@miconda I saw you have some idea to get this in the post `Kamailio not using SNI in incoming requests #1938`

can i get any help in fixing this issue, I am just ran out of solutions, don't know how to fix this now. I am using Kamailio on AWS.

``` [client:default] method = TLSv1.2+ verify_certificate = no require_certificate = no ```

try again

these are now my new configs to address the sni issue what do you think issue might be.

``` [server:default] method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem ca_list = /etc/kamailio/ca_list.pem #ca_list = /etc/letsencrypt/live/abcsbc.com/cert.pem

[server:172.31.19.8:5061] method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem ca_list = /etc/kamailio/ca_list.pem server_name = localhost #ca_list = /etc/letsencrypt/live/abcsbc.com/cert.pem

[client:default] method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem ca_list = /etc/kamailio/ca_list.pem #ca_list = /etc/letsencrypt/live/abcsbc.com/cert.pem

```

``` Dec 14 17:55:30 abcsbc.com /usr/sbin/kamailio[9381]: INFO: <script>: Sent out tm request: OPTIONS sip:sip.pstnhub.microsoft.com:5061;transport=tls SIP/2.0 Via: SIP/2.0/TLS abcsbc.com:5061;branch=z9hG4bK9503.01286945000000000000000000000000.0 To: sip:sip.pstnhub.microsoft.com:5061;transport=tls From: sip:abcsbc.com;tag=64ff6b492a7d9ab14de1f0b7c15c9c17-751e2d5e CSeq: 10 OPTIONS Call-ID: 1d9992923957b68d-9381@0.0.0.0 Max-Forwards: 70 Content-Length: 0 User-Agent: kamailio (5.6.5 (x86_64/linux)) Dec 14 17:55:30 abcsbc.com /usr/sbin/kamailio[9381]: INFO: <script>: Sent out tm request: OPTIONS sip:sip2.pstnhub.microsoft.com:5061;transport=tls SIP/2.0 Via: SIP/2.0/TLS abcsbc.com:5061;branch=z9hG4bKa503.87bed643000000000000000000000000.0 To: sip:sip2.pstnhub.microsoft.com:5061;transport=tls From: sip:abcsbc.com;tag=64ff6b492a7d9ab14de1f0b7c15c9c17-dbf96c3a CSeq: 10 OPTIONS Call-ID: 1d9992923957b68e-9381@0.0.0.0 Max-Forwards: 70 Content-Length: 0 User-Agent: kamailio (5.6.5 (x86_64/linux)) Dec 14 17:55:30 abcsbc.com /usr/sbin/kamailio[9395]: ERROR: tls [tls_server.c:1319]: tls_h_read_f(): protocol level error Dec 14 17:55:30 abcsbc.com /usr/sbin/kamailio[9395]: ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (sni: unknown) Dec 14 17:55:30 abcsbc.com /usr/sbin/kamailio[9395]: ERROR: tls [tls_server.c:1323]: tls_h_read_f(): src addr: 52.114.148.0:5061 Dec 14 17:55:30 abcsbc.com /usr/sbin/kamailio[9395]: ERROR: tls [tls_server.c:1326]: tls_h_read_f(): dst addr: 172.31.19.8:0 Dec 14 17:55:30 abcsbc.com /usr/sbin/kamailio[9395]: ERROR: <core> [core/tcp_read.c:1499]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f3d122d4058 r: 0x7f3d122d4180 (-1)

```

This tracker is for reporting issues in the C code, if you want to discuss about configuring Kamailio and its use cases, you have to email to sr-users@lists.kamailio.org mailing list.

I am able to resolve the tls sni issue with this setting finally.

``` [server:default] method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem ca_list = /etc/kamailio/ca_list.pem #ca_list = /etc/letsencrypt/live/abcsbc.com/cert.pem

[server:172.31.19.8:5061] method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem ca_list = /etc/kamailio/ca_list.pem server_name = localhost

[client:default] method = TLSv1.2+ verify_certificate = no require_certificate = no server_name = abcsbc.com

[client:172.31.19.8:5061] method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem ca_list = /etc/kamailio/ca_list.pem server_name = localhost server_id = localhost

#private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem #certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem #ca_list = /etc/kamailio/ca_list.pem #ca_list = /etc/letsencrypt/live/abcsbc.com/cert.pem ```

But now the thing to worry is my dispatcher flag goes from AX to IP. :(

kamcmd dispatcher.list | egrep "URI|FLAGS" URI: sip:sip.pstnhub.microsoft.com:5061;transport=tls FLAGS: IP URI: sip:sip2.pstnhub.microsoft.com:5061;transport=tls FLAGS: IP URI: sip:sip3.pstnhub.microsoft.com:5061;transport=tls FLAGS: IP

why ?

testing with this version:

``` [server:default] method = TLSv1.2+ verify_certificate = no require_certificate = no private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem ca_list = /etc/kamailio/ca_list.pem #ca_list = /etc/letsencrypt/live/abcsbc.com/cert.pem

[client:default] method = TLSv1.2+ verify_certificate = no require_certificate = no private_key = /etc/letsencrypt/live/abcsbc.com/privkey.pem certificate = /etc/letsencrypt/live/abcsbc.com/fullchain.pem ca_list = /etc/kamailio/ca_list.pem #ca_list = /etc/letsencrypt/live/abcsbc.com/cert.pem

```

in addition

``` event_route[tm:local-request] { # xinfo("Routing locally generated $rm to $ru\n"); if (is_method("OPTIONS") && $ru =~ "sip.pstnhub.microsoft.com") { append_hf("Contact: sip:DOMAIN:5061;transport=tls\r\n"); } } ```

OK?