[SR-Users] TLS certificates per domain

Muhammad Shahzad shaheryarkh at gmail.com
Tue Feb 17 10:05:38 CET 2015


This is excellent news. The support for service side connections is good
enough for me. I will test and let you know if I face any problems.

Thank you very much for your help and cooperation.


On Tue, Feb 17, 2015 at 12:38 AM, Daniel-Constantin Mierla <
miconda at gmail.com> wrote:

>  Hello,
>
> the SNI (server name indication) support was available in kamailio v1.5
> and then lost when the code was integrated with ser. It was on my to-do to
> re-add it but no time for it in the past. I just pushed a partial patch
> that allows to set a server_name for each TLS server domain (context)
> configured in the tls.cfg, like:
>
> [server:127.0.0.1:5061]
> method = TLSv1
> ...
> server_name = localhost.loc
>
>
> [server:127.0.0.1:5061]
> method = TLSv1
> ...
> server_name = localhost1.loc
>
> So far I had the time to add only for server side -- when Kamailio is
> accepting a TLS connection, should be able to select the context with
> server_name matching the one advertised by the client.
>
> Soon I will add the option to set the server name for connections that are
> opened by kamailio towards other tls nodes.
>
> Because it is impossible to know if the client will present a SNI,
> kamailio first selects the context based only on ip:port matching and once
> the SNI callback is executed, will switch to the appropriate one. Given
> that there can be more contexts for same ip:port, the last one matching in
> tls.cfg is selected first time. If no server name is matching after SNI
> callback, the 'default' server context is selected.
>
> I did just basic testing so far with SIP registration, therefore proper
> testing would be required on your side and feedback will be very
> appreciated.
>
> Cheers,
> Daniel
>
>
>
> On 12/02/15 15:15, Muhammad Shahzad wrote:
>
>   Hi,
>
>  I want to deploy a kamailio v4.2.x setup with multiple domains, all
> resolve to same IPv4 address kamailio is listening on. I am a bit confused
> about how to configure TLS certificates using tls config file as mentioned
> here,
>
> http://kamailio.org/docs/modules/4.2.x/modules/tls.html#tls.p.config
>
>  The documentation states that,
>
> --
> If set the TLS module will load a special config file or config files from
> config directory, in which different TLS parameters can be specified on a
> per role (server or client) and domain basis (*for now only IPs*). The
> corresponding module parameters will be ignored.
> --
>
>  since all domains resolve single IP, so I assume I can specify only one
> section in tls config file with pair of key/pem file path. How can i
> specify more server certificates for same ip but with different domains?
>
>  Thank you.
>
>
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>
>
> --
> Daniel-Constantin Mierla
> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
> Kamailio World Conference, May 27-29, 2015
> Berlin, Germany - http://www.kamailioworld.com
>
>
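
A small model of the two-step context selection described in the quoted message, added here as an illustration; it is not Kamailio code. The [server:default] section, the certificate paths, the case-insensitive name comparison and the behaviour when the client sends no SNI are assumptions.

```python
import re

# Constructed sample in the tls.cfg layout quoted above; file paths are placeholders.
TLS_CFG = """
[server:default]
method = TLSv1
certificate = /etc/kamailio/default.pem

[server:127.0.0.1:5061]
method = TLSv1
certificate = /etc/kamailio/localhost.pem
server_name = localhost.loc

[server:127.0.0.1:5061]
method = TLSv1
certificate = /etc/kamailio/localhost1.pem
server_name = localhost1.loc
"""

def parse_server_sections(text):
    """Return server sections in file order; duplicate ip:port headers are kept."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        header = re.fullmatch(r"\[server:(.+)\]", line)
        if header:
            sections.append({"addr": header.group(1)})
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][key] = value
    return sections

def select_context(sections, addr, sni=None):
    """Model which server section ends up serving a connection to addr."""
    default = next((s for s in sections if s["addr"] == "default"), None)
    same_addr = [s for s in sections if s["addr"] == addr]
    # Step 1: ip:port only; the last matching section in the file is picked.
    chosen = same_addr[-1] if same_addr else default
    if sni is None:
        return chosen  # assumption: without SNI the step-1 context stays in use
    # Step 2: SNI callback; switch to the section whose server_name matches.
    for s in same_addr:
        if s.get("server_name", "").lower() == sni.lower():  # assumption: case-insensitive
            return s
    return default  # no server_name matched the advertised name
```

In this model a client that sends no SNI is served by the last section listed for that ip:port, so the order of sections in tls.cfg decides which certificate such clients see.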