So I was using a Let's Encrypt certificate, changed to another provider and it worked, not sure
why..
________________________________
From: Mahmood Alkhalil <mahmood.alkhalil(a)outlook.com>
Sent: Wednesday, September 18, 2024 4:56:33 PM
To: Henning Westerholt <hw(a)gilawa.com>; Kamailio (SER) - Users Mailing List
<sr-users(a)lists.kamailio.org>
Subject: Re: sni:uknown error in logs
From Zoom side, they are sending the below cipher suite when they initiate connection
request to my kamailio node in their Client Hello
As for my kamailio node, I set the tls.cfg cipher_list to cipher_list = ALL:eNULL.
I think the ALL suite covers the cipher suite requested by Zoom (which is part of TLS 1.2),
or am I missing something? (I am not very aware of TLS 😅)
Mahmood Alkhalil.
________________________________
From: Henning Westerholt <hw(a)gilawa.com>
Sent: Wednesday, September 18, 2024 4:44 PM
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
Cc: Mahmood Alkhalil <mahmood.alkhalil(a)outlook.com>
Subject: RE: sni:uknown error in logs
Hello,
the error message indicates that the problem is related to the cipher support.
Did you already compare the list of supported ciphers from the Zoom side and your side,
e.g. with the methods listed here:
https://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-sui…
Cheers,
Henning
--
Henning Westerholt –
https://skalatan.de/blog/
Kamailio services –
https://gilawa.com
From: Mahmood Alkhalil via sr-users <sr-users(a)lists.kamailio.org>
Sent: Wednesday, 18 September 2024 13:33
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
Cc: Mahmood Alkhalil <mahmood.alkhalil(a)outlook.com>
Subject: [SR-Users] sni:uknown error in logs
Hello Kamailio!
I'm setting up a kamailio server where it will receive SIP TLS connections from
Zoom.
kamailio is closing TLS connections with an error stating "SSL routines::no shared
cipher (sni: unknown)" as below
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: tls [tls_server.c:270]:
tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7fbcd1e9dac8 ctx
0x7fbcd2229258 sn [])
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: tls [tls_domain.c:1018]:
tls_server_name_cb(): SSL_get_servername returned NULL: return SSL_TLSEXT_ERR_NOACK
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core>
[core/tcp_main.c:2845]: tcpconn_do_send(): sending...
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core>
[core/tcp_main.c:2881]: tcpconn_do_send(): after real write: c= 0x7fbcd3cb85d0 n=7 fd=8
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) DEBUG: <core>
[core/tcp_main.c:2882]: tcpconn_do_send(): buf=
Sep 18 13:28:02 dalia kamailio[18529]: [3B blob data]
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) ERROR: tls [tls_server.c:1312]:
tls_h_read_f(): protocol level error
Sep 18 13:28:02 dalia kamailio[18529]: 9(18529) ERROR: tls [tls_util.h:49]:
tls_err_ret(): TLS accept:error:0A0000C1:SSL routines::no shared cipher (sni: unknown)
I did a tcpdump trace to check the ciphers Zoom is using in the TLS client hello, and there
are 4 and they are supported by openssl on TLSv1.2, BUT there is no server_name extension in
the client hello.
Is this related to kamailio refusing the connection because there is no server_name in the
client hello, or something else? If yes, can it be forced to accept TLS connections without
server_name specified?
my tls.cfg file is below
[server:default]
method = TLSv1.2
verify_certificate = no
require_certificate = no
private_key = /etc/kamailio/key.pem
certificate = /etc/kamailio/certificate.pem
ca_list = /etc/ssl/certs/ca-certificates.crt
ca_path = /etc/ssl/certs
[client:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
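The check described in this post (reading the cipher suites and the server_name extension out of the peer's ClientHello) can be done offline on a captured record. The following is an added example, not code from the thread or from Kamailio; it parses a raw TLS ClientHello and reports the offered suites as IANA code points plus the SNI host name, if any. The `build_client_hello` helper only constructs test input (no real handshake) so the parser can be exercised without a capture.

```python
import struct

def parse_client_hello(data: bytes) -> dict:
    """Return {'version': str, 'cipher_suites': [int], 'sni': str | None}."""
    # TLS record header: type(1) version(2) length(2); 0x16 = handshake
    if data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    # Handshake header: msg_type(1) length(3); 0x01 = ClientHello
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4
    client_version = "%d.%d" % (body[pos], body[pos + 1])   # 3.3 == TLS 1.2
    pos += 2 + 32                                  # skip legacy_version and random
    sid_len = body[pos]; pos += 1 + sid_len        # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len      # skip compression methods
    sni = None
    if pos + 2 <= len(body):                       # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            if etype == 0:                         # server_name extension (RFC 6066)
                # payload: list_len(2) name_type(1) name_len(2) host_name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                sni = body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"version": client_version, "cipher_suites": suites, "sni": sni}

def build_client_hello(suites, sni=None) -> bytes:
    """Constructed test input: a minimal TLS 1.2 ClientHello (zero random, no real crypto)."""
    hello = b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
    hello += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    hello += b"\x01\x00"                           # one compression method: null
    if sni is not None:
        name = sni.encode("ascii")
        sn = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
        ext = struct.pack("!HH", 0, len(sn) + 2) + struct.pack("!H", len(sn)) + sn
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello            # handshake: ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record header

if __name__ == "__main__":
    print(parse_client_hello(build_client_hello([0xC02F, 0xC030, 0x009C, 0x009D])))
```

A ClientHello with no server_name extension yields `sni: None`, which matches the "(sni: unknown)" the log shows; the suites list is what to compare against the `cipher_list` in tls.cfg.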