[SR-Users] Kamailio when acting as client doesn't send SNI in client hello handshake message

mahesh b mahesh.b.2487 at gmail.com
Tue Dec 24 07:11:39 CET 2019


Thank you Daniel, that resolved my problem.

It would be helpful if in this link
http://www.kamailio.org/docs/modules/5.1.x/modules/tls.html

In section 9.32. xavp_cfg (string)

  the example can be updated from :
...
  modparam("tls", "xavp_cfg", "tls")
 ...
  $xavp(tls=>server_name) = "kamailio.org";
  $xavp(tls=>server_id) = "kamailio.org";
  $du = "sip:kamailio.org:5061;transport=tls";
  route(RELAY);
...

to :
...
  modparam("tls", "xavp_cfg", "tls")
 ...
  $xavp(tls=>server_name) = "kamailio.org";
  $xavp(tls[0]=>server_id) = "kamailio.org";
  $du = "sip:kamailio.org:5061;transport=tls";
  route(RELAY);
...

Regards,
Mahesh.B


On Fri, Dec 20, 2019 at 7:51 PM Daniel-Constantin Mierla <miconda at gmail.com>
wrote:

> Hello,
>
> you add two $xavp(tls=>...) with the operations you do, change to:
>
> $xavp(tls=>server_name)="btip.176.com";
> $xavp(tls[0]=>server_id)="btip.176.com";
>
> so the server_id is added to the existing $xavp(tls->...) instead of
> creating a new one that doesn't have server_name.
>
> Cheers,
> Daniel
> On 20.12.19 07:39, mahesh b wrote:
>
> Hi,
>      I further went through the logs of kamailio, and I see the below
> happening.
>
> tls [tls_server.c:169]:  tls_get_connect_server_name[]: xavp with outbound
> server name not found
> tls [tls_server.c:152]:  tls_get_connect_server_id[]: found xavp with
> outbound server id: btip.176.com
>
>    It's strange it's able to find the client profile based on server_id,
> but not able to find using the server_name
>
> In tls_complete_init( )
>
> if (c->flags & F_CONN_PASSIVE) {
>     state=S_TLS_ACCEPTING;
>     dom = tls_lookup_cfg(cfg, TLS_DOMAIN_SRV,
>             &c->rcv.dst_ip, c->rcv.dst_port, 0, 0);
> } else {
>     state=S_TLS_CONNECTING;
>     sname = tls_get_connect_server_name();
>     srvid = tls_get_connect_server_id();
>     dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
>             &c->rcv.dst_ip, c->rcv.dst_port, sname, srvid);
> }
>
> I am acting as client, so it will hit the else part
>
> the call to  sname = tls_get_connect_server_name(); //failed with below
> logs
>   tls [tls_server.c:169]:  tls_get_connect_server_name[]: xavp with
> outbound server name not found
>
> the call to   srvid = tls_get_connect_server_id();  // success with below
> logs
> tls [tls_server.c:152]:  tls_get_connect_server_id[]: found xavp with
> outbound server id: btip.176.com
>
> And further down in the function: as sname is NULL, it is not setting the
> server name extension in client hello message.
>
> #ifndef OPENSSL_NO_TLSEXT
> if (sname!=NULL) {
>     if(!SSL_set_tlsext_host_name(data->ssl, sname->s)) {
>         if (data->ssl)
>             SSL_free(data->ssl);
>         if (data->rwbio)
>             BIO_free(data->rwbio);
>         goto error;
>     }
>     LM_DBG("outbound TLS server name set to: %s\n", sname->s);
> }
> #endif
>
> Am I missing anything here w.r.t. configuration? Or is it a bug which
> has been fixed in later versions? Please help !!
>
> Regards,
> Mahesh.B
>
>
> On Thu, Dec 19, 2019 at 5:53 PM mahesh b <mahesh.b.2487 at gmail.com> wrote:
>
>> Hi,
>>
>> I am using Kamailio 5.1.9 version
>>
>>
>> My Setup : client1 -> kamailio server 1 ( IP : 10.211.160.172) ---->
>> kamailio server 2( IP : 10.211.160.176) -> client2
>>
>> I have a scenario where kamailio server 1 has to initiate an outgoing tls
>> connection to kamailio server 2. I have set the server_name and server_id
>> in the client profile in tls.cfg like below on kamailio server 1
>>
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>> server_name = mahesh.client.com
>>
>> [client:10.211.160.172:5061]
>> method = TLSv1+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
>> certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
>> ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
>> cipher_list = RSA
>> verify_depth = 9
>> server_name = btip.176.com
>> server_id = btip.176.com
>>
>> And in sar.cfg
>>
>> $xavp(tls=>server_name)="btip.176.com";
>> $xavp(tls=>server_id)="btip.176.com";
>> $du = "sip:10.211.160.176:5061;transport=tls";
>> ....
>> t_relay();
>>
>> What I observe is that, when client hello is sent by 10.211.160.172 to
>> 10.211.160.176, I don't see Extension server_name being sent. Am I missing
>> anything? Please help !
>>
>
>
>
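Why the original script sent no SNI, as an added example that is not part of the thread or of Kamailio's source: a simplified C model of the behaviour Daniel describes, where `$xavp(tls=>...)` creates a new xavp and the name lookup only sees the newest one. The array-based list and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): a stack of xavp roots, newest searched first,
 * each root holding a few key/value fields. */
#define MAXF 4
#define MAXR 4
struct root { const char *name; const char *key[MAXF], *val[MAXF]; int n; };
static struct root roots[MAXR];
static int nroots;                      /* roots[nroots-1] is the newest */

static struct root *first_root(const char *name) {
    for (int i = nroots - 1; i >= 0; i--)
        if (strcmp(roots[i].name, name) == 0) return &roots[i];
    return NULL;
}
static int add_field(struct root *r, const char *k, const char *v) {
    if (!r || r->n == MAXF) return -1;
    r->key[r->n] = k; r->val[r->n] = v; r->n++;
    return 0;
}
/* $xavp(name=>key) = val : creates a NEW root in front of the older ones */
static int xavp_new(const char *name, const char *k, const char *v) {
    if (nroots == MAXR) return -1;
    struct root *r = &roots[nroots++];
    memset(r, 0, sizeof *r);
    r->name = name;
    return add_field(r, k, v);
}
/* $xavp(name[0]=>key) = val : adds the field to the existing first root */
static int xavp_idx0(const char *name, const char *k, const char *v) {
    return add_field(first_root(name), k, v);
}
/* Getter modelled on the thread's logs: only the first root is searched */
static const char *xavp_child(const char *name, const char *k) {
    struct root *r = first_root(name);
    for (int i = 0; r && i < r->n; i++)
        if (strcmp(r->key[i], k) == 0) return r->val[i];
    return NULL;
}
/* server_name seen at connect time; NULL means no SNI in the ClientHello */
static const char *connect_sname(int use_idx0) {
    nroots = 0;
    xavp_new("tls", "server_name", "btip.176.com");
    if (use_idx0) xavp_idx0("tls", "server_id", "btip.176.com");
    else          xavp_new("tls", "server_id", "btip.176.com");
    return xavp_child("tls", "server_name");
}
int main(void) {
    const char *a = connect_sname(0), *b = connect_sname(1);
    printf("tls=>server_id:    sname=%s\n", a ? a : "(null)");
    printf("tls[0]=>server_id: sname=%s\n", b ? b : "(null)");
    return 0;
}
```

In both cases `server_id` is still found, which matches the two log lines quoted above: only the `server_name` lookup fails when the second assignment omits `[0]`.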