Hello,
the error message indicates that the problem is related to the cipher support.
Did you already compare the list of supported ciphers from the Zoom side and your side,
e.g. with the methods listed here:
https://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-sui…
Cheers,
Henning
--
Henning Westerholt -
https://skalatan.de/blog/
Kamailio services -
https://gilawa.com
From: Mahmood Alkhalil via sr-users <sr-users(a)lists.kamailio.org>
Sent: Wednesday, 18 September 2024 13:33
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
Cc: Mahmood Alkhalil <mahmood.alkhalil(a)outlook.com>
Subject: [SR-Users] sni:uknown error in logs
Hello Kamailio!
I'm setting up a Kamailio server where it will receive SIP TLS connections from Zoom.
kamailio is closing TLS connections with error stating "SSL routines::no shared
cipher (sni: unknown)" as below
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: tls [tls_server.c:270]:
tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7fbcd1e9dac8 ctx
0x7fbcd2229258 sn [])
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: tls [tls_domain.c:1018]:
tls_server_name_cb(): SSL_get_servername returned NULL: return SSL_TLSEXT_ERR_NOACK
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core>
[core/tcp_main.c:2845]: tcpconn_do_send(): sending...
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core>
[core/tcp_main.c:2881]: tcpconn_do_send(): after real write: c= 0x7fbcd3cb85d0 n=7 fd=8
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core>
[core/tcp_main.c:2882]: tcpconn_do_send(): buf=
Sep 18 13:28:02 dalia kamailio[18529]: [3B blob data]
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) ERROR: tls [tls_server.c:1312]:
tls_h_read_f(): protocol level error
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) ERROR: tls [tls_util.h:49]:
tls_err_ret(): TLS accept:error:0A0000C1:SSL routines::no shared cipher (sni: unknown)
I did a tcpdump trace to check the ciphers Zoom is using in the TLS client hello; there
are 4 and they are supported by OpenSSL on TLSv1.2, BUT there is no server_name extension in
the client hello.
Is this related to Kamailio refusing the connection because there is no server_name in the
client hello, or something else? If yes, can it be forced to accept TLS connections without
server_name specified?
My tls.cfg file is below:
[server:default]
method = TLSv1.2
verify_certificate = no
require_certificate = no
private_key = /etc/kamailio/key.pem
certificate = /etc/kamailio/certificate.pem
ca_list = /etc/ssl/certs/ca-certificates.crt
ca_path = /etc/ssl/certs
[client:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
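As an added illustration of the check Henning suggests (comparing the cipher suites the client offers with the ones the server accepts) and of the ClientHello inspection described in the original post, the following Python script is not part of this thread and not Kamailio or Zoom code. It parses a TLS ClientHello record, lists the offered cipher suites, reports whether a server_name (SNI) extension is present, and intersects the offered suites with a server-side list. The ClientHello bytes, the host name and the server suite list are constructed for the example. One caveat the intersection alone does not capture: an ECDHE_ECDSA suite can only be selected by a server holding an ECDSA certificate, so a server with an RSA key and a client offering only ECDSA suites also ends in OpenSSL's "no shared cipher", even though the client's list looks supported.

```python
"""Inspect a TLS ClientHello for offered cipher suites and SNI (added example)."""
import struct

# IANA cipher suite code points -> names (subset, standard values).
SUITE_NAMES = {
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

EXT_SERVER_NAME = 0x0000      # server_name extension type (RFC 6066)
EXT_EC_POINT_FORMATS = 0x000B


def build_client_hello(suites, sni=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input)."""
    exts = b""
    if sni is not None:
        host = sni.encode()
        # ServerNameList: name_type 0 (host_name), name length, name
        sn_list = struct.pack("!BH", 0, len(host)) + host
        sn_ext = struct.pack("!H", len(sn_list)) + sn_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_ext)) + sn_ext
    # One unrelated extension so the parser is exercised on skipping it.
    exts += struct.pack("!HH", EXT_EC_POINT_FORMATS, 2) + b"\x01\x00"
    body = b"\x03\x03" + bytes(32)                     # client_version, random
    body += b"\x00"                                    # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # compression: null only
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [suite code points], sni_or_None)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    off = 0
    version = struct.unpack("!H", body[off:off + 2])[0]
    off += 2 + 32                                      # version + random
    off += 1 + body[off]                               # session id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                               # compression methods
    sni = None
    if off < len(body):                                # extensions are optional
        ext_len = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            data = body[off:off + elen]
            off += elen
            if etype == EXT_SERVER_NAME and len(data) >= 5:
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode()
    return version, suites, sni


def diagnose(record, server_suites):
    """Compare the client's offer with the server's list, like Henning's check."""
    version, suites, sni = parse_client_hello(record)
    accepted = set(server_suites)
    shared = [s for s in suites if s in accepted]      # client preference order
    name = lambda s: SUITE_NAMES.get(s, f"0x{s:04X}")
    return {
        "version": f"0x{version:04X}",
        "client_suites": [name(s) for s in suites],
        "sni": sni,
        "shared": [name(s) for s in shared],
        "verdict": "ok" if shared else "no shared cipher",
    }


if __name__ == "__main__":
    # Constructed: four ECDSA/RSA ECDHE suites, no server_name, as in the trace.
    hello = build_client_hello([0xC02B, 0xC02C, 0xC02F, 0xC030])
    print(diagnose(hello, [0x009C, 0x009D]))           # server only has RSA-kx suites
```

Feed real bytes by slicing the TCP payload of the first client packet out of a capture (the record starts with 0x16 0x03); an SNI of None in the result matches the "sn []" in the Kamailio debug line, while an empty "shared" list is what OpenSSL turns into "no shared cipher".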