3 Jan
2020
3 Jan
'20
5:24 a.m.
Hi All,
Am using Kamailio 5.1.9 version.
*Below is my tls.cfg*
[server:default]
method = TLSv1+
verify_certificate = no
require_certificate = no
private_key = server.key
certificate = server.crt
ca_list = bundle.crt
cipher_list = RSA
verify_depth = 9
[client:default]
verify_certificate = no
require_certificate = no
[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = btip.172.com
[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = ctip.172.com
My Kamailio server ip is 10.211.160.172
i)When i initiate a tls connection from remote server(which is also a
kamailio server) say 10.211.160.176 to 10.211.160.172
In the client hello am setting sni name as btip.172.com => so on
10.211.160.172 side it is picking up the server profile with serve_name
btip.172.com for the tls handshake.*// Working as expected*
ii)When i initiate a tls connection from another remote server(Which is
also a kamailio server) say 10.211.160.163 to 10.211.160.172
In the client hello am setting sni name as ctip.172.com => so on
10.211.160.172 side it is picking up the server profile with serve_name
ctip.172.com for the tls handshake.*// Working as expected*
iii)When i initiate a tls connection from another remote server(Which is
also a kamailio server) say 10.211.160.175 to 10.211.160.172
In the client hello am NOT setting sni name => so on 10.211.160.172 side
should it pick up the server default profile or the first profile to which
IP and port matches ?
what i observe from logs is that it is picking up the server profile with
server_name ctip.172.com for the tls handshake.
I had a look at the code in function tls_lookup_cfg, from the debug
prints i understand it is trying to match profile for IP and port
if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip))* //
IP and
port matched*
{
if(sname && sname->len>0) *//Incoming Client hello dint have
sname, so it will hit the else part*
{
if(p->server_name.s && p->server_name.len==sname->len
&& strncasecmp(p->server_name.s, sname->s,
sname->len)==0)
{
LM_DBG("socket+server_name based TLS server domain
found\n");
return p;
}
}
else
{
return p; *// so it is returning the first profile to which IP and
port matched.*
}
}
Am i missing anything or is this a bug ? if in the clienthello there is no
sni , what needs to be done to make use of the default profile for the tls
handshake ? Or is this something fixed in latest.
I just Tried and Modified the code as below, after which it is giving the
server default profile when no sni in Incoming Client Hello.
if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip))
{
if(sname && sname->len>0)
{
if(p->server_name.s && p->server_name.len==sname->len
&& strncasecmp(p->server_name.s, sname->s,
sname->len)==0)
{
LM_DBG("socket+server_name based TLS server domain
found\n");
return p;
}
}
else
{
if( (type & TLS_DOMAIN_SRV) && (p->server_name.s) )
{
LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
return cfg->srv_default;
}
else
{
LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
return p;
}
}
}
Regards,
Mahesh.B
6 Jan
6 Jan
4:51 a.m.
Hello,
trying to understand properly what you want to do and doesn't work as
expected ...
Is it that kamailio connects via tls to another server and it does not
present SNI?
Cheers,
Daniel
On 03.01.20 11:24, mahesh b wrote:
Hi All,
Am using Kamailio 5.1.9 version.
_Below is my tls.cfg_
[server:default]
method = TLSv1+
verify_certificate = no
require_certificate = no
private_key = server.key
certificate = server.crt
ca_list = bundle.crt
cipher_list = RSA
verify_depth = 9
[client:default]
verify_certificate = no
require_certificate = no
[server:10.211.160.172:5061 <http://10.211.160.172:5061>]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = btip.172.com <http://btip.172.com>
[server:10.211.160.172:5061 <http://10.211.160.172:5061>]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = ctip.172.com <http://ctip.172.com>
My Kamailio server ip is 10.211.160.172
i)When i initiate a tls connection from remote server(which is also a
kamailio server) say 10.211.160.176 to 10.211.160.172
In the client hello am setting sni name as btip.172.com
<http://btip.172.com> => so on 10.211.160.172 side it is picking up
the server profile with serve_name btip.172.com <http://btip.172.com>
for the tls handshake.*// Working as expected*
ii)When i initiate a tls connection from another remote server(Which
is also a kamailio server) say 10.211.160.163 to 10.211.160.172
In the client hello am setting sni name as ctip.172.com
<http://ctip.172.com> => so on 10.211.160.172 side it is picking up
the server profile with serve_name ctip.172.com <http://ctip.172.com>
for the tls handshake.*// Working as expected*
iii)When i initiate a tls connection from another remote server(Which
is also a kamailio server) say 10.211.160.175 to 10.211.160.172
In the client hello am NOT setting sni name => so on 10.211.160.172
side should it pick up the server default profile or the first profile
to which IP and port matches ?
