[SR-Users] sip over tls is not working

Aft nix aftnix at gmail.com
Thu Jul 12 11:17:51 CEST 2012


On Thu, Jul 12, 2012 at 1:33 AM, Peter Dunkley
<peter.dunkley at crocodile-rcs.com> wrote:
> Hi,
>
> I have just built Kamailio from Git master, configured TCP and TLS, and an
> HTTP event route.  I was able to connect to Kamailio over TLS using Google
> Chrome (and saw the "SSL Error: The site's security certificate is not
> trusted!" page).  After I clicked on "Proceed anyway" I saw the log
> message I put in the HTTP event route come out.
>
> I also logged in with Jitsi using TLS and that worked fine too.
>
> I tried this with both the WebSocket module loaded and without it, and it
> worked in both cases.
>
> I also tried the above with TCP and that worked fine as well.
>
> As far as I can tell TLS is working in Kamailio Git master.
>
> Regards,
>
> Peter
>

Thanks for the update. I've come to the same conclusion. I was going
to post my results and saw your mail. Things are working for me right
now. But I'm still kind of puzzled why it didn't work earlier. Apart
from a new "tcp" listen directive I've not changed anything. I did a
git pull though, which showed some update in tcp_main. Look at the diff
of the most recent changes of tcp_main.c (git diff $start $end -- tcp_main.c):

diff --git a/tcp_main.c b/tcp_main.c
index a6e3019..c5a2547 100644
--- a/tcp_main.c
+++ b/tcp_main.c
@@ -1427,7 +1427,7 @@ static inline void _tcpconn_free(struct tcp_connection* c)
 #endif
 	lock_destroy(&c->write_lock);
 #ifdef USE_TLS
-	if (unlikely(c->type==PROTO_TLS || c->type==PROTO_WSS)) tls_tcpconn_clean(c);
+	if (unlikely(c->type==PROTO_TLS)) tls_tcpconn_clean(c);
 #endif
 	shm_free(c);
 }
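Review bot: dropping PROTO_WSS from the tls_tcpconn_clean() guard in _tcpconn_free() is only correct if no tcp_connection of type PROTO_WSS can reach this function any more; nothing in this diff shows where such connections are created or where their TLS state would otherwise be released, so a PROTO_WSS connection that still carries TLS extra_data would now be shm_free()d without tls_tcpconn_clean(), leaking the TLS object in shared memory. State the invariant in the commit message (for instance, that secure WebSocket connections are typed PROTO_TLS at the tcp layer and flagged elsewhere) so the next reader does not reintroduce the clause.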
@@ -1456,7 +1456,7 @@ void tcpconn_rm(struct tcp_connection* c)
 	TCPCONN_UNLOCK;
 	lock_destroy(&c->write_lock);
 #ifdef USE_TLS
-	if ((c->type==PROTO_TLS || c->type==PROTO_WSS)&&(c->extra_data))
tls_tcpconn_clean(c);
+	if ((c->type==PROTO_TLS)&&(c->extra_data)) tls_tcpconn_clean(c);
 #endif
 	shm_free(c);
 }
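Review bot: as pasted, the removed line of this hunk has been wrapped by the mail client (`tls_tcpconn_clean(c);` sits on a line of its own), so the diff will not apply with git apply; send it as an attachment or via git format-patch if it is meant to be applied. On substance, tcpconn_rm() keeps the `(c->extra_data)` guard while _tcpconn_free() in the previous hunk calls tls_tcpconn_clean(c) unconditionally; if tls_tcpconn_clean() tolerates a NULL extra_data the guard here is redundant, and if it does not, the first hunk needs the same guard.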
@@ -2270,7 +2270,7 @@ static int tcpconn_send_put(struct
tcp_connection* c, const char* buf,
 				{
 					do_close_fd=0;
 #ifdef USE_TLS
-					if (unlikely(c->type==PROTO_TLS || c->type==PROTO_WSS)) {
+					if (unlikely(c->type==PROTO_TLS)) {
 						t_buf = buf;
 						t_len = len;
 						do {
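Review bot: this condition selects the TLS send path in tcpconn_send_put(); after the change a connection whose type is still PROTO_WSS would fall through to the plain TCP write and have its payload sent in clear. Since the hunk shows only the TLS branch, it is worth adding a sanity check (an assertion or a LM_CRIT on an unexpected PROTO_WSS type) rather than relying on the branch being unreachable.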
@@ -2372,7 +2372,7 @@ static int tcpconn_send_put(struct
tcp_connection* c, const char* buf,
 		}
 	
 #ifdef USE_TLS
-		if (unlikely(c->type==PROTO_TLS || c->type==PROTO_WSS)) {
+		if (unlikely(c->type==PROTO_TLS)) {
 			/* for TLS the TLS processing and the send must happen
 			   atomically w/ respect to other sends on the same connection
 			   (otherwise reordering might occur which would break TLS) =>
@@ -2958,7 +2958,7 @@ inline static void tcpconn_close_main_fd(struct
tcp_connection* tcpconn)
 	
 	fd=tcpconn->s;
 #ifdef USE_TLS
-	if (tcpconn->type==PROTO_TLS || tcpconn->type==PROTO_WSS)
+	if (tcpconn->type==PROTO_TLS)
 		tls_close(tcpconn, fd);
 #endif
 #ifdef TCP_FD_CACHE
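Review bot: tls_close() is the TLS-level shutdown for the descriptor (presumably sending close_notify and freeing the SSL state); with PROTO_WSS removed from the test, such a connection would be closed at the socket level only, which the peer must treat as a truncation error. Same dependency as the first hunk: correct only if PROTO_WSS never reaches tcpconn_close_main_fd().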
@@ -3025,7 +3025,7 @@ inline static void tcpconn_destroy(struct
tcp_connection* tcpconn)
 			tcpconn_close_main_fd(tcpconn);
 			tcpconn->flags|=F_CONN_FD_CLOSED;
 			(*tcp_connections_no)--;
-			if (unlikely(tcpconn->type==PROTO_TLS || tcpconn->type==PROTO_WSS))
+			if (unlikely(tcpconn->type==PROTO_TLS))
 				(*tls_connections_no)--;
 		}
 		_tcpconn_free(tcpconn); /* destroys also the wbuf_q if still present*/
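Review bot: the decrement of *tls_connections_no here must mirror the increment on the accept/connect side, which is not in this diff; if that side still counts PROTO_WSS connections as TLS, the counter drifts upward on every such close and, since it is compared against the TLS connection limit, will eventually make the proxy refuse new TLS connections. Check the increment in the same commit.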
@@ -3073,7 +3073,7 @@ inline static int tcpconn_put_destroy(struct
tcp_connection* tcpconn)
 		tcpconn_close_main_fd(tcpconn);
 		tcpconn->flags|=F_CONN_FD_CLOSED;
 		(*tcp_connections_no)--;
-		if (unlikely(tcpconn->type==PROTO_TLS || tcpconn->type==PROTO_WSS))
+		if (unlikely(tcpconn->type==PROTO_TLS))
 				(*tls_connections_no)--;
 	}
 	/* all the flags / ops on the tcpconn must be done prior to decrementing
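Review bot: style point on `(*tls_connections_no)--;` in tcpconn_put_destroy(): it is indented two levels deeper than its `if`, whereas the same pair in tcpconn_destroy() above sits one level in. Pre-existing, but the line directly above it is being touched, so re-indent it here. The counter pairing caveat raised for tcpconn_destroy() applies to this decrement as well.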
@@ -4509,7 +4509,7 @@ static inline void tcpconn_destroy_all(void)
 					fd=-1;
 				}
 #ifdef USE_TLS
-				if (fd>0 && (c->type==PROTO_TLS || c->type==PROTO_WSS))
+				if (fd>0 && c->type==PROTO_TLS)
 					tls_close(c, fd);
 #endif
 				_tcpconn_rm(c);
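Review bot: `fd>0` skips tls_close() when the socket is descriptor 0, which is a valid descriptor once a daemon has closed stdin; since the condition is being edited anyway, `fd>=0` matches the `fd=-1` sentinel assigned just above it. Pre-existing, so optional for this patch.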
@@ -4522,7 +4522,7 @@ static inline void tcpconn_destroy_all(void)
 					tcp_safe_close(fd);
 				}
 				(*tcp_connections_no)--;
-				if (unlikely(c->type==PROTO_TLS || c->type==PROTO_WSS))
+				if (unlikely(c->type==PROTO_TLS))
 					(*tls_connections_no)--;
 			c=next;
 		}
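Review bot: this is the third copy of the `if (unlikely(c->type==PROTO_TLS)) (*tls_connections_no)--;` pair in the file (tcpconn_destroy(), tcpconn_put_destroy(), tcpconn_destroy_all()), each now edited separately; a small static inline helper that decrements both connection counters would have made this change a one-liner and keeps the three sites from drifting again.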

I don't know if that changed anything.

Most likely I have done something silly which I am not finding at this moment.

Whatever, as things work, the thread should be marked SOLVED. Though
it irks me that I still don't know what went wrong.

Cheers.

>
>> On Wed, Jul 11, 2012 at 9:37 PM, Peter Dunkley
>> <peter.dunkley at crocodile-rcs.com> wrote:
>>>
>>> Hi,
>>>
>>> WebSockets over TLS works which requires establishing a TLS connection
>>> and
>>> exchanging an HTTP request and response.  It doesn't sound like this
>>> connection is even getting past the TLS handshake part?
>>>
>>> Peter
>>>
>>
>> Hi,
>> That was my first guess. I will run some tests with plain tcp socket
>> and post update.
>>
>> cheers.
>>
>>>
>>> On Wed, 2012-07-11 at 17:14 +0200, Klaus Darilion wrote:
>>>
>>> Maybe there were some changes for websocket support which cause
>>> problems. Do plain TCP connections work?
>>>
>>> klaus
>>>
>>> On 11.07.2012 16:20, Aft nix wrote:
>>> > On Wed, Jul 11, 2012 at 6:56 PM, Klaus Darilion
>>> > <klaus.mailinglists at pernau.at> wrote:
>>> >> I just tested TLS with Kamailio 3.3.0 and Eyebeam and it works. Make
>>> >> sure to
>>> >> specify "ca_list" if intermediate certificates are used.
>>> >>
>>> >
>>> > I was working with master branch, not 3.3 branch.
>>> >
>>> >>
>>> >> regards
>>> >> Klaus
>>> >>
>>> >> On 09.07.2012 13:27, Aft nix wrote:
>>> >>>
>>> >>> Hi,
>>> >>>
>>> >>> I have enabled tls parameters as follows:
>>> >>>
>>> >>> in kamailio.cfg
>>> >>>
>>> >>> listen = tls:<IP>:<PORT>
>>> >>>
>>> >>> in tls.cfg
>>> >>>
>>> >>> [server:<IP>:<PORT>]
>>> >>> method = TLSv1
>>> >>> verify_certificate = no
>>> >>> require_certificate = no
>>> >>> private_key = /usr/local/etc/kamailio/kamailio-selfsigned.key
>>> >>> certificate = /usr/local/etc/kamailio/kamailio-selfsigned.pem
>>> >>>
>>> >>> Now if I try to connect to this interface using openssl s_client, it
>>> >>> does connect,
>>> >>> but no server certificate is sent from kamailio.
>>> >>>
>>> >>> kamailio log shows this :
>>> >>>
>>> >>>     <core> [ip_addr.c:247]: tcpconn_new: new tcp connection: <CLIENT
>>> >>> IP>
>>> >>>     <core> [tcp_main.c:10
>



-- 
-aft
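The tls.cfg quoted at the bottom of this message (a `listen = tls:IP:PORT` socket, a matching `[server:IP:PORT]` section, `certificate` and `private_key` paths) is exactly the kind of thing that silently yields a listener that accepts the TCP connection but never completes a handshake: a section name that does not match the socket, a path that does not exist, or a file the Kamailio user cannot read. The linter below is an added example, not Kamailio code and not anything from this thread; it cross-checks the two files for those conditions and flags an obsolete `method`. The addresses (192.0.2.10), temp paths and file contents in `demo()` are constructed placeholders.

```python
"""Lint a Kamailio tls.cfg against the tls: sockets in kamailio.cfg.

Added example, not Kamailio code. Addresses, paths and file contents used by
demo() are constructed placeholders (192.0.2.0/24 is a documentation range).
"""
import configparser
import os
import re
import tempfile

# `listen = tls:IP:PORT` (IPv4 or hostname only; bracketed IPv6 is not handled here)
LISTEN_RE = re.compile(r'^[ \t]*listen[ \t]*=[ \t]*tls:([^:\s]+):(\d+)', re.M)

# Methods that pin a protocol version no longer considered acceptable.
WEAK_METHODS = {"SSLV2", "SSLV3", "SSLV23", "TLSV1"}


def tls_listeners(kamailio_cfg):
    """Return [(ip, port), ...] for every `listen = tls:IP:PORT` line."""
    return [(ip, int(port)) for ip, port in LISTEN_RE.findall(kamailio_cfg)]


def parse_tls_cfg(text):
    """tls.cfg is INI-like: [server:IP:PORT] / [server:default] sections."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def lint(kamailio_cfg, tls_cfg):
    """Return a list of (severity, message); an empty list means nothing found."""
    findings = []
    cp = parse_tls_cfg(tls_cfg)
    for ip, port in tls_listeners(kamailio_cfg):
        name = f"server:{ip}:{port}"
        if cp.has_section(name):
            section = cp[name]
        elif cp.has_section("server:default"):
            section = cp["server:default"]
            findings.append(("info", f"{name}: no dedicated section, [server:default] applies"))
        else:
            # With neither a dedicated nor a default server section the socket
            # has no certificate to offer at all.
            findings.append(("error", f"{name}: no [{name}] or [server:default] section"))
            continue
        for key in ("certificate", "private_key"):
            path = section.get(key)
            if not path:
                findings.append(("error", f"{name}: {key} is not set"))
            elif not os.path.isfile(path):
                findings.append(("error", f"{name}: {key} file not found: {path}"))
            elif not os.access(path, os.R_OK):
                findings.append(("error", f"{name}: {key} not readable by this user: {path}"))
        method = section.get("method")
        if method and method.upper() in WEAK_METHODS:
            findings.append(("warn", f"{name}: method = {method} is obsolete; "
                                     "use TLSv1.2 or newer if the peers support it"))
    return findings


def demo():
    """Run the linter on a constructed config pair (placeholder cert/key files)."""
    tmp = tempfile.mkdtemp()
    key = os.path.join(tmp, "kamailio-selfsigned.key")
    crt = os.path.join(tmp, "kamailio-selfsigned.pem")
    for p in (key, crt):
        with open(p, "w") as f:
            f.write("-----BEGIN PLACEHOLDER-----\n")  # contents are not inspected
    kamailio_cfg = (
        "listen = tls:192.0.2.10:5061\n"
        "listen = tls:192.0.2.10:5062\n"
        "listen = tcp:192.0.2.10:5060\n"
    )
    tls_cfg = f"""
[server:192.0.2.10:5061]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = {key}
certificate = {crt}

[server:192.0.2.10:5062]
private_key = {key}
certificate = /usr/local/etc/kamailio/does-not-exist.pem
"""
    return lint(kamailio_cfg, tls_cfg)


if __name__ == "__main__":
    for severity, message in demo():
        print(f"{severity}: {message}")
```

The linter does not check that the key and certificate belong together; for that, compare `openssl x509 -noout -modulus -in cert.pem` with `openssl rsa -noout -modulus -in key.pem`, and confirm what the listener actually serves with `openssl s_client -connect IP:PORT -showcerts`, as the original poster did.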


