Discussion:
[sr-dev] [kamailio/kamailio] TLS: same TLSc is used for different outbound connection when it is switched with tls_set_connect_server_id() (#2760)
arkadiam
2021-06-03 16:56:15 UTC
### Description

Thank you for implementing #2413, I'm looking forward to using it.

I was trying it on a dev system. It works fine when the same TLS client needs to be selected for ALL connections.

I'm having an issue with it when the connection is expected to alternate between multiple configured TLS clients.
When configured as below and the event_route alternates between connections (as in the logs below), the connection always uses the TLSc with one of the server-ids, e.g. "domain-02".

It looks like it's a race between setting server id in event_route and a "thread" that starts TLS client. In my observations only one TLS client is used.

Expected: each outbound connection uses the TLSc as it was set by tls_set_connect_server_id().

```
event_route[tm:local-request] {
    if (is_method("OPTIONS")) {
        $var(contact) = "Contact: <sip:" + $fd + ":5061;transport=tls>\r\n";
        append_hf("$var(contact)");

        if ($fd == "domain-01") {
            tls_set_connect_server_id("domain-01");
            xlog("L_INFO", "ID=$ci|tls_set_connect_server_id(domain-01)\n");
        } else if ($fd == "domain-02") {
            tls_set_connect_server_id("domain-02");
            xlog("L_INFO", "ID=$ci|tls_set_connect_server_id(domain-02)\n");
        }
    }
}
```

Dispatcher configured as:
```
loadmodule "dispatcher.so"
modparam("dispatcher", "list_file", "/etc/kamailio/dispatcher.list")
modparam("dispatcher", "ds_probing_mode", 1)
modparam("dispatcher", "ds_ping_interval", 60)
```
With records like:
```
1 sip:sip1.host.com;transport=tls 0 1 socket=tls:111.222.233.11:5061;ping_from=sip:my-domain-01.com
1 sip:sip2.host.com;transport=tls 0 2 socket=tls:111.222.233.12:5061;ping_from=sip:my-domain-01.com
1 sip:sip3.host.com;transport=tls 0 3 socket=tls:111.222.233.13:5061;ping_from=sip:my-domain-01.com
2 sip:sip1.host.com;transport=tls 0 1 socket=tls:111.222.233.21:5061;ping_from=sip:my-domain-02.com
2 sip:sip2.host.com;transport=tls 0 2 socket=tls:111.222.233.22:5061;ping_from=sip:my-domain-02.com
2 sip:sip3.host.com;transport=tls 0 3 socket=tls:111.222.233.23:5061;ping_from=sip:my-domain-02.com
```

#### Log Messages

```
Jun 3 11:57:44 INFO: <script>: ID=4eadda397f10fcb1-***@1.2.3.4|tls_set_connect_server_id(domain-02)
Jun 3 11:57:44 INFO: <script>: ID=4eadda397f10fcb2-***@1.2.3.4|tls_set_connect_server_id(domain-01)
Jun 3 11:57:44 INFO: <script>: ID=4eadda397f10fcb3-***@1.2.3.4|tls_set_connect_server_id(domain-02)
Jun 3 11:57:44 INFO: <script>: ID=4eadda397f10fcb4-***@1.2.3.4|tls_set_connect_server_id(domain-01)
Jun 3 11:57:44 INFO: <script>: ID=4eadda397f10fcb5-***@1.2.3.4|tls_set_connect_server_id(domain-02)
Jun 3 11:57:44 INFO: <script>: ID=4eadda397f10fcb6-***@1.2.3.4|tls_set_connect_server_id(domain-01)

```

### Additional Information

* **Kamailio Version** - output of `kamailio -v`

```
version: kamailio 5.5.0 (x86_64/linux)
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 7.5.0
```

* **Operating System**:

```
Linux dev03 4.15.0-143-generic #147-Ubuntu SMP Wed Apr 14 16:10:11 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Ubuntu 18.04.5 LTS
```
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2760
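One way to verify the behaviour the report describes, as an added example (not Kamailio project code): parse dispatcher.list records in the format shown above, derive from ping_from which tls server_id each ping socket should select, and flag observed connections that used a different profile. The $fd-to-server_id mapping and the observed (socket, server_id) pairs are constructed assumptions.

```python
from collections import namedtuple

# Records in dispatcher.list format (setid, URI, flags, priority, attrs), taken from the report.
DISPATCHER_LIST = """\
1 sip:sip1.host.com;transport=tls 0 1 socket=tls:111.222.233.11:5061;ping_from=sip:my-domain-01.com
1 sip:sip2.host.com;transport=tls 0 2 socket=tls:111.222.233.12:5061;ping_from=sip:my-domain-01.com
2 sip:sip1.host.com;transport=tls 0 1 socket=tls:111.222.233.21:5061;ping_from=sip:my-domain-02.com
"""

# Assumption: the From domain ($fd) taken from ping_from selects this tls server_id,
# mirroring the branches of the event_route in the report (names are placeholders).
SERVER_ID_FOR_FROM_DOMAIN = {"my-domain-01.com": "domain-01", "my-domain-02.com": "domain-02"}

# socket: local tls:ip:port the ping leaves from; ping_from: sip: URI used as From.
Destination = namedtuple("Destination", "setid uri socket ping_from")

def parse_dispatcher_list(text):
    """Parse non-empty, non-comment lines; attrs are ';'-separated key=value pairs."""
    dests = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        attrs = dict(a.split("=", 1) for a in parts[4].split(";")) if len(parts) > 4 else {}
        dests.append(Destination(int(parts[0]), parts[1],
                                 attrs.get("socket", ""), attrs.get("ping_from", "")))
    return dests

def sip_host(uri):
    """Host of sip:[user@]host[:port][;params]; IPv6 literals are not handled."""
    hostport = uri.split(":", 1)[1].split(";", 1)[0].rsplit("@", 1)[-1]
    return hostport.split(":", 1)[0]

def expected_server_ids(dests, mapping):
    """Map each local socket to the server_id its ping_from domain should select."""
    return {d.socket: mapping[sip_host(d.ping_from)] for d in dests if d.ping_from}

def find_mismatches(expected, observed):
    """observed: (local_socket, server_id actually used) pairs, e.g. read off the SNI
    or client certificate in captured handshakes. Returns (socket, used, expected)."""
    return [(sock, used, expected[sock]) for sock, used in observed
            if sock in expected and used != expected[sock]]

# Constructed observations reproducing the reported symptom: every connection on "domain-02".
OBSERVED = [("tls:111.222.233.11:5061", "domain-02"), ("tls:111.222.233.21:5061", "domain-02")]

if __name__ == "__main__":
    exp = expected_server_ids(parse_dispatcher_list(DISPATCHER_LIST), SERVER_ID_FOR_FROM_DOMAIN)
    for sock, used, want in find_mismatches(exp, OBSERVED):
        print(f"{sock}: used {used}, expected {want}")
```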
Tim Chubb
2021-06-03 18:06:10 UTC
I was halfway through writing a less detailed version of a very similar issue I am having too: having to send OPTIONS presenting a specific servername and cert.

Same environment as well (Ubuntu 18.04, Kamailio 5.5.0).

I have noticed that the xavp SNI settings seem to only work on one thread as well if you loop the message back and set them via request_route.
https://github.com/kamailio/kamailio/issues/2760#issuecomment-854073385
Tim Chubb
2021-06-04 08:03:37 UTC
@arkadiam Pretty sure we are both trying to do the same thing, judging by your dispatcher and routing config: multi-domain telephony integration with a cloud comms platform?

It's frustrating that SNI is being flaky, as it works very nicely if you have a single cert with multiple SANs defined, but that is less than ideal from a management point of view (though it doesn't seem to have the performance hit that loading multiple certs has, #2312).

For the sake of completeness, my virtually identical config is as follows:
```
event_route[tm:local-request] {
    if (is_method("OPTIONS") && $ru =~ "vendor.com") {
        xlogl("L_INFO", "Dispatcher Pinging ruri: $ru turi: $tu furi: $fu");
        append_hf("Contact: <sip:$fd:5061;transport=tls>\r\n");
        tls_set_connect_server_id($fd);
        xlogl("L_INFO", "SNI ID: $fd");
    }
}
```
https://github.com/kamailio/kamailio/issues/2760#issuecomment-854463465