<div dir="ltr"><div>Hi,</div>
<div>I further went through the logs of Kamailio, and I see the below happening.</div>
<div><br></div>
<div>tls [tls_server.c:169]:  tls_get_connect_server_name[]: xavp with outbound server name not found<br></div>
<div>tls [tls_server.c:152]:  tls_get_connect_server_id[]: found xavp with outbound server id: btip.176.com<br></div>
<div><br></div>
<div>It's strange that it is able to find the client profile based on server_id, but not able to find it using the server_name.</div>
<div><br></div>
<div>In tls_complete_init():</div>
<div><br></div>
<div>if (c->flags & F_CONN_PASSIVE) {<br>
    state=S_TLS_ACCEPTING;<br>
    dom = tls_lookup_cfg(cfg, TLS_DOMAIN_SRV,<br>
            &c->rcv.dst_ip, c->rcv.dst_port, 0, 0);<br>
} else {<br>
    state=S_TLS_CONNECTING;<br>
    sname = tls_get_connect_server_name();<br>
    srvid = tls_get_connect_server_id();<br>
    dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,<br>
            &c->rcv.dst_ip, c->rcv.dst_port, sname, srvid);<br>
}<br></div>
<div><br></div>
<div>I am acting as a client, so it will hit the else part.</div>
<div><br></div>
<div>the call to 

sname = tls_get_connect_server_name(); //failed with below logs </div><div>  tls [tls_server.c:169]:  tls_get_connect_server_name[]: xavp with outbound server name not found </div><div><br></div><div>the call to  

srvid = tls_get_connect_server_id();  // success with below logs<br></div>
<div><div>tls [tls_server.c:152]:  tls_get_connect_server_id[]: found xavp with outbound server id: btip.176.com<br></div><div></div></div>
<div><br></div>
And further down in the function, as sname is NULL, it is not setting the server name extension in the client hello message.
<div><br></div>
<div>#ifndef OPENSSL_NO_TLSEXT<br>
    if (sname!=NULL) {<br>
        if(!SSL_set_tlsext_host_name(data->ssl, sname->s)) {<br>
            if (data->ssl)<br>
                SSL_free(data->ssl);<br>
            if (data->rwbio)<br>
                BIO_free(data->rwbio);<br>
            goto error;<br>
        }<br>
        LM_DBG("outbound TLS server name set to: %s\n", sname->s);<br>
    }<br>
#endif</div>
<div><br></div>
<div>Am I missing anything here w.r.t. configuration? Or is it a bug which has been fixed in later versions? Please help!!</div>
<div><br></div>
<div>Regards,</div>
<div>Mahesh.B<br>
<div><br></div>
<div><br>
<div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Dec 19, 2019 at 5:53 PM mahesh b <<a href="mailto:mahesh.b.2487@gmail.com">mahesh.b.2487@gmail.com</a>> wrote:<br></div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><p>Hi,</p>
<p>I am using Kamailio version 5.1.9.</p>
<p><br>My setup: client1 -> kamailio server 1 (IP: 10.211.160.172) ----> kamailio server 2 (IP: 10.211.160.176) -> client2</p>
<p>I have a scenario where kamailio server 1 has to initiate an outgoing TLS connection to kamailio server 2. I have set the server_name and server_id in the client profile in tls.cfg like below on kamailio server 1:</p>
<p>[client:default]<br>
verify_certificate = no<br>
require_certificate = no<br>
server_name = mahesh.client.com</p>
<p>[client:10.211.160.172:5061]<br>
method = TLSv1+<br>
verify_certificate = yes<br>
require_certificate = yes<br>
private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key<br>
certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt<br>
ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt<br>
cipher_list = RSA<br>
verify_depth = 9<br>
server_name = btip.176.com<br>
server_id = btip.176.com</p>
<p>And in sar.cfg:</p>
<p>$xavp(tls=>server_name)="btip.176.com";<br>
$xavp(tls=>server_id)="btip.176.com";<br>
$du = "sip:10.211.160.176:5061;transport=tls";<br>
....<br>
t_relay();</p>
<p>What I observe is that, when the client hello is sent by 10.211.160.172 to 10.211.160.176, I don't see the server_name extension being sent. Am I missing anything? Please help!</p></div>
</blockquote></div></div></div></div>