I'm using Kamailio 5.2.2+xenial.
Set up a basic tls.cfg like this:
``` [server:default] verify_certificate = no require_certificate = no private_key = /tmp/default.key certificate = /tmp/default.pem
[server:any] method = TLSv1 verify_certificate = no require_certificate = no private_key = /tmp/domain.key certificate = /tmp/domain.pem server_name = sip.domain.com server_name_mode = 1 ```
Connect with openssl like this `openssl s_client -connect server:5061` and Kamailio will - obviously - offer the default.pem certificate.
However, use `openssl s_client -connect server:5061 -servername sip.domain.com` and Kamailio will still offer the default.pem certificate, where I'd expect it to offer domain.pem. I tested these `openssl` commandline invocations against an nginx server that's working with these same certificates, and SNI is working properly there.
From the Kamailio logs on starting up, it does seem to detect that a SNI callback should be registered with OpenSSL.
``` Apr 25 11:43:37 kamailio[7447]: NOTICE: tls [tls_domain.c:1083]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='sip.domain.com' ... ```
However, it's not triggering:
``` Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 4.1.3.1 Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:999]: tcpconn_new(): on port 55428, type 3 Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:1305]: tcpconn_add(): hashes: 3726:2401:2691, 1 Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: io_watch_add(0xa86c60, 60, 2, 0x7f00ad8279b0), fd_no=51 Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG: io_watch_del (0xa86c60, 60, -1, 0x0) fd_no=52 called Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:4196]: handle_tcpconn_ev(): sending to child, events 1 Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:3875]: send2child(): selected tcp worker idx:0 proc:44 pid:7342 for activity on [tls:1.6.1.6:5061], 0x7f00ad8279b0 Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_read.c:1759]: handle_io(): received n=8 con=0x7f00ad8279b0, fd=10 Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7f00ad1b02e8 ctx 0x7f00ad406408 sn []) Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:1155]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f00ad406408: (nil) Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:737]: sr_ssl_ctx_info_callback(): SSL handshake started Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2460]: tcpconn_do_send(): sending... Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2494]: tcpconn_do_send(): after real write: c= 0x7f00ad8279b0 n=2817 fd=10 Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2495]: tcpconn_do_send(): buf=#012#026#003#001 Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: io_watch_add(0xae0200, 10, 2, 0x7f00ad8279b0), fd_no=1 Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:1155]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f00ad406408: (nil) Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:749]: sr_ssl_ctx_info_callback(): SSL handshake done Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:753]: sr_ssl_ctx_info_callback(): SSL disable renegotiation Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:424]: tls_accept(): TLS accept successful Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 4.1.3.1:55428 using TLSv1/SSLv3 AES256-SHA 256 Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 1.6.1.6:5061 Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2460]: tcpconn_do_send(): sending... Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2494]: tcpconn_do_send(): after real write: c= 0x7f00ad8279b0 n=266 fd=10 Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2495]: tcpconn_do_send(): buf=#012#026#003#001 Apr 25 11:39:10 kamailio[7342]: DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG: io_watch_del (0xae0200, 10, -1, 0x10) fd_no=2 called Apr 25 11:39:10 kamailio[7342]: DEBUG: <core> [core/tcp_read.c:1680]: release_tcpconn(): releasing con 0x7f00ad8279b0, state 1, fd=10, id=1 ([4.1.3.1]:55428 -> [4.1.3.1]:5061) Apr 25 11:39:10 kamailio[7342]: DEBUG: <core> [core/tcp_read.c:1684]: release_tcpconn(): extra_data 0x7f00ad7c4ab8 Apr 25 11:39:10 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:3307]: handle_tcp_child(): reader response= 7f00ad8279b0, 1 from 0 Apr 25 11:39:10 kamailio[7344]: DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: io_watch_add(0xa86c60, 60, 2, 0x7f00ad8279b0), fd_no=51 Apr 25 11:39:10 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:3434]: handle_tcp_child(): CONN_RELEASE 0x7f00ad8279b0 refcnt= 1 ```
Looking at other issues like #1574, I think I'm supposed to see a `tls_server_name_cb` log line upon connecting, but there is none.
Indeed, there has to be a log message from `tls_server_name_cb()`.
