[SR-Users] Kamailio when acting as client doesn't send SNI in client hello handshake message

Daniel-Constantin Mierla miconda at gmail.com
Fri Dec 20 15:21:55 CET 2019


Hello,

you add two $xavp(tls=>...) with the operations you do, change to:

$xavp(tls=>server_name)="btip.176.com";
$xavp(tls[0]=>server_id)="btip.176.com";

so the server_id is added to the existing $xavp(tls->...) instead of
creating a new one that doesn't have server_name.

Cheers,
Daniel

On 20.12.19 07:39, mahesh b wrote:
> Hi ,
>      I further went thru the logs of kamailio, and I see the below
> happening.
>
> tls [tls_server.c:169]:  tls_get_connect_server_name[]: xavp with
> outbound server name not found
> tls [tls_server.c:152]:  tls_get_connect_server_id[]: found xavp with
> outbound server id: btip.176.com
>
>    It's strange it's able to find the client profile based on server_id,
> but not able to find using the server_name
>
> In tls_complete_init( )
>
> if (c->flags & F_CONN_PASSIVE) {
>     state=S_TLS_ACCEPTING;
>     dom = tls_lookup_cfg(cfg, TLS_DOMAIN_SRV,
>             &c->rcv.dst_ip, c->rcv.dst_port, 0, 0);
> } else {
>     state=S_TLS_CONNECTING;
>     sname = tls_get_connect_server_name();
>     srvid = tls_get_connect_server_id();
>     dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
>             &c->rcv.dst_ip, c->rcv.dst_port, sname, srvid);
> }
>
> Am acting as client, so it will hit the else part
>
> the call to  sname = tls_get_connect_server_name(); //failed with
> below logs 
>   tls [tls_server.c:169]:  tls_get_connect_server_name[]: xavp with
> outbound server name not found 
>
> the call to   srvid = tls_get_connect_server_id();  // success with
> below logs
> tls [tls_server.c:152]:  tls_get_connect_server_id[]: found xavp with
> outbound server id: btip.176.com
>
> And further down in the function: as sname is NULL, it is not setting
> the server name extension in client hello message.
>
> #ifndef OPENSSL_NO_TLSEXT
> if (sname!=NULL) {
>     if(!SSL_set_tlsext_host_name(data->ssl, sname->s)) {
>         if (data->ssl)
>             SSL_free(data->ssl);
>         if (data->rwbio)
>             BIO_free(data->rwbio);
>         goto error;
>     }
>     LM_DBG("outbound TLS server name set to: %s\n", sname->s);
> }
> #endif
>
> Am I missing anything here w.r.t configuration? Or is it a bug
> which has been fixed in later versions? Please help !!
>
> Regards,
> Mahesh.B
>
>
> On Thu, Dec 19, 2019 at 5:53 PM mahesh b <mahesh.b.2487 at gmail.com> wrote:
>
>     Hi,
>
>     Am using Kamailio 5.1.9 version
>
>
>     My Setup : client1 -> kamailio server 1 ( IP : 10.211.160.172)
>     ----> kamailio server 2( IP : 10.211.160.176) -> client2
>
>     I have a scenario where kamailio server 1 has to initiate an
>     outgoing tls connection to kamailio server 2. I have set the
>     server_name and server_id in the client profile in tls.cfg like
>     below on kamailio server 1
>
>     [client:default]
>     verify_certificate = no
>     require_certificate = no
>     server_name = mahesh.client.com
>
>     [client:10.211.160.172:5061]
>     method = TLSv1+
>     verify_certificate = yes
>     require_certificate = yes
>     private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
>     certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
>     ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
>     cipher_list = RSA
>     verify_depth = 9
>     server_name = btip.176.com
>     server_id = btip.176.com
>
>     And in sar.cfg
>
>     $xavp(tls=>server_name)="btip.176.com";
>     $xavp(tls=>server_id)="btip.176.com";
>     $du = "sip:10.211.160.176:5061;transport=tls";
>     ....
>     t_relay();
>
>     What I observe is that, when client hello is sent by
>     10.211.160.172 to 10.211.160.176, I don't see Extension server_name
>     being sent. Am I missing anything? Please help !
>

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio World Conference - April 27-29, 2020, in Berlin -- www.kamailioworld.com
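
The behaviour described in the reply, as an added example that is not part of the original thread or of Kamailio's source: a simplified C model of an xavp list in which `$xavp(tls=>field)` always pushes a new `tls` entry while `$xavp(tls[0]=>field)` adds to the existing one. All struct and function names are hypothetical, and the model assumes the lookup reads only the newest `tls` xavp, which is consistent with the logs quoted above.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of an xavp list; not Kamailio's real data structures. */
struct field { const char *key, *val; };
struct xavp  { const char *name; struct field f[4]; int nf; };
static struct xavp list[8];   /* list[count-1] is the newest entry */
static int count;
/* Newest xavp with this name, or NULL. */
static struct xavp *xavp_top(const char *name) {
    for (int i = count - 1; i >= 0; i--)
        if (strcmp(list[i].name, name) == 0) return &list[i];
    return NULL;
}
/* Models $xavp(name[0]=>key)="val": add a field to the newest existing xavp. */
static int xavp_set_top(const char *name, const char *key, const char *val) {
    struct xavp *x = xavp_top(name);
    if (!x || x->nf == 4) return -1;
    x->f[x->nf++] = (struct field){ key, val };
    return 0;
}

/* Models $xavp(name=>key)="val": always push a NEW xavp on top of the list. */
static int xavp_push(const char *name, const char *key, const char *val) {
    if (count == 8) return -1;
    list[count++] = (struct xavp){ .name = name };
    return xavp_set_top(name, key, val);
}

/* Models the lookup (assumption): only the newest xavp "name" is searched. */
static const char *xavp_lookup(const char *name, const char *key) {
    struct xavp *x = xavp_top(name);
    for (int i = 0; x && i < x->nf; i++)
        if (strcmp(x->f[i].key, key) == 0) return x->f[i].val;
    return NULL;
}

/* fixed=0: the two assignments from the question; fixed=1: from the reply. */
static const char *sni_after_config(int fixed) {
    count = 0;
    xavp_push("tls", "server_name", "btip.176.com");
    if (fixed) xavp_set_top("tls", "server_id", "btip.176.com");
    else       xavp_push("tls", "server_id", "btip.176.com");
    return xavp_lookup("tls", "server_name");
}
int main(void) {
    const char *a = sni_after_config(0), *b = sni_after_config(1);
    printf("question: %s\nreply: %s\n", a ? a : "(no SNI)", b ? b : "(no SNI)");
    return 0;
}
```

With the question's assignments the newest `tls` entry holds only `server_id`, so the name lookup returns NULL and no SNI is set; with the reply's form both fields sit in the same entry.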