what i observe from logs is that it is picking up the server profile
with server_name ctip.172.com <http://ctip.172.com> for the tls handshake.
I had a look at the code in function tls_lookup_cfg, from the debug
prints i understand it is trying to match profile for IP and port
if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip))*//
IP
and port matched*
{
if(sname && sname->len>0) *//Incoming Client hello dint have
sname, so it will hit the else part*
{
if(p->server_name.s && p->server_name.len==sname->len
&& strncasecmp(p->server_name.s, sname->s,
sname->len)==0)
{
LM_DBG("socket+server_name based TLS server domain
found\n");
return p;
}
}
else
{
return p; *// so it is returning the first profile to which IP
and port matched.*
}
}
Am i missing anything or is this a bug ? if in the clienthello there
is no sni , what needs to be done to make use of the default profile
for the tls handshake ? Or is this something fixed in latest.
I just Tried and Modified the code as below, after which it is giving
the server default profile when no sni in Incoming Client Hello.
if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip))
{
if(sname && sname->len>0)
{
if(p->server_name.s && p->server_name.len==sname->len
&& strncasecmp(p->server_name.s, sname->s,
sname->len)==0)
{
LM_DBG("socket+server_name based TLS server domain
found\n");
return p;
}
}
else
{
if( (type & TLS_DOMAIN_SRV) && (p->server_name.s) )
{
LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
return cfg->srv_default;
}
else
{
LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
return p;
}
}
}
Regards,
Mahesh.B
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio World Conference - April 27-29, 2020, in Berlin -- www.kamailioworld.com
6:07 a.m.
Hi Daniel,
i) Kamailio acting as client ( IP 10.211.160.176) -> Kamailio acting as
server ( IP 10.211.160.172) *[ Scenario 1 : Working as Expected ]*
sni presented by 10.211.160.176 is btip.172.com in client hello,
10.211.160.172 picks below profile with server_name = btip.172.com for tls
handshake *// working as expected*
[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = btip.172.com
ii) Kamailio acting as client ( IP 10.211.160.163) -> Kamailio acting as
server ( IP 10.211.160.172) * [ Scenario 2 : Working as Expected ] *
sni presented by 10.211.160.163 is ctip.172.com in client hello,
10.211.160.172 picks below profile with server_name = ctip.172.com for tls
handshake *// working as expected*
[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = ctip.172.com
iii) Kamailio acting as client ( IP 10.211.160.175) -> Kamailio acting as
server ( IP 10.211.160.172) * [ Scenario 3 : Not Working as Expected ] *
10.211.160.175 is *intentionally* *configured* in such a way, it does not
send sni in client hello to 10.211.160.172
Now 10.211.160.172 should pick server default profile for tls handshake [
Right ?? ]
Instead it is picking server profile with server_name = ctip.172.com // *isnt
this in correct ?? [ I have explained in previous email , why it is picking
this profile in tls_lookup_cfg() ]*
Regards,
Mahesh.B
On Mon, Jan 6, 2020 at 3:21 PM Daniel-Constantin Mierla <miconda(a)gmail.com>
wrote:
Hello,
trying to understand properly what you want to do and doesn't work as
expected ...
Is it that kamailio connects via tls to another server and it does not
present SNI?
Cheers,
Daniel
On 03.01.20 11:24, mahesh b wrote:
Hi All,
Am using Kamailio 5.1.9 version.
