We've been using the siptrace module with Homer to do SIP-only captures, but decided to use a different approach for VoIPmonitor as it affects more than just Kamilio. We're also capturing dozens of FreeSWITCH and rtpengine hosts, which are all using LD_PRELOAD to log their SIP TLS and SRTP DH session keys. We wanted Kamailio and the other components to focus on their real jobs (calling) and let a separate process handle the capturing. This gives us insight/control over any load added by the capturing, and allows us to see things closer to the network perspective rather than the application. It's easy to add the VoIPmonitor sniffer to any host without needing each application to natively support capturing.

I'm sure the siptrace module would have similar results, it's just not part of the "homogenous deployment" approach we're taking with this project.

On Tue, Feb 27, 2024 at 1:29 AM Joel Serrano via sr-users <sr-users@lists.kamailio.org> wrote:
Calvin, 

Voipmonitor-sniffer has support for Kamailio’s ‘siptrace’ module, but this is useful if your goal is to capture SIP over TLS traffic, I’m not sure if that is the reason you have been asked to capture the DH session keys…

If that's the case, any reason you went with LD_PRELOAD method vs kamailio’s siptrace module? Using the later you still get the sip traffic without the need of messing with OpenSSL. 

Mind sharing your findings? 

Joel. 

 

On Tue, Feb 27, 2024 at 00:18 Bastian Triller via sr-users <sr-users@lists.kamailio.org> wrote:
Some weeks ago I learned about [1]. Didn't play with it yet though.



On Tue, Feb 27, 2024, 02:08 Calvin E. via sr-users <sr-users@lists.kamailio.org> wrote:
This was done using the system-provided OpenSSL (Debian 12). It might work for tlsa, but I don't know how Kamilio would respond to LD_PRELOAD affecting one of its own modules.


On Fri, Feb 2, 2024 at 1:23 AM Ihor Olkhovskyi via sr-users <sr-users@lists.kamailio.org> wrote:
Calvin,

Thanks for sharing this, just a question, do you use system-provided OpenSSL or tlsa ?

Le mar. 30 janv. 2024 à 03:00, Calvin E. via sr-users <sr-users@lists.kamailio.org> a écrit :
It turns out the system I was on really uses /lib/systemd/system/kamailio.service, despite /etc/init.d/kamailio also existing.

I was able to make it work by following the Systemd process:

mkdir /etc/default/kamailio.d/
edit /etc/default/kamailio.d/voipmonitor
add lines:
SSLKEYLOG_UDP='127.0.0.1:1234'
LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.3"

The keys are captured by the VoIPmonitor sniffer and everything works as expected from there. I'd be happy to explain further to anyone interested in this setup.

On Sun, Jan 28, 2024 at 3:20 AM Sergey Safarov <s.safarov@gmail.com> wrote:

On Fri, Jan 26, 2024 at 8:58 PM Calvin E. via sr-users <sr-users@lists.kamailio.org> wrote:
I've been tasked to use LD_PRELOAD to log SSL keys for TLS connections using a Diffie-Hellman cipher. The first attempt did not work, so I wanted to sanity check whether Kamailio's TLS support is built in such a way that would defeat LD_PRELOAD.

The instructions from the vendor are to update /etc/init.d/kamailio like this:

env SSLKEYLOG_UDP='127.0.0.1:1234' LD_PRELOAD="/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so /usr/lib/x86_64-linux-gnu/libssl.so.3" \
    start-stop-daemon --start --quiet --pidfile $PIDFILE \
                --exec $DAEMON -- $OPTIONS || log_failure_msg " already running"

Is there anything special in Kamailio (5.7.3 on Debian 12) that would prevent this from working? Not necessarily something to defeat a keylogger, but maybe the way tls.so gets loaded?

The only discrepancy I've noticed is the vendor docs refer to libssl.so.3 not libssl.so.1, but the vendor said that should be OK.

I'd love to hear from someone already using VoIPmonitor with Diffie-Hellman ciphers and Kamailio.

__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:


--
Best regards,
Ihor (Igor)
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
To unsubscribe send an email to sr-users-leave@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe: