Hi, I went further through the Kamailio logs, and I see the below happening.

tls [tls_server.c:169]: tls_get_connect_server_name[]: xavp with outbound server name not found
tls [tls_server.c:152]: tls_get_connect_server_id[]: found xavp with outbound server id: btip.176.com

It is strange that it is able to find the client profile based on server_id, but not able to find it using server_name.
In tls_complete_init():

    if (c->flags & F_CONN_PASSIVE) {
        state = S_TLS_ACCEPTING;
        dom = tls_lookup_cfg(cfg, TLS_DOMAIN_SRV, &c->rcv.dst_ip,
                             c->rcv.dst_port, 0, 0);
    } else {
        state = S_TLS_CONNECTING;
        sname = tls_get_connect_server_name();
        srvid = tls_get_connect_server_id();
        dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI, &c->rcv.dst_ip,
                             c->rcv.dst_port, sname, srvid);
    }
I am acting as the client, so it will hit the else part.

The call to sname = tls_get_connect_server_name(); fails, with the log below:

tls [tls_server.c:169]: tls_get_connect_server_name[]: xavp with outbound server name not found

The call to srvid = tls_get_connect_server_id(); succeeds, with the log below:

tls [tls_server.c:152]: tls_get_connect_server_id[]: found xavp with outbound server id: btip.176.com

And further down in the function, as sname is NULL, it does not set the server name extension in the ClientHello message:
    #ifndef OPENSSL_NO_TLSEXT
        if (sname != NULL) {
            if (!SSL_set_tlsext_host_name(data->ssl, sname->s)) {
                if (data->ssl)
                    SSL_free(data->ssl);
                if (data->rwbio)
                    BIO_free(data->rwbio);
                goto error;
            }
            LM_DBG("outbound TLS server name set to: %s\n", sname->s);
        }
    #endif

Am I missing anything here w.r.t. configuration, or is it a bug which has been fixed in later versions? Please help!!
Regards, Mahesh.B
On Thu, Dec 19, 2019 at 5:53 PM mahesh b mahesh.b.2487@gmail.com wrote:
Hi,
I am using Kamailio version 5.1.9.

My setup: client1 -> kamailio server 1 (IP: 10.211.160.172) ----> kamailio server 2 (IP: 10.211.160.176) -> client2

I have a scenario where kamailio server 1 has to initiate an outgoing TLS connection to kamailio server 2. I have set server_name and server_id in the client profile in tls.cfg on kamailio server 1 like below:
    [client:default]
    verify_certificate = no
    require_certificate = no
    server_name = mahesh.client.com

    [client:10.211.160.172:5061]
    method = TLSv1+
    verify_certificate = yes
    require_certificate = yes
    private_key = /root/mahesh_openssl/profile2/btip_172_server_private.key
    certificate = /root/mahesh_openssl/profile2/btip_172_server_public.crt
    ca_list = /root/mahesh_openssl/profile2/btip_ca_public.crt
    cipher_list = RSA
    verify_depth = 9
    server_name = btip.176.com
    server_id = btip.176.com
And in sar.cfg:

    $xavp(tls=>server_name) = "btip.176.com";
    $xavp(tls=>server_id) = "btip.176.com";
    $du = "sip:10.211.160.176:5061;transport=tls";
    ....
    t_relay();

What I observe is that when the ClientHello is sent by 10.211.160.172 to 10.211.160.176, I don't see the server_name extension being sent. Am I missing anything? Please help!
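The check the thread relies on, inspecting the outbound ClientHello for the server_name extension, as an added example that is not part of the original posts and is not Kamailio code. It uses Python's ssl module with OpenSSL memory BIOs to produce a genuine ClientHello offline, once with a server_hostname (the SSL_set_tlsext_host_name path in the Kamailio snippet above) and once without (the sname == NULL path), and a small parser that extracts the SNI host_name the way a capture would show it. The hostname btip.176.com is taken from the thread's tls.cfg; no connection to any Kamailio server is made.

```python
import ssl
import struct

# Hostname taken from the thread's tls.cfg; any DNS name would do.
EXAMPLE_SNI = "btip.176.com"
SNI_EXT_TYPE = 0          # RFC 6066 server_name extension
HANDSHAKE = 22            # TLS record content type
CLIENT_HELLO = 1          # handshake message type


def client_hello_bytes(server_hostname):
    """Produce a real ClientHello with OpenSSL, without any network.

    server_hostname=None mirrors Kamailio's sname == NULL path above:
    SSL_set_tlsext_host_name() is never called, so no SNI goes out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # the handshake is never completed
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()           # writes ClientHello, then waits for peer
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def client_hello_extensions(record):
    """Parse one TLS record holding a ClientHello; return {ext_type: data}."""
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("ClientHello fragmented across records")
    pos = 2 + 32                                            # legacy_version + random
    pos += 1 + body[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + body[pos]                                    # compression_methods
    exts = {}
    if pos >= len(body):
        return exts                                         # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[etype] = body[pos:pos + elen]
        pos += elen
    return exts


def sni_hostname(record):
    """Return the host_name carried in the server_name extension, or None."""
    data = client_hello_extensions(record).get(SNI_EXT_TYPE)
    if data is None:
        return None
    list_len = struct.unpack("!H", data[:2])[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        name = data[pos + 3:pos + 3 + name_len]
        pos += 3 + name_len
        if name_type == 0:                                  # NameType host_name
            return name.decode("ascii")
    return None


def sni_sent_for(server_hostname):
    """What a packet capture would show for the outbound ClientHello."""
    return sni_hostname(client_hello_bytes(server_hostname))


if __name__ == "__main__":
    print("with server_name set:", sni_sent_for(EXAMPLE_SNI))
    print("with sname == NULL  :", sni_sent_for(None))
```

Run it against a pcap of the real connection by replacing client_hello_bytes() with the first TLS record from the capture; if sni_hostname() returns None there, the ClientHello left without SNI, which is what the thread observes when sname is NULL. One caveat when testing with the peer's address rather than a name: RFC 6066 does not allow IP literals in server_name, and Python's ssl module skips the extension for them, so the check must be done with a DNS name.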