Hello Kamailio!
I'm setting up a Kamailio server where it will receive SIP TLS connections from Zoom.
Kamailio is closing TLS connections with an error stating "SSL routines::no shared cipher (sni: unknown)" as below:
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: tls [tls_server.c:270]: tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7fbcd1e9dac8 ctx 0x7fbcd2229258 sn [])
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: tls [tls_domain.c:1018]: tls_server_name_cb(): SSL_get_servername returned NULL: return SSL_TLSEXT_ERR_NOACK
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core> [core/tcp_main.c:2845]: tcpconn_do_send(): sending...
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core> [core/tcp_main.c:2881]: tcpconn_do_send(): after real write: c= 0x7fbcd3cb85d0 n=7 fd=8
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core> [core/tcp_main.c:2882]: tcpconn_do_send(): buf=
Sep 18 13:28:02 dalia kamailio[18529]: [3B blob data]
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) ERROR: tls [tls_server.c:1312]: tls_h_read_f(): protocol level error
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) ERROR: tls [tls_util.h:49]: tls_err_ret(): TLS accept:error:0A0000C1:SSL routines::no shared cipher (sni: unknown)
I did a tcpdump trace to check the ciphers Zoom are using in the TLS Client Hello; there are 4 and they are supported by OpenSSL on TLSv1.2, BUT there is no server_name extension in the Client Hello.
Is this related to Kamailio refusing the connection because there is no server_name in the Client Hello, or something else? If yes, can it be forced to accept TLS connections without server_name specified?
my tls.cfg file is below
[server:default]
method = TLSv1.2
verify_certificate = no
require_certificate = no
private_key = /etc/kamailio/key.pem
certificate = /etc/kamailio/certificate.pem
ca_list = /etc/ssl/certs/ca-certificates.crt
ca_path = /etc/ssl/certs

[client:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
Hello,
the error message indicates that the problem is related to the cipher support. Did you already compare the list of supported ciphers from the Zoom side and your side, e.g. with the methods listed here:
https://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suit...
Cheers,
Henning
--
Henning Westerholt - https://skalatan.de/blog/
Kamailio services - https://gilawa.com/

From: Mahmood Alkhalil via sr-users <sr-users@lists.kamailio.org>
Sent: Wednesday, 18 September 2024 13:33
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Cc: Mahmood Alkhalil <mahmood.alkhalil@outlook.com>
Subject: [SR-Users] sni:unknown error in logs
From the Zoom side, they are sending the below cipher suites in their Client Hello when they initiate a connection request to my Kamailio node. As for my Kamailio node, I set the tls.cfg cipher_list to cipher_list = ALL:eNULL.
I think the ALL suite covers the cipher suites requested by Zoom (which are part of TLS 1.2), or am I missing something? (I am not very aware of TLS 😅)
[inline image attachment: the cipher suites from Zoom's Client Hello; not preserved in the archive]
Mahmood Alkhalil

From: Henning Westerholt <hw@gilawa.com>
Sent: Wednesday, September 18, 2024 4:44 PM
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Cc: Mahmood Alkhalil <mahmood.alkhalil@outlook.com>
Subject: RE: sni:unknown error in logs
So I was using a Let's Encrypt certificate, changed to another provider and it worked, not sure why.

From: Mahmood Alkhalil <mahmood.alkhalil@outlook.com>
Sent: Wednesday, September 18, 2024 4:56:33 PM
To: Henning Westerholt <hw@gilawa.com>; Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Subject: Re: sni:unknown error in logs
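Two points in this thread deserve a check that the messages themselves do not make. First, the "(sni: unknown)" suffix only reports that the Client Hello carried no server_name: Kamailio's servername callback returns SSL_TLSEXT_ERR_NOACK in that case (the DEBUG line just above the error shows it), and OpenSSL treats that return as "continue with the default context", not as a reason to abort. Second, OpenSSL raises "no shared cipher" not only when the two cipher strings have no overlap, but also when every suite the client offers needs a key type the server certificate does not have: RSA-authenticated suites such as ECDHE-RSA-AES128-GCM-SHA256 or AES128-GCM-SHA256 cannot be used with an ECDSA certificate, whatever cipher_list says. That fits the last message, where a certificate from another provider made the handshake work; certbot 2.x requests ECDSA keys for Let's Encrypt certificates by default, so an ECDSA certificate on the Kamailio side is a plausible cause, although the thread does not confirm it. The script below is an added example, not code from the thread or from the Kamailio project. It assumes an openssl CLI (1.1.1 or 3.x) and a free local TCP port, and its four-suite client list is a constructed stand-in for Zoom's list, which survives only as an image. It implements the cipher-list comparison Henning suggests, counts the unencrypted and unauthenticated suites that ALL:eNULL turns on, and then reproduces both outcomes against a local openssl s_server, with -noservername to mirror the SNI-less Client Hello.

```shell
#!/bin/sh
# Added example for the thread above; not code from the mailing list or from Kamailio.
# Assumes: an openssl CLI (1.1.1 or 3.x) on PATH and a free TCP port $PORT on 127.0.0.1.
# Zoom's real cipher list was an inline image the archive does not preserve, so
# CLIENT_CIPHERS is a constructed stand-in: four RSA-authenticated TLS 1.2 suites.
set -u

PORT="${PORT:-42443}"
CLIENT_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256'

# Expand an OpenSSL cipher string to one TLS 1.2 suite name per line. openssl(1)
# always appends the TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...); they are
# dropped here because "method = TLSv1.2" in tls.cfg pins the server to TLS 1.2.
expand_ciphers() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -v '^TLS_'
}

# Number of suites a server cipher string ($1) and a client list ($2) have in
# common: the comparison Henning suggests. Zero here explains "no shared cipher";
# a non-zero value does not rule it out (see try_handshake).
shared_cipher_count() {
    server_list=$(expand_ciphers "$1")
    n=0
    for c in $(expand_ciphers "$2"); do
        if printf '%s\n' "$server_list" | grep -qxF "$c"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Number of suites in a cipher string with no encryption (eNULL: *-NULL-*) or no
# server authentication (aNULL: ADH-*, AECDH-*). "ALL:eNULL" enables both
# families; only OpenSSL's security level keeps them out of a real handshake.
insecure_cipher_count() {
    expand_ciphers "$1" | grep -c -e NULL -e '^ADH-' -e '^AECDH-' || true
}

# Self-signed certificate with an "rsa" or "ec" (P-256) key, written to $2/.
make_cert() {
    case "$1" in
        rsa) keyopt='-newkey rsa:2048' ;;
        ec)  keyopt='-newkey ec -pkeyopt ec_paramgen_curve:prime256v1' ;;
        *)   echo "make_cert: unknown key type '$1'" >&2; return 1 ;;
    esac
    mkdir -p "$2"
    # $keyopt is unquoted on purpose: it must be word-split into options.
    openssl req -x509 -nodes -days 1 -subj '/CN=sip.example.test' $keyopt \
        -keyout "$2/key.pem" -out "$2/cert.pem" >/dev/null 2>&1
}

# One TLS 1.2 handshake against a throw-away openssl s_server configured like the
# tls.cfg in the thread (TLS 1.2 only, cipher string ALL:eNULL, certificate from
# $1/). The client offers only the suites in $2 and, like Zoom's Client Hello in
# the thread, sends no server_name extension (-noservername). Prints the
# negotiated suite and returns 0, or prints the client-side error and returns 1.
try_handshake() {
    openssl s_server -accept "$PORT" -cert "$1/cert.pem" -key "$1/key.pem" \
        -tls1_2 -cipher 'ALL:eNULL' -naccept 1 -quiet >/dev/null 2>&1 &
    srv=$!
    sleep 1
    out=$(openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -noservername \
        -cipher "$2" </dev/null 2>&1 || true)
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    # Success prints "New, TLSv1.2, Cipher is <suite>"; failure prints "Cipher is (NONE)".
    suite=$(printf '%s\n' "$out" | sed -n 's/.*Cipher is \([A-Z0-9-]*\).*/\1/p' | head -n 1)
    if [ -n "$suite" ]; then
        echo "$suite"
        return 0
    fi
    printf '%s\n' "$out" | grep 'error:' | head -n 1
    return 1
}

# Usage: sh tls_cipher_check.sh demo
if [ "${1:-}" = 'demo' ]; then
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    echo "NULL/anonymous suites enabled by ALL:eNULL: $(insecure_cipher_count 'ALL:eNULL')"
    echo "suites shared with the client list: $(shared_cipher_count 'ALL:eNULL' "$CLIENT_CIPHERS")"
    for kt in rsa ec; do
        make_cert "$kt" "$work/$kt"
        echo "$kt certificate, RSA-only client: $(try_handshake "$work/$kt" "$CLIENT_CIPHERS")"
    done
    echo "ec certificate, ECDSA client: $(try_handshake "$work/ec" 'ECDHE-ECDSA-AES128-GCM-SHA256')"
fi
```

Run it with `sh tls_cipher_check.sh demo`. With a stock OpenSSL the RSA certificate negotiates ECDHE-RSA-AES256-GCM-SHA384 against the constructed client list, the EC certificate fails against the same list with a handshake_failure alert on the client side (the "no shared cipher" text is logged by the server, which is why it shows up in Kamailio's log and not at the peer), and the EC certificate succeeds as soon as the client offers an ECDHE-ECDSA suite, all without SNI. If the Zoom side really offers only RSA-authenticated suites, a certificate with an RSA key is the matching fix; independently of that, a cipher_list of ALL:eNULL should be replaced by an explicit allow-list without eNULL and aNULL, since the NULL and anonymous suites are currently held back only by OpenSSL's security level.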