Hi,
I want to deploy a kamailio v4.2.x setup with multiple domains, all resolving to the same IPv4 address kamailio is listening on. I am a bit confused about how to configure TLS certificates using the tls config file as mentioned here,
http://kamailio.org/docs/modules/4.2.x/modules/tls.html#tls.p.config
The documentation states that,
-- If set the TLS module will load a special config file or config files from config directory, in which different TLS parameters can be specified on a per role (server or client) and domain basis (*for now only IPs*). The corresponding module parameters will be ignored. --
Since all domains resolve to a single IP, I assume I can specify only one section in the tls config file with a pair of key/pem file paths. How can I specify more server certificates for the same IP but with different domains?
Thank you.
Hello,
the SNI (server name indication) support was available in kamailio v1.5 and then lost when the code was integrated with ser. It was on my to-do list to re-add it, but I had no time for it in the past. I just pushed a partial patch that allows setting a server_name for each TLS server domain (context) configured in the tls.cfg, like:
[server:127.0.0.1:5061]
method = TLSv1
...
server_name = localhost.loc

[server:127.0.0.1:5061]
method = TLSv1
...
server_name = localhost1.loc
So far I had the time to add it only for the server side -- when Kamailio is accepting a TLS connection, it should be able to select the context with the server_name matching the one advertised by the client.
Soon I will add the option to set the server name for connections that are opened by kamailio towards other tls nodes.
Because it is impossible to know if the client will present an SNI, kamailio first selects the context based only on ip:port matching and, once the SNI callback is executed, will switch to the appropriate one. Given that there can be more contexts for the same ip:port, the last one matching in tls.cfg is selected the first time. If no server name is matching after the SNI callback, the 'default' server context is selected.
I did just basic testing so far with SIP registration, therefore proper testing would be required on your side and feedback will be very much appreciated.
Cheers, Daniel
On 12/02/15 15:15, Muhammad Shahzad wrote:
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
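A complete tls.cfg built from Daniel's description above, as an added example that is not part of the thread and not the Kamailio project's own sample config. It assumes Kamailio is started with `listen=tls:198.51.100.10:5061` and `modparam("tls", "config", "/etc/kamailio/tls.cfg")`; the address, the names sip.example.com / sip.example.net and the key and certificate paths are placeholders. The `method = TLSv1` value simply copies Daniel's snippet; on a current build you would pick a newer minimum version.

```ini
# /etc/kamailio/tls.cfg -- added example, not from the thread or the project.
# Assumed: Kamailio listens for TLS on 198.51.100.10:5061 and the names
# sip.example.com and sip.example.net both resolve to that address.

# Fallback used when the client's SNI matches no server_name below.
[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/kamailio/tls/fallback.key
certificate = /etc/kamailio/tls/fallback.pem

# Outbound connections (the patch does not yet set SNI for these).
[client:default]
method = TLSv1
verify_certificate = yes
require_certificate = no
ca_list = /etc/kamailio/tls/ca-bundle.pem

# One server context per hosted name, all on the same ip:port.
[server:198.51.100.10:5061]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/kamailio/tls/sip.example.com.key
certificate = /etc/kamailio/tls/sip.example.com.pem
server_name = sip.example.com

# Listed last on purpose: per Daniel's note the last matching ip:port
# context is the one picked before the SNI callback runs, so this is the
# certificate a client that sends no SNI at all ends up with.
[server:198.51.100.10:5061]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/kamailio/tls/sip.example.net.key
certificate = /etc/kamailio/tls/sip.example.net.pem
server_name = sip.example.net
```

To check which context a given name selects, connect once per name and read back the subject, e.g. `openssl s_client -connect 198.51.100.10:5061 -servername sip.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject`, then repeat without `-servername` to confirm that non-SNI clients receive the certificate of the last-listed context and that an unknown name falls back to the `[server:default]` certificate.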
This is excellent news. The support for server side connections is good enough for me. I will test and let you know if I face any problems.
Thank you very much for your help and cooperation.
On Tue, Feb 17, 2015 at 12:38 AM, Daniel-Constantin Mierla <miconda@gmail.com> wrote: