[sr-dev] [kamailio/kamailio] tls: configuration override with multiple server roles on same socket (#1574)

Daniel-Constantin Mierla notifications at github.com
Mon Jun 25 20:50:26 CEST 2018


The issue seems to be the client implementation not providing server name indication.

The way it works is by first finding a server profile by matching the IP and port (which is not actually used at that moment) and registering a callback for SNI, which is executed and searches for a profile matching the server_name. However, there is no SNI from the client, based on the last log message below:

```
Jun 25 15:43:51 kamailio-dev /usr/sbin/kamailio[9344]: DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization
Jun 25 15:43:51 kamailio-dev /usr/sbin/kamailio[9344]: DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSs<172.16.30.205:5061> (dom 0x7fc8bcce7fd8 ctx 0x7fc8bcf945b0 sn [first.my-domain.com])
Jun 25 15:43:51 kamailio-dev /usr/sbin/kamailio[9344]: DEBUG: tls [tls_domain.c:724]: sr_ssl_ctx_info_callback(): SSL handshake started
Jun 25 15:43:51 kamailio-dev /usr/sbin/kamailio[9344]: DEBUG: tls [tls_domain.c:927]: tls_server_name_cb(): SSL_get_servername returned NULL: return SSL_TLSEXT_ERR_NOACK
```
So, SSL_get_servername() didn't return a server name from the SSL context, meaning that the client didn't provide any.

Can you try with s_client from openssl, something like:

```
openssl s_client -servername myservername.com -tlsextdebug -connect mykamailio.ip:5061
```
and watch the logs to see what is printed there?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/1574#issuecomment-400056680