Hi Daniel,

Thanks for the explanation! The first reply gave the impression that I didn't give the required info, hence I re-clarified. Point noted!

Regards,
Mahesh.B
On Mon, Jan 6, 2020 at 4:48 PM Daniel-Constantin Mierla <mico...@gmail.com> wrote:

> Hello,
>
> do not put a lot of extra information which is irrelevant for the issue that you try to solve. It is a waste of time for someone to read it, understand it and discover it is not related to what has to be solved. I asked a question to clarify something and you replied to it with a lot of irrelevant details (I + II).
>
> If you want to post informative details for particular working scenarios to let others know the technical details in case someone wants something similar, that's good and useful, but make them separate emails.
>
> The server profile is matched by IP if you define a section with [server:IP...] and there is no SNI. If you want SNI only in some cases, you can define [server:any] with server_name attribute. The server:default is selected only when there is no IP/port or SNI match.
>
> Cheers,
> Daniel
>
> On 06.01.20 12:07, mahesh b wrote:
>
> Hi Daniel,
>
> i) Kamailio acting as client (IP 10.211.160.176) -> Kamailio acting as server (IP 10.211.160.172) [Scenario 1: Working as Expected]
>
> The SNI presented by 10.211.160.176 is btip.172.com in the client hello; 10.211.160.172 picks the profile below with server_name = btip.172.com for the TLS handshake // working as expected
>
> [server:10.211.160.172:5061]
> method = TLSv1+
> verify_certificate = yes
> require_certificate = yes
> private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
> certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
> ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
> cipher_list = RSA
> verify_depth = 9
> server_name = btip.172.com
>
> ii) Kamailio acting as client (IP 10.211.160.163) -> Kamailio acting as server (IP 10.211.160.172) [Scenario 2: Working as Expected]
>
> The SNI presented by 10.211.160.163 is ctip.172.com in the client hello; 10.211.160.172 picks the profile below with server_name = ctip.172.com for the TLS handshake // working as expected
>
> [server:10.211.160.172:5061]
> method = TLSv1+
> verify_certificate = yes
> require_certificate = yes
> private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
> certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
> ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
> cipher_list = RSA
> verify_depth = 9
> server_name = ctip.172.com
>
> iii) Kamailio acting as client (IP 10.211.160.175) -> Kamailio acting as server (IP 10.211.160.172) [Scenario 3: Not Working as Expected]
>
> 10.211.160.175 is intentionally configured in such a way that it does not send SNI in the client hello to 10.211.160.172.
> Now 10.211.160.172 should pick the server default profile for the TLS handshake [Right??]
> Instead it is picking the server profile with server_name = ctip.172.com // isn't this incorrect?? [I have explained in the previous email why it is picking this profile in tls_lookup_cfg()]
>
> Regards,
> Mahesh.B
>
> On Mon, Jan 6, 2020 at 3:21 PM Daniel-Constantin Mierla <mico...@gmail.com> wrote:
>
>> Hello,
>>
>> trying to understand properly what you want to do and what doesn't work as expected ...
>>
>> Is it that Kamailio connects via TLS to another server and it does not present SNI?
>>
>> Cheers,
>> Daniel
>>
>> On 03.01.20 11:24, mahesh b wrote:
>>
>> Hi All,
>>
>> I am using Kamailio version 5.1.9.
>>
>> Below is my tls.cfg:
>>
>> [server:default]
>> method = TLSv1+
>> verify_certificate = no
>> require_certificate = no
>> private_key = server.key
>> certificate = server.crt
>> ca_list = bundle.crt
>> cipher_list = RSA
>> verify_depth = 9
>>
>> [client:default]
>> verify_certificate = no
>> require_certificate = no
>>
>> [server:10.211.160.172:5061]
>> method = TLSv1+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
>> certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
>> ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
>> cipher_list = RSA
>> verify_depth = 9
>> server_name = btip.172.com
>>
>> [server:10.211.160.172:5061]
>> method = TLSv1+
>> verify_certificate = yes
>> require_certificate = yes
>> private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
>> certificate = /root/mahesh_openssl/profile1/ctip_172_server_public.crt
>> ca_list = /root/mahesh_openssl/profile1/ctip_ca_public.crt
>> cipher_list = RSA
>> verify_depth = 9
>> server_name = ctip.172.com
>>
>> My Kamailio server IP is 10.211.160.172.
>>
>> i) When I initiate a TLS connection from a remote server (which is also a Kamailio server), say 10.211.160.176, to 10.211.160.172, in the client hello I am setting the SNI name as btip.172.com => so on the 10.211.160.172 side it is picking up the server profile with server_name btip.172.com for the TLS handshake. // Working as expected
>>
>> ii) When I initiate a TLS connection from another remote server (which is also a Kamailio server), say 10.211.160.163, to 10.211.160.172, in the client hello I am setting the SNI name as ctip.172.com => so on the 10.211.160.172 side it is picking up the server profile with server_name ctip.172.com for the TLS handshake. // Working as expected
>>
>> iii) When I initiate a TLS connection from another remote server (which is also a Kamailio server), say 10.211.160.175, to 10.211.160.172, in the client hello I am NOT setting an SNI name => so on the 10.211.160.172 side, should it pick up the server default profile or the first profile to which IP and port match?
>> What I observe from the logs is that it is picking up the server profile with server_name ctip.172.com for the TLS handshake.
>>
>> I had a look at the code in the function tls_lookup_cfg; from the debug prints I understand it is trying to match the profile by IP and port:
>>
>>     if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip)) /* IP and port matched */
>>     {
>>         if(sname && sname->len>0) /* incoming client hello didn't have sname, so it will hit the else part */
>>         {
>>             if(p->server_name.s && p->server_name.len==sname->len
>>                     && strncasecmp(p->server_name.s, sname->s, sname->len)==0)
>>             {
>>                 LM_DBG("socket+server_name based TLS server domain found\n");
>>                 return p;
>>             }
>>         }
>>         else
>>         {
>>             return p; /* so it is returning the first profile to which IP and port matched */
>>         }
>>     }
>>
>> Am I missing anything or is this a bug? If in the client hello there is no SNI, what needs to be done to make use of the default profile for the TLS handshake? Or is this something fixed in the latest version?
>> I just tried and modified the code as below, after which it is giving the server default profile when there is no SNI in the incoming client hello.
>>
>>     if ((p->port==0 || p->port == port) && ip_addr_cmp(&p->ip, ip))
>>     {
>>         if(sname && sname->len>0)
>>         {
>>             if(p->server_name.s && p->server_name.len==sname->len
>>                     && strncasecmp(p->server_name.s, sname->s, sname->len)==0)
>>             {
>>                 LM_DBG("socket+server_name based TLS server domain found\n");
>>                 return p;
>>             }
>>         }
>>         else
>>         {
>>             if( (type & TLS_DOMAIN_SRV) && (p->server_name.s) )
>>             {
>>                 LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
>>                 return cfg->srv_default;
>>             }
>>             else
>>             {
>>                 LM_DBG("Inside %s at %d\n",__FUNCTION__,__LINE__);
>>                 return p;
>>             }
>>         }
>>     }
>>
>> Regards,
>> Mahesh.B
>>
>> _______________________________________________
>> Kamailio (SER) - Users Mailing List
>> sr-users@lists.kamailio.org
>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>>
>> --
>> Daniel-Constantin Mierla -- www.asipto.com -- www.twitter.com/miconda -- www.linkedin.com/in/miconda
>> Kamailio World Conference - April 27-29, 2020, in Berlin -- www.kamailioworld.com
>>
> --
> Daniel-Constantin Mierla -- www.asipto.com -- www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Kamailio World Conference - April 27-29, 2020, in Berlin -- www.kamailioworld.com
>
_______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
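The profile-selection rules Daniel states (IP/port section first, [server:any] with server_name for SNI-only matching, [server:default] only when nothing else matches) and the loop Mahesh quoted from tls_lookup_cfg(), worked through as an added Python model. This is example code written for this page, not Kamailio's implementation and not code from anyone in the thread. It parses the tls.cfg section syntax quoted above and runs the three ClientHellos from the thread against it. Assumptions, beyond what the thread shows: the most recently defined profile is probed first (chosen because it reproduces the ctip.172.com result Mahesh saw in his logs), [server:any] sections are tried as a server_name-only match after the IP/port pass, IPv4 selectors only, and the SNI_ONLY_TLS_CFG variant is constructed here to illustrate Daniel's suggestion rather than taken from any message.

```python
"""Model of Kamailio tls.cfg server-profile selection (added example, not
Kamailio code): parses the [role:selector] sections quoted in the thread and
applies Daniel's rules -- [server:IP:port] matches by IP/port (plus SNI when
present), [server:any] matches by server_name only, [server:default] is the
fallback when nothing else matches."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Mahesh's tls.cfg as quoted above, trimmed to the keys the lookup uses.
MAHESH_TLS_CFG = """
[server:default]
private_key = server.key
[client:default]
verify_certificate = no
[server:10.211.160.172:5061]
private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
server_name = btip.172.com
[server:10.211.160.172:5061]
private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
server_name = ctip.172.com
"""

# Constructed variant along the lines Daniel suggests (not from the thread):
# the SNI-specific profiles live under [server:any], so a ClientHello
# without SNI falls through to [server:default].
SNI_ONLY_TLS_CFG = """
[server:default]
private_key = server.key
[server:any]
private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
server_name = btip.172.com
[server:any]
private_key = /root/mahesh_openssl/profile1/ctip_172_server_private.key
server_name = ctip.172.com
"""

SECTION_RE = re.compile(r"^\[(server|client):([^\]]+)\]$")


@dataclass
class Profile:
    role: str                 # "server" or "client"
    selector: str             # "default", "any" or "IP[:port]"
    ip: Optional[str] = None  # only for IP-based selectors (IPv4 assumed)
    port: int = 0             # 0 means any port, as in the quoted C loop
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def server_name(self) -> Optional[str]:
        return self.attrs.get("server_name")


def parse_tls_cfg(text: str) -> List[Profile]:
    """Line parser: duplicate headers (two [server:10.211.160.172:5061]
    blocks) are distinct profiles, which rules out configparser."""
    profiles: List[Profile] = []
    current: Optional[Profile] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = Profile(role=m.group(1), selector=m.group(2))
            if current.selector not in ("default", "any"):
                host, sep, port = current.selector.rpartition(":")
                current.ip = host if sep else current.selector
                current.port = int(port) if sep else 0
            profiles.append(current)
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current.attrs[key] = value
    return profiles


def lookup_server_profile(profiles: List[Profile], ip: str, port: int,
                          sni: Optional[str]) -> Profile:
    """Server profile for a connection accepted on ip:port whose ClientHello
    carried `sni` (None when there was no server_name extension)."""
    servers = [p for p in profiles if p.role == "server"]
    default = next(p for p in servers if p.selector == "default")
    # Assumption: the most recently defined profile is probed first. This
    # reproduces the thread's observation (the later ctip.172.com profile
    # winning without SNI); the real list order is internal to Kamailio.
    candidates = [p for p in reversed(servers) if p.selector != "default"]

    # Rule 1: IP/port profiles, after the loop quoted from tls_lookup_cfg().
    for p in candidates:
        if p.ip is None or p.ip != ip or (p.port and p.port != port):
            continue
        if sni is None:
            return p  # no SNI: first IP/port match wins, default never reached
        if p.server_name and p.server_name.lower() == sni.lower():
            return p
    # Rule 2: [server:any] profiles match on server_name alone.
    if sni is not None:
        for p in candidates:
            if p.selector == "any" and p.server_name \
                    and p.server_name.lower() == sni.lower():
                return p
    # Rule 3: no IP/port or SNI match, so [server:default].
    return default


def run_scenarios(cfg_text: str) -> Dict[str, str]:
    """The three ClientHellos from the thread, labelled by server_name or selector."""
    profiles = parse_tls_cfg(cfg_text)
    hellos = {"sni_btip": "btip.172.com", "sni_ctip": "ctip.172.com", "no_sni": None}
    out = {}
    for name, sni in hellos.items():
        p = lookup_server_profile(profiles, "10.211.160.172", 5061, sni)
        out[name] = p.server_name or p.selector
    return out


if __name__ == "__main__":
    print("quoted tls.cfg      ", run_scenarios(MAHESH_TLS_CFG))
    print("[server:any] variant", run_scenarios(SNI_ONLY_TLS_CFG))
```

Against the quoted tls.cfg the no_sni scenario comes back as ctip.172.com, the result Mahesh reported, because an IP/port section is a valid match on its own once there is no SNI to disambiguate; against the [server:any] variant the same hello gets the default profile. The practical point for anyone reusing this layout: a client that omits SNI is served by whichever [server:IP:port] profile is checked first, including that profile's verify_certificate and require_certificate settings, so the SNI-less path deserves the same review as the named ones.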