2 Nov
2016
2 Nov
'16
9:35 a.m.
Hi All.
After some try to configure kamailio 4.4.3 to act as SPI TLS client for Cisco SIP TLS
gateways I have found one issue.
If I do client configuration for tls
[client:10.1.23.19:5061]
verify_certificate = yes
ca_list = /etc/kamailio/CAs/ca1.pem
[client:10.1.23.29:5061]
verify_certificate = yes
ca_list = /etc/kamailio/CAs/ca2.pem
[client:default]
verify_certificate = no
require_certificate = no
Kamailo always do default profile selection (I do configuration without server_name or
server_id, with it kamailio works fine but there are some troubles to make selection of
this parameters from
config script, I need additional checks and queries)
after some research in tls module source code I have added some debug information in file
tls_server.c:
```
if (c->flags & F_CONN_PASSIVE) {
state=S_TLS_ACCEPTING;
dom = tls_lookup_cfg(cfg, TLS_DOMAIN_SRV,
&c->rcv.dst_ip, c->rcv.dst_port, 0, 0);
} else {
state=S_TLS_CONNECTING;
sname = tls_get_connect_server_name();
srvid = tls_get_connect_server_id();
// -------------------------------------------------------------
DBG("Entered client config loockup (c->rcv.dst_port %d)\n",
c->rcv.dst_port);
DBG("Entered client config loockup (&c->rcv.dst_ip
%s)\n", ip_addr2a(&c->rcv.dst_ip));
DBG("Entered client config loockup (c->rcv.src_port %d)\n",
c->rcv.src_port);
DBG("Entered client config loockup (&c->rcv.src_ip
%s)\n", ip_addr2a(&c->rcv.src_ip));
// -------------------------------------------------------------
dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
&c->rcv.dst_ip, c->rcv.dst_port, sname, srvid);
}
```
After making a test call:
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
[parser/msg_parser.c:597]: parse_msg(): method: <INVITE>
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
[parser/msg_parser.c:599]: parse_msg(): uri:
<sip:9098@10.1.23.19:5061;transport=TLS>
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core>
[parser/msg_parser.c:601]: parse_msg(): version: <SIP/2.0>
I see:
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [ip_addr.c:229]:
print_ip(): tcpconn_new: new tcp connection: 10.1.23.19
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [tcp_main.c:985]:
tcpconn_new(): on port 5061, type 3
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [tcp_main.c:1295]:
tcpconn_add(): hashes: 1394:0:0, 1
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:197]:
tls_complete_init(): completing tls connection initialization
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:160]:
tls_get_connect_server_name(): xavp with outbound server name not found
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:140]:
tls_get_connect_server_id(): xavp with outbound server id not found
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:219]:
tls_complete_init(): Entered client config loockup (c->rcv.dst_port 40123)
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:220]:
tls_complete_init(): Entered client config loockup (&c->rcv.dst_ip 10.1.23.23)
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:221]:
tls_complete_init(): Entered client config loockup (c->rcv.src_port 5061)
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:222]:
tls_complete_init(): Entered client config loockup (&c->rcv.src_ip 10.1.23.19)
Where:
**&c->rcv.dst_ip 10.1.23.23** - it is my local kamailio tls socket ip address to
make tls connect from
**c->rcv.dst_port 40123** - it is my local kamailio tls socket port
**&c->rcv.src_ip 10.1.23.19** - ip of my TLS device to make tls connection to
**c->rcv.src_port 5061** - port of my TLS device to make tls connection to
so if I change line
```
dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
&c->rcv.dst_ip, c->rcv.dst_port, sname, srvid);
to
```
```
dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
&c->rcv.src_ip, c->rcv.src_port, sname, srvid);
```
I got correct client domain selection from tls.cfg:
Oct 26 09:33:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:233]:
tls_complete_init(): Using initial TLS domain TLSc<10.1.23.19:5061> (dom
0x7fd2eefa3d68 ctx 0x7fd2ef7e70a8 sn [])
Oct 26 09:33:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_domain.c:703]:
sr_ssl_ctx_info_callback(): SSL handshake started
You can view, comment on, or merge this pull request online at:
https://github.com/kamailio/kamailio/pull/842
-- Commit Summary --
* Merge pull request #3 from kamailio/master
* modules/tls: fix TLS client config selection based on dst ip and port
-- File Changes --
M modules/tls/tls_server.c (2)
-- Patch Links --
https://github.com/kamailio/kamailio/pull/842.patch
https://github.com/kamailio/kamailio/pull/842.diff
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/842
2 Nov
2 Nov
5:59 p.m.