*Below is my tls.cfg*
[server:default]
method = TLSv1+
verify_certificate = no
require_certificate = no
private_key = server.key
certificate = server.crt
ca_list = bundle.crt
cipher_list = RSA
verify_depth = 9
[client:default]
verify_certificate = no
require_certificate = no
[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = btip.172.com
[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = ctip.172.com
My Kamailio server ip is 10.211.160.172
i)When i initiate a tls connection from remote server(which is also a
kamailio server) say 10.211.160.176 to 10.211.160.172
In the client hello am setting sni name as btip.172.com => so on
10.211.160.172 side it is picking up the server profile with serve_name
btip.172.com for the tls handshake.*// Working as expected*
ii)When i initiate a tls connection from another remote server(Which is
also a kamailio server) say 10.211.160.163 to 10.211.160.172
In the client hello am setting sni name as ctip.172.com => so on
10.211.160.172 side it is picking up the server profile with serve_name
ctip.172.com for the tls handshake.*// Working as expected*
iii)When i initiate a tls connection from another remote server(Which is
also a kamailio server) say 10.211.160.175 to 10.211.160.172
In the client hello am NOT setting sni name => so on 10.211.160.172
side should it pick up the server default profile or the first profile to
which IP and port matches ?
what i observe from logs is that it is picking up the server profile
with server_name ctip.172.com for the tls handshake.
I had a look at the code in function tls_lookup_cfg, from the debug
prints i understand it is trying to match profile for IP and port
if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip))* //
IP
and port matched*
{
if(sname && sname->len>0) *//Incoming Client hello dint have
sname, so it will hit the else part*
{
if(p->server_name.s && p->server_name.len==sname->len
&& strncasecmp(p->server_name.s, sname->s,
sname->len)==0)
{
LM_DBG("socket+server_name based TLS server domain
found\n");
return p;
}
}
else
{
return p; *// so it is returning the first profile to which IP and
port matched.*
}
}
Am i missing anything or is this a bug ? if in the clienthello there is no
sni , what needs to be done to make use of the default profile for the tls
handshake ? Or is this something fixed in latest.
I just Tried and Modified the code as below, after which it is giving the
server default profile when no sni in Incoming Client Hello.
if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip))
{
if(sname && sname->len>0)
{
if(p->server_name.s && p->server_name.len==sname->len
&& strncasecmp(p->server_name.s, sname->s,
sname->len)==0)
{
LM_DBG("socket+server_name based TLS server domain
found\n");
return p;
}
}
else
{
if( (type & TLS_DOMAIN_SRV) && (p->server_name.s) )
{
LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
return cfg->srv_default;
}
else
{
LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
return p;
}
}
}
Regards,
Mahesh.B
_______________________________________________
Kamailio (SER) - Users Mailing
Listsr-users@lists.kamailio.orghttps://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -- www.asipto.comwww.twitter.com/miconda --
www.linkedin.com/in/miconda
Kamailio World Conference - April 27-29, 2020, in Berlin -- www.kamailioworld.com
6:18 a.m.
Hello,
do not put a lot of extra information which is irrelevant for the issue
that you try to solve. It is waste of time for someone to read it,
understand and discover is not related to what has to be solved. I asked
a question to clarify something and you replied to it with a lot of
irrelevant details (I + II).
If you want to post informative details for particular working scenarios
to let other know the technical details in case someone wants something
similar, that's good and useful, but make them separate emails.
The server profile is matched by IP if you define a section with
[server:IP...] and there is no SNI. If you want SNI only in some cases,
you can define [server:any] with server_name attribute. The
server:default is selected only when there is no IP/port or SNI match.
