### Description
While implementing an edge proxy based on Kamailio I have to add a custom SIP header which contains the UID from the user agent's client certificate.
The UID is part of the subject, like: O = Company CN = Sebastian Denz UID = denz
But I can't access that attribute. All I can do is read the CN and O.
### Expected behavior
There should be a select to access the UID attribute from the subject, or at least a select which returns the whole subject, so it can be parsed manually in kamailio.cfg.
### Actual observed behavior
It is only possible to access the O and CN fields from the subject.
### Additional Information
* **Kamailio Version** - output of `kamailio -v`
```
kamailio -v
version: kamailio 5.2.0 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144 MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 5.3.1
```
Doesn't $tls_peer_subject contain the full subject?
Hi Olle! Thanks for replying!
Sadly it doesn't...
```
xlog("L_INFO", "MY_LOG HANDLE_TLS tls_peer_subject: $tls_peer_subject\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS sel(tls.peer.subject): $sel(tls.peer.subject)\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS sel(tls.peer.subject.name): $sel(tls.peer.subject.name)\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS sel(tls.peer.subject.common_name): $sel(tls.peer.subject.common_name)\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS sel(tls.peer.name): $sel(tls.peer.subject.name)\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS sel(tls.peer.c): $sel(tls.peer.subject.c)\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS sel(tls.peer.o): $sel(tls.peer.subject.o)\n");
```
Output:
```
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) DEBUG: tls [tls_select.c:778]: pv_comp(): ind_local = 611(7226) DEBUG: tls [tls_select.c:717]: get_comp(): Element Unknown not found in certificate subject/issuer
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) INFO: <script>: MY_LOG HANDLE_TLS tls_peer_subject: <null>
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) DEBUG: <core> [core/select.c:412]: run_select(): Calling SELECT 0x7fc9e885d3e0
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.subject): Sebastian Denz
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) DEBUG: <core> [core/select.c:412]: run_select(): Calling SELECT 0x7fc9e88a8fa8
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.subject.name): Sebastian Denz
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) DEBUG: <core> [core/select.c:412]: run_select(): Calling SELECT 0x7fc9e88a96a8
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.subject.common_name): Sebastian Denz
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) DEBUG: <core> [core/select.c:412]: run_select(): Calling SELECT 0x7fc9e88a8fa8
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.name): Sebastian Denz
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) DEBUG: <core> [core/select.c:412]: run_select(): Calling SELECT 0x7fc9e88a9ff0
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) DEBUG: tls [tls_select.c:717]: get_comp(): Element CountryName not found in certificate subject/issuer
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.c): <null>
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) DEBUG: <core> [core/select.c:412]: run_select(): Calling SELECT 0x7fc9e88aa6e8
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.o): Company
Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) DEBUG: <core> [core/select.c:412]: run_select(): Calling SELECT 0x7fc9e88a96a8
```
Can you dump that part of the x509 cert so I clearly see the syntax?
```
$ openssl x509 -in denzs.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7432924801283864513 (0x67270db9b6b737c1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Company PERSON CA
        Validity
            Not Before: Apr 3 08:09:31 2018 GMT
            Not After : Apr 3 08:09:31 2019 GMT
        Subject: UID = denzs, CN = Sebastian Denz, O = Company GmbH
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
....
```
If you expected another output format just let me know...
`Feb 08 13:27:28 edgar-dev kamailio[7213]: 11(7226) DEBUG: tls [tls_select.c:778]: pv_comp(): ind_local = 611(7226) DEBUG: tls [tls_select.c:717]: get_comp(): Element Unknown not found in certificate subject/issuer`
Seems like the code fails on UID and drops all parsing of the Subject line.
I can't find "uid" as a part of any X500 syntax.
I looked primarily in https://tools.ietf.org/html/rfc2256
RFC 5280 says "Where it is non-empty, the subject field MUST contain an X.500 distinguished name (DN)."
I wonder if the UID breaks something. Just guessing wildly here, haven't checked any code yet. But it is interesting to me. Do you have any pointers to where UID is part of a DN?
I can't find a relevant RFC or something similar, but it seems to be quite common to me...
See:
* https://www.cryptosys.net/pki/manpki/pki_distnames.html
* http://www.modssl.org/docs/2.4/ssl_reference.html (search SSL_CLIENT_S_DN_UID)
Or to ask from the other side... where would you put your username inside of the certificate? In our case the CN contains the full name of the user...
I've put all kinds of stuff into the subject line, but haven't used this parser. But if good old mod_ssl approves, we should. :-)
Seems like that part of the tls module code needs love. The fact that you can't get the full subject clearly seems like a bug to me.
To get an additional select for uid is a feature request.
Yep, full ack! That is exactly what I was thinking :+1:
I will look into it. Would be great if you could test one or two commits in git master later on.
Can you please give the referenced commit a try.
Henning - I see that you've added UID. Did you also fix the bug with $tls_peer_subject ?
@oej It should now be detected in the relevant code, but we will be 100% sure after the test of @denzs.
@henningw and @oej
Thank you so much for your awesome support!
Unfortunately the patch doesn't help yet...
```
xlog("L_INFO", "MY_LOG HANDLE_TLS tls_peer_subject: $tls_peer_subject\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS tls_peer_subject_uid: $tls_peer_subject_uid\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS sel(tls.peer.subject.uid): $sel(tls.peer.subject.uid)\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS sel(tls.peer.subject): $sel(tls.peer.subject)\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS sel(tls.peer.subject.name): $sel(tls.peer.subject.name)\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS sel(tls.peer.subject.common_name): $sel(tls.peer.subject.common_name)\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS sel(tls.peer.name): $sel(tls.peer.subject.name)\n");
```
logs:
```
12(24697) INFO: <script>: MY_LOG HANDLE_TLS tls_peer_subject: <null>
12(24697) INFO: <script>: MY_LOG HANDLE_TLS tls_peer_subject_uid: <null>
12(24697) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.subject.uid): <null>
12(24697) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.subject): Sebastian Denz
12(24697) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.subject.name): Sebastian Denz
12(24697) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.subject.common_name): Sebastian Denz
12(24697) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.name): Sebastian Denz
```
According to Wireshark the uid is sent like this: `RelativeDistinguishedName item (itu-t.9.2342.19200300.100.1.1=denzs)`
Using NID_userId instead of NID_x500UniqueIdentifier leads to:
```
14(3220) INFO: <script>: MY_LOG HANDLE_TLS tls_peer_subject: <null>
14(3220) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.subject.uid): denzs
14(3220) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.subject): Sebastian Denz
14(3220) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.subject.name): Sebastian Denz
14(3220) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.subject.common_name): Sebastian Denz
14(3220) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.name): Sebastian Denz
```
This at least fixes accessing the uid attribute for me! :)
But it is still not possible to access the whole subject...
See https://github.com/denzs/kamailio/commit/66aacee31e487473f00d2b614bc09db678b... for my changes..
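The NID switch above comes down to which attribute type OID the "UID =" RDN is encoded under. As an added illustration (my own code, not Kamailio's tls module, which uses OpenSSL's X509_NAME API), the following stand-alone DER walk builds a subject like the one in the certificate dump, looks attributes up by OID the way a by-NID lookup would, and renders the whole subject on one line; the sample subject is constructed here and the helper names are mine.

```python
# Added example, not Kamailio's code: walk a DER X.509 subject Name (RFC 5280 RDNSequence).
# A "UID =" RDN is userId (0.9.2342.19200300.100.1.1), not x500UniqueIdentifier (2.5.4.45).
OID = {"CN": "2.5.4.3", "O": "2.5.4.10", "UID": "0.9.2342.19200300.100.1.1",
       "x500UniqueIdentifier": "2.5.4.45"}
SHORT = {v: k for k, v in OID.items()}

def _der(tag, body):                 # one TLV; long-form length for bodies >= 128 bytes
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body
def _enc_oid(dotted):                # dotted string -> base-128 OID content octets
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while (a := a >> 7):
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return bytes(out)
def encode_name(rdns):
    """[(short_name, value)] -> DER RDNSequence, one UTF8String attribute per RDN."""
    return _der(0x30, b"".join(_der(0x31, _der(0x30, _der(0x06, _enc_oid(OID[k]))
                                                + _der(0x0C, v.encode()))) for k, v in rdns))

def _tlv(buf, pos):                  # read one TLV at pos -> (tag, body, next_pos)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def _dec_oid(raw):                   # OID content octets -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def parse_name(der):
    """DER RDNSequence -> [(dotted_oid, value)] in certificate order (single-valued RDNs)."""
    out, pos, seq = [], 0, _tlv(der, 0)[1]
    while pos < len(seq):
        _, rdn, pos = _tlv(seq, pos)                  # SET OF AttributeTypeAndValue
        atv = _tlv(rdn, 0)[1]                         # SEQUENCE { type OID, value }
        _, oid, p = _tlv(atv, 0)
        out.append((_dec_oid(oid), _tlv(atv, p)[1].decode("utf-8")))  # string tag not checked
    return out

def get_attr(rdns, short_name):      # like a by-NID lookup: None when that type is absent
    return next((v for o, v in rdns if o == OID[short_name]), None)
def subject_oneline(rdns):           # whole subject, openssl-style "UID = denzs, CN = ..."
    return ", ".join(f"{SHORT.get(o, o)} = {v}" for o, v in rdns)

# Constructed sample mirroring the subject of the certificate shown in the thread.
SAMPLE = encode_name([("UID", "denzs"), ("CN", "Sebastian Denz"), ("O", "Company GmbH")])
```

Looking the sample up under x500UniqueIdentifier returns nothing, under UID it returns denzs, which is the same difference the NID change produced.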
Great that it works now for the individual access, but strange for the whole subject.
This needs more investigation, can you maybe add a bit more debug output in your test setup to the pv_comp() and get_comp() functions to get more information? Like the ind_local in pv_comp() and index in get_comp().
Yeah, I am really impressed by how fast this was addressed, thank you so much! I'll be back in the office on Thursday, then I will try to provide some more information!
A side note to myself and maybe Henning: We should have a test script that generates a client cert and tests this stuff. I have some scripts for server certs on tls-o-matic but no client certs.
To be honest I don't understand the code in detail, but I hope this helps:
```
xlog("L_INFO", "MY_LOG HANDLE_TLS tls_peer_subject : $tls_peer_subject\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS tls_peer_subject_uid: : $tls_peer_subject_uid\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS sel(tls.peer.subject) : $sel(tls.peer.subject)\n");
xlog("L_INFO", "MY_LOG HANDLE_TLS sel(tls.peer.subject.uid): $sel(tls.peer.subject.uid)\n");
xlog("L_INFO", "MY_LOG: HANDLE_TLS add Header X-TLS-User: $sel(tls.peer.subject.uid)\n");
```
```
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: tls [tls_select.c:709]: get_comp(): after X509_NAME_get_index_by_NID index = 1
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: <core> [core/select.c:412]: run_select(): Calling SELECT 0x7f5b79367388
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: tls [tls_select.c:709]: get_comp(): after X509_NAME_get_index_by_NID index = 2
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: tls [tls_select.c:784]: pv_comp(): ind_local = 6
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: tls [tls_select.c:808]: pv_comp(): ind_local before switch = 0
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: tls [tls_select.c:709]: get_comp(): after X509_NAME_get_index_by_NID index = ffffffff
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: tls [tls_select.c:711]: get_comp(): nid = 0
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: tls [tls_select.c:722]: get_comp(): Element Unknown not found in certificate subject/issuer
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) INFO: <script>: MY_LOG HANDLE_TLS tls_peer_subject : <null>
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: tls [tls_select.c:784]: pv_comp(): ind_local = 100006
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: tls [tls_select.c:808]: pv_comp(): ind_local before switch = 100000
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: tls [tls_select.c:709]: get_comp(): after X509_NAME_get_index_by_NID index = 0
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) INFO: <script>: MY_LOG HANDLE_TLS tls_peer_subject_uid: : denzs
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: <core> [core/select.c:412]: run_select(): Calling SELECT 0x7f5b79351a38
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: tls [tls_select.c:709]: get_comp(): after X509_NAME_get_index_by_NID index = 1
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.subject) : Sebastian Denz
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: <core> [core/select.c:412]: run_select(): Calling SELECT 0x7f5b7939bea0
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: tls [tls_select.c:709]: get_comp(): after X509_NAME_get_index_by_NID index = 0
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) INFO: <script>: MY_LOG HANDLE_TLS sel(tls.peer.subject.uid): denzs
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: <core> [core/select.c:412]: run_select(): Calling SELECT 0x7f5b7939bea0
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: tls [tls_select.c:709]: get_comp(): after X509_NAME_get_index_by_NID index = 0
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) INFO: <script>: MY_LOG: HANDLE_TLS add Header X-TLS-User: denzs
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: <core> [core/parser/msg_parser.c:185]: get_hdr_field(): content_length=0
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: <core> [core/parser/msg_parser.c:89]: get_hdr_field(): found end of header
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: <core> [core/select.c:412]: run_select(): Calling SELECT 0x7f5b7939bea0
Feb 14 08:59:44 edgar-dev kamailio[4078]: 11(4091) DEBUG: tls [tls_select.c:709]: get_comp(): after X509_NAME_get_index_by_NID index = 0
```
@denzs, @henningw - was this completed or there is still work that needs to be done?
The uid attribute issue is fixed, but the whole subject $tls_peer_subject still does not work.
Hopefully the full subject line can be retrieved now with the commit:
* https://github.com/kamailio/kamailio/commit/c2c3c8b5615294989ac81203e65df76b...
I haven't had the time to test, if not working, then open a new issue. This is aged and opened for another topic.
Closed #1843.