[SR-Users] Kamailio TLS client config selection

Daniel-Constantin Mierla miconda at gmail.com
Wed Nov 2 10:10:13 CET 2016


Hello,

thanks, I will review it there.

Cheers,
Daniel


On 02/11/16 07:37, Sergey Basov wrote:
> Hi Daniel,
>
> I have just created a pull request for this change.
>
> https://github.com/kamailio/kamailio/pull/842
> --
> Best regards,
> Sergey Basov                     e-mail: sergey.v.basov at gmail.com
>
> tel: (+38067) 403-62-54
>
>
> 2016-11-01 12:09 GMT+02:00 Daniel-Constantin Mierla <miconda at gmail.com>:
>> Hello,
>>
>> can you open a pull request on github with the patch you propose for the
>> fix?
>>
>>   - https://github.com/kamailio/kamailio
>>
>> It is easier to review and travis-ci will take care of compiling the patch
>> and make sure it doesn't break the latest master version.
>>
>> Cheers,
>> Daniel
>>
>>
>> On 26/10/16 08:59, Sergey Basov wrote:
>>> Hi Daniel.
>>>
>>> After some attempts to configure kamailio 4.4.3 to act as a SIP TLS client
>>> for Cisco SIP TLS gateways, I have found one issue.
>>>
>>> If I do the client configuration for TLS
>>>
>>> [client:10.1.23.19:5061]
>>> verify_certificate = yes
>>> ca_list = /etc/kamailio/CAs/ca1.pem
>>>
>>> [client:10.1.23.29:5061]
>>> verify_certificate = yes
>>> ca_list = /etc/kamailio/CAs/ca2.pem
>>>
>>> [client:default]
>>> verify_certificate = no
>>> require_certificate = no
>>>
>>> Kamailio always does default profile selection (I do the configuration
>>> without server_name or server_id; with them kamailio works fine, but
>>> there are some troubles making the selection of these parameters from
>>> the config script, I need additional checks and queries).
>>>
>>> After some research in the tls module source code I have added some debug
>>> information in the file tls_server.c:
>>>
>>>         if (c->flags & F_CONN_PASSIVE) {
>>>                 state=S_TLS_ACCEPTING;
>>>                 dom = tls_lookup_cfg(cfg, TLS_DOMAIN_SRV,
>>>
>>> &c->rcv.dst_ip, c->rcv.dst_port, 0, 0);
>>>         } else {
>>>                 state=S_TLS_CONNECTING;
>>>                 sname = tls_get_connect_server_name();
>>>                 srvid = tls_get_connect_server_id();
>>> // -------------------------------------------------------------
>>>                 DBG("Entered client config loockup (c->rcv.dst_port
>>> %d)\n", c->rcv.dst_port);
>>>                 DBG("Entered client config loockup (&c->rcv.dst_ip
>>> %s)\n", ip_addr2a(&c->rcv.dst_ip));
>>>                 DBG("Entered client config loockup (c->rcv.src_port
>>> %d)\n", c->rcv.src_port);
>>>                 DBG("Entered client config loockup (&c->rcv.src_ip
>>> %s)\n", ip_addr2a(&c->rcv.src_ip));
>>> // -------------------------------------------------------------
>>>                 dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
>>>                                                 &c->rcv.dst_ip,
>>> c->rcv.dst_port, sname, srvid);
>>>
>>>         }
>>>
>>> After making
>>> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
>>> [parser/msg_parser.c:597]: parse_msg():  method:  <INVITE>
>>> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
>>> [parser/msg_parser.c:599]: parse_msg():  uri:
>>> <sip:9098 at 10.1.23.19:5061;transport=TLS>
>>> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
>>> [parser/msg_parser.c:601]: parse_msg():  version: <SIP/2.0>
>>>
>>> I see
>>>
>>> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
>>> [ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection:
>>> 10.1.23.19
>>> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
>>> [tcp_main.c:985]: tcpconn_new(): on port 5061, type 3
>>> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
>>> [tcp_main.c:1295]: tcpconn_add(): hashes: 1394:0:0, 1
>>> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
>>> [tls_server.c:197]: tls_complete_init(): completing tls connection
>>> initialization
>>> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
>>> [tls_server.c:160]: tls_get_connect_server_name(): xavp with outbound
>>> server name not found
>>> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
>>> [tls_server.c:140]: tls_get_connect_server_id(): xavp with outbound
>>> server id not found
>>> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
>>> [tls_server.c:219]: tls_complete_init(): Entered client config loockup
>>> (c->rcv.dst_port 40123)
>>> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
>>> [tls_server.c:220]: tls_complete_init(): Entered client config loockup
>>> (&c->rcv.dst_ip 10.1.23.23)
>>> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
>>> [tls_server.c:221]: tls_complete_init(): Entered client config loockup
>>> (c->rcv.src_port 5061)
>>> Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
>>> [tls_server.c:222]: tls_complete_init(): Entered client config loockup
>>> (&c->rcv.src_ip 10.1.23.19)
>>>
>>> Where:
>>> &c->rcv.dst_ip 10.1.23.23 - it is my local kamailio TLS socket IP
>>> address the TLS connection is made from
>>> c->rcv.dst_port 40123 - it is my local kamailio TLS socket port
>>> &c->rcv.src_ip 10.1.23.19 - IP of my TLS device the TLS connection is made to
>>> c->rcv.src_port 5061 - port of my TLS device the TLS connection is made to
>>>
>>> So if I change the line
>>>                 dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
>>>                                                 &c->rcv.dst_ip,
>>> c->rcv.dst_port, sname, srvid);
>>> to
>>>                 dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
>>>                                                 &c->rcv.src_ip,
>>> c->rcv.src_port, sname, srvid);
>>>
>>>
>>> I get the correct client domain selection
>>>
>>> Oct 26 09:33:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
>>> [tls_server.c:233]: tls_complete_init(): Using initial TLS domain
>>> TLSc<10.1.23.19:5061> (dom 0x7fd2eefa3d68 ctx 0x7fd2ef7e70a8 sn [])
>>> Oct 26 09:33:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls
>>> [tls_domain.c:703]: sr_ssl_ctx_info_callback(): SSL handshake started
>>>
>>> Can you look at this code?
>>>
>>> Thank you in advance.
>>>
>>> --
>>> Best regards,
>>> Sergey Basov                     e-mail: sergey.v.basov at gmail.com
>>>
>>> tel: (+38067) 403-62-54
>> --
>> Daniel-Constantin Mierla
>> http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
>> Kamailio Advanced Training, Berlin, Nov 28-30, 2016 - http://www.asipto.com
>>

-- 
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Nov 28-30, 2016 - http://www.asipto.com
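As an added illustration of the selection problem discussed in this thread (example code written for this page, not Kamailio's own tls_lookup_cfg; the struct and function names, and the rendering of the default domain, are simplified stand-ins): with the tls.cfg from the report, keying the client-domain lookup on the local socket (rcv.dst_ip/dst_port) can never match a [client:ip:port] section, so every outbound connection silently falls back to [client:default], which in that config has verify_certificate = no. Keying the lookup on the remote peer (rcv.src_ip/src_port) selects the intended per-gateway profile and its CA list.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for Kamailio's receive_info (an assumption, not the
 * real struct). For an outbound connection the report's debug output shows
 * src_* holding the remote peer and dst_* holding the local socket. */
struct rcv_info {
    const char *src_ip; int src_port;   /* remote peer, e.g. 10.1.23.19:5061 */
    const char *dst_ip; int dst_port;   /* local socket, e.g. 10.1.23.23:40123 */
};

/* One [client:...] section of tls.cfg; ip == NULL means [client:default]. */
struct tls_client_domain {
    const char *ip; int port;
    bool verify_certificate;
    const char *ca_list;
};

/* Constructed config mirroring the report's tls.cfg. */
static const struct tls_client_domain client_domains[] = {
    { "10.1.23.19", 5061, true,  "/etc/kamailio/CAs/ca1.pem" },
    { "10.1.23.29", 5061, true,  "/etc/kamailio/CAs/ca2.pem" },
    { NULL,         0,    false, NULL },  /* [client:default]: verify_certificate = no */
};
#define NDOMAINS (sizeof client_domains / sizeof client_domains[0])

/* Exact ip:port match wins; otherwise the default section, if one exists. */
static const struct tls_client_domain *lookup_client_domain(const char *ip, int port)
{
    const struct tls_client_domain *def = NULL;
    for (size_t i = 0; i < NDOMAINS; i++) {
        if (client_domains[i].ip == NULL) { def = &client_domains[i]; continue; }
        if (strcmp(client_domains[i].ip, ip) == 0 && client_domains[i].port == port)
            return &client_domains[i];
    }
    return def;
}

/* Behaviour the report observed in 4.4.3: the key is the local socket,
 * so no [client:ip:port] section can ever match an outbound connection. */
const struct tls_client_domain *select_by_local_socket(const struct rcv_info *c)
{
    return lookup_client_domain(c->dst_ip, c->dst_port);
}

/* Behaviour after the proposed change: the key is the remote peer. */
const struct tls_client_domain *select_by_remote_peer(const struct rcv_info *c)
{
    return lookup_client_domain(c->src_ip, c->src_port);
}

bool is_default_domain(const struct tls_client_domain *d)
{
    return d != NULL && d->ip == NULL;
}

/* Render a domain like the report's log line (TLSc<10.1.23.19:5061>); the
 * "TLSc<default>" form for the default section is this example's own. */
void describe_domain(const struct tls_client_domain *d, char *buf, size_t n)
{
    if (d == NULL)
        snprintf(buf, n, "(no client domain)");
    else if (is_default_domain(d))
        snprintf(buf, n, "TLSc<default> verify=%s", d->verify_certificate ? "yes" : "no");
    else
        snprintf(buf, n, "TLSc<%s:%d> verify=%s ca=%s", d->ip, d->port,
                 d->verify_certificate ? "yes" : "no", d->ca_list);
}

int main(void)
{
    /* Constructed from the report's debug lines for the outbound INVITE. */
    const struct rcv_info c = { "10.1.23.19", 5061, "10.1.23.23", 40123 };
    char buf[128];

    describe_domain(select_by_local_socket(&c), buf, sizeof buf);
    printf("lookup keyed on dst (local socket): %s\n", buf);
    describe_domain(select_by_remote_peer(&c), buf, sizeof buf);
    printf("lookup keyed on src (remote peer):  %s\n", buf);
    return 0;
}
```

The practical check on a live system is the "Using initial TLS domain TLSc<...>" debug line from tls_complete_init() quoted above: if an outbound connection to a gateway that has its own [client:ip:port] section does not report that section, the fallback profile is in use, and with verify_certificate = no in [client:default] the gateway's certificate is not being checked at all. Until a fix is deployed, giving [client:default] verify_certificate = yes and a ca_list makes the fallback fail closed rather than open.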