Can you get the debug output from openssl s_client:
``` openssl s_client -servername myservername.com -tlsextdebug -connect kamailio.ip:5061 ```
Debug output below:
``` ~$ openssl s_client -servername sni.example.com -tlsextdebug -connect kamailio.ip:5061 CONNECTED(00000005) TLS server extension "renegotiation info" (id=65281), len=1 0000 - 00 . TLS server extension "session ticket" (id=35), len=0 depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = sip.domain.com verify return:1 --- Certificate chain 0 s:CN = sip.domain.com i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 i:O = Digital Signature Trust Co., CN = DST Root CA X3 --- Server certificate -----BEGIN CERTIFICATE----- <SNIP> -----END CERTIFICATE----- subject=CN = sip.domain.com
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
--- No client certificate CA names sent --- SSL handshake has read 3084 bytes and written 643 bytes Verification: OK --- New, SSLv3, Cipher is AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: E3A3D9D68F13161B4FFA1DCA287A79A4DC168F52A52545EF609059990B10CE47 Session-ID-ctx: Master-Key: B49446FC32E2CD4FE6D0AFCF27A936AB2A3AE1BE277E3F84F21EB6592AE13B7D4E3D629A957ACB64C1C6A0A0D5EB437B PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 7200 (seconds) TLS session ticket: 0000 - 60 4c 56 29 08 8f 27 53-cd 5f e9 4f 2e e9 1a 66 `LV)..'S._.O...f 0010 - 3a 3d e2 e5 54 8b 28 6c-73 f0 cd 54 d4 f9 00 92 :=..T.(ls..T.... 0020 - 42 94 26 05 f6 f2 d7 45-c1 31 d8 c3 5d 1b 59 6d B.&....E.1..].Ym 0030 - f9 6e 56 e8 03 1c 27 89-40 3e 04 e7 a5 1e c5 18 .nV...'.@>...... 0040 - 50 26 12 b8 a8 42 cc 77-41 ef fd 03 12 ff c9 d9 P&...B.wA....... 0050 - f0 93 cc 82 61 29 e4 99-33 f1 56 eb 82 82 58 ac ....a)..3.V...X. 0060 - 80 84 d1 9e 85 bb 45 c0-50 50 25 5d 4d e7 c0 b6 ......E.PP%]M... 0070 - 34 22 94 a9 93 35 2c 5d-78 22 14 b1 bb 90 f3 02 4"...5,]x"...... 0080 - fb 9d f9 f0 e0 1b 67 a9-98 a9 88 94 4e d4 70 0c ......g.....N.p. 0090 - 91 38 fb 79 bb 94 3b e2-8e 8b ea ee a0 0d 26 d7 .8.y..;.......&. 00a0 - 19 84 9b cb f0 70 c1 b7-2a b9 09 b3 7a 4a 4f 7a .....p..*...zJOz 00b0 - da 99 49 c0 2d b3 2e 00-d3 37 e1 7e 16 fa 17 8d ..I.-....7.~....
Start Time: 1556628284 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no ```
Closed #1938.
Got the time to look at it -- so the SNI required that the default server profile has server_name attribute set in order to register the SNI callback. I pushed a commit (see the link above) to register SNI callback for server default profile always. I will backport and it will be in 5.2.3 release.
For older versions, you can set `server_name=localhost` or another domain that you use with default certificate or if you don't have one, set it to something unlikely to be used.
I did the basic tests, but if still an issue, reopen.
I can confirm that adding a `server_name` to the default server fixes the problem in 5.2.2. Many thanks @miconda!
Hi, My Setup : client1 -> kamailio server 1 ( IP : 10.211.160.172) ----> kamailio server 2( IP : 10.211.160.176) -> client2
I have a scenario where kamailio server 1 has to initiate an outgoing tls connection to kamailio server 2, i have set the server_name and server_id in the client profile in tls.cfg like below on kamailio server 1
[client:default] verify_certificate = no require_certificate = no server_name = mahesh.client.com
[client:10.211.160.172:5061] method = TLSv1+ verify_certificate = yes require_certificate = yes private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt cipher_list = RSA verify_depth = 9 server_name = btip.176.com server_id = btip.176.com
And in sar.cfg
$xavp(tls=>server_name)="btip.176.com"; $xavp(tls=>server_id)="btip.176.com"; $du = "sip:10.211.160.176:5061;transport=tls"; .... t_relay();
What i observe is that , when client hello is sent by 10.211.160.172 to 10.211.160.176, i dont see Extension server_name being sent. Am i missing anything. Please help !
This issue was about the server mode and SNI, not client mode and SNI.
Hi Henningw, Thank you for the response. I understand the original issue was on server mode and SNI. For the client mode and SNI related configurations explanations that i have mentioned in my previous comment, i have mailed the same to sr-users@lists.kamailio.org and waiting for a response. Do you see any problem in my configurations ? Am using kamailio version 5.1.8.
As the problem was related to SNI , i put a comment here, to check if am missing any basic configurations for client mode and SNI.
Hi Henningw,, I further went thru the logs of kamailio, and i see the below happening.
tls [tls_server.c:169]: tls_get_connect_server_name[]: xavp with outbound server name not found tls [tls_server.c:152]: tls_get_connect_server_id[]: found xavp with outbound server id: btip.176.com
Its strange its able to find the client profile based on server_id , but not able to find using the server_name
In tls_complete_init( )
if (c->flags & F_CONN_PASSIVE) { state=S_TLS_ACCEPTING; dom = tls_lookup_cfg(cfg, TLS_DOMAIN_SRV, &c->rcv.dst_ip, c->rcv.dst_port, 0, 0); } else { state=S_TLS_CONNECTING; sname = tls_get_connect_server_name(); srvid = tls_get_connect_server_id(); dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI, &c->rcv.dst_ip, c->rcv.dst_port, sname, srvid); }
Am acting as client, so it will hit the else part
the call to sname = tls_get_connect_server_name(); //failed with below logs tls [tls_server.c:169]: tls_get_connect_server_name[]: xavp with outbound server name not found
the call to srvid = tls_get_connect_server_id(); // success with below logs tls [tls_server.c:152]: tls_get_connect_server_id[]: found xavp with outbound server id: btip.176.com
And futher down in the function : as sname is NULL, it is not setting the server name extension in client hello message.
#ifndef OPENSSL_NO_TLSEXT if (sname!=NULL) { if(!SSL_set_tlsext_host_name(data->ssl, sname->s)) { if (data->ssl) SSL_free(data->ssl); if (data->rwbio) BIO_free(data->rwbio); goto error; } LM_DBG("outbound TLS server name set to: %s\n", sname->s); } #endif
Am i missing anything here w.r.t configuration ? or is it a bug ? which has been fixed in later versions ? Please help !!
Regards, Mahesh.B
Do not continue to post here. This issue is closed (and unrelated).
-
Daniel-Constantin Mierla -
Henning Westerholt
-
Laszlo
-
maheshb2487