cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
842
Views
0
Helpful
5
Replies

DNS SRV failover and TLS_Name_Validate

mwiater
Level 1
Level 1

I'm working on configuring SRV failover with TLS.

I have several proxies with proper DNS configurations, failover works fine when I configure the primary server to send a 503, but only if I disable TLS_Name_Validate.

Logs indicate that it's not liking the hostname in the alternate proxy when it goes to validate
(3010: 3157) voice-SIP-TCP.SIP_TCP_stream_connect [Ext:1] TLS:Connecting...
(3010: 3157) voice-SIP-TCP.SIP_TCP_stream_connect [Ext:1] TLS:Hostname validation:server1.mydomain.test
(3010: 3157) voice-sal_cert_is_host hostname 'server1.mydomain.test' not matched with commonName[0] 'server2.mydomain.test'

My DNS is right,

;; ANSWER SECTION:
_sips._tcp.server1.mydomain.test. 86400 IN SRV 10 10 5061 server1.mydomain.test.
_sips._tcp.server1.mydomain.test. 86400 IN SRV 20 10 5061 server2.mydomain.test.

My certificates names are the FQDN of the computer

For the phones configuration, 

<Use_DNS_SRV_1_ ua="na">Yes</Use_DNS_SRV_1_>
<DNS_SRV_Auto_prefix_1_ ua="na">Yes</DNS_SRV_Auto_prefix_1_>
<TLS_Name_Validate_1_ ua="na">No</TLS_Name_Validate_1_>
<Proxy_Redundancy_Method_1_ ua="na">Based on SRV Port</Proxy_Redundancy_Method_1_>
<Outbound_Proxy_1_ ua="na">server1.mydomain.test</Outbound_Proxy_1_>
<Auto_Register_When_Failover_1_ ua="na">Yes</Auto_Register_When_Failover_1_>

and I tried this also.
<Alternate_Outbound_Proxy_1_ ua="na">server2.mydomain.test</Alternate_Outbound_Proxy_1_>

I’d like the phones to validate my certificates, but how can I tell the phones of my alternate proxies? 


Or better, is there a setting to make the phone check the hostname that it’s actually registering to when SRV failover is active?

1 Accepted Solution

Accepted Solutions

 voice-sal_cert_is_host hostname 'server1.mydomain.test' not matched with commonName[0] 'server2.mydomain.test'

There. server certificate doesn't contain all hostnames. 



Response Signature


View solution in original post

5 Replies 5

Rajan
VIP Alumni
VIP Alumni

The certificates which the phones will get need to have those servers added as common names in order to trust.

HTH
Rajan
Please mark all useful posts as helpful and solutions as accepted wherever applicable

 

You don't mean that I have to provide the certificate to the phone, right?    In what configuration item would I enter the list of common names?

 voice-sal_cert_is_host hostname 'server1.mydomain.test' not matched with commonName[0] 'server2.mydomain.test'

There. server certificate doesn't contain all hostnames. 



Response Signature


Thank you Nithin.  It looks like we need SANs in our certs.

mwiater
Level 1
Level 1

I'm having a hard time understanding why the phone would not be able to validate the certificate against the second priority proxy. The phone knows it's talking with server2, the certificate says it's server2, that should match.