[SR-Users] Re: sni:uknown error in logs

From Zoom side, they are sending the below cipher suite when they initiate connection request to my kamailio node in their Client Hello As for my kamailio node, i sat the tls.cfg cipher_list to cipher_list= ALL:eNULL. i think the ALL suit covers the cipher suite requested by zoom (which is part of TLS1.2), or am i missing something? (am not very aware of TLS 😅) [cid:1e2518b9-510f-44f1-81ea-ddc9ab8540e5] Mahmood Alkhalil. ________________________________ From: Henning Westerholt &lt;hw(a)gilawa.com&gt; Sent: Wednesday, September 18, 2024 4:44 PM To: Kamailio (SER) - Users Mailing List &lt;sr-users(a)lists.kamailio.org&gt; Cc: Mahmood Alkhalil &lt;mahmood.alkhalil(a)outlook.com&gt; Subject: RE: sni:uknown error in logs Hello, the error message indicates that the problem is related to the cipher support. Did you already compared the list of supported ciphers from the Zoom side and your side, e.g. with the methods listed here: https://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-sui… Cheers, Henning -- Henning Westerholt – https://skalatan.de/blog/ Kamailio services – https://gilawa.com<https://gilawa.com/> From: Mahmood Alkhalil via sr-users &lt;sr-users(a)lists.kamailio.org&gt; Sent: Mittwoch, 18. September 2024 13:33 To: Kamailio (SER) - Users Mailing List &lt;sr-users(a)lists.kamailio.org&gt; Cc: Mahmood Alkhalil &lt;mahmood.alkhalil(a)outlook.com&gt; Subject: [SR-Users] sni:uknown error in logs Hello Kamailio! I'm etting up a kamailio server where it will receive STIP TLS connections from Zoom. kamailio is closing TLS connections with error stating "SSL routines::no shared cipher (sni: unknown)" as below Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: tls [tls_server.c:270]: tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7fbcd1e9dac8 ctx 0x7fbcd2229258 sn []) Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: tls [tls_domain.c:1018]: tls_server_name_cb(): SSL_get_servername returned NULL: return SSL_TLSEXT_ERR_NOACK Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core> [core/tcp_main.c:2845]: tcpconn_do_send(): sending... Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core> [core/tcp_main.c:2881]: tcpconn_do_send(): after real write: c= 0x7fbcd3cb85d0 n=7 fd=8 Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core> [core/tcp_main.c:2882]: tcpconn_do_send(): buf= Sep 18 13:28:02 dalia kamailio[18529]: [3B blob data] Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) ERROR: tls [tls_server.c:1312]: tls_h_read_f(): protocol level error Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS accept:error:0A0000C1:SSL routines::no shared cipher (sni: unknown) did a tcpdump trace to check the ciphers Zoom are using in the TLS client hello, and there are 4 and are supported by openssl on TLSv1.2, BUT the reis no server_name extension in the client hello. is this related to kamailio refusing the connection because there is no server_name in the client hello or something else?, if yes can it be forced to accept TLS connection without server_name specified ? my tls.cfg file is below [server:default] method = TLSv1.2 verify_certificate = no require_certificate = no private_key = /etc/kamailio/key.pem certificate = /etc/kamailio/certificate.pem ca_list = /etc/ssl/certs/ca-certificates.crt ca_path = /etc/ssl/certs [client:default] method = TLSv1.2+ verify_certificate = no require_certificate = no