sr-dev May 2025

sr-dev@lists.kamailio.org

15 participants
204 discussions

[kamailio/kamailio] stirshaken: removed repeated x509 certification path check (PR #4202)
by Felipe Cuadra Plaza 06 May '25

06 May '25

2 2

git:master:f007736b: stirshaken: removed repeated x509 certification path check
by Daniel-Constantin Mierla 06 May '25

06 May '25

Module: kamailio Branch: master Commit: f007736ba18f5cc2114ffdd1e6df2b9b03808fe7 URL: https://github.com/kamailio/kamailio/commit/f007736ba18f5cc2114ffdd1e6df2b9… Author: FelipeCuadra <f.cuadra(a)zaleos.net> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2025-05-06T13:34:41+02:00 stirshaken: removed repeated x509 certification path check - removed a second check of the x509 certificate path from the module, since it is already done earlier in the library and updated documentation --- Modified: src/modules/stirshaken/doc/stirshaken_admin.xml Modified: src/modules/stirshaken/stirshaken_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/f007736ba18f5cc2114ffdd1e6df2b9… Patch: https://github.com/kamailio/kamailio/commit/f007736ba18f5cc2114ffdd1e6df2b9… --- diff --git a/src/modules/stirshaken/doc/stirshaken_admin.xml b/src/modules/stirshaken/doc/stirshaken_admin.xml index ef07e6a7212..41f72e5c1b7 100644 --- a/src/modules/stirshaken/doc/stirshaken_admin.xml +++ b/src/modules/stirshaken/doc/stirshaken_admin.xml @@ -528,6 +528,10 @@ request_route { ... </programlisting> </example> + <para> + To ensure proper functionality, the Kamailio stirshaken module requires a minimum version of libstirshaken that includes the stir_shaken_verify_cert_path function for performing the x509 certificate path check. This functionality was added to libstirshaken around 2020 (<![CDATA[https://github.com/signalwire/libstirshaken/commit/58e740b897ae40e2bb02ada2231a051a7eb55137]]>). + If you're using an older version of libstirshaken that predates this commit, the stirshaken module may not function correctly. + </para> </section> </chapter> diff --git a/src/modules/stirshaken/stirshaken_mod.c b/src/modules/stirshaken/stirshaken_mod.c index 95bbdeb5736..5d0bc744885 100644 --- a/src/modules/stirshaken/stirshaken_mod.c +++ b/src/modules/stirshaken/stirshaken_mod.c @@ -613,23 +613,6 @@ static int ki_stirshaken_check_identity(sip_msg_t *msg) goto fail; } - if(stirshaken_vs_verify_x509_cert_path) { - - LM_DBG("Running X509 certificate path verification\n"); - - if(!vs) { - LM_ERR("Verification Service not started\n"); - goto fail; - } - - if(STIR_SHAKEN_STATUS_OK - != stir_shaken_verify_cert_path(&ss, cert_out, vs->store)) { - LM_ERR("Cert did not pass X509 path validation\n"); - stirshaken_print_error_details(&ss); - goto fail; - } - } - if(stirshaken_vs_pptg_pvname.s != 0) { memset(&val, 0, sizeof(pv_value_t)); val.flags = PV_VAL_STR;

1 0

[kamailio/kamailio] app_jstd: Added dynamic buffer sizing to load bigger .js files and Added ability to load all JavaScript files from a specified directory (PR #4221)
by nickgashcc 06 May '25

06 May '25

2 9

git:master:4ed24494: app_jsdt: Added dynamic buffer sizing to load bigger .js files and Added ability to load all JavaScript files from a specified directory
by Daniel-Constantin Mierla 06 May '25

06 May '25

Module: kamailio Branch: master Commit: 4ed2449454d07594f9bc30622b7fada9d719c5a3 URL: https://github.com/kamailio/kamailio/commit/4ed2449454d07594f9bc30622b7fada… Author: ngash <nick.gash(a)ccprosolutions.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2025-05-06T13:33:50+02:00 app_jsdt: Added dynamic buffer sizing to load bigger .js files and Added ability to load all JavaScript files from a specified directory - The code that loaded a JavaScript file used a fix buffer length of 128K on the stack. This has been changed so that the file size is determined and an attempt to allocate an appropriate buffer size temporarily is made. The file contents are then loaded into that buffer before being passed to the duktape engine. - In addition a new module param 'loaddir' has been added that allows you to specify a directory containing .js files rather than specifying a single .js file to load with the existing 'load' param. If loaddir is set it will take a higher priority than load. All .js files in the directory are loaded into a temporary buffer and combined before passing to the duktape engine. This allows you to split logic/routes into seperate .js files but load them all inbto the JavaScript engine. - Updated documentation accordinglyapp_jsdt: Added dynamic buffer sizing to load bigger .js files and Added ability to load all JavaScript files from a specified directory - The code that loaded a JavaScript file used a fix buffer length of 128K on the stack. This has been changed so that the file size is determined and an attempt to allocate an appropriate buffer size temporarily is made. The file contents are then loaded into that buffer before being passed to the duktape engine. - In addition a new module param 'loaddir' has been added that allows you to specify a directory containing .js files rather than specifying a single .js file to load with the existing 'load' param. If loaddir is set it will take a higher priority than load. All .js files in the directory are loaded into a temporary buffer and combined before passing to the duktape engine. This allows you to split logic/routes into seperate .js files but load them all inbto the JavaScript engine. - Updated documentation accordingly --- Modified: src/modules/app_jsdt/app_jsdt_api.c Modified: src/modules/app_jsdt/app_jsdt_mod.c Modified: src/modules/app_jsdt/doc/app_jsdt_admin.xml --- Diff: https://github.com/kamailio/kamailio/commit/4ed2449454d07594f9bc30622b7fada… Patch: https://github.com/kamailio/kamailio/commit/4ed2449454d07594f9bc30622b7fada…

1 0

[kamailio/kamailio] Feature/tcp/tls domain matching (PR #4222)
by Michael Furmur 06 May '25

06 May '25

#### Pre-Submission Checklist    - [x] Commit message has the format required by CONTRIBUTING guide - [x] Commits are split per component (core, individual modules, libs, utils, ...) - [x] Each component has a single commit (if not, squash them into one commit) - [x] No commits to README files for modules (changes must be done to docbook files in `doc/` subfolder, the README file is autogenerated) #### Type Of Change - [ ] Small bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds new functionality) - [ ] Breaking change (fix or feature that would change existing functionality) #### Checklist:  - [ ] PR should be backported to stable branches - [x] Tested changes locally - [ ] Related to issue #XXXX (replace XXXX with an open issue number) #### Description PR adds new core option `tls_connection_match_domain` with the default value 0 (old behavior) to solve the problem when we need to have multiple TLS connections with different SNI to the same host:port endpoint. for example: multiple customers (authorized by cert) for MS Teams on the single kamailio instance. originally, functions `_tcpconn_find` and `_tcpconn_add_alias_unsafe` use only endpoint and protocol to match connections. setting `tls_connection_match_domain` to `1` will match additionaly with `tls_domain_str()` output for matched TLS domain. as a result, we will be able to establish new TLS connections if TLS domain is changed instead of reusing of the existent one with the wrong SNI. i'm not considering this PR as the final version but we need something to start with. looking forward for any input. FIXME: not found the right place where new core option should be documented. #### Behavior difference example * /etc/kamailio/kamailio.cfg (relays all requests to 127.0.0.1:5081 using TLS domain matched by server_id retreived from RURI-User): ``` #!KAMAILIO listen=udp:127.0.0.1:5060 listen=tls:127.0.0.1:5061 enable_tls = yes tls_connection_match_domain = 1 debug = 3 loadmodule "tls.so" modparam("tls", "config", "/etc/kamailio/tls.cfg") modparam("tls", "xavp_cfg", "tls") loadmodule "ctl.so" loadmodule "pv.so" loadmodule "tm.so" route { $xavp(tls=>server_id) = $rU; t_relay_to_tls("127.0.0.1", 5081); } ``` * /etc/kamailio/tls.cfg: ``` [server:default] certificate = /etc/ssl/certs/ssl-cert-snakeoil.pem private_key = /etc/ssl/private/ssl-cert-snakeoil.key [client:any] server_name = server_name_1.invalid server_id = 1 [client:any] server_name = server_name_2.invalid server_id = 2 ``` * run tls server: ```bash $ openssl s_server -port 5081 -cert /etc/ssl/certs/ssl-cert-snakeoil.pem -key /etc/ssl/private/ssl-cert-snakeoil.key ``` * send `INVITE sip:1@127.0.0.1:5060` and `INVITE sip:2@127.0.0.1:5060` using sipp: ```bash $ for u in 1 2; do sipp -sn uac -m 1 -nd -recv_timeout 1 -bg -s $u 127.0.0.1:5060; done ``` * resulting `tls.list` for kamailio instance WITHOUT `tls_connection_match_domain = 1` (old behavior): ```bash # kamcmd tls.list { id: 1 dom: TLSc<any:server_name_1.invalid> sni: N/A timestamp: 2025-04-24 14:07:20 timeout: 118 src_ip: 127.0.0.1 src_port: 5081 dst_ip: 127.0.0.1 dst_port: 58808 cipher: unknown ct_wq_size: 1162 enc_rd_buf: 0 flags: 1 state: tls_connect } ``` * `tls.list` for kamailio instance WITH `tls_connection_match_domain = 1` (new behavior): ```bash # kamcmd tls.list { id: 1 dom: TLSc<any:server_name_1.invalid> sni: N/A timestamp: 2025-04-24 14:09:10 timeout: 117 src_ip: 127.0.0.1 src_port: 5081 dst_ip: 127.0.0.1 dst_port: 55480 cipher: unknown ct_wq_size: 581 enc_rd_buf: 0 flags: 1 state: tls_connect } { id: 2 dom: TLSc<any:server_name_2.invalid> sni: N/A timestamp: 2025-04-24 14:09:10 timeout: 117 src_ip: 127.0.0.1 src_port: 5081 dst_ip: 127.0.0.1 dst_port: 55488 cipher: unknown ct_wq_size: 581 enc_rd_buf: 0 flags: 1 state: tls_connect } ``` You can view, comment on, or merge this pull request online at: https://github.com/kamailio/kamailio/pull/4222 -- Commit Summary -- * core: support tls connection domain matching * tls: implement match_domain,match_connections_domain hooks * tls_wolfssl: implement match_domain,match_connections_domain hooks -- File Changes -- M src/core/cfg.lex (3) M src/core/cfg.y (9) M src/core/globals.h (1) M src/core/tcp_main.c (14) M src/core/tls_hooks.h (9) M src/main.c (4) M src/modules/tls/tls_mod.c (2) M src/modules/tls/tls_rpc.c (12) M src/modules/tls/tls_server.c (97) M src/modules/tls/tls_server.h (8) M src/modules/tls_wolfssl/tls_rpc.c (12) M src/modules/tls_wolfssl/tls_server.c (94) M src/modules/tls_wolfssl/tls_server.h (7) M src/modules/tls_wolfssl/tls_wolfssl_mod.c (2) -- Patch Links -- https://github.com/kamailio/kamailio/pull/4222.patch https://github.com/kamailio/kamailio/pull/4222.diff -- Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/pull/4222 You are receiving this because you are subscribed to this thread. Message ID: <kamailio/kamailio/pull/4222(a)github.com>

