[SR-Users] SNI Query
Daniel-Constantin Mierla
miconda at gmail.com
Mon Jan 6 12:18:21 CET 2020
Hello,
do not put a lot of extra information which is irrelevant for the issue
that you try to solve. It is waste of time for someone to read it,
understand and discover is not related to what has to be solved. I asked
a question to clarify something and you replied to it with a lot of
irrelevant details (I + II).
If you want to post informative details for particular working scenarios
to let other know the technical details in case someone wants something
similar, that's good and useful, but make them separate emails.
The server profile is matched by IP if you define a section with
[server:IP...] and there is no SNI. If you want SNI only in some cases,
you can define [server:any] with server_name attribute. The
server:default is selected only when there is no IP/port or SNI match.
Cheers,
Daniel
On 06.01.20 12:07, mahesh b wrote:
> Hi Daniel,
>
> i) Kamailio acting as client ( IP 10.211.160.176) -> Kamailio acting
> as server ( IP 10.211.160.172) *_[ Scenario 1 : Working as Expected ]_*
>
> sni presented by 10.211.160.176 is btip.172.com
> <http://btip.172.com> in client hello, 10.211.160.172 picks below
> profile with server_name = btip.172.com <http://btip.172.com/> for tls
> handshake *_// working as expected_*
>
> [server:10.211.160.172:5061 <http://10.211.160.172:5061/>]
> method = TLSv1+
> verify_certificate = yes
> require_certificate = yes
> private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
> certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
> ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
> cipher_list = RSA
> verify_depth = 9
> server_name = btip.172.com <http://btip.172.com/>
>
> ii) Kamailio acting as client ( IP 10.211.160.163) -> Kamailio acting
> as server ( IP 10.211.160.172) *_[ Scenario 2 : Working as Expected ] _*
>
> sni presented by 10.211.160.163 is ctip.172.com
> <http://ctip.172.com> in client hello, 10.211.160.172 picks below
> profile with server_name = ctip.172.com <http://ctip.172.com/> for tls
> handshake *_// working as expected_*
>
> [server:10.211.160.172:5061 <http://10.211.160.172:5061/>]
> method = TLSv1+
> verify_certificate = yes
> require_certificate = yes
> private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
> certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
> ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
> cipher_list = RSA
> verify_depth = 9
> server_name = ctip.172.com <http://ctip.172.com/>
>
> iii) Kamailio acting as client ( IP 10.211.160.175) -> Kamailio acting
> as server ( IP 10.211.160.172) *_[ Scenario 3 : Not Working as
> Expected ] _*
>
> 10.211.160.175 is *intentionally* *configured* in such a way, it does
> not send sni in client hello to 10.211.160.172
> Now 10.211.160.172 should pick server default profile for tls
> handshake [ Right ?? ]
> Instead it is picking server profile with server_name = ctip.172.com
> <http://ctip.172.com/> // *_isnt this in correct ?? [ I have
> explained in previous email , why it is picking this profile in
> tls_lookup_cfg() ]_*
> *_
> _*
> Regards,
> Mahesh.B
>
> On Mon, Jan 6, 2020 at 3:21 PM Daniel-Constantin Mierla
> <miconda at gmail.com <mailto:miconda at gmail.com>> wrote:
>
> Hello,
>
> trying to understand properly what you want to do and doesn't work
> as expected ...
>
> Is it that kamailio connects via tls to another server and it does
> not present SNI?
>
> Cheers,
> Daniel
>
> On 03.01.20 11:24, mahesh b wrote:
>> Hi All,
>>
>> Am using Kamailio 5.1.9 version.