Cheers,
Daniel
On 06.01.20 12:07, mahesh b wrote:
Hi Daniel,
i) Kamailio acting as client ( IP 10.211.160.176) -> Kamailio acting
as server ( IP 10.211.160.172) *_[ Scenario 1 : Working as Expected ]_*
sni presented by 10.211.160.176 is btip.172.com
<http://btip.172.com> in client hello, 10.211.160.172 picks below
profile with server_name = btip.172.com <http://btip.172.com/> for tls
handshake *_// working as expected_*
[server:10.211.160.172:5061 <http://10.211.160.172:5061/>]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = btip.172.com <http://btip.172.com/>
ii) Kamailio acting as client ( IP 10.211.160.163) -> Kamailio acting
as server ( IP 10.211.160.172) *_[ Scenario 2 : Working as Expected ] _*
sni presented by 10.211.160.163 is ctip.172.com
<http://ctip.172.com> in client hello, 10.211.160.172 picks below
profile with server_name = ctip.172.com <http://ctip.172.com/> for tls
handshake *_// working as expected_*
[server:10.211.160.172:5061 <http://10.211.160.172:5061/>]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = ctip.172.com <http://ctip.172.com/>
iii) Kamailio acting as client ( IP 10.211.160.175) -> Kamailio acting
as server ( IP 10.211.160.172) *_[ Scenario 3 : Not Working as
Expected ] _*
10.211.160.175 is *intentionally* *configured* in such a way, it does
not send sni in client hello to 10.211.160.172
Now 10.211.160.172 should pick server default profile for tls
handshake [ Right ?? ]
Instead it is picking server profile with server_name = ctip.172.com
<http://ctip.172.com/> // *_isnt this in correct ?? [ I have
explained in previous email , why it is picking this profile in
tls_lookup_cfg() ]_*
*_
_*
Regards,
Mahesh.B
On Mon, Jan 6, 2020 at 3:21 PM Daniel-Constantin Mierla
<miconda(a)gmail.com <mailto:miconda@gmail.com>> wrote:
Hello,
trying to understand properly what you want to do and doesn't work
as expected ...
Is it that kamailio connects via tls to another server and it does
not present SNI?
Cheers,
Daniel
On 03.01.20 11:24, mahesh b wrote:
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio World Conference - April 27-29, 2020, in Berlin -- www.kamailioworld.com
Hi All,
Am using Kamailio 5.1.9 version.
_Below is my tls.cfg_
[server:default]
method = TLSv1+
verify_certificate = no
require_certificate = no
private_key = server.key
certificate = server.crt
ca_list = bundle.crt
cipher_list = RSA
verify_depth = 9
[client:default]
verify_certificate = no
require_certificate = no
[server:10.211.160.172:5061 <http://10.211.160.172:5061>]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key =
/root/mahesh_openssl/profile2/btip_172_server_private.key
certificate =
/root/mahesh_openssl/profile2/btip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = btip.172.com <http://btip.172.com>
[server:10.211.160.172:5061 <http://10.211.160.172:5061>]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key =
/root/mahesh_openssl/profile1/ctip_172_server_private.key
certificate =
/root/mahesh_openssl/profile1/ctip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = ctip.172.com <http://ctip.172.com>
My Kamailio server ip is 10.211.160.172
i)When i initiate a tls connection from remote server(which is
also a kamailio server) say 10.211.160.176 to 10.211.160.172
In the client hello am setting sni name as btip.172.com
<http://btip.172.com> => so on 10.211.160.172 side it is picking
up the server profile with serve_name btip.172.com
<http://btip.172.com> for the tls handshake.*// Working as expected*
ii)When i initiate a tls connection from another remote
server(Which is also a kamailio server) say 10.211.160.163 to
10.211.160.172
In the client hello am setting sni name as ctip.172.com
<http://ctip.172.com> => so on 10.211.160.172 side it is picking
up the server profile with serve_name ctip.172.com
<http://ctip.172.com> for the tls handshake.*// Working as expected*
iii)When i initiate a tls connection from another remote
server(Which is also a kamailio server) say 10.211.160.175 to
10.211.160.172
In the client hello am NOT setting sni name => so on
10.211.160.172 side should it pick up the server default profile
or the first profile to which IP and port matches ?
what i observe from logs is that it is picking up the server
profile with server_name ctip.172.com <http://ctip.172.com> for
the tls handshake.
