[sr-dev] [kamailio/kamailio] Kamailio not using SNI for incoming requests (#1938)

Laszlo notifications at github.com
Thu Apr 25 12:02:06 CEST 2019


I'm using Kamailio 5.2.2+xenial.

Set up a basic tls.cfg like this:

```
[server:default]
verify_certificate = no
require_certificate = no
private_key = /tmp/default.key
certificate = /tmp/default.pem

[server:any]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /tmp/domain.key
certificate = /tmp/domain.pem
server_name = sip.domain.com
server_name_mode = 1
```

Connect with openssl like this `openssl s_client -connect server:5061` and Kamailio will - obviously - offer the default.pem certificate.

However, use `openssl s_client -connect server:5061 -servername sip.domain.com` and Kamailio will still offer the default.pem certificate, where I'd expect it to offer domain.pem. I tested these `openssl` commandline invocations against an nginx server that's working with these same certificates, and SNI is working properly there.

From the Kamailio logs on starting up, it does seem to detect that a SNI callback should be registered with OpenSSL.

```
Apr 25 11:43:37 kamailio[7447]: NOTICE: tls [tls_domain.c:1083]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='sip.domain.com' ...
```

However, it's not triggering:

```
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 4.1.3.1
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:999]: tcpconn_new(): on port 55428, type 3
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:1305]: tcpconn_add(): hashes: 3726:2401:2691, 1
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: io_watch_add(0xa86c60, 60, 2, 0x7f00ad8279b0), fd_no=51
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG: io_watch_del (0xa86c60, 60, -1, 0x0) fd_no=52 called
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:4196]: handle_tcpconn_ev(): sending to child, events 1
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:3875]: send2child(): selected tcp worker idx:0 proc:44 pid:7342 for activity on [tls:1.6.1.6:5061], 0x7f00ad8279b0
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_read.c:1759]: handle_io(): received n=8 con=0x7f00ad8279b0, fd=10
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7f00ad1b02e8 ctx 0x7f00ad406408 sn [])
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:1155]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f00ad406408: (nil)
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:737]: sr_ssl_ctx_info_callback(): SSL handshake started
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2460]: tcpconn_do_send(): sending...
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2494]: tcpconn_do_send(): after real write: c= 0x7f00ad8279b0 n=2817 fd=10
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2495]: tcpconn_do_send(): buf=#012#026#003#001
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: io_watch_add(0xae0200, 10, 2, 0x7f00ad8279b0), fd_no=1
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:1155]: tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f00ad406408: (nil)
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:749]: sr_ssl_ctx_info_callback(): SSL handshake done
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:753]: sr_ssl_ctx_info_callback(): SSL disable renegotiation
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:424]: tls_accept(): TLS accept successful
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 4.1.3.1:55428 using TLSv1/SSLv3 AES256-SHA 256
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 1.6.1.6:5061
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2460]: tcpconn_do_send(): sending...
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2494]: tcpconn_do_send(): after real write: c= 0x7f00ad8279b0 n=266 fd=10
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2495]: tcpconn_do_send(): buf=#012#026#003#001
Apr 25 11:39:10 kamailio[7342]: DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG: io_watch_del (0xae0200, 10, -1, 0x10) fd_no=2 called
Apr 25 11:39:10 kamailio[7342]: DEBUG: <core> [core/tcp_read.c:1680]: release_tcpconn(): releasing con 0x7f00ad8279b0, state 1, fd=10, id=1 ([4.1.3.1]:55428 -> [4.1.3.1]:5061)
Apr 25 11:39:10 kamailio[7342]: DEBUG: <core> [core/tcp_read.c:1684]: release_tcpconn(): extra_data 0x7f00ad7c4ab8
Apr 25 11:39:10 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:3307]: handle_tcp_child(): reader response= 7f00ad8279b0, 1 from 0
Apr 25 11:39:10 kamailio[7344]: DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: io_watch_add(0xa86c60, 60, 2, 0x7f00ad8279b0), fd_no=51
Apr 25 11:39:10 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:3434]: handle_tcp_child(): CONN_RELEASE  0x7f00ad8279b0 refcnt= 1
```

Looking at other issues like #1574, I think I'm supposed to see a `tls_server_name_cb` log line upon connecting, but there is none.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/1938
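The report above compares, by hand, the certificate a TLS listener presents without SNI against the one it presents when `-servername` is sent. The script below is an added example (not from the Kamailio project or the issue author) that automates that comparison with Python's standard `ssl` module: it performs two handshakes, one with no SNI extension and one with the `server_hostname` under test, and reports whether the leaf certificate changed. Host, port and SNI name are placeholders to be replaced with the listener being checked; the constructed byte strings in the usage call exist only so the comparison helpers can be exercised offline.

```python
"""Probe a TLS listener with and without SNI and compare the leaf certificate.

Added example for checking per-server_name certificate selection on a SIP TLS
listener; not part of Kamailio. Host, port and SNI name below are placeholders.
"""
import hashlib
import socket
import ssl
from typing import Dict, Optional


def fetch_leaf_der(host: str, port: int, server_hostname: Optional[str],
                   timeout: float = 5.0) -> bytes:
    """Complete a TLS handshake and return the server's leaf certificate (DER).

    With server_hostname=None no SNI extension is sent, so the server falls
    back to its default domain. Certificate verification is disabled because
    the question is *which* certificate the server chose, not whether a local
    trust store accepts it (the report uses self-signed test certificates).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, hex encoded (64 chars)."""
    return hashlib.sha256(der).hexdigest()


def sni_selects_distinct_cert(default_der: bytes, sni_der: bytes) -> bool:
    """True when the SNI handshake yielded a different leaf than the default one.

    A False result with a server_name-configured domain is the symptom in the
    report: the listener ignored the SNI extension and served default.pem.
    """
    return fingerprint(default_der) != fingerprint(sni_der)


def probe(host: str, port: int, sni_name: str) -> Dict[str, object]:
    """Run both handshakes and summarise the outcome in one dictionary."""
    default_der = fetch_leaf_der(host, port, None)
    result: Dict[str, object] = {"default_fingerprint": fingerprint(default_der)}
    try:
        sni_der = fetch_leaf_der(host, port, sni_name)
    except (ssl.SSLError, OSError) as exc:
        # A handshake failure here is itself informative: e.g. a domain pinned
        # to a protocol version the client no longer offers cannot be probed.
        result["sni_error"] = str(exc)
        return result
    result["sni_fingerprint"] = fingerprint(sni_der)
    result["sni_selection_active"] = sni_selects_distinct_cert(default_der, sni_der)
    return result


if __name__ == "__main__":
    # Offline demonstration of the comparison helpers on constructed byte strings.
    same = sni_selects_distinct_cert(b"constructed-cert-A", b"constructed-cert-A")
    diff = sni_selects_distinct_cert(b"constructed-cert-A", b"constructed-cert-B")
    print("identical leaf -> selection active:", same)   # False
    print("different leaf -> selection active:", diff)   # True
    # Against a real listener (placeholders):
    # print(probe("server.example.invalid", 5061, "sip.domain.com"))
```

One caveat when running this against the configuration in the report: the `[server:any]` domain is pinned with `method = TLSv1`, and a current Python/OpenSSL client will not negotiate TLS 1.0 by default, so the SNI handshake would fail before any certificate is returned. Allowing TLS 1.2 or later on the domain while testing keeps the probe meaningful and avoids advertising a legacy protocol version on the listener.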