I'm using Kamailio 5.2.2+xenial.

Set up a basic tls.cfg like this:

```
[server:default]
verify_certificate = no
require_certificate = no
private_key = /tmp/default.key
certificate = /tmp/default.pem

[server:any]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /tmp/domain.key
certificate = /tmp/domain.pem
server_name = sip.domain.com
server_name_mode = 1
```

Connect with openssl like this `openssl s_client -connect server:5061` and 
Kamailio will - obviously - offer the default.pem certificate.

However, use `openssl s_client -connect server:5061 -servername sip.domain.com` 
and Kamailio will still offer the default.pem certificate, where I'd expect it 
to offer domain.pem. I tested these `openssl` commandline invocations against 
an nginx server that's working with these same certificates, and SNI is working 
properly there.

From the Kamailio logs on starting up, it does seem to detect that an SNI 
callback should be registered with OpenSSL.

```
Apr 25 11:43:37 kamailio[7447]: NOTICE: tls [tls_domain.c:1083]: 
ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], 
server_name='sip.domain.com' ...
```

However, it's not triggering:

```
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/ip_addr.c:229]: print_ip(): 
tcpconn_new: new tcp connection: 4.1.3.1
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:999]: 
tcpconn_new(): on port 55428, type 3
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:1305]: 
tcpconn_add(): hashes: 3726:2401:2691, 1
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/io_wait.h:380]: 
io_watch_add(): DBG: io_watch_add(0xa86c60, 60, 2, 0x7f00ad8279b0), fd_no=51
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/io_wait.h:602]: 
io_watch_del(): DBG: io_watch_del (0xa86c60, 60, -1, 0x0) fd_no=52 called
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:4196]: 
handle_tcpconn_ev(): sending to child, events 1
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:3875]: 
send2child(): selected tcp worker idx:0 proc:44 pid:7342 for activity on 
[tls:1.6.1.6:5061], 0x7f00ad8279b0
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_read.c:1759]: 
handle_io(): received n=8 con=0x7f00ad8279b0, fd=10
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:199]: 
tls_complete_init(): completing tls connection initialization
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:228]: 
tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7f00ad1b02e8 
ctx 0x7f00ad406408 sn [])
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:1155]: 
tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f00ad406408: (nil)
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:737]: 
sr_ssl_ctx_info_callback(): SSL handshake started
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2460]: 
tcpconn_do_send(): sending...
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2494]: 
tcpconn_do_send(): after real write: c= 0x7f00ad8279b0 n=2817 fd=10
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2495]: 
tcpconn_do_send(): buf=#012#026#003#001
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/io_wait.h:380]: 
io_watch_add(): DBG: io_watch_add(0xae0200, 10, 2, 0x7f00ad8279b0), fd_no=1
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:1155]: 
tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f00ad406408: (nil)
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:749]: 
sr_ssl_ctx_info_callback(): SSL handshake done
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:753]: 
sr_ssl_ctx_info_callback(): SSL disable renegotiation
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:424]: tls_accept(): 
TLS accept successful
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:431]: tls_accept(): 
tls_accept: new connection from 4.1.3.1:55428 using TLSv1/SSLv3 AES256-SHA 256
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:434]: tls_accept(): 
tls_accept: local socket: 1.6.1.6:5061
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:445]: tls_accept(): 
tls_accept: client did not present a certificate
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2460]: 
tcpconn_do_send(): sending...
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2494]: 
tcpconn_do_send(): after real write: c= 0x7f00ad8279b0 n=266 fd=10
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2495]: 
tcpconn_do_send(): buf=#012#026#003#001
Apr 25 11:39:10 kamailio[7342]: DEBUG: <core> [core/io_wait.h:602]: 
io_watch_del(): DBG: io_watch_del (0xae0200, 10, -1, 0x10) fd_no=2 called
Apr 25 11:39:10 kamailio[7342]: DEBUG: <core> [core/tcp_read.c:1680]: 
release_tcpconn(): releasing con 0x7f00ad8279b0, state 1, fd=10, id=1 
([4.1.3.1]:55428 -> [4.1.3.1]:5061)
Apr 25 11:39:10 kamailio[7342]: DEBUG: <core> [core/tcp_read.c:1684]: 
release_tcpconn(): extra_data 0x7f00ad7c4ab8
Apr 25 11:39:10 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:3307]: 
handle_tcp_child(): reader response= 7f00ad8279b0, 1 from 0
Apr 25 11:39:10 kamailio[7344]: DEBUG: <core> [core/io_wait.h:380]: 
io_watch_add(): DBG: io_watch_add(0xa86c60, 60, 2, 0x7f00ad8279b0), fd_no=51
Apr 25 11:39:10 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:3434]: 
handle_tcp_child(): CONN_RELEASE  0x7f00ad8279b0 refcnt= 1
```

Looking at other issues like #1574, I think I'm supposed to see a 
`tls_server_name_cb` log line upon connecting, but there is none.
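For comparison, here is a minimal stand-alone model of the behaviour the tls.cfg above describes, written in Go as an added example (not Kamailio's code): two constructed self-signed certificates, a listener whose `GetCertificate` hook plays the role of Kamailio's server_name callback, and a client helper that connects with and without a `-servername`, the same way the `openssl s_client` invocations above do, and reports which certificate was actually served. The names `default.example` and `sip.domain.com` are test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for name (constructed
// test data standing in for /tmp/default.pem and /tmp/domain.pem).
func selfSigned(name string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// sniServer mirrors the tls.cfg: a ClientHello whose server_name equals
// domainName gets domainCert; anything else (including no SNI) gets defaultCert.
func sniServer(defaultCert, domainCert tls.Certificate, domainName string) (net.Listener, error) {
	cfg := &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if h.ServerName == domainName { // the server_name callback that should fire
			return &domainCert, nil
		}
		return &defaultCert, nil
	}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	// Handshake each client in turn and drop it; enough for a certificate check.
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	return ln, nil
}

// servedName does what `openssl s_client -connect addr [-servername sni]` does and
// returns the SAN of the leaf certificate the server presented. An empty sni sends
// no server_name extension, because addr is an IP literal.
func servedName(addr, sni string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].DNSNames[0], nil
}
```

Pointing `servedName` at a real Kamailio listener instead of the local `sniServer` gives the same with/without-SNI comparison as the two `openssl s_client` runs, and a mismatch between the two names is exactly the symptom reported here.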

Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/1938