[SR-Users] TLS certificates per domain

Daniel-Constantin Mierla miconda at gmail.com
Tue Feb 17 00:38:51 CET 2015


Hello,

the SNI (server name indication) support was available in kamailio v1.5
and then lost when the code was integrated with ser. It was on my to-do
to re-add it but no time for it in the past. I just pushed a partial
patch that allows to set a server_name for each TLS server domain
(context) configured in the tls.cfg, like:

[server:127.0.0.1:5061]
method = TLSv1
...
server_name = localhost.loc


[server:127.0.0.1:5061]
method = TLSv1
...
server_name = localhost1.loc

So far I have only had time to add it for the server side -- when Kamailio is
accepting a TLS connection, it should be able to select the context with the
server_name matching the one advertised by the client.

Soon I will add the option to set the server name for connections that
are opened by kamailio towards other tls nodes.

Because it is impossible to know if the client will present an SNI,
kamailio first selects the context based only on ip:port matching and,
once the SNI callback is executed, switches to the appropriate one.
Given that there can be more contexts for the same ip:port, the last one
matching in tls.cfg is selected the first time. If no server name is
matching after the SNI callback, the 'default' server context is selected.

I did just basic testing so far with SIP registration, therefore proper
testing would be required on your side and feedback will be very
appreciated.

Cheers,
Daniel


On 12/02/15 15:15, Muhammad Shahzad wrote:
> Hi,
>
> I want to deploy a kamailio v4.2.x setup with multiple domains, all
> resolving to the same IPv4 address kamailio is listening on. I am a bit
> confused about how to configure TLS certificates using the tls config file
> as mentioned here,
>
> http://kamailio.org/docs/modules/4.2.x/modules/tls.html#tls.p.config
>
> The documentation states that,
>
> --
> If set the TLS module will load a special config file or config files
> from config directory, in which different TLS parameters can be
> specified on a per role (server or client) and domain basis (*for now
> only IPs*). The corresponding module parameters will be ignored.
> --
>
> since all domains resolve to a single IP, I assume I can specify only
> one section in the tls config file with a pair of key/pem file paths. How can
> I specify more server certificates for the same IP but with different domains?
>
> Thank you.

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio World Conference, May 27-29, 2015
Berlin, Germany - http://www.kamailioworld.com
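The two-step selection Daniel describes (pick by ip:port first, last matching section wins; switch on the SNI callback; fall back to the default server context) is worth seeing end to end, because the no-SNI and no-match cases are exactly what need testing on a real deployment. The Python below is an added example and not Kamailio code: it parses a small tls.cfg-style text with two [server:127.0.0.1:5061] sections and a [server:default] section, then applies the rules from the mail. Assumptions not stated in the mail: the SNI lookup is limited to sections for the same ip:port, server_name comparison is case-insensitive, and the key/certificate paths in the sample config are illustrative.

```python
"""Model of per-server_name TLS context selection, as described in the mail.

Added example, not Kamailio's own code.  The config text below is constructed
for the example; the key/certificate paths are illustrative placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample tls.cfg: one default context plus two contexts for the
# same ip:port that differ only in server_name (and certificate).
SAMPLE_CFG = """
[server:default]
method = TLSv1
verify_certificate = no
private_key = /etc/kamailio/default.key        # illustrative path
certificate = /etc/kamailio/default.pem        # illustrative path

[server:127.0.0.1:5061]
method = TLSv1
private_key = /etc/kamailio/localhost.key
certificate = /etc/kamailio/localhost.pem
server_name = localhost.loc

[server:127.0.0.1:5061]
method = TLSv1
private_key = /etc/kamailio/localhost1.key
certificate = /etc/kamailio/localhost1.pem
server_name = localhost1.loc
"""


@dataclass
class TlsContext:
    role: str                       # "server" or "client"
    domain: str                     # "ip:port" or "default"
    params: dict = field(default_factory=dict)

    @property
    def server_name(self) -> Optional[str]:
        name = self.params.get("server_name")
        # Assumption: hostnames compare case-insensitively.
        return name.lower() if name else None


def parse_tls_cfg(text: str) -> List[TlsContext]:
    """Parse sections in file order.  Duplicate [server:ip:port] headers are
    kept as separate contexts (configparser would merge or reject them)."""
    contexts: List[TlsContext] = []
    current: Optional[TlsContext] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            role, sep, domain = line[1:-1].partition(":")
            if not sep or role not in ("server", "client"):
                raise ValueError("bad section header: %r" % raw)
            current = TlsContext(role, domain)
            contexts.append(current)
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current.params[key.strip()] = value.strip()
        else:
            raise ValueError("bad tls.cfg line: %r" % raw)
    return contexts


def default_server(contexts: List[TlsContext]) -> TlsContext:
    for ctx in contexts:
        if ctx.role == "server" and ctx.domain == "default":
            return ctx
    raise LookupError("no [server:default] section")


def select_by_address(contexts: List[TlsContext], ip: str, port: int) -> TlsContext:
    """Step 1: before the ClientHello only the local ip:port is known, so the
    last matching section in file order wins; no match means the default."""
    wanted = "%s:%d" % (ip, port)
    chosen = default_server(contexts)
    for ctx in contexts:
        if ctx.role == "server" and ctx.domain == wanted:
            chosen = ctx                      # later sections override earlier
    return chosen


def select_by_sni(contexts: List[TlsContext], ip: str, port: int, sni: str) -> TlsContext:
    """Step 2 (SNI callback): switch to the section for the same ip:port whose
    server_name equals the advertised name, otherwise the default context."""
    wanted = "%s:%d" % (ip, port)
    for ctx in contexts:
        if ctx.role == "server" and ctx.domain == wanted and ctx.server_name == sni.lower():
            return ctx
    return default_server(contexts)


def negotiate(contexts: List[TlsContext], ip: str, port: int, sni: Optional[str] = None):
    """Whole accept path for one connection: (initial, final) contexts.
    A client that sends no SNI keeps the step-1 choice."""
    initial = select_by_address(contexts, ip, port)
    final = initial if not sni else select_by_sni(contexts, ip, port, sni)
    return initial, final


if __name__ == "__main__":
    ctxs = parse_tls_cfg(SAMPLE_CFG)
    for name in (None, "localhost.loc", "localhost1.loc", "other.example"):
        first, last = negotiate(ctxs, "127.0.0.1", 5061, name)
        print("sni=%-15s initial=%-15s final=%s" % (
            name, first.params.get("server_name", first.domain),
            last.params.get("server_name", last.domain)))
```

The no-SNI row is the one to watch when ordering sections in tls.cfg: a client that never sends server_name gets the last [server:ip:port] section, not the default. To check a live listener, an `openssl s_client -connect 127.0.0.1:5061 -servername localhost.loc` run per domain, comparing the subject of the certificate returned with and without `-servername`, exercises all three cases above.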
