[OpenSER-Devel] [ openser-Patches-2007478 ] TLS server_name extension

SourceForge.net noreply at sourceforge.net
Wed Jul 2 10:32:02 CEST 2008

Patches item #2007478, was opened at 2008-07-01 09:55
Message generated for change (Comment added) made by klaus_darilion
You can respond by visiting: 

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: core
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Klaus Darilion (klaus_darilion)
Assigned to: Nobody/Anonymous (nobody)
Summary: TLS server_name extension

Initial Comment:

The attached patch adds the TLS server_name extension to Openser (something for 1.5). In short:

outgoing TLS requests: configure the tls_server_name_avp and set it in the script to the requested domain.

incoming TLS requests: configure multiple TLS client domains as before, but this time use the same IP:port and specify the domain with the new "tls_server_name" directive. Then, if the incoming TLS request has a server_name and a matching client domain is found, the SSL_CTX context for the incoming SSL connection will be switched.

Documentation and tlsops module was extended too.

It would be great if someone could review the patch. For configuration of the server_name AVP I still use the old syntax, e.g.:
Using the new syntax, e.g. tls_server_name_avp=avp{i:400}, would be better, but unfortunately I did not understand how to do this. Maybe someone with more PV experience could change this.
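The per-connection SSL_CTX switch described above for incoming requests, as an added example that is not the patch's code: it uses Python's ssl module (which exposes OpenSSL's servername callback) instead of OpenSER's C code, and the domain table, the names in it and the fall-back-to-default behaviour for peers that send no server_name are assumptions.

```python
import ssl

# Constructed sample configuration (not from the patch): several TLS domains
# that share one IP:port and are told apart only by the SNI name the peer sends.
DEFAULT_DOMAIN = {"name": "default", "ctx": ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)}
DOMAINS = {
    "sip.example.org": {"name": "example.org", "ctx": ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)},
    "sip.example.net": {"name": "example.net", "ctx": ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)},
}


def select_domain(server_name, domains=DOMAINS, default=DEFAULT_DOMAIN):
    """Return the TLS domain config for an incoming connection.

    A missing server_name (peer without SNI support) or an unknown name falls
    back to the default domain instead of failing the handshake: the context
    is only switched on a match, as the patch description says.
    """
    if not server_name:
        return default
    key = server_name.rstrip(".").lower()  # host names compare case-insensitively
    return domains.get(key, default)


def make_sni_callback(domains=DOMAINS, default=DEFAULT_DOMAIN, log=None):
    """Build a callback suitable for ssl.SSLContext.sni_callback.

    Python calls it as (sslobj, server_name, listening_ctx); assigning
    sslobj.context swaps the SSL_CTX for this one connection, the same effect
    as SSL_set_SSL_CTX() in the OpenSSL C API the patch uses.
    """
    def on_servername(sslobj, server_name, _listening_ctx):
        chosen = select_domain(server_name, domains, default)
        if log is not None:
            log.append((server_name, chosen["name"]))  # audit which domain served the peer
        if chosen is not default:
            sslobj.context = chosen["ctx"]
        return None  # continue the handshake; an ssl.ALERT_DESCRIPTION_* int would abort it
    return on_servername


def install_sni(listening_ctx, **kw):
    """Attach the callback to the context the listening socket is wrapped with."""
    listening_ctx.sni_callback = make_sni_callback(**kw)
    return listening_ctx
```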



>Comment By: Klaus Darilion (klaus_darilion)
Date: 2008-07-02 10:32

Logged In: YES 
Originator: YES

Update: pjsip-trunk now also supports SNI. I tested pjsip against openser
and it worked fine. (pjsip also uses openssl)


Comment By: Nobody/Anonymous (nobody)
Date: 2008-07-01 10:01

Logged In: NO

Some more comments: To use this feature, Openser needs an OpenSSL library
with TLS extensions enabled. Recent OpenSSL version 0.9.8h supports TLS
extensions, but they are not enabled by default. You have to configure
OpenSSL with "./configure --enable-tlsext" and build it yourself.

PS: If you are using Debian, just use openssl package >= 0.9.8g-10.1.