I had a look at the code in function tls_lookup_cfg, from the
debug prints i understand it is trying to match profile for IP
and port
if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip,
ip))*// IP and port matched*
{
if(sname && sname->len>0) *//Incoming Client hello dint
have sname, so it will hit the else part*
{
if(p->server_name.s &&
p->server_name.len==sname->len
&& strncasecmp(p->server_name.s, sname->s,
sname->len)==0)
{
LM_DBG("socket+server_name based TLS server
domain found\n");
return p;
}
}
else
{
return p; *// so it is returning the first profile to which
IP and port matched.*
}
}
Am i missing anything or is this a bug ? if in the clienthello
there is no sni , what needs to be done to make use of the
default profile for the tls handshake ? Or is this something
fixed in latest.
I just Tried and Modified the code as below, after which it is
giving the server default profile when no sni in Incoming Client
Hello.
if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip,
ip))
{
if(sname && sname->len>0)
{
if(p->server_name.s &&
p->server_name.len==sname->len
&& strncasecmp(p->server_name.s, sname->s,
sname->len)==0)
{
LM_DBG("socket+server_name based TLS server
domain found\n");
return p;
}
}
else
{
if( (type & TLS_DOMAIN_SRV) && (p->server_name.s) )
{
LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
return cfg->srv_default;
}
else
{
LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
return p;
}
}
}
Regards,
Mahesh.B
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org <mailto:sr-users@lists.kamailio.org>
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -- www.asipto.com <http://www.asipto.com>
www.twitter.com/miconda <http://www.twitter.com/miconda> --
www.linkedin.com/in/miconda <http://www.linkedin.com/in/miconda>
Kamailio World Conference - April 27-29, 2020, in Berlin -- www.kamailioworld.com
<http://www.kamailioworld.com>
7 a.m.
Hi Daniel,
Thanks for the Explanation ! the first reply gave an
impression, that i dint give the required info. Hence Re-clarified, Point
Noted !
Regards,
Mahesh.B
On Mon, Jan 6, 2020 at 4:48 PM Daniel-Constantin Mierla <miconda(a)gmail.com>
wrote:
Hello,
do not put a lot of extra information which is irrelevant for the issue
that you try to solve. It is waste of time for someone to read it,
understand and discover is not related to what has to be solved. I asked a
question to clarify something and you replied to it with a lot of
irrelevant details (I + II).
If you want to post informative details for particular working scenarios
to let other know the technical details in case someone wants something
similar, that's good and useful, but make them separate emails.
The server profile is matched by IP if you define a section with
[server:IP...] and there is no SNI. If you want SNI only in some cases, you
can define [server:any] with server_name attribute. The server:default is
selected only when there is no IP/port or SNI match.
Cheers,
Daniel
On 06.01.20 12:07, mahesh b wrote:
Hi Daniel,
i) Kamailio acting as client ( IP 10.211.160.176) -> Kamailio acting as
server ( IP 10.211.160.172) *[ Scenario 1 : Working as Expected ]*
sni presented by 10.211.160.176 is btip.172.com in client hello,
10.211.160.172 picks below profile with server_name = btip.172.com for
tls handshake *// working as expected*
[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = btip.172.com
ii) Kamailio acting as client ( IP 10.211.160.163) -> Kamailio acting as
server ( IP 10.211.160.172) * [ Scenario 2 : Working as Expected ] *
sni presented by 10.211.160.163 is ctip.172.com in client hello,
10.211.160.172 picks below profile with server_name = ctip.172.com for
tls handshake *// working as expected*
[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = ctip.172.com
iii) Kamailio acting as client ( IP 10.211.160.175) -> Kamailio acting as
server ( IP 10.211.160.172) * [ Scenario 3 : Not Working as Expected ]
*
10.211.160.175 is *intentionally* *configured* in such a way, it does not
send sni in client hello to 10.211.160.172
Now 10.211.160.172 should pick server default profile for tls handshake [
Right ?? ]
Instead it is picking server profile with server_name = ctip.172.com // *isnt
this in correct ?? [ I have explained in previous email , why it is picking
this profile in tls_lookup_cfg() ]*
Regards,
Mahesh.B
On Mon, Jan 6, 2020 at 3:21 PM Daniel-Constantin Mierla <miconda(a)gmail.com>
wrote:
Hello,
trying to understand properly what you want to do and doesn't work as
expected ...
