[SR-Users] SNI Query

mahesh b mahesh.b.2487 at gmail.com
Mon Jan 6 13:00:59 CET 2020


Hi Daniel,
               Thanks for the explanation! The first reply gave the
impression that I didn't give the required info, hence I re-clarified. Point
noted!
Regards,
Mahesh.B

On Mon, Jan 6, 2020 at 4:48 PM Daniel-Constantin Mierla <miconda at gmail.com>
wrote:

> Hello,
>
> do not put a lot of extra information which is irrelevant for the issue
> that you try to solve. It is a waste of time for someone to read it,
> understand it and discover it is not related to what has to be solved. I asked a
> question to clarify something and you replied to it with a lot of
> irrelevant details (I + II).
>
> If you want to post informative details for particular working scenarios
> to let others know the technical details in case someone wants something
> similar, that's good and useful, but make them separate emails.
>
> The server profile is matched by IP if you define a section with
> [server:IP...] and there is no SNI. If you want SNI only in some cases, you
> can define [server:any] with server_name attribute. The server:default is
> selected only when there is no IP/port or SNI match.
>
> Cheers,
> Daniel
> On 06.01.20 12:07, mahesh b wrote:
>
> Hi Daniel,
>
> i) Kamailio acting as client (IP 10.211.160.176) -> Kamailio acting as
> server (IP 10.211.160.172) *[ Scenario 1 : Working as Expected ]*
>
>   The SNI presented by 10.211.160.176 is btip.172.com in the client hello;
> 10.211.160.172 picks the profile below with server_name = btip.172.com for
> the TLS handshake *// working as expected*
>
>   [server:10.211.160.172:5061]
> method = TLSv1+
> verify_certificate = yes
> require_certificate = yes
> private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
> certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
> ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
> cipher_list = RSA
> verify_depth = 9
> server_name = btip.172.com
>
> ii) Kamailio acting as client (IP 10.211.160.163) -> Kamailio acting as
> server (IP 10.211.160.172) *[ Scenario 2 : Working as Expected ]*
>
>   The SNI presented by 10.211.160.163 is ctip.172.com in the client hello;
> 10.211.160.172 picks the profile below with server_name = ctip.172.com for
> the TLS handshake *// working as expected*
>
>   [server:10.211.160.172:5061]
> method = TLSv1+
> verify_certificate = yes
> require_certificate = yes
> private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
> certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
> ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
> cipher_list = RSA
> verify_depth = 9
> server_name = ctip.172.com
>
> iii) Kamailio acting as client (IP 10.211.160.175) -> Kamailio acting as
> server (IP 10.211.160.172) *[ Scenario 3 : Not Working as Expected ]*
>
> 10.211.160.175 is *intentionally configured* in such a way that it does not
> send SNI in the client hello to 10.211.160.172.
> Now 10.211.160.172 should pick the server default profile for the TLS handshake
> [ Right ?? ]
> Instead it is picking the server profile with server_name = ctip.172.com // *isn't
> this incorrect ?? [ I have explained in the previous email why it is picking
> this profile in tls_lookup_cfg() ]*
>
> Regards,
> Mahesh.B
>
> On Mon, Jan 6, 2020 at 3:21 PM Daniel-Constantin Mierla <miconda at gmail.com>
> wrote:
>
>> Hello,
>>
>> trying to understand properly what you want to do and what doesn't work as
>> expected ...
>>
>> Is it that Kamailio connects via TLS to another server and it does not
>> present SNI?
>>
>> Cheers,
>> Daniel
>> On 03.01.20 11:24, mahesh b wrote:
>>
>> Hi All,
>>
>> I am using Kamailio version 5.1.9.
>>
>> *Below is my tls.cfg*
>>
>> [server:default]
>> method = TLSv1+
>> verify_certificate = no
>> require_certificate = no
>> private_key = server.key
>> certificate = server.crt
>> ca_list = bundle.crt
>> cipher_list = RSA
>> verify_depth = 9
>>
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>>
>>
>> [server:10.211.160.172:5061]
>> method = TLSv1+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
>> certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
>> ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
>> cipher_list = RSA
>> verify_depth = 9
>> server_name = btip.172.com
>>
>>
>> [server:10.211.160.172:5061]
>> method = TLSv1+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
>> certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
>> ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
>> cipher_list = RSA
>> verify_depth = 9
>> server_name = ctip.172.com
>>
>> My Kamailio server IP is 10.211.160.172.
>>
>> i) When I initiate a TLS connection from a remote server (which is also a
>> Kamailio server), say 10.211.160.176, to 10.211.160.172:
>>   In the client hello I am setting the SNI name to btip.172.com => so on the
>> 10.211.160.172 side it is picking up the server profile with server_name
>> btip.172.com for the TLS handshake. *// Working as expected*
>>
>> ii) When I initiate a TLS connection from another remote server (which is
>> also a Kamailio server), say 10.211.160.163, to 10.211.160.172:
>>   In the client hello I am setting the SNI name to ctip.172.com => so on the
>> 10.211.160.172 side it is picking up the server profile with server_name
>> ctip.172.com for the TLS handshake. *// Working as expected*
>>
>> iii) When I initiate a TLS connection from another remote server (which is
>> also a Kamailio server), say 10.211.160.175, to 10.211.160.172:
>>   In the client hello I am NOT setting an SNI name => so on the 10.211.160.172
>> side, should it pick up the server default profile or the first profile
>> whose IP and port match?
>>   What I observe from the logs is that it is picking up the server profile
>> with server_name ctip.172.com for the TLS handshake.
>>
>>
>>   I had a look at the code in the function tls_lookup_cfg; from the debug
>> prints I understand it is trying to match the profile by IP and port:
>>
>> if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip)) /* IP and port matched */
>> {
>>     if(sname && sname->len>0) /* incoming client hello didn't have sname, so it hits the else part */
>>     {
>>         if(p->server_name.s && p->server_name.len==sname->len
>>                 && strncasecmp(p->server_name.s, sname->s, sname->len)==0)
>>         {
>>             LM_DBG("socket+server_name based TLS server domain found\n");
>>             return p;
>>         }
>>     }
>>     else
>>     {
>>         return p; /* so it is returning the first profile to which IP and port matched */
>>     }
>> }
>>
>>
>> Am I missing anything, or is this a bug? If in the client hello there is
>> no SNI, what needs to be done to make use of the default profile for the
>> TLS handshake? Or is this something fixed in the latest version?
>> I just tried and modified the code as below, after which it is giving the
>> server default profile when there is no SNI in the incoming client hello.
>>
>> if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip))
>> {
>>     if(sname && sname->len>0)
>>     {
>>         if(p->server_name.s && p->server_name.len==sname->len
>>                 && strncasecmp(p->server_name.s, sname->s, sname->len)==0)
>>         {
>>             LM_DBG("socket+server_name based TLS server domain found\n");
>>             return p;
>>         }
>>     }
>>     else
>>     {
>>         if( (type & TLS_DOMAIN_SRV) && (p->server_name.s) )
>>         {
>>             LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
>>             return cfg->srv_default;
>>         }
>>         else
>>         {
>>             LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
>>             return p;
>>         }
>>     }
>> }
>>
>> Regards,
>> Mahesh.B
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users at lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>> --
>> Daniel-Constantin Mierla -- www.asipto.com -- www.twitter.com/miconda -- www.linkedin.com/in/miconda
>> Kamailio World Conference - April 27-29, 2020, in Berlin -- www.kamailioworld.com
>>
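The selection loop quoted from tls_lookup_cfg() above, and Mahesh's patched variant, as a stand-alone model added here for illustration. This is not Kamailio's code: the domain_t/domains_cfg_t records, the labels, ip_match() and sni_match() are constructed stand-ins, and the ordering of the list is an assumption (parsed sections chained in front of the list, so the last section in tls.cfg is walked first) chosen because it reproduces the ctip.172.com result reported in the thread for a hello without SNI.

```c
/* Added example (not Kamailio code): a model of the profile-selection loop
 * quoted in this thread. Record layout, labels, helper names and the list
 * order are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

typedef struct domain {
    const char *ip;          /* address from the [server:IP:port] header */
    unsigned short port;     /* 0 matches any port, as in the quoted code */
    const char *server_name; /* NULL when the section has no server_name */
    const char *label;       /* constructed name reported in the results */
    struct domain *next;
} domain_t;

typedef struct {
    domain_t *srv_list;      /* [server:IP:port] sections */
    domain_t *srv_default;   /* [server:default] */
} domains_cfg_t;

/* Stand-in for ip_addr_cmp(): plain string compare on dotted quads. */
static int ip_match(const domain_t *p, const char *ip)
{
    return strcmp(p->ip, ip) == 0;
}

/* Same test as the quoted code: equal length and case-insensitive equal. */
static int sni_match(const domain_t *p, const char *sname)
{
    size_t n = strlen(sname);
    return p->server_name && strlen(p->server_name) == n
           && strncasecmp(p->server_name, sname, n) == 0;
}

/* The loop as quoted: with SNI, only a profile whose server_name equals it
 * is returned; without SNI the first IP/port match is returned whether or
 * not it carries a server_name. Falls back to the default profile. */
const char *lookup_as_posted(const domains_cfg_t *cfg, const char *ip,
                             unsigned short port, const char *sname)
{
    for (const domain_t *p = cfg->srv_list; p; p = p->next) {
        if ((p->port == 0 || p->port == port) && ip_match(p, ip)) {
            if (sname && sname[0]) {
                if (sni_match(p, sname))
                    return p->label;
            } else {
                return p->label;
            }
        }
    }
    return cfg->srv_default->label;  /* no IP/port or SNI match */
}

/* Mahesh's proposed change: a hello without SNI that lands on an IP/port
 * match carrying a server_name gets the default profile instead. */
const char *lookup_patched(const domains_cfg_t *cfg, const char *ip,
                           unsigned short port, const char *sname)
{
    for (const domain_t *p = cfg->srv_list; p; p = p->next) {
        if ((p->port == 0 || p->port == port) && ip_match(p, ip)) {
            if (sname && sname[0]) {
                if (sni_match(p, sname))
                    return p->label;
            } else if (p->server_name) {
                return cfg->srv_default->label;
            } else {
                return p->label;
            }
        }
    }
    return cfg->srv_default->label;
}

/* The tls.cfg from the thread. Assumption: sections are chained in front of
 * the list as they are parsed, so ctip (last in the file) is walked first. */
static domain_t dflt = { "", 0, NULL, "server:default", NULL };
static domain_t btip = { "10.211.160.172", 5061, "btip.172.com", "btip", NULL };
static domain_t ctip = { "10.211.160.172", 5061, "ctip.172.com", "ctip", &btip };
static domains_cfg_t cfg = { &ctip, &dflt };

/* Which profile 10.211.160.172:5061 selects for a given SNI (NULL = none). */
const char *scenario(int patched, const char *sname)
{
    return patched ? lookup_patched(&cfg, "10.211.160.172", 5061, sname)
                   : lookup_as_posted(&cfg, "10.211.160.172", 5061, sname);
}

int main(void)
{
    printf("SNI btip.172.com  -> %s\n", scenario(0, "btip.172.com"));
    printf("SNI ctip.172.com  -> %s\n", scenario(0, "ctip.172.com"));
    printf("no SNI, as posted -> %s\n", scenario(0, NULL));
    printf("no SNI, patched   -> %s\n", scenario(1, NULL));
    return 0;
}
```

Scenarios i) and ii) resolve by server_name in both variants; scenario iii) is where they differ: the quoted loop returns the first IP/port match (ctip under the ordering assumed here), the patched loop returns server:default. An SNI that matches no section also ends on server:default, which is the "no IP/port or SNI match" case Daniel describes.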