Hi Daniel.
After some tries at configuring kamailio 4.4.3 to act as a SIP TLS client for Cisco SIP TLS gateways I have found one issue.
If I do the client configuration for tls:
    [client:10.1.23.19:5061]
    verify_certificate = yes
    ca_list = /etc/kamailio/CAs/ca1.pem

    [client:10.1.23.29:5061]
    verify_certificate = yes
    ca_list = /etc/kamailio/CAs/ca2.pem

    [client:default]
    verify_certificate = no
    require_certificate = no
Kamailio always does the default profile selection (I do the configuration without server_name or server_id; with them kamailio works fine, but there is some trouble selecting these parameters from the config script, I need additional checks and queries).
After some research in the tls module source code I have added some debug output in the file tls_server.c:
    if (c->flags & F_CONN_PASSIVE) {
        state = S_TLS_ACCEPTING;
        dom = tls_lookup_cfg(cfg, TLS_DOMAIN_SRV,
                &c->rcv.dst_ip, c->rcv.dst_port, 0, 0);
    } else {
        state = S_TLS_CONNECTING;
        sname = tls_get_connect_server_name();
        srvid = tls_get_connect_server_id();
        // -------------------------------------------------------------
        DBG("Entered client config loockup (c->rcv.dst_port %d)\n", c->rcv.dst_port);
        DBG("Entered client config loockup (&c->rcv.dst_ip %s)\n", ip_addr2a(&c->rcv.dst_ip));
        DBG("Entered client config loockup (c->rcv.src_port %d)\n", c->rcv.src_port);
        DBG("Entered client config loockup (&c->rcv.src_ip %s)\n", ip_addr2a(&c->rcv.src_ip));
        // -------------------------------------------------------------
        dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI, &c->rcv.dst_ip, c->rcv.dst_port, sname, srvid);
    }
After making
    Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [parser/msg_parser.c:597]: parse_msg(): method: <INVITE>
    Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [parser/msg_parser.c:599]: parse_msg(): uri: sip:9098@10.1.23.19:5061;transport=TLS
    Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [parser/msg_parser.c:601]: parse_msg(): version: <SIP/2.0>
I see
    Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 10.1.23.19
    Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [tcp_main.c:985]: tcpconn_new(): on port 5061, type 3
    Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [tcp_main.c:1295]: tcpconn_add(): hashes: 1394:0:0, 1
    Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:197]: tls_complete_init(): completing tls connection initialization
    Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:160]: tls_get_connect_server_name(): xavp with outbound server name not found
    Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:140]: tls_get_connect_server_id(): xavp with outbound server id not found
    Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:219]: tls_complete_init(): Entered client config loockup (c->rcv.dst_port 40123)
    Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:220]: tls_complete_init(): Entered client config loockup (&c->rcv.dst_ip 10.1.23.23)
    Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:221]: tls_complete_init(): Entered client config loockup (c->rcv.src_port 5061)
    Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:222]: tls_complete_init(): Entered client config loockup (&c->rcv.src_ip 10.1.23.19)
Where:
    &c->rcv.dst_ip 10.1.23.23 - it is my local kamailio tls socket ip address to make the tls connection from
    c->rcv.dst_port 40123 - it is my local kamailio tls socket port
    &c->rcv.src_ip 10.1.23.19 - ip of my TLS device to make the tls connection to
    c->rcv.src_port 5061 - port of my TLS device to make the tls connection to
So if I change the line
    dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI, &c->rcv.dst_ip, c->rcv.dst_port, sname, srvid);
to
    dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI, &c->rcv.src_ip, c->rcv.src_port, sname, srvid);
I get the correct client domain selection:
    Oct 26 09:33:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:233]: tls_complete_init(): Using initial TLS domain TLSc<10.1.23.19:5061> (dom 0x7fd2eefa3d68 ctx 0x7fd2ef7e70a8 sn [])
    Oct 26 09:33:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_domain.c:703]: sr_ssl_ctx_info_callback(): SSL handshake started
Can you look at this code?
Thank you in advance.
--
Best regards,
Sergey Basov
e-mail: sergey.v.basov@gmail.com
tel: (+38067) 403-62-54
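As an added illustration of the lookup discussed in the mail above (this is not kamailio's code and is not part of the original message), here is a small C model of a client TLS domain table keyed on (ip, port) with a fallback to the default entry. The names tls_domain_t, cli_lookup, rcv_info_t, lookup_by_dst and lookup_by_src are hypothetical; the table and the connection endpoints are constructed from the [client:...] sections and the debug lines quoted in the mail. It shows the security consequence of keying the lookup on the local socket: the outbound connection to 10.1.23.19:5061 falls through to [client:default], where verify_certificate = no, so the peer's certificate is never checked against ca1.pem, while keying on the remote peer selects the intended profile.

```c
/* Added example, not kamailio code: a simplified model of client TLS domain
 * selection keyed on an (ip, port) pair with a default fallback.  All names
 * here are hypothetical stand-ins for the real tls module structures. */
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *ip;           /* NULL marks the [client:default] entry */
    unsigned short port;
    int verify_certificate;   /* 1 = verify_certificate = yes */
    const char *ca_list;      /* CA file used for verification, if any */
} tls_domain_t;

/* Constructed table mirroring the three [client:...] sections in the mail. */
static const tls_domain_t client_domains[] = {
    { "10.1.23.19", 5061, 1, "/etc/kamailio/CAs/ca1.pem" },
    { "10.1.23.29", 5061, 1, "/etc/kamailio/CAs/ca2.pem" },
    { NULL,         0,    0, NULL },  /* [client:default]: verify_certificate = no */
};

/* Return the client domain matching (ip, port), else the default entry. */
const tls_domain_t *cli_lookup(const char *ip, unsigned short port)
{
    size_t n = sizeof(client_domains) / sizeof(client_domains[0]);
    for (size_t i = 0; i < n; i++) {
        const tls_domain_t *d = &client_domains[i];
        if (d->ip != NULL && strcmp(d->ip, ip) == 0 && d->port == port)
            return d;
    }
    return &client_domains[n - 1];   /* last entry is [client:default] */
}

/* Stand-in for the connection's receive info.  For an outbound connection
 * the debug lines in the mail show src = remote peer, dst = local socket. */
typedef struct {
    const char *src_ip; unsigned short src_port;
    const char *dst_ip; unsigned short dst_port;
} rcv_info_t;

/* Lookup as in the original code: keyed on dst, i.e. the local socket. */
const tls_domain_t *lookup_by_dst(const rcv_info_t *rcv)
{
    return cli_lookup(rcv->dst_ip, rcv->dst_port);
}

/* Lookup as in the proposed change: keyed on src, i.e. the remote peer. */
const tls_domain_t *lookup_by_src(const rcv_info_t *rcv)
{
    return cli_lookup(rcv->src_ip, rcv->src_port);
}

int main(void)
{
    /* Constructed from the debug output: local 10.1.23.23:40123 connecting
     * to the gateway at 10.1.23.19:5061. */
    rcv_info_t rcv = { "10.1.23.19", 5061, "10.1.23.23", 40123 };
    const tls_domain_t *by_dst = lookup_by_dst(&rcv);
    const tls_domain_t *by_src = lookup_by_src(&rcv);
    printf("dst-keyed lookup: verify_certificate=%d ca_list=%s\n",
           by_dst->verify_certificate, by_dst->ca_list ? by_dst->ca_list : "(none)");
    printf("src-keyed lookup: verify_certificate=%d ca_list=%s\n",
           by_src->verify_certificate, by_src->ca_list ? by_src->ca_list : "(none)");
    return 0;
}
```

The dst-keyed lookup reports verify_certificate=0 with no CA list, which is the silent downgrade the mail's "default profile selection" observation implies; the src-keyed lookup reports verify_certificate=1 with ca1.pem. A practitioner checking a deployment for this behaviour can confirm it from the "Using initial TLS domain TLSc<...>" debug line quoted in the mail, which names the selected domain.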
Hello,
can you open a pull request on github with the patch you propose for the fix?
- https://github.com/kamailio/kamailio
It is easier to review, and travis-ci will take care of compiling the patch and making sure it doesn't break the latest master version.
Cheers, Daniel
On 26/10/16 08:59, Sergey Basov wrote:
Hi Daniel,
I have just created a pull request for this change:
https://github.com/kamailio/kamailio/pull/842
--
Best regards,
Sergey Basov
e-mail: sergey.v.basov@gmail.com
tel: (+38067) 403-62-54
2016-11-01 12:09 GMT+02:00 Daniel-Constantin Mierla miconda@gmail.com:
Hello,
thanks, I will review it there.
Cheers, Daniel
On 02/11/16 07:37, Sergey Basov wrote:
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Kamailio Advanced Training, Berlin, Nov 28-30, 2016 - http://www.asipto.com