<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hello,</p>
    <p>trying to understand properly what you want to do and what doesn't
      work as expected ...</p>
    <p>Is it that kamailio connects via tls to another server and it
      does not present SNI?</p>
    <p>Cheers,<br>
      Daniel<br>
    </p>
    <div class="moz-cite-prefix">On 03.01.20 11:24, mahesh b wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CACYt9ViyS9ZNSsde6R8hd-QgqLDscGFzBjzfyc2CZDCOAp+u8w@mail.gmail.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <div dir="ltr">Hi All,
        <div><br>
        </div>
        <div>I am using Kamailio version 5.1.9.</div>
        <div><br>
        </div>
        <div><u>Below is my tls.cfg</u></div>
        <div><br>
        </div>
        <pre>[server:default]
method = TLSv1+
verify_certificate = no
require_certificate = no
private_key = server.key
certificate = server.crt
ca_list = bundle.crt
cipher_list = RSA
verify_depth = 9

[client:default]
verify_certificate = no
require_certificate = no


[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = btip.172.com


[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = ctip.172.com
</pre>
        <div><br>
        </div>
        <div>My Kamailio server IP is 10.211.160.172.</div>
        <div><br>
        </div>
        <div>i) When I initiate a TLS connection from a remote server (which
          is also a Kamailio server), say 10.211.160.176, to
          10.211.160.172:</div>
        <div>  In the ClientHello I am setting the SNI name as btip.172.com
          => so on the 10.211.160.172 side it is picking up the server
          profile with server_name btip.172.com for the TLS
          handshake. <b>// Working as expected</b></div>
        <div><br>
        </div>
        <div>ii) When I initiate a TLS connection from another remote
          server (which is also a Kamailio server), say 10.211.160.163, to
          10.211.160.172:</div>
        <div>  In the ClientHello I am setting the SNI name as ctip.172.com
          => so on the 10.211.160.172 side it is picking up the server
          profile with server_name ctip.172.com for the TLS
          handshake. <b>// Working as expected</b></div>
        <div><br>
        </div>
        <div>
          <div>iii) When I initiate a TLS connection from another remote
            server (which is also a Kamailio server), say 10.211.160.175,
            to 10.211.160.172:</div>
          <div>  In the ClientHello I am NOT setting the SNI name => so
            on the 10.211.160.172 side, should it pick up the server default
            profile or the first profile whose IP and port match?</div>
        </div>
        <div>  What I observe from the logs is that it is picking up the
          server profile with server_name ctip.172.com for the TLS
          handshake.</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div>  I had a look at the code in the function tls_lookup_cfg; from
          the debug prints I understand it is trying to match the profile
          for IP and port:</div>
        <div><br>
        </div>
        <pre>if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip)) <b>// IP and port matched</b>
{
    if(sname && sname->len>0) <b>// incoming ClientHello didn't have sname, so it will hit the else part</b>
    {
        if(p->server_name.s && p->server_name.len==sname->len
                && strncasecmp(p->server_name.s, sname->s, sname->len)==0)
        {
            LM_DBG("socket+server_name based TLS server domain found\n");
            return p;
        }
    }
    else
    {
        return p; <b>// so it is returning the first profile to which IP and port matched</b>
    }
}
</pre>
        <div><br>
        </div>
        <div>Am I missing anything, or is this a bug? If there is no SNI in the
          ClientHello, what needs to be done to make use of the default
          profile for the TLS handshake? Or is this something fixed in the
          latest?</div>
        <div>I just tried and modified the code as below, after which it
          is giving the server default profile when there is no SNI in the
          incoming ClientHello.</div>
        <div><br>
        </div>
        <pre>if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip))
{
    if(sname && sname->len>0)
    {
        if(p->server_name.s && p->server_name.len==sname->len
                && strncasecmp(p->server_name.s, sname->s, sname->len)==0)
        {
            LM_DBG("socket+server_name based TLS server domain found\n");
            return p;
        }
    }
    else
    {
        if( (type & TLS_DOMAIN_SRV) && (p->server_name.s) )
        {
            LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
            return cfg->srv_default;
        }
        else
        {
            LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
            return p;
        }
    }
}
</pre>
        <div><br>
        </div>
        <div>Regards,</div>
        <div>Mahesh.B</div>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio World Conference - April 27-29, 2020, in Berlin -- <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com">www.kamailioworld.com</a></pre>
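    <p>An added example, not from this thread and not Kamailio's own code: a small C model of the server-profile selection in tls_lookup_cfg() as described in the quoted message, with the two socket-bound profiles and the default profile from the quoted tls.cfg constructed inline. It assumes profiles are tried in the order listed and models only the branch under discussion; lookup_srv(), chosen_profile() and the struct names are illustrative, not Kamailio's.</p>

```c
/* Added example, not Kamailio's own code: a small model of the server-profile
 * selection in tls_lookup_cfg() discussed in the thread; all values constructed. */
#include <string.h>
#include <strings.h>
struct tls_domain {
    const char *ip;           /* socket address of a [server:ip:port] profile */
    int port;                 /* 0 matches any port */
    const char *server_name;  /* SNI name of the profile, NULL if none */
};
struct tls_cfg {
    const struct tls_domain *srv_default;  /* [server:default] */
    const struct tls_domain *srv_list;     /* socket-bound profiles, in list order */
    size_t n_srv;
};
/* sname: SNI host from the ClientHello, NULL when absent. with_fix == 0 keeps the
 * observed behaviour (first socket match wins without SNI); with_fix == 1 applies
 * the proposed change (fall back to srv_default when that match has a server_name). */
const struct tls_domain *lookup_srv(const struct tls_cfg *cfg, const char *ip,
                                    int port, const char *sname, int with_fix)
{
    for (size_t i = 0; i < cfg->n_srv; i++) {
        const struct tls_domain *p = &cfg->srv_list[i];
        if ((p->port != 0 && p->port != port) || strcmp(p->ip, ip) != 0)
            continue;  /* socket does not match this profile */
        if (sname && *sname) {
            /* SNI present: only a profile with the same server_name qualifies */
            if (p->server_name && strcasecmp(p->server_name, sname) == 0)
                return p;
        } else if (with_fix && p->server_name) {
            return cfg->srv_default;
        } else {
            return p;  /* no SNI: first socket match, whatever its server_name */
        }
    }
    return cfg->srv_default;  /* nothing socket-specific matched */
}

/* Constructed config mirroring the thread: two profiles on the same socket. */
static const struct tls_domain g_default = { "", 0, NULL };
static const struct tls_domain g_list[] = {
    { "10.211.160.172", 5061, "btip.172.com" },
    { "10.211.160.172", 5061, "ctip.172.com" },
};
static const struct tls_cfg g_cfg = { &g_default, g_list, 2 };
/* Name of the profile chosen for a connection to 10.211.160.172:5061. */
const char *chosen_profile(const char *sname, int with_fix)
{
    const struct tls_domain *d = lookup_srv(&g_cfg, "10.211.160.172", 5061, sname, with_fix);
    return d == g_cfg.srv_default ? "default" : d->server_name;
}
```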
  </body>
</html>