Is it that kamailio connects via tls to another server and it does not
present SNI?
Cheers,
Daniel
On 03.01.20 11:24, mahesh b wrote:
Hi All,
Am using Kamailio 5.1.9 version.
*Below is my tls.cfg*
[server:default]
method = TLSv1+
verify_certificate = no
require_certificate = no
private_key = server.key
certificate = server.crt
ca_list = bundle.crt
cipher_list = RSA
verify_depth = 9
[client:default]
verify_certificate = no
require_certificate = no
[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = btip.172.com
[server:10.211.160.172:5061]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
cipher_list = RSA
verify_depth = 9
server_name = ctip.172.com
My Kamailio server ip is 10.211.160.172
i)When i initiate a tls connection from remote server(which is also a
kamailio server) say 10.211.160.176 to 10.211.160.172
In the client hello am setting sni name as btip.172.com => so on
10.211.160.172 side it is picking up the server profile with serve_name
btip.172.com for the tls handshake.*// Working as expected*
ii)When i initiate a tls connection from another remote server(Which is
also a kamailio server) say 10.211.160.163 to 10.211.160.172
In the client hello am setting sni name as ctip.172.com => so on
10.211.160.172 side it is picking up the server profile with serve_name
ctip.172.com for the tls handshake.*// Working as expected*
iii)When i initiate a tls connection from another remote server(Which is
also a kamailio server) say 10.211.160.175 to 10.211.160.172
In the client hello am NOT setting sni name => so on 10.211.160.172
side should it pick up the server default profile or the first profile to
which IP and port matches ?
what i observe from logs is that it is picking up the server profile
with server_name ctip.172.com for the tls handshake.
I had a look at the code in function tls_lookup_cfg, from the debug
prints i understand it is trying to match profile for IP and port
if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip))* //
IP
and port matched*
{
if(sname && sname->len>0) *//Incoming Client hello dint have
sname, so it will hit the else part*
{
if(p->server_name.s && p->server_name.len==sname->len
&& strncasecmp(p->server_name.s, sname->s,
sname->len)==0)
{
LM_DBG("socket+server_name based TLS server domain
found\n");
return p;
}
}
else
{
return p; *// so it is returning the first profile to which IP and
port matched.*
}
}
Am i missing anything or is this a bug ? if in the clienthello there is
no sni , what needs to be done to make use of the default profile for the
tls handshake ? Or is this something fixed in latest.
I just Tried and Modified the code as below, after which it is giving the
server default profile when no sni in Incoming Client Hello.
if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip))
{
if(sname && sname->len>0)
{
if(p->server_name.s && p->server_name.len==sname->len
&& strncasecmp(p->server_name.s, sname->s,
sname->len)==0)
{
LM_DBG("socket+server_name based TLS server domain
found\n");
return p;
}
}
else
{
if( (type & TLS_DOMAIN_SRV) && (p->server_name.s) )
{
LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
return cfg->srv_default;
}
else
{
LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
return p;
}
}
}
Regards,
Mahesh.B
_______________________________________________
Kamailio (SER) - Users Mailing
Listsr-users@lists.kamailio.orghttps://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -- www.asipto.comwww.twitter.com/miconda --
www.linkedin.com/in/miconda
Kamailio World Conference - April 27-29, 2020, in Berlin -- www.kamailioworld.com
--
Daniel-Constantin Mierla -- www.asipto.comwww.twitter.com/miconda --
www.linkedin.com/in/miconda
Kamailio World Conference - April 27-29, 2020, in Berlin -- www.kamailioworld.com
1828
days inactive
1831
days old
4 comments
2 participants
participants (2)
-
Daniel-Constantin Mierla -
mahesh b