Thank's for reply klaus<br><br>you are correct when said "Unless you have s strange setup with strange requirements", but I was reading RFC 5923 to try solve my strange requirements and found some benefits to forcing all messages into a single TLS connection.<br>
<br>I have included the flag <b>"tcp_accept_aliases = yes"</b> on kamailio.cfg and now if kamailio received a message with the parameter "aliases" at header Via, all messages will be forced into a single TLS connection with SIP server. I'm testing this config yet.<br>
<br>Best Regards<br><br><br><div class="gmail_quote">2012/2/13 Klaus Darilion <span dir="ltr"><<a href="mailto:klaus.mailinglists@pernau.at">klaus.mailinglists@pernau.at</a>></span><br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="HOEnZb"><div class="h5"><br>
<br>
On 13.02.2012 18:07, Bruno Bresciani wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Hi all,<br>
<br>
There is the possibility to kamailio reuse the TLS connection created by<br>
other SIP server? When kamailio use t_relay function to send a SIP<br>
request message to other server, kamailio verify if already exist some<br>
connection established with the destiny and use it even if this<br>
connection was created by the other SIP server.<br>
<br>
In short, I want to keep only one connection between kamailio and SIP<br>
server. Sometimes kamailio will be a client and others a server.<br>
</blockquote>
<br></div></div>
This is quite difficult. For example, on a server with a single IP address may run several SIP proxy instances with different purposes. Each of these proxies uses another listening port, e.g: <a href="http://1.1.1.1:5061" target="_blank">1.1.1.1:5061</a>, <a href="http://1.1.1.1:6061" target="_blank">1.1.1.1:6061</a>, <a href="http://1.1.1.1:7061" target="_blank">1.1.1.1:7061</a>.<br>
<br>
If on of these proxies establish a TCP connection to another proxy, e.g. <a href="http://2.2.2.2:5061" target="_blank">2.2.2.2:5061</a>, it uses an ephemeral source-port. Thus, for the TLS-server (the receiver of the TLS connection) there is no way to know which of these SIP proxies on 1.1.1.1 established the connection. There are lots more issues e.g. with certificate validation - a proxy may use various certificates for several domains. Maybe you can overcome these problems if all the proxies are controlled by you, but in an open environment this kind of connection reuse does not work.<br>
<br>
Thus: connection reuse can only be used for transactions in the same direction with the same target domain. For example if you have a proxy at <a href="http://1.1.1.1:5061" target="_blank">1.1.1.1:5061</a> authoritative for <a href="http://a.example.com" target="_blank">a.example.com</a> and <a href="http://b.example.com" target="_blank">b.example.com</a> and you have a proxy at <a href="http://2.2.2.2:5061" target="_blank">2.2.2.2:5061</a> authoritative for <a href="http://y.example.com" target="_blank">y.example.com</a> and <a href="http://z.example.com" target="_blank">z.example.com</a> then you will end up with 4 TLS connections:<br>
<br>
1. 1.1.1.1 as TLS client to <a href="http://a.example.com" target="_blank">a.example.com</a><br>
2. 1.1.1.1 as TLS client to <a href="http://b.example.com" target="_blank">b.example.com</a><br>
3. 2.2.2.2 as TLS client to <a href="http://y.example.com" target="_blank">y.example.com</a><br>
4. 2.2.2.2 as TLS client to <a href="http://z.example.com" target="_blank">z.example.com</a><br>
<br>
Unless you have s strange setup with strange requirements I do not see any benefit in forcing all messages into a single TLS connection.<br>
<br>
regards<span class="HOEnZb"><font color="#888888"><br>
Klaus<br>
</font></span></blockquote></div><br>