[sr-dev] [kamailio/kamailio] fix TLS client config selection based on dst ip and port (#842)

sergey-vb notifications at github.com
Wed Nov 2 07:35:03 CET 2016 

Hi All.

After some try to configure kamailio 4.4.3 to act as SPI TLS client for Cisco SIP TLS gateways I have found one issue.

If I do client configuration for tls

[client:10.1.23.19:5061]
verify_certificate = yes
ca_list = /etc/kamailio/CAs/ca1.pem

[client:10.1.23.29:5061]
verify_certificate = yes
ca_list = /etc/kamailio/CAs/ca2.pem

[client:default]
verify_certificate = no
require_certificate = no

Kamailo always do default profile selection (I do configuration without server_name or server_id, with it kamailio works fine but there are some troubles to make selection of this parameters from
config script, I need additional checks and queries)

after some research in tls module source code I have added some debug information in file tls_server.c:

```
 	if (c->flags & F_CONN_PASSIVE) {
 		state=S_TLS_ACCEPTING;
 		dom = tls_lookup_cfg(cfg, TLS_DOMAIN_SRV,
 								&c->rcv.dst_ip, c->rcv.dst_port, 0, 0);
 	} else {
 		state=S_TLS_CONNECTING;
 		sname = tls_get_connect_server_name();
 		srvid = tls_get_connect_server_id();
// -------------------------------------------------------------
                DBG("Entered client config loockup (c->rcv.dst_port %d)\n", c->rcv.dst_port);
                DBG("Entered client config loockup (&c->rcv.dst_ip %s)\n", ip_addr2a(&c->rcv.dst_ip));
                DBG("Entered client config loockup (c->rcv.src_port %d)\n", c->rcv.src_port);
                DBG("Entered client config loockup (&c->rcv.src_ip %s)\n", ip_addr2a(&c->rcv.src_ip));
// -------------------------------------------------------------
 		dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
						&c->rcv.dst_ip, c->rcv.dst_port, sname, srvid);
	}

```
After making a test call: 
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [parser/msg_parser.c:597]: parse_msg():  method:  <INVITE>
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [parser/msg_parser.c:599]: parse_msg():  uri: <sip:9098 at 10.1.23.19:5061;transport=TLS>
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [parser/msg_parser.c:601]: parse_msg():  version: <SIP/2.0>

I see:

Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 10.1.23.19
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [tcp_main.c:985]: tcpconn_new(): on port 5061, type 3
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: <core> [tcp_main.c:1295]: tcpconn_add(): hashes: 1394:0:0, 1
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:197]: tls_complete_init(): completing tls connection initialization
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:160]: tls_get_connect_server_name(): xavp with outbound server name not found
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:140]: tls_get_connect_server_id(): xavp with outbound server id not found
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:219]: tls_complete_init(): Entered client config loockup (c->rcv.dst_port 40123)
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:220]: tls_complete_init(): Entered client config loockup (&c->rcv.dst_ip 10.1.23.23)
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:221]: tls_complete_init(): Entered client config loockup (c->rcv.src_port 5061)
Oct 26 09:23:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:222]: tls_complete_init(): Entered client config loockup (&c->rcv.src_ip 10.1.23.19)

Where:
**&c->rcv.dst_ip 10.1.23.23** - it is my local kamailio tls socket ip address to make tls connect from
**c->rcv.dst_port 40123** - it is my local kamailio tls socket port
**&c->rcv.src_ip 10.1.23.19** - ip of my TLS device to make tls connection to
**c->rcv.src_port 5061** - port of my TLS device to make tls connection to

so if I change line
```
 		dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
						&c->rcv.dst_ip, c->rcv.dst_port, sname, srvid);
to
```
 ```
		dom = tls_lookup_cfg(cfg, TLS_DOMAIN_CLI,
						&c->rcv.src_ip, c->rcv.src_port, sname, srvid);
```


I got correct client domain selection from tls.cfg:

Oct 26 09:33:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_server.c:233]: tls_complete_init(): Using initial TLS domain TLSc<10.1.23.19:5061> (dom 0x7fd2eefa3d68 ctx 0x7fd2ef7e70a8 sn [])
Oct 26 09:33:56 sip1 /usr/sbin/kamailio[20712]: DEBUG: tls [tls_domain.c:703]: sr_ssl_ctx_info_callback(): SSL handshake started 

You can view, comment on, or merge this pull request online at:

  https://github.com/kamailio/kamailio/pull/842

-- Commit Summary --

  * Merge pull request #3 from kamailio/master
  * modules/tls: fix TLS client config selection based on dst ip and port

-- File Changes --

    M modules/tls/tls_server.c (2)

-- Patch Links --

https://github.com/kamailio/kamailio/pull/842.patch
https://github.com/kamailio/kamailio/pull/842.diff

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/pull/842
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-dev/attachments/20161101/53cf21cf/attachment-0001.html>

More information about the sr-dev mailing list