Hello Kamailio!
I'm etting up a kamailio server where it will receive STIP TLS connections from Zoom.
kamailio is closing TLS connections with error stating "SSL routines::no shared
cipher (sni: unknown)" as below
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: tls [tls_server.c:270]:
tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7fbcd1e9dac8 ctx
0x7fbcd2229258 sn [])
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: tls [tls_domain.c:1018]:
tls_server_name_cb(): SSL_get_servername returned NULL: return SSL_TLSEXT_ERR_NOACK
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core>
[core/tcp_main.c:2845]: tcpconn_do_send(): sending...
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core>
[core/tcp_main.c:2881]: tcpconn_do_send(): after real write: c= 0x7fbcd3cb85d0 n=7 fd=8
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core>
[core/tcp_main.c:2882]: tcpconn_do_send(): buf=
Sep 18 13:28:02 dalia kamailio[18529]: [3B blob data]
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) ERROR: tls [tls_server.c:1312]:
tls_h_read_f(): protocol level error
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) ERROR: tls [tls_util.h:49]:
tls_err_ret(): TLS accept:error:0A0000C1:SSL routines::no shared cipher (sni: unknown)
did a tcpdump trace to check the ciphers Zoom are using in the TLS client hello, and there
are 4 and are supported by openssl on TLSv1.2, BUT the reis no server_name extension in
the client hello.
is this related to kamailio refusing the connection because there is no server_name in the
client hello or something else?, if yes can it be forced to accept TLS connection without
server_name specified ?
my tls.cfg file is below
[server:default]
method = TLSv1.2
verify_certificate = no
require_certificate = no
private_key = /etc/kamailio/key.pem
certificate = /etc/kamailio/certificate.pem
ca_list = /etc/ssl/certs/ca-certificates.crt
ca_path = /etc/ssl/certs
[client:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no