[SR-Users] Kamailio when acting as client doesnt send SNI in client hello handshake message

mahesh b mahesh.b.2487 at gmail.com
Fri Dec 20 07:39:47 CET 2019


Hi,
     I further went through the logs of Kamailio, and I see the below
happening.

tls [tls_server.c:169]:  tls_get_connect_server_name[]: xavp with outbound
server name not found
tls [tls_server.c:152]:  tls_get_connect_server_id[]: found xavp with
outbound server id: btip.176.com

   It's strange that it's able to find the client profile based on server_id, but
not able to find it using the server_name.

In tls_complete_init():

    if (c->flags & F_CONN_PASSIVE) {
        state = S_TLS_ACCEPTING;
        dom = tls_lookup_cfg(cfg, TLS_DOMAIN_SRV,
                &c->rcv.dst_ip, c->rcv.dst_port, 0, 0);
    } else {
        state = S_TLS_CONNECTING;
        sname = tls_get_connect_server_name();
        srvid = tls_get_connect_server_id();
        dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
                &c->rcv.dst_ip, c->rcv.dst_port, sname, srvid);
    }

I am acting as client, so it will hit the else part.

The call to sname = tls_get_connect_server_name(); failed, with the below
logs:
  tls [tls_server.c:169]:  tls_get_connect_server_name[]: xavp with
outbound server name not found

The call to srvid = tls_get_connect_server_id(); succeeded, with the below
logs:
  tls [tls_server.c:152]:  tls_get_connect_server_id[]: found xavp with
outbound server id: btip.176.com

And further down in the function, as sname is NULL, it is not setting the
server name extension in the client hello message:

    #ifndef OPENSSL_NO_TLSEXT
        if (sname != NULL) {
            if (!SSL_set_tlsext_host_name(data->ssl, sname->s)) {
                if (data->ssl)
                    SSL_free(data->ssl);
                if (data->rwbio)
                    BIO_free(data->rwbio);
                goto error;
            }
            LM_DBG("outbound TLS server name set to: %s\n", sname->s);
        }
    #endif

Am I missing anything here w.r.t. configuration? Or is it a bug which has
been fixed in later versions? Please help!!

Regards,
Mahesh.B


On Thu, Dec 19, 2019 at 5:53 PM mahesh b <mahesh.b.2487 at gmail.com> wrote:

> Hi,
>
> I am using Kamailio version 5.1.9.
>
>
> My Setup : client1 -> kamailio server 1 ( IP : 10.211.160.172) ---->
> kamailio server 2( IP : 10.211.160.176) -> client2
>
> I have a scenario where Kamailio server 1 has to initiate an outgoing TLS
> connection to Kamailio server 2. I have set the server_name and server_id
> in the client profile in tls.cfg like below on Kamailio server 1:
>
> [client:default]
> verify_certificate = no
> require_certificate = no
> server_name = mahesh.client.com
>
> [client:10.211.160.172:5061]
> method = TLSv1+
> verify_certificate = yes
> require_certificate = yes
> private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
> certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
> ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
> cipher_list = RSA
> verify_depth = 9
> server_name = btip.176.com
> server_id = btip.176.com
>
> And in sar.cfg:
>
> $xavp(tls=>server_name)="btip.176.com";
> $xavp(tls=>server_id)="btip.176.com";
> $du = "sip:10.211.160.176:5061;transport=tls";
> ....
> t_relay();
>
> What I observe is that, when the client hello is sent by 10.211.160.172 to
> 10.211.160.176, I don't see the server_name extension being sent. Am I missing
> anything? Please help!
>