[SR-Users] Kamailio TLS client config selection

Daniel-Constantin Mierla miconda at gmail.com
Tue Nov 1 11:09:56 CET 2016 

Hello,

can you open a pull request on github with the patch you propose for the
fix?

  - https://github.com/kamailio/kamailio

It is easier to review and travis-ci will take care to compile the patch
and be sure it doesn't break latest master version.

Cheers,
Daniel


On 26/10/16 08:59, Sergey Basov wrote:
> Hi Daniel.
>
> After some try to configure kamailio 4.4.3 to act as SPI TLS client
> for Cisco SIP TLS gateways I have found one issue.
>
> If I do client configuration for tls
>
> [client:10.1.23.19:5061]
> verify_certificate = yes
> ca_list = /etc/kamailio/CAs/ca1.pem
>
> [client:10.1.23.29:5061]
> verify_certificate = yes
> ca_list = /etc/kamailio/CAs/ca2.pem
>
> [client:default]
> verify_certificate = no
> require_certificate = no
>
> Kamailo always do default profile selection (I do configuration
> without server_name or server_id, with it kamailio works fine but
> there are some troubles to make selection of this parameters from
> config script, I need additional checks and queries)
>
> after some research in tls module source code I have added some debug
> information in file tls_server.c:
>
>         if (c->flags & F_CONN_PASSIVE) {
>                 state=S_TLS_ACCEPTING;
>                 dom = tls_lookup_cfg(cfg, TLS_DOMAIN_SRV,
>
> &c->rcv.dst_ip, c->rcv.dst_port, 0, 0);
>         } else {
>                 state=S_TLS_CONNECTING;
>                 sname = tls_get_connect_server_name();
>                 srvid = tls_get_connect_server_id();
> // -------------------------------------------------------------
>                 DBG("Entered client config loockup (c->rcv.dst_port
> %d)\n", c->rcv.dst_port);
>                 DBG("Entered client config loockup (&c->rcv.dst_ip
> %s)\n", ip_addr2a(&c->rcv.dst_ip));
>                 DBG("Entered client config loockup (c->rcv.src_port
> %d)\n", c->rcv.src_port);
>                 DBG("Entered client config loockup (&c->rcv.src_ip
> %s)\n", ip_addr2a(&c->rcv.src_ip));
> // -------------------------------------------------------------
>                 dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
>                                                 &c->rcv.dst_ip,
> c->rcv.dst_port, sname, srvid);
>
>         }
>
> After making
> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
> [parser/msg_parser.c:597]: parse_msg():  method:  <INVITE>
> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
> [parser/msg_parser.c:599]: parse_msg():  uri:
> <sip:9098 at 10.1.23.19:5061;transport=TLS>
> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
> [parser/msg_parser.c:601]: parse_msg():  version: <SIP/2.0>
>
> I see
>
> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
> [ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection:
> 10.1.23.19
> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
> [tcp_main.c:985]: tcpconn_new(): on port 5061, type 3
> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
> [tcp_main.c:1295]: tcpconn_add(): hashes: 1394:0:0, 1
> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
> [tls_server.c:197]: tls_complete_init(): completing tls connection
> initialization
> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
> [tls_server.c:160]: tls_get_connect_server_name(): xavp with outbound
> server name not found
> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
> [tls_server.c:140]: tls_get_connect_server_id(): xavp with outbound
> server id not found
> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
> [tls_server.c:219]: tls_complete_init(): Entered client config loockup
> (c->rcv.dst_port 40123)
> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
> [tls_server.c:220]: tls_complete_init(): Entered client config loockup
> (&c->rcv.dst_ip 10.1.23.23)
> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
> [tls_server.c:221]: tls_complete_init(): Entered client config loockup
> (c->rcv.src_port 5061)
> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
> [tls_server.c:222]: tls_complete_init(): Entered client config loockup
> (&c->rcv.src_ip 10.1.23.19)
>
> Where:
> &c->rcv.dst_ip 10.1.23.23 - it is my local kamailio tls socket ip
> address to make tls connect from
> c->rcv.dst_port 40123 - it is my local kamailio tls socket port
> &c->rcv.src_ip 10.1.23.19 - ip of my TLS device to make tls connection to
> c->rcv.src_port 5061 - port of my TLS device to make tls connection to
>
> so if I change line
>                 dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
>                                                 &c->rcv.dst_ip,
> c->rcv.dst_port, sname, srvid);
> to
>                 dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
>                                                 &c->rcv.src_ip,
> c->rcv.src_port, sname, srvid);
>
>
> I got correct client domain selection
>
> Oct 26 09:33:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
> [tls_server.c:233]: tls_complete_init(): Using initial TLS domain
> TLSc<10.1.23.19:5061> (dom 0x7fd2eefa3d68 ctx 0x7fd2ef7e70a8 sn [])
> Oct 26 09:33:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
> [tls_domain.c:703]: sr_ssl_ctx_info_callback(): SSL handshake started
>
> Can you look at this code?
>
> Thank you in advance.
>
> --
> Best regards,
> Sergey Basov                     e-mail: sergey.v.basov at gmail.com
>
> tel: (+38067) 403-62-54

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Nov 28-30, 2016 - http://www.asipto.com

More information about the sr-users mailing list