I'm using Kamailio 5.2.2+xenial.
Set up a basic tls.cfg like this:
```
[server:default]
verify_certificate = no
require_certificate = no
private_key = /tmp/default.key
certificate = /tmp/default.pem
[server:any]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /tmp/domain.key
certificate = /tmp/domain.pem
server_name = sip.domain.com
server_name_mode = 1
```
Connect with openssl like this `openssl s_client -connect server:5061` and
Kamailio will - obviously - offer the default.pem certificate.
However, use `openssl s_client -connect server:5061 -servername sip.domain.com`
and Kamailio will still offer the default.pem certificate, where I'd expect it
to offer domain.pem. I tested these `openssl` command-line invocations against
an nginx server that's working with these same certificates, and SNI is working
properly there.
From the Kamailio logs on starting up, it does seem to detect that an SNI
callback should be registered with OpenSSL.
```
Apr 25 11:43:37 kamailio[7447]: NOTICE: tls [tls_domain.c:1083]:
ksr_tls_fix_domain(): registered server_name callback handler for socket [:0],
server_name='sip.domain.com' ...
```
However, it's not triggering:
```
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/ip_addr.c:229]: print_ip():
tcpconn_new: new tcp connection: 4.1.3.1
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:999]:
tcpconn_new(): on port 55428, type 3
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:1305]:
tcpconn_add(): hashes: 3726:2401:2691, 1
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/io_wait.h:380]:
io_watch_add(): DBG: io_watch_add(0xa86c60, 60, 2, 0x7f00ad8279b0), fd_no=51
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/io_wait.h:602]:
io_watch_del(): DBG: io_watch_del (0xa86c60, 60, -1, 0x0) fd_no=52 called
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:4196]:
handle_tcpconn_ev(): sending to child, events 1
Apr 25 11:39:04 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:3875]:
send2child(): selected tcp worker idx:0 proc:44 pid:7342 for activity on
[tls:1.6.1.6:5061], 0x7f00ad8279b0
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_read.c:1759]:
handle_io(): received n=8 con=0x7f00ad8279b0, fd=10
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:199]:
tls_complete_init(): completing tls connection initialization
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:228]:
tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7f00ad1b02e8
ctx 0x7f00ad406408 sn [])
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:1155]:
tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f00ad406408: (nil)
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:737]:
sr_ssl_ctx_info_callback(): SSL handshake started
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2460]:
tcpconn_do_send(): sending...
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2494]:
tcpconn_do_send(): after real write: c= 0x7f00ad8279b0 n=2817 fd=10
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2495]:
tcpconn_do_send(): buf=#012#026#003#001
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/io_wait.h:380]:
io_watch_add(): DBG: io_watch_add(0xae0200, 10, 2, 0x7f00ad8279b0), fd_no=1
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:1155]:
tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f00ad406408: (nil)
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:749]:
sr_ssl_ctx_info_callback(): SSL handshake done
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_domain.c:753]:
sr_ssl_ctx_info_callback(): SSL disable renegotiation
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:424]: tls_accept():
TLS accept successful
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:431]: tls_accept():
tls_accept: new connection from 4.1.3.1:55428 using TLSv1/SSLv3 AES256-SHA 256
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:434]: tls_accept():
tls_accept: local socket: 1.6.1.6:5061
Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:445]: tls_accept():
tls_accept: client did not present a certificate
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2460]:
tcpconn_do_send(): sending...
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2494]:
tcpconn_do_send(): after real write: c= 0x7f00ad8279b0 n=266 fd=10
Apr 25 11:39:04 kamailio[7342]: DEBUG: <core> [core/tcp_main.c:2495]:
tcpconn_do_send(): buf=#012#026#003#001
Apr 25 11:39:10 kamailio[7342]: DEBUG: <core> [core/io_wait.h:602]:
io_watch_del(): DBG: io_watch_del (0xae0200, 10, -1, 0x10) fd_no=2 called
Apr 25 11:39:10 kamailio[7342]: DEBUG: <core> [core/tcp_read.c:1680]:
release_tcpconn(): releasing con 0x7f00ad8279b0, state 1, fd=10, id=1
([4.1.3.1]:55428 -> [4.1.3.1]:5061)
Apr 25 11:39:10 kamailio[7342]: DEBUG: <core> [core/tcp_read.c:1684]:
release_tcpconn(): extra_data 0x7f00ad7c4ab8
Apr 25 11:39:10 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:3307]:
handle_tcp_child(): reader response= 7f00ad8279b0, 1 from 0
Apr 25 11:39:10 kamailio[7344]: DEBUG: <core> [core/io_wait.h:380]:
io_watch_add(): DBG: io_watch_add(0xa86c60, 60, 2, 0x7f00ad8279b0), fd_no=51
Apr 25 11:39:10 kamailio[7344]: DEBUG: <core> [core/tcp_main.c:3434]:
handle_tcp_child(): CONN_RELEASE 0x7f00ad8279b0 refcnt= 1
```
Looking at other issues like #1574, I think I'm supposed to see a
`tls_server_name_cb` log line upon connecting, but there is none.
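As an added check (not the reporter's code nor part of the Kamailio project), the probe below fetches the leaf certificate once without and once with SNI and compares fingerprints, and scans Kamailio debug lines for the selected TLS domain and the expected `tls_server_name_cb` line; the command-line arguments and `SAMPLE_LOG` are constructed for illustration.

```python
import hashlib, re, socket, ssl

def fetch_leaf_cert(host, port, servername=None, timeout=5.0):
    # DER leaf cert the server presents. servername=None sends no SNI extension.
    # Verification is off on purpose: we want the cert the server *chose*.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before dropping verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=servername) as tls:
            return tls.getpeercert(binary_form=True)

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def sni_honoured(bare_der, sni_der):
    # True when the SNI handshake yielded a different leaf than the bare one,
    # i.e. the server's server_name selection actually took effect.
    return fingerprint(bare_der) != fingerprint(sni_der)

# Which TLS domain served the handshake and what SNI value Kamailio recorded.
DOMAIN_RE = re.compile(r"TLSs<(?P<dom>[^>]*)>.*?sn \[(?P<sn>[^\]]*)\]")

def sni_evidence(log_lines):
    # Syslog wraps Kamailio lines, so join before matching. Reports the
    # selected domain and whether the expected tls_server_name_cb line appeared.
    joined = " ".join(line.strip() for line in log_lines)
    ev = {"domain": None, "sni": None,
          "callback_seen": "tls_server_name_cb" in joined}
    m = DOMAIN_RE.search(joined)
    if m:
        ev["domain"], ev["sni"] = m.group("dom"), m.group("sn")
    return ev

# Constructed sample: the relevant lines from the report above, as wrapped.
SAMPLE_LOG = [
    "Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:228]:",
    "tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7f00ad1b02e8",
    "ctx 0x7f00ad406408 sn [])",
    "Apr 25 11:39:04 kamailio[7342]: DEBUG: tls [tls_server.c:424]: tls_accept():",
    "TLS accept successful",
]

if __name__ == "__main__":  # usage: script.py HOST PORT SNI_NAME (hypothetical CLI)
    import sys
    host, port, name = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    bare, sni = fetch_leaf_cert(host, port), fetch_leaf_cert(host, port, name)
    print("bare", fingerprint(bare)[:16], "sni", fingerprint(sni)[:16],
          "honoured:", sni_honoured(bare, sni), sni_evidence(SAMPLE_LOG))
```

On the log side, a `domain` of `default` with an empty `sn` and no callback line is exactly the symptom described above; a working setup would show the domain whose `server_name` matches the SNI sent.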
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/1938
_______________________________________________
Kamailio (SER) - Development Mailing List
sr-dev@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-dev