Discussion:
[SR-Users] Support for TLS server_name extension (aka SNI=server name indication)
Barry Flanagan
2014-08-29 13:25:36 UTC
Hi,

Back in Kamailio 1.5, the release notes state:

"support for TLS server_name extension (aka SNI=server name indication)"

However, I cannot find any indication of this in the current TLS docs, and
trying to set tls_server_name or server_name in tls.cfg fails with
"unsupported option".

Is this actually supported?

Thanks.

-Barry Flanagan
Daniel-Constantin Mierla
2014-08-29 14:11:26 UTC
Hello,

starting with 3.0 we got the implementation from SER at that time (being
more flexible with config and later getting asynchronous support).

A quick grep in the sources shows things related to server_name, but
apparently it is just for accessing them via cfg selects.

I cc-ed Jan who is author of some commits related to server name and
Klaus who did the patch for old kamailio -- maybe they remember how far
it got with server name implementation and if it got at least the parts
from old kamailio to 3.0.

Cheers,
Daniel
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda
Next Kamailio Advanced Trainings 2014 - http://www.asipto.com
Sep 22-25, Berlin, Germany ::: Oct 15-17, San Francisco, USA
Klaus Darilion
2014-09-02 13:57:41 UTC
Indeed, currently Kamailio does not support SNI (was dropped with ser merge)

Klaus
Daniel-Constantin Mierla
2014-09-02 14:49:25 UTC
Hi Klaus,

thanks for updating on the status.

Do you remember what implied to add support for SNI?

It should be brought back if we lost it. Maybe you can adapt the old
patch if it is not something that complex and you have time to look at it.
Otherwise, any further details about what you had to do in the past
would help to add support for it again.

Daniel
Klaus Darilion
2014-09-02 15:01:43 UTC
Adding SNI was rather easy. I used the original SNI patch for Apache and
copy-pasted this patch into Kamailio. We could do this again, but this
patch does not have any license details, thus I would recommend to not
do it. Unfortunately I haven't found proper SNI API description of
libssl. Maybe we can find some software with SNI support and BSD license
and then copy/paste the code.

regards
Klaus
James Cloos
2014-09-03 00:28:13 UTC
KD> Maybe we can find some software with SNI support and BSD license
KD> and then copy/paste the code.

nginx is a possibility.

-JimC
--
James Cloos <cloos-GRsvFm/Gh/***@public.gmane.org> OpenPGP: 0x997A9F17ED7DAEA6