>>
>> _Below is my tls.cfg_
>>
>> [server:default]
>> method = TLSv1+
>> verify_certificate = no
>> require_certificate = no
>> private_key = server.key
>> certificate = server.crt
>> ca_list = bundle.crt
>> cipher_list = RSA
>> verify_depth = 9
>>
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>>
>>
>> [server:10.211.160.172:5061 <http://10.211.160.172:5061>]
>> method = TLSv1+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key =
>> /root/mahesh_openssl/profile2/btip_172_server_private.key
>> certificate =
>> /root/mahesh_openssl/profile2/btip_172_server_public.crt
>> ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
>> cipher_list = RSA
>> verify_depth = 9
>> server_name = btip.172.com <http://btip.172.com>
>>
>>
>> [server:10.211.160.172:5061 <http://10.211.160.172:5061>]
>> method = TLSv1+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key =
>> /root/mahesh_openssl/profile1/ctip_172_server_private.key
>> certificate =
>> /root/mahesh_openssl/profile1/ctip_172_server_public.crt
>> ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
>> cipher_list = RSA
>> verify_depth = 9
>> server_name = ctip.172.com <http://ctip.172.com>
>>
>> My Kamailio server ip is 10.211.160.172
>>
>> i)When i initiate a tls connection from remote server(which is
>> also a kamailio server) say 10.211.160.176 to 10.211.160.172
>> In the client hello am setting sni name as btip.172.com
>> <http://btip.172.com> => so on 10.211.160.172 side it is picking
>> up the server profile with serve_name btip.172.com
>> <http://btip.172.com> for the tls handshake.*// Working as expected*
>>
>> ii)When i initiate a tls connection from another remote
>> server(Which is also a kamailio server) say 10.211.160.163 to
>> 10.211.160.172
>> In the client hello am setting sni name as ctip.172.com
>> <http://ctip.172.com> => so on 10.211.160.172 side it is picking
>> up the server profile with serve_name ctip.172.com
>> <http://ctip.172.com> for the tls handshake.*// Working as expected*
>>
>> iii)When i initiate a tls connection from another remote
>> server(Which is also a kamailio server) say 10.211.160.175 to
>> 10.211.160.172
>> In the client hello am NOT setting sni name => so on
>> 10.211.160.172 side should it pick up the server default profile
>> or the first profile to which IP and port matches ?
>> what i observe from logs is that it is picking up the server
>> profile with server_name ctip.172.com <http://ctip.172.com> for
>> the tls handshake.
>>
>>
>> I had a look at the code in function tls_lookup_cfg, from the
>> debug prints i understand it is trying to match profile for IP
>> and port
>>
>> if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip,
>> ip))*// IP and port matched*
>> {
>> if(sname && sname->len>0) *//Incoming Client hello dint
>> have sname, so it will hit the else part*
>> {
>> if(p->server_name.s &&
>> p->server_name.len==sname->len
>> && strncasecmp(p->server_name.s, sname->s,
>> sname->len)==0)
>> {
>> LM_DBG("socket+server_name based TLS server
>> domain found\n");
>> return p;
>> }
>> }
>> else
>> {
>> return p; *// so it is returning the first profile to which
>> IP and port matched.*
>> }
>> }
>>
>>
>> Am i missing anything or is this a bug ? if in the clienthello
>> there is no sni , what needs to be done to make use of the
>> default profile for the tls handshake ? Or is this something
>> fixed in latest.
>> I just Tried and Modified the code as below, after which it is
>> giving the server default profile when no sni in Incoming Client
>> Hello.
>>
>> if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip))
>> {
>> if(sname && sname->len>0)
>> {
>> if(p->server_name.s &&
>> p->server_name.len==sname->len
>> && strncasecmp(p->server_name.s, sname->s,
>> sname->len)==0)
>> {
>> LM_DBG("socket+server_name based TLS server
>> domain found\n");
>> return p;
>> }
>> }
>> else
>> {
>> if( (type & TLS_DOMAIN_SRV) && (p->server_name.s) )
>> {
>> LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
>> return cfg->srv_default;
>> }
>> else
>> {
>> LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
>> return p;
>> }
>> }
>> }
>>
>> Regards,
>> Mahesh.B
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org <mailto:sr-users at lists.kamailio.org>
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
> --
> Daniel-Constantin Mierla -- www.asipto.com <http://www.asipto.com>
> www.twitter.com/miconda <http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda <http://www.linkedin.com/in/miconda>
> Kamailio World Conference - April 27-29, 2020, in Berlin -- www.kamailioworld.com <http://www.kamailioworld.com>
>
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio World Conference - April 27-29, 2020, in Berlin -- www.kamailioworld.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20200106/105f946f/attachment.html>
More information about the sr-users
mailing list