[Kamailio-Devel] [ openser-Patches-2007478 ] TLS server_name extension

SourceForge.net noreply at sourceforge.net
Mon Aug 11 11:48:20 CEST 2008


Patches item #2007478, was opened at 2008-07-01 07:55
Message generated for change (Comment added) made by henningw
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=743022&aid=2007478&group_id=139143

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: core
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Klaus Darilion (klaus_darilion)
Assigned to: Nobody/Anonymous (nobody)
Summary: TLS server_name extension

Initial Comment:
Hi!

The attached patch adds the TLS server_name extension to Openser (something for 1.5). In short:

outgoing TLS requests: configure the tls_server_name_avp and set it in the script to the requested domain.

incoming TLS requests: configure multiple TLS client domains as before, but this time use the same IP:port and specify the domain with the new "tls_server_name" directive. Then, if the incoming TLS request has a server_name and a matching client domain is found, the SSL_CTX context for the incoming SSL connection will be switched.

Documentation and tlsops module was extended too.

It would be great if someone could review the patch. For configuration of the server_name AVP I still use the old syntax, e.g.:
  tls_server_name_avp=400
Using the new syntax, e.g. tls_server_name_avp=avp{i:400}, would be better, but unfortunately I did not understand how to do this. Maybe someone with more PV experience could change this.

regards
klaus
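
The two halves described above at the wire level (an outgoing connection carrying the requested domain in server_name, an incoming connection whose server_name selects which configured domain's context to use), as an added example that is not part of the patch or of OpenSER/Kamailio: it builds a ClientHello with the extension, parses it back the way the server side must before it can pick a context, and matches the name against a constructed table standing in for the tls_server_name domains. The domain table, the certificate paths and the helper names are assumptions for illustration. In OpenSSL the same steps are SSL_set_tlsext_host_name() on the client and SSL_CTX_set_tlsext_servername_callback() with SSL_set_SSL_CTX() on the server; the parser below does not call them, so it runs without libssl.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_HANDSHAKE   0x16
#define HS_CLIENT_HELLO 0x01
#define EXT_SERVER_NAME 0x0000   /* RFC 4366 server_name extension */
#define SNI_HOST_NAME   0x00

/* Client side: build a minimal TLS 1.0 ClientHello record. When host is
 * non-NULL, a server_name extension carrying it is appended. Returns the
 * record length, or 0 if buf is too small. */
static size_t build_client_hello(const char *host, uint8_t *buf, size_t buflen)
{
    size_t hlen = host ? strlen(host) : 0;
    size_t body = 2 + 32 + 1 + 2 + 2 + 1 + 1;  /* version, random, sid, suites, compression */
    size_t ext = host ? 2 + 4 + 2 + 1 + 2 + hlen : 0;
    size_t hs = 4 + body + ext;                 /* handshake header + body */
    uint8_t *p = buf;

    if (hlen > 0xfff0 || 5 + hs > buflen)
        return 0;
    *p++ = TLS_HANDSHAKE; *p++ = 0x03; *p++ = 0x01;
    *p++ = (uint8_t)(hs >> 8); *p++ = (uint8_t)hs;
    *p++ = HS_CLIENT_HELLO;
    *p++ = (uint8_t)((body + ext) >> 16); *p++ = (uint8_t)((body + ext) >> 8); *p++ = (uint8_t)(body + ext);
    *p++ = 0x03; *p++ = 0x01;                   /* client_version TLS 1.0 */
    memset(p, 0x42, 32); p += 32;               /* random: fixed placeholder, not a real nonce */
    *p++ = 0;                                   /* empty session_id */
    *p++ = 0; *p++ = 2; *p++ = 0x00; *p++ = 0x2f; /* one suite: TLS_RSA_WITH_AES_128_CBC_SHA */
    *p++ = 1; *p++ = 0;                         /* compression: null only */
    if (host) {
        size_t data = 2 + 1 + 2 + hlen;         /* list length, name type, name length, name */
        *p++ = (uint8_t)((4 + data) >> 8); *p++ = (uint8_t)(4 + data);  /* extensions length */
        *p++ = 0; *p++ = 0;                     /* extension_type = server_name */
        *p++ = (uint8_t)(data >> 8); *p++ = (uint8_t)data;
        *p++ = (uint8_t)((hlen + 3) >> 8); *p++ = (uint8_t)(hlen + 3);  /* server_name_list length */
        *p++ = SNI_HOST_NAME;
        *p++ = (uint8_t)(hlen >> 8); *p++ = (uint8_t)hlen;
        memcpy(p, host, hlen); p += hlen;
    }
    return (size_t)(p - buf);
}

/* Bounds-checked big-endian read of nbytes: 0 on success, -1 if it runs past end. */
static int rd(const uint8_t *p, size_t end, size_t *off, int nbytes, size_t *v)
{
    if (*off > end || end - *off < (size_t)nbytes) return -1;
    *v = 0;
    while (nbytes-- > 0) *v = (*v << 8) | p[(*off)++];
    return 0;
}

/* Server side: pull host_name out of the server_name extension of a ClientHello
 * record, which is all the server has before it decides which context to use.
 * Returns the name length (NUL-terminated copy in out), 0 if the client sent no
 * server_name, -1 if the record is malformed or out is too small. */
static int parse_client_hello_sni(const uint8_t *rec, size_t len, char *out, size_t outlen)
{
    size_t off = 3, v, hs_end, e_end;

    if (len < 5 || rec[0] != TLS_HANDSHAKE) return -1;
    if (rd(rec, len, &off, 2, &v) || len - off < v) return -1;
    len = off + v;                              /* ignore anything after this record */
    if (rd(rec, len, &off, 1, &v) || v != HS_CLIENT_HELLO) return -1;
    if (rd(rec, len, &off, 3, &v) || len - off < v) return -1;
    hs_end = off + v;
    off += 2 + 32;                              /* client_version, random */
    if (rd(rec, hs_end, &off, 1, &v)) return -1; off += v;   /* session_id */
    if (rd(rec, hs_end, &off, 2, &v)) return -1; off += v;   /* cipher_suites */
    if (rd(rec, hs_end, &off, 1, &v)) return -1; off += v;   /* compression_methods */
    if (off == hs_end) return 0;                /* client without any extensions */
    if (rd(rec, hs_end, &off, 2, &v) || off + v != hs_end) return -1;
    while (off < hs_end) {
        size_t type, elen;
        if (rd(rec, hs_end, &off, 2, &type) || rd(rec, hs_end, &off, 2, &elen) || hs_end - off < elen) return -1;
        e_end = off + elen;
        if (type != EXT_SERVER_NAME) { off = e_end; continue; }
        if (rd(rec, e_end, &off, 2, &v) || off + v != e_end) return -1;  /* server_name_list */
        while (off < e_end) {
            size_t ntype, nlen;
            if (rd(rec, e_end, &off, 1, &ntype) || rd(rec, e_end, &off, 2, &nlen) || e_end - off < nlen) return -1;
            if (ntype == SNI_HOST_NAME) {
                if (nlen == 0 || nlen >= outlen) return -1;
                memcpy(out, rec + off, nlen); out[nlen] = '\0';
                return (int)nlen;
            }
            off += nlen;
        }
        return 0;                               /* extension present, no host_name entry */
    }
    return 0;
}

/* Constructed stand-in for several TLS domains on one IP:port told apart by
 * server_name (the role of the patch's tls_server_name directive); the paths
 * are illustrative, not real files. */
struct tls_domain { const char *server_name; const char *cert_file; };
static const struct tls_domain domains[] = {
    { "sip.example.com", "/etc/kamailio/tls/sip.example.com.pem" },
    { "sip.example.net", "/etc/kamailio/tls/sip.example.net.pem" },
};

/* Case-insensitive match of the untrusted client-sent name against the configured
 * list; -1 means keep the default context. The name is only a lookup key here. */
static int select_domain(const char *sni)
{
    size_t i, j;
    for (i = 0; i < sizeof domains / sizeof domains[0]; i++) {
        const char *a = domains[i].server_name, *b = sni;
        for (j = 0; a[j] && b[j] && tolower((unsigned char)a[j]) == tolower((unsigned char)b[j]); j++) ;
        if (!a[j] && !b[j]) return (int)i;
    }
    return -1;
}

/* Round trip: build a hello for host and parse it as the server would; the name lands in sni_name. */
static char sni_name[256];
static int roundtrip_sni(const char *host)
{
    uint8_t rec[512];
    size_t n = build_client_hello(host, rec, sizeof rec);
    return n ? parse_client_hello_sni(rec, n, sni_name, sizeof sni_name) : -1;
}

/* The same record cut to 40 bytes: a truncated hello must be rejected, not read past. */
static int truncated_sni(const char *host)
{
    uint8_t rec[512];
    size_t n = build_client_hello(host, rec, sizeof rec);
    return n > 40 ? parse_client_hello_sni(rec, 40, sni_name, sizeof sni_name) : -1;
}

int main(void)
{
    int n = roundtrip_sni("sip.example.com");
    printf("server_name=%s -> domain %d\n", n > 0 ? sni_name : "(none)", n > 0 ? select_domain(sni_name) : -1);
    printf("no SNI: %d, truncated: %d\n", roundtrip_sni(NULL), truncated_sni("sip.example.com"));
    return 0;
}
```

Two points the example is meant to make visible: the server_name value arrives in the clear and unauthenticated, so it may only ever select among contexts that were configured in advance (never be turned into a file path or a SIP domain the script trusts), and a client that sets the extension still has to verify the presented certificate against the very name it asked for, otherwise the extension buys nothing. A client without extension support simply ends up at the "no extensions" return and gets the default context, which is the fallback the patch has to keep working.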

----------------------------------------------------------------------

>Comment By: Henning Westerholt (henningw)
Date: 2008-08-11 09:48

Message:
Logged In: YES 
user_id=337916
Originator: NO

Hi Klaus,

I ported the patch to the current trunk; there were some conflicts after
the rename and the doxygen extensions. I spotted a few warnings in tlsops:
tls_select.c: In function tlsops_tlsext:
tls_select.c:613: warning: unused variable ssl
tls_select.c:612: warning: unused variable c
tls_select.c:611: warning: unused variable buf

I also removed the tls/README from the patch, because of some conflicts I
could not get rid of (something from the svn $DATE format). Perhaps you can
regenerate this on your machine? Otherwise I have not managed to review your
code that much yet.

Henning
File Added: kamailio-trunk-TLS-servername.patch

----------------------------------------------------------------------

Comment By: Klaus Darilion (klaus_darilion)
Date: 2008-07-02 08:32

Message:
Logged In: YES 
user_id=1318360
Originator: YES

Update: pjsip-trunk now also supports SNI. I tested pjsip against openser
and it worked fine. (pjsip also uses openssl)

----------------------------------------------------------------------

Comment By: Nobody/Anonymous (nobody)
Date: 2008-07-01 08:01

Message:
Logged In: NO 

Some more comments: To use this feature, Openser needs an OpenSSL library
with TLS extensions enabled. The recent OpenSSL version 0.9.8h supports TLS
extensions, but they are not enabled by default. You have to configure
OpenSSL with "./configure --enable-tlsext" and build it yourself.

PS: If you are using debian, just use openssl package >= 0.9.8g-10.1. 

----------------------------------------------------------------------
