Hi,
I have just built Kamailio from Git master, configured TCP and TLS, and an HTTP event route. I was able to connect to Kamailio over TLS using Google Chrome (and saw the "SSL Error: The site's security certificate is not trusted!" page). After I clicked on "Proceed anyway" I saw the log message I put in the HTTP event route come out.
I also logged in with Jitsi using TLS and that worked fine too.
I tried this with both the WebSocket module loaded and without it, and it worked in both cases.
I also tried the above with TCP and that worked fine as well.
As far as I can tell TLS is working in Kamailio Git master.
Regards,
Peter
On Wed, Jul 11, 2012 at 9:37 PM, Peter Dunkley peter.dunkley@crocodile-rcs.com wrote:
Hi,
WebSockets over TLS works, which requires establishing a TLS connection and exchanging an HTTP request and response. It doesn't sound like this connection is even getting past the TLS handshake part?
Peter
Hi, That was my first guess. I will run some tests with a plain TCP socket and post an update.
cheers.
On Wed, 2012-07-11 at 17:14 +0200, Klaus Darilion wrote:
Maybe there were some changes for websocket support which cause problems. Do plain TCP connections work?
klaus
On 11.07.2012 16:20, Aft nix wrote:
On Wed, Jul 11, 2012 at 6:56 PM, Klaus Darilion klaus.mailinglists@pernau.at wrote:
I just tested TLS with Kamailio 3.3.0 and Eyebeam and it works. Make sure to specify "ca_list" if intermediate certificates are used.
I was working with master branch, not 3.3 branch.
regards Klaus
On 09.07.2012 13:27, Aft nix wrote:
Hi,
I have enabled tls parameters as follows:
in kamailio.cfg
listen = tls:<IP>:<PORT>
in tls.cfg
[server:<IP>:<PORT>]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /usr/local/etc/kamailio/kamailio-selfsigned.key
certificate = /usr/local/etc/kamailio/kamailio-selfsigned.pem
Now if I try to connect to this interface using openssl s_client, it does connect, but no server certificate is sent from Kamailio.
Kamailio log shows this:
<core> [ip_addr.c:247]: tcpconn_new: new tcp connection: <CLIENT
IP> <core> [tcp_main.c:10
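For the symptom in the quoted message (the TLS listener accepts the connection but presents no certificate), here are two checks a practitioner would run first. This is an added example, not code from the thread or from Kamailio; it assumes the OpenSSL command-line tools are installed, and the file paths and HOST:PORT are placeholders to replace with the values from your tls.cfg.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a Kamailio TLS listener
# configured with a self-signed key/cert pair in tls.cfg.

# Return 0 if the certificate's public key matches the private key, 1 otherwise.
# An unreadable file or a cert/key mismatch is a common reason a TLS server
# presents no certificate at all, even though it accepts the TCP connection.
cert_matches_key() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print how many certificates the listener at HOST:PORT presents in the handshake:
# 0 reproduces the symptom from the thread (connected, no certificate sent),
# 1 is a bare self-signed cert, >1 means intermediates are included as well
# (the case where Kamailio's ca_list setting matters).
# If the listener is restricted to TLSv1 as in the tls.cfg above, add -tls1
# (where the client's OpenSSL still allows that protocol version).
listener_cert_count() {
  printf '' | openssl s_client -connect "$1" -showcerts 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Placeholder paths (taken from the tls.cfg in the thread); adjust as needed.
CERT=/usr/local/etc/kamailio/kamailio-selfsigned.pem
KEY=/usr/local/etc/kamailio/kamailio-selfsigned.key

if cert_matches_key "$CERT" "$KEY"; then
  echo "cert/key pair OK"
else
  echo "cert/key mismatch or file not readable"
fi

# The network probe only runs when a HOST:PORT argument is given, e.g.
#   sh check_tls_listener.sh 192.0.2.10:5061   (placeholder address)
if [ $# -gt 0 ]; then
  echo "certificates presented by $1: $(listener_cert_count "$1")"
fi
```

Run the probe from the same host that reported the problem so that firewall rules between client and listener do not confuse the result.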
On Thu, Jul 12, 2012 at 1:33 AM, Peter Dunkley peter.dunkley@crocodile-rcs.com wrote:
Hi,
I have just built Kamailio from Git master, configured TCP and TLS, and an HTTP event route. I was able to connect to Kamailio over TLS using Google Chrome (and saw the "SSL Error: The site's security certificate is not trusted!" page). After I clicked on "Proceed anyway" I saw the log message I put in the HTTP event route come out.
I also logged in with Jitsi using TLS and that worked fine too.
I tried this with both the WebSocket module loaded and without it, and it worked in both cases.
I also tried the above with TCP and that worked fine as well.
As far as I can tell TLS is working in Kamailio Git master.
Regards,
Peter
Thanks for the update. I've come to the same conclusion. I was going to post my results and saw your mail. Things are working for me right now. But I'm still kind of puzzled why it didn't work earlier. Apart from a new "tcp" listen directive I've not changed anything. I did a git pull though, which showed some updates in tcp_main. Look at the diff of the most recent changes to tcp_main.c (git diff $start $end -- tcp_main.c):
diff --git a/tcp_main.c b/tcp_main.c index a6e3019..c5a2547 100644 --- a/tcp_main.c +++ b/tcp_main.c @@ -1427,7 +1427,7 @@ static inline void _tcpconn_free(struct tcp_connection* c) #endif lock_destroy(&c->write_lock); #ifdef USE_TLS - if (unlikely(c->type==PROTO_TLS || c->type==PROTO_WSS)) tls_tcpconn_clean(c); + if (unlikely(c->type==PROTO_TLS)) tls_tcpconn_clean(c); #endif shm_free(c); } @@ -1456,7 +1456,7 @@ void tcpconn_rm(struct tcp_connection* c) TCPCONN_UNLOCK; lock_destroy(&c->write_lock); #ifdef USE_TLS - if ((c->type==PROTO_TLS || c->type==PROTO_WSS)&&(c->extra_data)) tls_tcpconn_clean(c); + if ((c->type==PROTO_TLS)&&(c->extra_data)) tls_tcpconn_clean(c); #endif shm_free(c); } @@ -2270,7 +2270,7 @@ static int tcpconn_send_put(struct tcp_connection* c, const char* buf, { do_close_fd=0; #ifdef USE_TLS - if (unlikely(c->type==PROTO_TLS || c->type==PROTO_WSS)) { + if (unlikely(c->type==PROTO_TLS)) { t_buf = buf; t_len = len; do { @@ -2372,7 +2372,7 @@ static int tcpconn_send_put(struct tcp_connection* c, const char* buf, } #ifdef USE_TLS - if (unlikely(c->type==PROTO_TLS || c->type==PROTO_WSS)) { + if (unlikely(c->type==PROTO_TLS)) { /* for TLS the TLS processing and the send must happen atomically w/ respect to other sends on the same connection (otherwise reordering might occur which would break TLS) => @@ -2958,7 +2958,7 @@ inline static void tcpconn_close_main_fd(struct tcp_connection* tcpconn) fd=tcpconn->s; #ifdef USE_TLS - if (tcpconn->type==PROTO_TLS || tcpconn->type==PROTO_WSS) + if (tcpconn->type==PROTO_TLS) tls_close(tcpconn, fd); #endif #ifdef TCP_FD_CACHE @@ -3025,7 +3025,7 @@ inline static void tcpconn_destroy(struct tcp_connection* tcpconn) tcpconn_close_main_fd(tcpconn); tcpconn->flags|=F_CONN_FD_CLOSED; (*tcp_connections_no)--; - if (unlikely(tcpconn->type==PROTO_TLS || tcpconn->type==PROTO_WSS)) + if (unlikely(tcpconn->type==PROTO_TLS)) (*tls_connections_no)--; } _tcpconn_free(tcpconn); /* destroys also the wbuf_q if still present*/ 
@@ -3073,7 +3073,7 @@ inline static int tcpconn_put_destroy(struct tcp_connection* tcpconn) tcpconn_close_main_fd(tcpconn); tcpconn->flags|=F_CONN_FD_CLOSED; (*tcp_connections_no)--; - if (unlikely(tcpconn->type==PROTO_TLS || tcpconn->type==PROTO_WSS)) + if (unlikely(tcpconn->type==PROTO_TLS)) (*tls_connections_no)--; } /* all the flags / ops on the tcpconn must be done prior to decrementing @@ -4509,7 +4509,7 @@ static inline void tcpconn_destroy_all(void) fd=-1; } #ifdef USE_TLS - if (fd>0 && (c->type==PROTO_TLS || c->type==PROTO_WSS)) + if (fd>0 && c->type==PROTO_TLS) tls_close(c, fd); #endif _tcpconn_rm(c); @@ -4522,7 +4522,7 @@ static inline void tcpconn_destroy_all(void) tcp_safe_close(fd); } (*tcp_connections_no)--; - if (unlikely(c->type==PROTO_TLS || c->type==PROTO_WSS)) + if (unlikely(c->type==PROTO_TLS)) (*tls_connections_no)--; c=next; }
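Review bot: dropping `c->type==PROTO_WSS` from the `tls_tcpconn_clean(c)` guards in `_tcpconn_free` and `tcpconn_rm` is only safe if no connection can still reach these functions with type PROTO_WSS and TLS state in `c->extra_data`; otherwise such a connection goes straight to `shm_free(c)` with its TLS state never cleaned, which leaks it. Suggest a short comment at the first of these sites (or in the commit message) stating how WebSocket-over-TLS connections are now typed, so a reader can see why PROTO_WSS no longer needs handling here.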
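Review bot: the same removal in the two `tcpconn_send_put` hunks changes data-path behaviour, not just bookkeeping: a connection still typed PROTO_WSS would skip the `t_buf = buf; t_len = len;` TLS processing loop and the block the comment describes as "the TLS processing and the send must happen atomically", so its payload would be written to the socket without TLS processing. Worth confirming that every TLS-backed connection arrives here as PROTO_TLS before this lands.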
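Review bot: in `tcpconn_destroy`, `tcpconn_put_destroy` and `tcpconn_destroy_all` the `(*tls_connections_no)--` is now done only for PROTO_TLS; the matching increment is outside this diff and must use the same condition, otherwise the counter drifts for WebSocket-over-TLS connections. Minor style point in the `tcpconn_destroy_all` hunk: `fd>0 && c->type==PROTO_TLS` drops the parentheses the other sites keep; consistent spelling of this condition makes it easier to grep for all TLS-specific paths.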
I don't know if that changed anything.
Most likely I have done something silly which I am not finding at this moment.
Whatever, as things work the thread should be marked SOLVED. Though it irks me that I still don't know what went wrong.
Cheers.