The [client...] section in the tls config is meant to specify the attributes when kamailio
opens a connection from that socket (kamailio acts as the client from the point of view of
tls connection). It is supposed to be local ip:port, not remoteip:port.
I understand that you are looking at having a section to match on remote IP, am I right?
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/842#issuecomment-257890506
6:39 p.m.
As i understand from
https://github.com/kamailio/kamailio/blob/master/modules/tls/tls.cfg
# Special settings for the iptel.org public SIP
# server. We do not verify the certificate of the
# server because it can be expired. The server
# implements authentication using SSL client
# certificates so configure the client certificate
# that was given to use by iptel.org staff here.
#
#[client:195.37.77.101:5061]
#verify_certificate = no
#certificate = ./modules/tls/iptel_client.pem
#private_key = ./modules/tls/iptel_key.pem
#ca_list = ./modules/tls/iptel_ca.pem
#crl = ./modules/tls/iptel_crl.pem
this is for match with remote ip and port when kamailio acts as client.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/842#issuecomment-257903411
6:44 p.m.
The client in this case is kamailio, so it's its certificate. Kamailio is not supposed
to have access to private key of the remote end point. iptel.org is the portal that was
used for SIP Express Router (SER), previous name of kamailio project.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/842#issuecomment-257904768
6:46 p.m.
sorry for incorrect formating.
i have made comment using mobile version
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/842#issuecomment-257905413
6:58 p.m.
In my case kamailio acts as client to cisco sip tls gateway to make outgoing calls.
and private_key is not remote server private key it is client private key to make client
authorization on remote server.
Without this cisco close tls connection.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/842#issuecomment-257909230
11:02 p.m.
The patch is breaking the expected behaviour so far. I see benefits on matching based on
remote address, but existing one has to be preserved as well.
One solution would be to add a new attribute in the section to specify the address to
match, like:
```
match=local
# or
match=remote
```
This can also be added for the server sections.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/842#issuecomment-257981881
3 Nov
3 Nov
12:02 p.m.
It is interesting but not easy solution.
Because tls_lookup_cfg accepting only one ip and port...
Another solution can be in [MANAGE_BRANCH] route add next check condition:
```
if ($rP == "TLS") {
$xavp(tls=>server_name) = $rd + ":" + $rp;
$xavp(tls=>server_id) = $rd + ":" + $rp;
}
```
and in tls.cfg:
```
[client:10.1.23.19:5061]
verify_certificate = yes
ca_list = /etc/kamailio/CAs/ca1.pem
private_key = /etc/kamailio/CAs/client1.key
server_name = 10.1.23.19:5061
server_id = 10.1.23.19:5061
```
It works too.
After location check i have ruri like 9098@10.1.23.19:5061;transport=TLS
May bee this is the simplest solution...
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/842#issuecomment-258091140
12:49 p.m.
Closed #842.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/842#event-846118189
12:49 p.m.
The prototype of tls_lookup_cfg() can be changed if needed, that's not a problem.
The solution with xavp is ok and available now, the one with new match attribute may be an
alternative the config simpler.
Anyhow, I am closing this one, given there is a solution. If anyone considers to implement
the match config option, then a new pr should be opened.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/842#issuecomment-258099664
2941
days inactive
2942
days old
9 comments
2 participants
participants (2)
-
Daniel-Constantin Mierla -
sergey-vb