2 4

git:master:fabf509a: tls_wolfssl: implement match_domain,match_connections_domain hooks
by Daniel-Constantin Mierla 06 May '25

06 May '25

Module: kamailio Branch: master Commit: fabf509a7e2ce550f71554517346f873b8426ff6 URL: https://github.com/kamailio/kamailio/commit/fabf509a7e2ce550f71554517346f87… Author: Michael Furmur <furmur(a)pm.me> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2025-05-06T13:32:35+02:00 tls_wolfssl: implement match_domain,match_connections_domain hooks * save tls_domain_str() to the tls_extra_data and use it for connections matching * rpc tls.list: add 'dom' attribute --- Modified: src/modules/tls_wolfssl/tls_rpc.c Modified: src/modules/tls_wolfssl/tls_server.c Modified: src/modules/tls_wolfssl/tls_server.h Modified: src/modules/tls_wolfssl/tls_wolfssl_mod.c --- Diff: https://github.com/kamailio/kamailio/commit/fabf509a7e2ce550f71554517346f87… Patch: https://github.com/kamailio/kamailio/commit/fabf509a7e2ce550f71554517346f87…

1 0

git:master:98feec09: tls: implement match_domain,match_connections_domain hooks
by Daniel-Constantin Mierla 06 May '25

06 May '25

Module: kamailio Branch: master Commit: 98feec09b3cc0fe67d1a2f8484b5c9583a4beb21 URL: https://github.com/kamailio/kamailio/commit/98feec09b3cc0fe67d1a2f8484b5c95… Author: Michael Furmur <furmur(a)pm.me> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2025-05-06T13:32:35+02:00 tls: implement match_domain,match_connections_domain hooks * save tls_domain_str() to the tls_extra_data and use it for connections matching * rpc tls.list: add 'dom' attribute --- Modified: src/modules/tls/tls_mod.c Modified: src/modules/tls/tls_rpc.c Modified: src/modules/tls/tls_server.c Modified: src/modules/tls/tls_server.h --- Diff: https://github.com/kamailio/kamailio/commit/98feec09b3cc0fe67d1a2f8484b5c95… Patch: https://github.com/kamailio/kamailio/commit/98feec09b3cc0fe67d1a2f8484b5c95…

1 0

git:master:69f22ad4: core: support tls connection domain matching
by Daniel-Constantin Mierla 06 May '25

