Module: kamailio
Branch: master
Commit: 7d24a7afe02bf1f7c8ddddfcfc9f1c287296c996
URL: https://github.com/kamailio/kamailio/commit/7d24a7afe02bf1f7c8ddddfcfc9f1c2…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2021-05-03T08:00:32+02:00
jwt: more details about claims parameter format
---
Modified: src/modules/jwt/doc/jwt_admin.xml
---
Diff: https://github.com/kamailio/kamailio/commit/7d24a7afe02bf1f7c8ddddfcfc9f1c2…
Patch: https://github.com/kamailio/kamailio/commit/7d24a7afe02bf1f7c8ddddfcfc9f1c2…
---
diff --git a/src/modules/jwt/doc/jwt_admin.xml b/src/modules/jwt/doc/jwt_admin.xml
index dba928b523..36d3d0d0f7 100644
--- a/src/modules/jwt/doc/jwt_admin.xml
+++ b/src/modules/jwt/doc/jwt_admin.xml
@@ -109,6 +109,10 @@ modparam("jwt", "key_mode", 1)
<para>
claims - the list of claims to be added to JWT, in the format
"name1=value1;name2=value2;..." (same as the SIP parameters format).
+ The string values can be enclosed in single or double quotes. If a
+ value is not eclosed in between quotes, it is added as numeric
+ value if it is successfully converted to a long value, otherwise is
+ added as string value.
</para>
</listitem>
</itemizedlist>
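Review bot: the added line `+ value is not eclosed in between quotes` has a typo, "eclosed" should be "enclosed", and "in between quotes" reads more naturally as "in quotes". Since the hunk states that an unquoted value which converts to a long becomes a numeric claim, one example of each form in this paragraph (`index=100` as numeric versus `index='100'` as string) would make clear why the examples later in the file quote the SIP variables.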
@@ -120,7 +124,7 @@ modparam("jwt", "key_mode", 1)
<programlisting format="linespecific">
...
jwt_generate("/path/to/prvkey.pem", "RS256",
- "caller=$fU;callee=$tU;callid=$ci");
+ "caller='$fU';callee='$tU';callid='$ci';index=100");
...
</programlisting>
</example>
@@ -151,7 +155,8 @@ modparam("jwt", "key_mode", 1)
<listitem>
<para>
claims - the list of claims to be checked they are in the JWT, in the format
- "name1=value1;name2=value2;..." (same as the SIP parameters format).
+ "name1=value1;name2=value2;..." (same as the SIP parameters format,
+ see also the description of claims parameter for jwt_generate()).
</para>
</listitem>
<listitem>
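Review bot: the cross-reference to jwt_generate() is useful, but for jwt_verify() the reader still does not learn whether the type produced by the quoting rule is part of the match, that is, whether an unquoted `index=100` in the check string matches only a numeric claim in the token and `index='100'` only a string claim. Stating that here, next to the cross-reference, would close the gap it leaves.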
@@ -168,7 +173,7 @@ modparam("jwt", "key_mode", 1)
<programlisting format="linespecific">
...
if(!jwt_verify("/path/to/pubkey.pem", "RS256",
- "caller=$fU;callee=$tU;callid=$ci",
+ "caller='$fU';callee='$tU';callid='$ci';index=100",
"$var(jwt)") {
xwarn("failed to verify jwt\n");
}
@@ -206,7 +211,7 @@ modparam("jwt", "key_mode", 1)
<programlisting format="linespecific">
...
jwt_generate("/path/to/prvkey.pem", "RS256",
- "caller=$fU;callee=$tU;callid=$ci");
+ "caller='$fU';callee='$tU';callid='$ci';index=100");
xinfo("jwt is: $jwt(val)");
...
</programlisting>
Daniel,
I studied a bit topos_redis source and noticed that it lacks x_context
td and tt keys.
Is there something else missing in order to make spirals work also when
redis backend is in use?
-- Juha
Hello,
the formal notification that the development for the next major version
5.5.0 is now frozen. The focus has to be on testing the master branch.
Also, the master branch should not get commits with new features till
the branch 5.5 is created, expected to happen in 2-4 weeks, a matter of
how testing goes on. Meanwhile, the commits with new features in the C
code can be pushed to personal branches, new pull requests can still be
done, but they will be merged after branching 5.5.
Commits with documentation improvements, enhancements to related tools
(e.g., kamctl, kamcmd), merging existing pull requests at this moment,
exporting missing KEMI functions and completing the functionality of the
new modules added in 5.5 can still be done.
Once the branch 5.5 is created, new features can be pushed again to
master branch as usual. From that moment, the v5.5.0 should be out very
soon, time used for further testing but also preparing the release of
packages.
If someone is not sure if a commit brings a new feature, just make a
pull request and it can be discussed there on github portal or via
sr-dev mailing list.
A summary of what is new in upcoming 5.5 is going to be built at:
 * https://www.kamailio.org/wiki/features/new-in-5.5.x
Upgrade guidelines will be collected at:
 * https://www.kamailio.org/wiki/install/upgrade/5.4.x-to-5.5.0
Everyone is more than welcome to contribute to the above wiki pages,
especially to the upgrade guidelines, to help everyone else during the
migration process from v5.4.x to 5.4.x.
Cheers,
Daniel
--
Daniel-Constantin Mierla -- www.asipto.com -- www.twitter.com/miconda -- www.linkedin.com/in/miconda
### Description
I am connecting two kamailio (5.4.5) instances using TLS with client cert verification. When one side is OpenSSL 1.1.1 (CentOS 8) + P-256 cert and the other side is OpenSSL 1.0.2 (CentOS 7) + P-521 cert *and* `cipher_list` is set (e.g., `DEFAULT`), the ClientHello fails because the only supported curve sent is P-256 (server has P-521).
### Troubleshooting
1. If `cipher_list` is *not* set at all in `[client:default]`, then the ClientHello sends 4 supported EC groups and the handshake succeeds.
2. If `cipher_list` is set in `[client:default]` (e.g. `DEFAULT` or `ANY`), then the ClientHello sends only 1 supported EC group, P-256 (I guess because the client is using a P-256 cert), and the handshake fails.
#### Reproduction
1. Connect two kamailios, one on CentOS 8 sending SIP to one on CentOS 7, with TLS enabled and client cert verification. Put a P-256 cert on CentOS 8 and a P-521 cert on CentOS 7.
#### Debugging Data
1. `cipher_list` is not set: TLS ClientHello Supported Groups is 4 groups: secp256r1 secp521r1 secp384r1 secp256k1
2. `cipher_list` is set to `DEFAULT`: TLS ClientHello Supported Groups is 1 group: secp256r1.
#### Log Messages
```
ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
```
#### SIP Traffic
NA - couldn't complete TLS handshake so no SIP was transferred.
### Possible Solutions
1. Don't set cipher_list at all; the moment you set cipher_list to anything (`ANY`, `DEFAULT` etc.), the ClientHello will narrow the supported groups to P-256 and the server will reject.
I have a thought: does `setup_ecdh()` in `tls_domain.c` behave differently on OpenSSL 1.1.1? Maybe it is forcing the handshake to send only the curve of the client.
### Additional Information
1. kamailio version is 5.4.5
2. Must be OpenSSL 1.1.1 to OpenSSL 1.0.2. BTW in the reverse direction P-521 CentOS 7 to P-256 CentOS 8 doesn't encounter this issue.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2716
Address GH #2716. Also see https://bugs.python.org/issue29697.
#### Pre-Submission Checklist
- [X] Commit message has the format required by CONTRIBUTING guide
- [X] Commits are split per component (core, individual modules, libs, utils, ...)
- [X] Each component has a single commit (if not, squash them into one commit)
- [ ] No commits to README files for modules (changes must be done to docbook files
in `doc/` subfolder, the README file is autogenerated)
#### Type Of Change
- [X] Small bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds new functionality)
- [ ] Breaking change (fix or feature that would change existing functionality)
#### Checklist:
- [X] PR should be backported to stable branches
- [X] Tested changes locally
- [ ] Related to issue #2716
#### Description
For OpenSSL 1.1.x initialization of EC SSL contexts has changed — we should be using the < 1.0.2 technique on OpenSSL 1.1+. This addresses a corner case where TLS server with P-256 cert would not handshake with a TLS client presenting a P-521 cert.
You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/2717
-- Commit Summary --
* [tls] Don't use OpenSSL<1.0.2 fallback on 1.1+
-- File Changes --
M src/modules/tls/tls_domain.c (12)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/2717.patch
https://github.com/kamailio/kamailio/pull/2717.diff
**missing braces around initializer**
*mohq_funcs.c:2163*
```
LD (gcc) [M matrix.so] matrix.so
CC (gcc) [M mohqueue.so] mohq_locks.o
CC (gcc) [M mohqueue.so] mohq_funcs.o
mohq_funcs.c: In function 'send_rtp_answer':
mohq_funcs.c:2163:23: warning: missing braces around initializer [-Wmissing-braces]
2163 | fparam_t pzflag [1] = {"", FPARAM_STRING, {pflagbuf}, 0};
| ^
| {
mohq_funcs.c:2163:23: warning: missing braces around initializer [-Wmissing-braces]
2163 | fparam_t pzflag [1] = {"", FPARAM_STRING, {pflagbuf}, 0};
| ^
| { }
CC (gcc) [M mohqueue.so] mohq_db.o
CC (gcc) [M mohqueue.so] mohqueue_mod.o
make[3]: 'libsrdb1.so.1.0' is up to date.
LD (gcc) [M mohqueue.so] mohqueue.so
CC (gcc) [M msilo.so] msfuncs.o
CC (gcc) [M msilo.so] msilo.o
```
**"_POSIX_C_SOURCE" redefined**
```
CC (gcc) [M app_python.so] python_iface.o
CC (gcc) [M app_python.so] apy_kemi_export.o
In file included from /usr/include/python2.7/pyconfig.h:6,
from /usr/include/python2.7/Python.h:8,
from apy_kemi_export.c:30:
/usr/include/python2.7/pyconfig-64.h:1232: warning: "_POSIX_C_SOURCE" redefined
1232 | #define _POSIX_C_SOURCE 200112L
|
In file included from /usr/include/bits/libc-header-start.h:33,
from /usr/include/stdio.h:27,
from apy_kemi_export.c:26:
/usr/include/features.h:265: note: this is the location of the previous definition
265 | # define _POSIX_C_SOURCE 200809L
|
CC (gcc) [M app_python.so] mod_Core.o
CC (gcc) [M app_python.so] apy_kemi.o
In file included from /usr/include/python2.7/pyconfig.h:6,
from /usr/include/python2.7/Python.h:8,
from apy_kemi.c:25:
/usr/include/python2.7/pyconfig-64.h:1232: warning: "_POSIX_C_SOURCE" redefined
1232 | #define _POSIX_C_SOURCE 200112L
|
In file included from /usr/include/bits/libc-header-start.h:33,
from /usr/include/stdio.h:27,
from apy_kemi.c:21:
/usr/include/features.h:265: note: this is the location of the previous definition
265 | # define _POSIX_C_SOURCE 200809L
|
CC (gcc) [M app_python.so] python_msgobj.o
CC (gcc) [M app_python.so] mod_Router.o
CC (gcc) [M app_python.so] app_python_mod.
```
https://github.com/kamailio/kamailio/issues/2710
Hello,
the branch 5.5 has been created, to be used for releasing v5.5.x series.
To check out this branch, the following commands can be used:
  git clone https://github.com/kamailio/kamailio kamailio-5.5
  cd kamailio-5.5
  git checkout -b 5.5 origin/5.5
Pushing commits in this branch:
 git push origin 5.5:5.5
Note that 5.5 is an official stable branch, so only bug fixes, missing
kemi exports (discuss on sr-dev if not sure) or improvements to
documentation or helper tools can be pushed to this branch.
As usual, if there is a bug fixed, commit and push first to master
branch and then cherry pick to 5.5 branch:
 git cherry-pick -x COMMITID
In a few weeks, the first release from branch 5.5 will be out,
respectively Kamailio v5.5.0.
Cheers,
Daniel
--
Daniel-Constantin Mierla -- www.asipto.com -- www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training - Online
May 17-20, 2021 (Europe Timezone) - June 7-10, 2021 (America Timezone)
* https://www.asipto.com/sw/kamailio-advanced-training-online/