So I was using a Let's Encrypt certificate, changed to another provider and it worked, not sure why.

From: Mahmood Alkhalil <mahmood.alkhalil@outlook.com>
Sent: Wednesday, September 18, 2024 4:56:33 PM
To: Henning Westerholt <hw@gilawa.com>; Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Subject: Re: sni:uknown error in logs

From the Zoom side, they are sending the below cipher suite when they initiate a connection request to my Kamailio node in their Client Hello.
As for my Kamailio node, I set the tls.cfg cipher_list to cipher_list= ALL:eNULL.

I think the ALL suite covers the cipher suite requested by Zoom (which is part of TLS 1.2), or am I missing something? (I am not very aware of TLS 😅)

Mahmood Alkhalil.

From: Henning Westerholt <hw@gilawa.com>
Sent: Wednesday, September 18, 2024 4:44 PM
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Cc: Mahmood Alkhalil <mahmood.alkhalil@outlook.com>
Subject: RE: sni:uknown error in logs

Hello,

the error message indicates that the problem is related to the cipher support.

Did you already compare the list of supported ciphers from the Zoom side and your side, e.g. with the methods listed here:

https://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers

Cheers,

Henning

--

Henning Westerholt – https://skalatan.de/blog/

Kamailio services – https://gilawa.com


From: Mahmood Alkhalil via sr-users <sr-users@lists.kamailio.org>
Sent: Wednesday, 18 September 2024 13:33
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Cc: Mahmood Alkhalil <mahmood.alkhalil@outlook.com>
Subject: [SR-Users] sni:uknown error in logs


Hello Kamailio!

I'm setting up a Kamailio server which will receive SIP TLS connections from Zoom.

Kamailio is closing TLS connections with an error stating "SSL routines::no shared cipher (sni: unknown)" as below:

Sep 18 13:28:02 dalia kamailio[18529]:  9(18529) DEBUG: tls [tls_server.c:270]: tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7fbcd1e9dac8 ctx 0x7fbcd2229258 sn [])
Sep 18 13:28:02 dalia kamailio[18529]:  9(18529) DEBUG: tls [tls_domain.c:1018]: tls_server_name_cb(): SSL_get_servername returned NULL: return SSL_TLSEXT_ERR_NOACK
Sep 18 13:28:02 dalia kamailio[18529]:  9(18529) DEBUG: <core> [core/tcp_main.c:2845]: tcpconn_do_send(): sending...
Sep 18 13:28:02 dalia kamailio[18529]:  9(18529) DEBUG: <core> [core/tcp_main.c:2881]: tcpconn_do_send(): after real write: c= 0x7fbcd3cb85d0 n=7 fd=8
Sep 18 13:28:02 dalia kamailio[18529]:  9(18529) DEBUG: <core> [core/tcp_main.c:2882]: tcpconn_do_send(): buf=
Sep 18 13:28:02 dalia kamailio[18529]: [3B blob data]
Sep 18 13:28:02 dalia kamailio[18529]:  9(18529) ERROR: tls [tls_server.c:1312]: tls_h_read_f(): protocol level error
Sep 18 13:28:02 dalia kamailio[18529]:  9(18529) ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS accept:error:0A0000C1:SSL routines::no shared cipher (sni: unknown)

I did a tcpdump trace to check the ciphers Zoom is using in the TLS Client Hello; there are 4 and they are supported by OpenSSL on TLSv1.2, BUT there is no server_name extension in the Client Hello.

Is this related to Kamailio refusing the connection because there is no server_name in the Client Hello, or something else? If yes, can it be forced to accept a TLS connection without server_name specified?

My tls.cfg file is below:

[server:default]
method = TLSv1.2
verify_certificate = no
require_certificate = no
private_key = /etc/kamailio/key.pem
certificate = /etc/kamailio/certificate.pem
ca_list = /etc/ssl/certs/ca-certificates.crt
ca_path = /etc/ssl/certs

[client:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
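The diagnosis in this thread rests on two things read out of the Client Hello: which cipher suites the peer offers, and whether a server_name (SNI) extension is present. The script below is an added example, not code from this thread or from Kamailio. It parses a TLS 1.2 ClientHello record (the sample bytes are constructed here, not a capture from Zoom), lists the offered suites, reports whether SNI is present, and intersects the offer with a hypothetical server cipher set. It also filters the shared suites by the server certificate's key type, because OpenSSL reports "no shared cipher" not only when the cipher_list has no overlap with the offer but also when none of the offered suites can be authenticated with the configured certificate (for example RSA-authenticated suites offered to a server holding only an ECDSA certificate). The cipher-suite code points and names are the standard IANA/OpenSSL ones; SUITE_NAMES, SERVER_SUITES, build_client_hello and SAMPLE_NO_SNI are assumptions constructed for this example.

```python
"""Parse a TLS 1.2 ClientHello (as one would capture with tcpdump) and report
the offered cipher suites and whether a server_name (SNI) extension is present.
Added example for this thread, not Kamailio code; all sample data is constructed."""
import struct

# Standard IANA code points for a few TLS 1.2 suites, named with their OpenSSL
# names so the output is readable. Only these are classified below (assumption).
SUITE_NAMES = {
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0x009C: "AES128-GCM-SHA256",
    0x009D: "AES256-GCM-SHA384",
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
}


def build_client_hello(suites, sni=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (test data, not a capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni_list)) + sni_list  # ext type 0
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record: handshake


def parse_client_hello(record: bytes) -> dict:
    """Return offered cipher suites, SNI presence and SNI host names from a raw
    TLS record holding a ClientHello. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32  # skip client_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hello[pos]
    pos += 1 + comp_len
    has_sni, sni_hosts = False, []
    if pos + 2 <= len(hello):  # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            if etype == 0:  # server_name: 2-byte list length, then type(1) len(2) name
                has_sni = True
                q = 2
                while q + 3 <= len(data):
                    ntype = data[q]
                    nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:
                        sni_hosts.append(data[q:q + nlen].decode("ascii"))
                    q += nlen
    return {"cipher_suites": suites, "has_sni": has_sni, "sni_hosts": sni_hosts}


def shared_ciphers(client_suites, server_suites, cert_key_type="rsa"):
    """Intersect the client's offer with the server's configured suites and drop
    suites whose authentication does not match the server certificate's key type.
    Simplification: the TLS 1.2 suites in SUITE_NAMES are either RSA- or
    ECDSA-authenticated, so the name alone decides."""
    out = []
    for s in client_suites:
        name = SUITE_NAMES.get(s)
        if name is None or s not in server_suites:
            continue
        auth = "ecdsa" if "ECDSA" in name else "rsa"
        if auth == cert_key_type:
            out.append(name)
    return out


# Constructed sample: four RSA-authenticated suites and no SNI extension.
SAMPLE_NO_SNI = build_client_hello([0xC030, 0xC02F, 0x009D, 0x009C])
# Hypothetical server side: every suite in the table is enabled (e.g. by "ALL").
SERVER_SUITES = set(SUITE_NAMES)

if __name__ == "__main__":
    info = parse_client_hello(SAMPLE_NO_SNI)
    print("SNI present:", info["has_sni"], info["sni_hosts"])
    for s in info["cipher_suites"]:
        print(f"  0x{s:04X} {SUITE_NAMES.get(s, '?')}")
    print("shared with RSA cert:  ", shared_ciphers(info["cipher_suites"], SERVER_SUITES, "rsa"))
    print("shared with ECDSA cert:", shared_ciphers(info["cipher_suites"], SERVER_SUITES, "ecdsa"))
```

Run with a real capture by replacing SAMPLE_NO_SNI with the bytes of the first TLS record from the client (tcpdump -w, then extract the TCP payload). A missing SNI alone does not make OpenSSL reject a handshake; the server simply falls back to its default TLS domain, which is what the tls_server_name_cb() debug line in the log shows. An empty "shared with ... cert" list for the certificate type actually loaded is the condition that produces "no shared cipher".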