Pre-Submission Checklist

• Commit message has the format required by CONTRIBUTING guide
• Commits are split per component (core, individual modules, libs, utils, ...)
• Each component has a single commit (if not, squash them into one commit)
• No commits to README files for modules (changes must be done to docbook files
  in doc/ subfolder, the README file is autogenerated)

Type Of Change

• Small bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds new functionality)
• Breaking change (fix or feature that would change existing functionality)

Checklist:

• PR should be backported to stable branches
• Tested changes locally
• Related to issue #XXXX (replace XXXX with an open issue number)

Description

PR adds new core option tls_connection_match_domain with the default value 0 (old behavior)
to solve the problem when we need to have multiple TLS connections with different SNI to the same host:port endpoint.
for example: multiple customers (authorized by cert) for MS Teams on the single kamailio instance.

originally, functions _tcpconn_find and _tcpconn_add_alias_unsafe use only endpoint and protocol to match connections.
setting tls_connection_match_domain to 1 will match additionaly with tls_domain_str() output for matched TLS domain.
as a result, we will be able to establish new TLS connections if TLS domain is changed instead of reusing of the existent one with the wrong SNI.

i'm not considering this PR as the final version but we need something to start with. looking forward for any input.

FIXME: not found the right place where new core option should be documented.

Behavior difference example

• /etc/kamailio/kamailio.cfg
  (relays all requests to 127.0.0.1:5081 using TLS domain matched by server_id retreived from RURI-User):

#!KAMAILIO

listen=udp:127.0.0.1:5060
listen=tls:127.0.0.1:5061

enable_tls = yes
tls_connection_match_domain = 1

debug = 3

loadmodule "tls.so"
modparam("tls", "config", "/etc/kamailio/tls.cfg")
modparam("tls", "xavp_cfg", "tls")

loadmodule "ctl.so"
loadmodule "pv.so"
loadmodule "tm.so"

route {
    $xavp(tls=>server_id) = $rU;
    t_relay_to_tls("127.0.0.1", 5081);
}

• /etc/kamailio/tls.cfg:

[server:default]
certificate = /etc/ssl/certs/ssl-cert-snakeoil.pem
private_key = /etc/ssl/private/ssl-cert-snakeoil.key

[client:any]
server_name = server_name_1.invalid
server_id = 1

[client:any]
server_name = server_name_2.invalid
server_id = 2

• run tls server:

$ openssl s_server -port 5081 -cert /etc/ssl/certs/ssl-cert-snakeoil.pem -key /etc/ssl/private/ssl-cert-snakeoil.key

• send INVITE sip:1@127.0.0.1:5060 and INVITE sip:2@127.0.0.1:5060 using sipp:

$ for u in 1 2; do sipp -sn uac -m 1 -nd -recv_timeout 1 -bg -s $u 127.0.0.1:5060; done

• resulting tls.list for kamailio instance WITHOUT tls_connection_match_domain = 1 (old behavior):

# kamcmd tls.list
{
        id: 1
        dom: TLSc<any:server_name_1.invalid>
        sni: N/A
        timestamp: 2025-04-24 14:07:20
        timeout: 118
        src_ip: 127.0.0.1
        src_port: 5081
        dst_ip: 127.0.0.1
        dst_port: 58808
        cipher: unknown
        ct_wq_size: 1162
        enc_rd_buf: 0
        flags: 1
        state: tls_connect
}

• tls.list for kamailio instance WITH tls_connection_match_domain = 1 (new behavior):

# kamcmd tls.list
{
        id: 1
        dom: TLSc<any:server_name_1.invalid>
        sni: N/A
        timestamp: 2025-04-24 14:09:10
        timeout: 117
        src_ip: 127.0.0.1
        src_port: 5081
        dst_ip: 127.0.0.1
        dst_port: 55480
        cipher: unknown
        ct_wq_size: 581
        enc_rd_buf: 0
        flags: 1
        state: tls_connect
}
{
        id: 2
        dom: TLSc<any:server_name_2.invalid>
        sni: N/A
        timestamp: 2025-04-24 14:09:10
        timeout: 117
        src_ip: 127.0.0.1
        src_port: 5081
        dst_ip: 127.0.0.1
        dst_port: 55488
        cipher: unknown
        ct_wq_size: 581
        enc_rd_buf: 0
        flags: 1
        state: tls_connect
}

You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/4222

Commit Summary

• ebb35c1 core: support tls connection domain matching
• 621a2d3 tls: implement match_domain,match_connections_domain hooks
• ab76b93 tls_wolfssl: implement match_domain,match_connections_domain hooks

File Changes

(14 files)

• M src/core/cfg.lex (3)
• M src/core/cfg.y (9)
• M src/core/globals.h (1)
• M src/core/tcp_main.c (14)
• M src/core/tls_hooks.h (9)
• M src/main.c (4)
• M src/modules/tls/tls_mod.c (2)
• M src/modules/tls/tls_rpc.c (12)
• M src/modules/tls/tls_server.c (97)
• M src/modules/tls/tls_server.h (8)
• M src/modules/tls_wolfssl/tls_rpc.c (12)
• M src/modules/tls_wolfssl/tls_server.c (94)
• M src/modules/tls_wolfssl/tls_server.h (7)
• M src/modules/tls_wolfssl/tls_wolfssl_mod.c (2)

Patch Links:

• https://github.com/kamailio/kamailio/pull/4222.patch
• https://github.com/kamailio/kamailio/pull/4222.diff

—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.Message ID: <kamailio/kamailio/pull/4222@github.com>