06 May '25

Module: kamailio Branch: master Commit: 69f22ad49be1302c884f47903d0e32d8491912fd URL: https://github.com/kamailio/kamailio/commit/69f22ad49be1302c884f47903d0e32d… Author: Michael Furmur <furmur(a)pm.me> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2025-05-06T13:32:35+02:00 core: support tls connection domain matching * add tls_connection_match_domain core option (default: 0) * add match_domain, match_connections_domain tls hooks * modify _tcpconn_find, _tcpconn_add_alias_unsafe to use newly added tls hooks --- Modified: src/core/cfg.lex Modified: src/core/cfg.y Modified: src/core/globals.h Modified: src/core/tcp_main.c Modified: src/core/tls_hooks.h Modified: src/main.c --- Diff: https://github.com/kamailio/kamailio/commit/69f22ad49be1302c884f47903d0e32d… Patch: https://github.com/kamailio/kamailio/commit/69f22ad49be1302c884f47903d0e32d…

1 0

[kamailio/kamailio] cdp: Cast time for printing and Improve cdp docs (PR #4227)
by Xenofon Karamanos 06 May '25

06 May '25

2 2

git:master:11275ccb: cdp: docs: Add missing list_peers function
by Daniel-Constantin Mierla 06 May '25

06 May '25

Module: kamailio Branch: master Commit: 11275ccb94cdddfec49191eaf80b2bc2f083c284 URL: https://github.com/kamailio/kamailio/commit/11275ccb94cdddfec49191eaf80b2bc… Author: Xenofon Karamanos <xk(a)gilawa.com> Committer: Daniel-Constantin Mierla <miconda(a)gmail.com> Date: 2025-05-06T13:31:54+02:00 cdp: docs: Add missing list_peers function - Fix some typos - Remove unused section 7.2 --- Modified: src/modules/cdp/doc/cdp_admin.xml --- Diff: https://github.com/kamailio/kamailio/commit/11275ccb94cdddfec49191eaf80b2bc… Patch: https://github.com/kamailio/kamailio/commit/11275ccb94cdddfec49191eaf80b2bc… --- diff --git a/src/modules/cdp/doc/cdp_admin.xml b/src/modules/cdp/doc/cdp_admin.xml index d1e313247e1..afc93be5066 100644 --- a/src/modules/cdp/doc/cdp_admin.xml +++ b/src/modules/cdp/doc/cdp_admin.xml @@ -365,7 +365,7 @@ if(!cdp_check_peer("hss.mnc001.mcc001.3gppnetwork.org")) { </listitem> </itemizedlist> <example> - <title><function>cdp_check_peer</function> usage</title> + <title><function>cdp_has_app</function> usage</title> <programlisting format="linespecific"> ... if(!cdp_has_app("10415", "4")) { @@ -376,7 +376,7 @@ if(!cdp_has_app("10415", "4")) { </programlisting> </example> <example> - <title><function>cdp_check_peer</function> usage</title> + <title><function>cdp_has_app</function> usage</title> <programlisting format="linespecific"> ... if(!cdp_has_app("16777216")) { @@ -392,7 +392,20 @@ if(!cdp_has_app("16777216")) { <section> <title>RPC Commands</title> - <para>exported RPC commands.</para> + <section id="cdp.states"> + <title>States</title> + <itemizedlist id="cdp.cdp_states" title="States"> + <listitem><para>Closed (0) - Not connected</para></listitem> + <listitem><para>Wait_Conn_Ack (1) - Connecting - waiting for Ack</para></listitem> + <listitem><para>Wait_I_CEA (2) - Connecting - waiting for Capabilities Exchange Answer</para></listitem> + <listitem><para>Wait_Conn_Ack_Elect (3) - Connecting - Acknowledged and going for Election</para></listitem> + <listitem><para>Wait_Returns (4) - Connecting - done</para></listitem> + <listitem><para>R_Open (5) - Connected as receiver</para></listitem> + <listitem><para>I_Open (6) - Connected as initiator</para></listitem> + <listitem><para>Closing (7) - Closing the connection</para></listitem> + </itemizedlist> + </section> + <para>Exported RPC commands.</para> <section> <title>cdp.disable_peer</title> @@ -405,6 +418,14 @@ if(!cdp_has_app("16777216")) { <para>enable/re-enable a diameter peer</para> </section> + + <section> + <title>cdp.list_peers</title> + <para>list all configured diameter peers</para> + <para> + State details can be found in the list above (<xref linkend="cdp.states" />) + </para> + </section> </section> <section> @@ -538,7 +559,5 @@ if(!cdp_has_app("16777216")) { </programlisting> </example> </section> - - <section/> </section> </chapter>

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

sr-dev May 2025