<!-- Kamailio Pull Request Template -->
<!-- IMPORTANT: - for detailed contributing guidelines, read: https://github.com/kamailio/kamailio/blob/master/.github/CONTRIBUTING.md - pull requests must be done to master branch, unless they are backports of fixes from master branch to a stable branch - backports to stable branches must be done with 'git cherry-pick -x ...' - code is contributed under BSD for core and main components (tm, sl, auth, tls) - code is contributed GPLv2 or a compatible license for the other components - GPL code is contributed with OpenSSL licensing exception -->
#### Pre-Submission Checklist <!-- Go over all points below, and after creating the PR, tick all the checkboxes that apply --> <!-- All points should be verified, otherwise, read the CONTRIBUTING guidelines from above--> <!-- If you're unsure about any of these, don't hesitate to ask on sr-dev mailing list --> - [x] Commit message has the format required by CONTRIBUTING guide - [x] Commits are split per component (core, individual modules, libs, utils, ...) - [x] Each component has a single commit (if not, squash them into one commit) - [x] No commits to README files for modules (changes must be done to docbook files in `doc/` subfolder, the README file is autogenerated)
#### Type Of Change - [ ] Small bug fix (non-breaking change which fixes an issue) - [x] New feature (non-breaking change which adds new functionality) - [ ] Breaking change (fix or feature that would change existing functionality)
#### Checklist: <!-- Go over all points below, and after creating the PR, tick the checkboxes that apply --> - [ ] PR should be backported to stable branches - [x] Tested changes locally - [ ] Related to issue #XXXX (replace XXXX with an open issue number)
#### Description
PR adds new core option `tls_connection_match_domain` with the default value 0 (old behavior) to solve the problem when we need to have multiple TLS connections with different SNI to the same host:port endpoint. for example: multiple customers (authorized by cert) for MS Teams on the single kamailio instance.
originally, functions `_tcpconn_find` and `_tcpconn_add_alias_unsafe` use only endpoint and protocol to match connections. setting `tls_connection_match_domain` to `1` will match additionaly with `tls_domain_str()` output for matched TLS domain. as a result, we will be able to establish new TLS connections if TLS domain is changed instead of reusing of the existent one with the wrong SNI.
i'm not considering this PR as the final version but we need something to start with. looking forward for any input.
FIXME: not found the right place where new core option should be documented.
#### Behavior difference example
* /etc/kamailio/kamailio.cfg (relays all requests to 127.0.0.1:5081 using TLS domain matched by server_id retreived from RURI-User): ``` #!KAMAILIO
listen=udp:127.0.0.1:5060 listen=tls:127.0.0.1:5061
enable_tls = yes tls_connection_match_domain = 1
debug = 3
loadmodule "tls.so" modparam("tls", "config", "/etc/kamailio/tls.cfg") modparam("tls", "xavp_cfg", "tls")
loadmodule "ctl.so" loadmodule "pv.so" loadmodule "tm.so"
route { $xavp(tls=>server_id) = $rU; t_relay_to_tls("127.0.0.1", 5081); } ```
* /etc/kamailio/tls.cfg: ``` [server:default] certificate = /etc/ssl/certs/ssl-cert-snakeoil.pem private_key = /etc/ssl/private/ssl-cert-snakeoil.key
[client:any] server_name = server_name_1.invalid server_id = 1
[client:any] server_name = server_name_2.invalid server_id = 2 ```
* run tls server: ```bash $ openssl s_server -port 5081 -cert /etc/ssl/certs/ssl-cert-snakeoil.pem -key /etc/ssl/private/ssl-cert-snakeoil.key ```
* send `INVITE sip:1@127.0.0.1:5060` and `INVITE sip:2@127.0.0.1:5060` using sipp: ```bash $ for u in 1 2; do sipp -sn uac -m 1 -nd -recv_timeout 1 -bg -s $u 127.0.0.1:5060; done ```
* resulting `tls.list` for kamailio instance WITHOUT `tls_connection_match_domain = 1` (old behavior): ```bash # kamcmd tls.list { id: 1 dom: TLSc<any:server_name_1.invalid> sni: N/A timestamp: 2025-04-24 14:07:20 timeout: 118 src_ip: 127.0.0.1 src_port: 5081 dst_ip: 127.0.0.1 dst_port: 58808 cipher: unknown ct_wq_size: 1162 enc_rd_buf: 0 flags: 1 state: tls_connect } ```
* `tls.list` for kamailio instance WITH `tls_connection_match_domain = 1` (new behavior): ```bash # kamcmd tls.list { id: 1 dom: TLSc<any:server_name_1.invalid> sni: N/A timestamp: 2025-04-24 14:09:10 timeout: 117 src_ip: 127.0.0.1 src_port: 5081 dst_ip: 127.0.0.1 dst_port: 55480 cipher: unknown ct_wq_size: 581 enc_rd_buf: 0 flags: 1 state: tls_connect } { id: 2 dom: TLSc<any:server_name_2.invalid> sni: N/A timestamp: 2025-04-24 14:09:10 timeout: 117 src_ip: 127.0.0.1 src_port: 5081 dst_ip: 127.0.0.1 dst_port: 55488 cipher: unknown ct_wq_size: 581 enc_rd_buf: 0 flags: 1 state: tls_connect } ``` You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/4222
-- Commit Summary --
* core: support tls connection domain matching * tls: implement match_domain,match_connections_domain hooks * tls_wolfssl: implement match_domain,match_connections_domain hooks
-- File Changes --
M src/core/cfg.lex (3) M src/core/cfg.y (9) M src/core/globals.h (1) M src/core/tcp_main.c (14) M src/core/tls_hooks.h (9) M src/main.c (4) M src/modules/tls/tls_mod.c (2) M src/modules/tls/tls_rpc.c (12) M src/modules/tls/tls_server.c (97) M src/modules/tls/tls_server.h (8) M src/modules/tls_wolfssl/tls_rpc.c (12) M src/modules/tls_wolfssl/tls_server.c (94) M src/modules/tls_wolfssl/tls_server.h (7) M src/modules/tls_wolfssl/tls_wolfssl_mod.c (2)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/4222.patch https://github.com/kamailio/kamailio/pull/4222.diff