11-07-2022 06:09 AM
I'm working on configuring SRV failover with TLS.
I have several proxies with proper DNS configurations. Failover works fine when I configure the primary server to send a 503, but only if I disable TLS_Name_Validate.
Logs indicate that it's not liking the hostname in the alternate proxy when it goes to validate:
(3010: 3157) voice-SIP-TCP.SIP_TCP_stream_connect [Ext:1] TLS:Connecting...
(3010: 3157) voice-SIP-TCP.SIP_TCP_stream_connect [Ext:1] TLS:Hostname validation:server1.mydomain.test
(3010: 3157) voice-sal_cert_is_host hostname 'server1.mydomain.test' not matched with commonName[0] 'server2.mydomain.test'
My DNS is right:
;; ANSWER SECTION:
_sips._tcp.server1.mydomain.test. 86400 IN SRV 10 10 5061 server1.mydomain.test.
_sips._tcp.server1.mydomain.test. 86400 IN SRV 20 10 5061 server2.mydomain.test.
My certificate names are the FQDN of the computer.
For the phones' configuration:
<Use_DNS_SRV_1_ ua="na">Yes</Use_DNS_SRV_1_>
<DNS_SRV_Auto_prefix_1_ ua="na">Yes</DNS_SRV_Auto_prefix_1_>
<TLS_Name_Validate_1_ ua="na">No</TLS_Name_Validate_1_>
<Proxy_Redundancy_Method_1_ ua="na">Based on SRV Port</Proxy_Redundancy_Method_1_>
<Outbound_Proxy_1_ ua="na">server1.mydomain.test</Outbound_Proxy_1_>
<Auto_Register_When_Failover_1_ ua="na">Yes</Auto_Register_When_Failover_1_>
And I tried this also:
<Alternate_Outbound_Proxy_1_ ua="na">server2.mydomain.test</Alternate_Outbound_Proxy_1_>
I’d like the phones to validate my certificates, but how can I tell the phones of my alternate proxies?
Or better, is there a setting to make the phone check the hostname that it’s actually registering to when SRV failover is active?
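The mismatch in the log above, reproduced as an added example that is not part of the original post: it checks each SRV target's certificate names against the name the phone logged as its validation reference (the configured Outbound_Proxy). The matching rule (case-insensitive exact match plus a left-most-label wildcard), the helper names, and the second certificate set are assumptions; the post only shows a commonName comparison, and whether the phone accepts additional certificate names is not stated there.

```python
# Added example: models the check visible in the phone log, where the
# reference name stays the configured proxy even after SRV failover.
# SRV records are copied from the post; certificate name lists are constructed.
SRV_ANSWER = """\
_sips._tcp.server1.mydomain.test. 86400 IN SRV 10 10 5061 server1.mydomain.test.
_sips._tcp.server1.mydomain.test. 86400 IN SRV 20 10 5061 server2.mydomain.test.
"""

def parse_srv(text):
    """Return SRV targets as (priority, weight, port, host), sorted by priority."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[3].upper() == "SRV":
            out.append((int(f[4]), int(f[5]), int(f[6]), f[7].rstrip(".").lower()))
    return sorted(out)

def name_matches(reference, presented):
    """Assumed rule: exact match, or '*.' standing for exactly one left-most label."""
    ref = reference.rstrip(".").lower()
    pres = presented.rstrip(".").lower()
    if pres.startswith("*."):
        head, _, tail = ref.partition(".")
        return bool(head) and tail == pres[2:]
    return ref == pres

def failover_report(reference, srv_text, cert_names_by_host):
    """For each SRV target: does its certificate satisfy the fixed reference name?"""
    report = []
    for prio, _weight, port, host in parse_srv(srv_text):
        names = cert_names_by_host.get(host, [])
        report.append((prio, host, port, any(name_matches(reference, n) for n in names)))
    return report

REFERENCE = "server1.mydomain.test"  # Outbound_Proxy_1_ value from the post

# Case 1 (as described in the post): each certificate carries only its own FQDN.
OWN_FQDN = {"server1.mydomain.test": ["server1.mydomain.test"],
            "server2.mydomain.test": ["server2.mydomain.test"]}
# Case 2 (constructed assumption): the alternate's certificate also lists
# the name the phone was configured with.
SHARED_NAME = {"server1.mydomain.test": ["server1.mydomain.test"],
               "server2.mydomain.test": ["server2.mydomain.test", "server1.mydomain.test"]}

if __name__ == "__main__":
    for label, certs in (("own FQDN only", OWN_FQDN), ("shared name", SHARED_NAME)):
        for prio, host, port, ok in failover_report(REFERENCE, SRV_ANSWER, certs):
            print(f"{label}: prio={prio} {host}:{port} -> {'match' if ok else 'MISMATCH'}")
```

Running the same report against the names actually present in each proxy's certificate shows, before a failover test, which SRV targets would be rejected while name validation is enabled.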