sofia.c:3146 Error Creating SIP UA for profile: Phones (sip:mod_sofia@13.93.90.84:5060;maddr=10.2.1.4;transport=udp,tcp) ATTEMPT 1 (RETRY IN 5 SEC)
2017-11-03 17:19:25.612810 [ERR] sofia.c:3146 Error Creating SIP UA for profile: Phones (sip:mod_sofia@13.93.90.84:5060;maddr=10.2.1.4;transport=udp,tcp) ATTEMPT 2 (RETRY IN 5 SEC)
2017-11-03 17:19:30.633250 [ERR] sofia.c:3146 Error Creating SIP UA for profile: Phones (sip:mod_sofia@13.93.90.84:5060;maddr=10.2.1.4;transport=udp,tcp) ATTEMPT 3 (RETRY IN 5 SEC)
2017-11-03 17:19:30.633250 [ERR] sofia.c:3156 Error Creating SIP UA for profile: Phones (sip:mod_sofia@13.93.90.84:5060;maddr=10.2.1.4;transport=udp,tcp)
The likely causes for this are:
1) Another application is already listening on the specified address.
2) The IP the profile is attempting to bind to is not local to this system.

If I disable the tls-cert-dir then everything works!

I can't think of another way of referencing the correct Certs but I'm sure there must be!

 

[DigitalDaz]

I'm not sure that you can have multi domain tls like that with different certs.

 

[JHTH]

Maybe I'm overthinking it then!

How do you have multi domain tls with the same certificate?

For example my Fusion/Freepbx is set up with multiple domains:
pbx.domain1.com DNS A record pointing to xxx.xxx.xxx.xxx
pbx.domain2.com DNS A record also pointing to xxx.xxx.xxx.xxx
pbx.domain3.com DNS A record again also pointing to xxx.xxx.xxx.xxx

Users in pbx.domain1.com access the system on pbx.domain1.com:5060 or TLS on pbx.domain1.com:5061
Users in pbx.domain2.com access the system on pbx.domain2.com:5060 or TLS on pbx.domain2.com:5061
Users in pbx.domain3.com access the system on pbx.domain3.com:5060 or TLS on pbx.domain3.com:5061

All the domains are served on a single SIP Profile which is listening on the xxx.xxx.xxx.xxx address

I thought each domain would need it's own SSL cert to secure the SIP TLS/SSL conversation on it's own domain port 5061 or there would be an error in the ssl handshake between the client phone/softphone and the server?

Do I need a separate SIP profile for each domain maybe? How would you restrict a profile to a single domain so that you could serve each domain on port 5060?

 

[DigitalDaz]

I think if you are doing multidomain you probably would have to use multiple profiles.

I always just use on domain with a subdomain for the client so one wildcard certificate covers all.

 

[JHTH]

I think if you are doing multidomain you probably would have to use multiple profiles.

I always just use on domain with a subdomain for the client so one wildcard certificate covers all.

Is there any way to restrict a SIP profile to a single domain so that you could serve each domain on port 5060?

 

[DigitalDaz]

You cannot have multiple profiles on same port like that

 

[MammerJammer]

I think if you are doing multidomain you probably would have to use multiple profiles.

I always just use on domain with a subdomain for the client so one wildcard certificate covers all.

We are looking at a similar subdomain and wildcard setup. Do you have any documentation on generating the CSR and importing a CA wildcard SSL certificate?

 

[ad5ou]

SIP protocol does not support wildcard certificates.

Many of us have hundreds of registrations that would say otherwise

 

[felipe.pasa]

RFC 5922: Domain Certificates in the Session Initiation Protocol (SIP)

This document describes how to construct and interpret certain information in a PKIX-compliant (Public Key Infrastructure using X.509) certificate for use in a Session Initiation Protocol (SIP) over Transport Layer Security (TLS) connection. More specifically, this document describes how to...

datatracker.ietf.org

====
Implementations MUST match the values in their entirety:

Implementations MUST NOT match suffixes. For example,
"foo.example.com" does not match "example.com".

Implementations MUST NOT match any form of wildcard, such as a
leading "." or "*." with any other DNS label or sequence of
labels. For example, "*.example.com" matches only
"*.example.com" but not "foo.example.com". Similarly,
".example.com" matches only ".example.com", and does not match
"foo.example.com".
=====