Hi, I am running kamailio 5.2.6 on centos 8 and openssl 1.1.1c and connecting and using it as a proxy sip endpoints to a legacy PBX over TLS. The connection to the backend PBX is over TLS 1.2. Whenever kamailio initiates a TLS connection to the PBX, it uses session ID and a random session id. The server side has a bug and cannot handle the TLS session reuse apparently because of some bug/issue in caching the TLS sessions. The renegotiation and session_cache is by default turned off and I also explicitly set to 0 via modparam but kamailio would always send the session ID in the initial client hello and this is causing us trouble. Any help would be greatly appreciated. https://kamailio.org/docs/modules/5.2.x/modules/tls.html#tls.p.renegotiation
Regards, RK
Also, forgot to mention that on the same centos 8 host, I sent openssl s_client to port 5061 using TLS 1.2 and it does not send session ID information in the clientHello TLS handshake message.
On Sunday, March 7, 2021, 04:01:02 PM PST, Rupesh Kumar rupesh_kumar@sbcglobal.net wrote:
Hi, I am running kamailio 5.2.6 on centos 8 and openssl 1.1.1c and connecting and using it as a proxy sip endpoints to a legacy PBX over TLS. The connection to the backend PBX is over TLS 1.2. Whenever kamailio initiates a TLS connection to the PBX, it uses session ID and a random session id. The server side has a bug and cannot handle the TLS session reuse apparently because of some bug/issue in caching the TLS sessions. The renegotiation and session_cache is by default turned off and I also explicitly set to 0 via modparam but kamailio would always send the session ID in the initial client hello and this is causing us trouble. Any help would be greatly appreciated. https://kamailio.org/docs/modules/5.2.x/modules/tls.html#tls.p.renegotiation
Regards, RK
_______________________________________________
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hello,
the renegotiation parameter is for cyphers, not for reusing the session.
Kamailio relies on libssl and does not do anything specific for reusing the session.
On the other hand, maybe you refer to reusing the same connections between kamailio and the next sip node, for the traffic that is going to be sent there, no matter if it is the same SIP call/registration/... This is from the SIP specs, the tls connection is to associated with the SIP session, so SIP messages from many calls are sent over the same tls connection.
Cheers, Daniel
On 08.03.21 01:33, Rupesh Kumar wrote:
Also, forgot to mention that on the same centos 8 host, I sent openssl s_client to port 5061 using TLS 1.2 and it does not send session ID information in the clientHello TLS handshake message.
On Sunday, March 7, 2021, 04:01:02 PM PST, Rupesh Kumar rupesh_kumar@sbcglobal.net wrote:
Hi,
I am running kamailio 5.2.6 on centos 8 and openssl 1.1.1c and connecting and using it as a proxy sip endpoints to a legacy PBX over TLS.
The connection to the backend PBX is over TLS 1.2. Whenever kamailio initiates a TLS connection to the PBX, it uses session ID and a random session id. The server side has a bug and cannot handle the TLS session reuse apparently because of some bug/issue in caching the TLS sessions.
The renegotiation and session_cache is by default turned off and I also explicitly set to 0 via modparam but kamailio would always send the session ID in the initial client hello and this is causing us trouble. Any help would be greatly appreciated.
https://kamailio.org/docs/modules/5.2.x/modules/tls.html#tls.p.renegotiation
Regards,
RK
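One way to check from a packet capture what the thread describes, as an added example that is not part of any post above: it parses one ClientHello record and reports the session ID, whether the session_ticket extension is present, and whether TLS 1.3 is offered (in RFC 8446 middlebox compatibility mode a client offering TLS 1.3 sends a fresh 32-byte legacy_session_id even when it is not resuming a session). The function names and the sample bytes are constructed for illustration, and the ClientHello is assumed to fit in a single TLS record.

```python
import struct

EXT_SESSION_TICKET = 35        # RFC 5077
EXT_SUPPORTED_VERSIONS = 43    # RFC 8446

def inspect_client_hello(record: bytes) -> dict:
    """Summarise the session-related fields of a ClientHello held in one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record starting with a ClientHello")
    body = record[9:5 + struct.unpack(">H", record[3:5])[0]]
    try:
        pos = 2 + 32                                  # skip client_version and random
        sid_len = body[pos]
        session_id = body[pos + 1:pos + 1 + sid_len]
        if len(session_id) != sid_len:
            raise ValueError("truncated session_id")
        pos += 1 + sid_len
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    info = {"session_id": session_id.hex(), "session_id_len": sid_len,
            "session_ticket_ext": False, "offers_tls13": False}
    pos += 2                                          # skip the extensions length field
    while pos + 4 <= len(body):
        ext_type, ext_len = struct.unpack(">HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SESSION_TICKET:
            info["session_ticket_ext"] = True
        elif ext_type == EXT_SUPPORTED_VERSIONS and data:
            vers = data[1:1 + data[0]]                # 1-byte list length, 2 bytes each
            info["offers_tls13"] = b"\x03\x04" in [vers[i:i + 2] for i in range(0, len(vers), 2)]
    return info

def sample_record(session_id: bytes, tls13: bool) -> bytes:
    """Build a constructed (not captured) ClientHello record for the demo."""
    ext = struct.pack(">HH", EXT_SESSION_TICKET, 0)
    if tls13:
        ext += struct.pack(">HHB", EXT_SUPPORTED_VERSIONS, 5, 4) + b"\x03\x04\x03\x03"
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack(">H", 2) + b"\xc0\x2f" + b"\x01\x00"
             + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    print(inspect_client_hello(sample_record(bytes(range(32)), True)))
    print(inspect_client_hello(sample_record(b"", False)))
```

Feeding it the first client-to-server TLS record from a capture of each client shows directly which one sends a non-empty session ID and which extensions accompany it.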