How is it possible to use one single SIPTLSChannel in SIPSorcery, to connect with different remote servers using different certificates, but the same local port?
As far as I see, the SIPTLSChannel takes the X509Certificate2 as parameter in the constructor, and there is no way to load more certificates in this channel, nor to add multiple instances of SIPTLSChannel using the same LocalEndPoint but different certificates, as the SIPTransport will report that this EndPoint does already exist.
The following example will throw the "already exists" exception:
SIPTransport transport = new SIPTransport(SIPDNSManager.ResolveSIPService, new SIPTransactionEngine(), true);
var localEndPoint = new IPEndPoint(IPAddress.Loopback, 8443);

// First TLS channel on port 8443 with the first certificate.
var cert1 = new X509Certificate2("c:\\mycerts\\*****.cer");
var channel1 = new SIPTLSChannel(cert1, localEndPoint);
transport.AddSIPChannel(channel1);

// Second TLS channel on the same local end point with a different certificate:
// this AddSIPChannel call throws because the end point is already registered.
var cert2 = new X509Certificate2("c:\\mycerts\\*****.cer");
var channel2 = new SIPTLSChannel(cert2, localEndPoint);
transport.AddSIPChannel(channel2);
Hopefully better late than never for this answer.
In the code sample from the OP the certificate provided is the one that will be used when clients connect to the listening port. In other words it's a server certificate that will get served up to connecting clients. Depending on the client, the common name of the certificate will need to match the hostname the TLS channel is created on or the client will reject the SSL negotiation with an error like RemoteCertificateNameMismatch.
To establish an outgoing SSL connection no certificate needs to be specified (the sipsorcery library currently doesn't support client certificate authentication). What does need to be specified is the expected certificate name. The SendRequest overload that needs to be used is:
void Send(IPEndPoint dstEndPoint, byte[] buffer, string serverCertificateName)
In practice it's not normally necessary to worry about which Send overload to use. Instead the steps are:
Send with the request, and the SIP transport class takes care of creating the outgoing TCP connection and SSL negotiation.
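The arrangement the answer describes, as an added example that is not part of the original question or answer and not code from the sipsorcery project: a single SIPTLSChannel on one local port, whose certificate is only served to inbound clients, reaching two remote servers that present different certificates by passing each server's expected certificate name to the Send overload quoted above. The using directives, the certificate path and password, the remote addresses and hostnames, and the OPTIONS request builder are all assumptions made for the example.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using SIPSorcery.SIP; // assumed namespace for SIPTransport, SIPTLSChannel, SIPDNSManager

class OneChannelManyServers
{
    // Constructed SIP OPTIONS request used purely as a payload for Send();
    // the remote host is an assumption, not a real server.
    static byte[] BuildOptions(string remoteHost)
    {
        string req =
            $"OPTIONS sip:{remoteHost} SIP/2.0\r\n" +
            "Via: SIP/2.0/TLS 192.0.2.1:8443;branch=z9hG4bK-example\r\n" +
            "Max-Forwards: 70\r\n" +
            $"To: <sip:{remoteHost}>\r\n" +
            "From: <sip:probe@192.0.2.1>;tag=example-tag\r\n" +
            "Call-ID: example-call-id@192.0.2.1\r\n" +
            "CSeq: 1 OPTIONS\r\n" +
            "Content-Length: 0\r\n\r\n";
        return Encoding.ASCII.GetBytes(req);
    }

    static void Main()
    {
        var transport = new SIPTransport(SIPDNSManager.ResolveSIPService, new SIPTransactionEngine(), true);
        var localEndPoint = new IPEndPoint(IPAddress.Any, 8443);

        // ONE server certificate: it is only presented to clients that connect to us,
        // so its common name should match the hostname those clients dial.
        // Placeholder path and password, not real values.
        var serverCert = new X509Certificate2("c:\\mycerts\\PLACEHOLDER.pfx", "PLACEHOLDER_PASSWORD");
        var tlsChannel = new SIPTLSChannel(serverCert, localEndPoint);
        transport.AddSIPChannel(tlsChannel);

        // Two remote servers with different certificates (assumed addresses and names).
        var remoteA = new IPEndPoint(IPAddress.Parse("192.0.2.10"), 5061);
        var remoteB = new IPEndPoint(IPAddress.Parse("198.51.100.20"), 5061);

        // No client certificate is involved; each call names the certificate the
        // remote server is expected to present, and a mismatch fails the TLS handshake.
        tlsChannel.Send(remoteA, BuildOptions("sip-a.example.com"), "sip-a.example.com");
        tlsChannel.Send(remoteB, BuildOptions("sip-b.example.com"), "sip-b.example.com");
    }
}
```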