
No SNI (Server Name Indication) Extension Added When Sending Requests to Other Servers from opensips proxy #3529

Open
elsaid25 opened this issue Nov 26, 2024 · 0 comments

Comments

@elsaid25

OpenSIPS version
version: opensips 3.5.2 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.

Issue description
We are encountering an issue where OpenSIPS (acting as a SIP proxy) is not adding the SNI (Server Name Indication) extension in the SSL/TLS handshake when sending requests to other SIP servers. This is problematic because many servers require the SNI to be set in the SSL/TLS handshake in order to route the request to the correct server instance. Without this, the request may fail, or it might be routed to an incorrect server.
In Wireshark I see that the OpenSIPS proxy sends a TLS Hello to our server without including the SNI extension.

To Reproduce

  • Configure OpenSIPS as a SIP proxy.
  • Set up OpenSIPS to route SIP requests (e.g., INVITE, REGISTER) to a remote SIP server over TLS.
  • Ensure the remote SIP server is configured to require SNI for correct routing.
  • Send a SIP request from OpenSIPS to the remote server.

Expected behavior
When OpenSIPS sends a TLS handshake to the remote SIP server, it should include the SNI extension in the handshake. This would allow the server to route the request to the correct virtual host.

System Logs

  • When using the OpenSSL library
    ERROR:tls_openssl:openssl_tls_connect: New TLS connection to X.X.X.X:5061 failed
    ERROR:tls_openssl:openssl_tls_connect: TLS error: 1 (ret=-1) err=Success(0)
    ERROR:tls_openssl:tls_print_errstack: TLS errstack: error:0A000126:SSL routines::unexpected eof while reading
    ERROR:proto_tls:proto_tls_send: failed to send
    ERROR:tm:msg_send: send() to X.X.X.X:5061 for proto tls/3 failed
    ERROR:tm:t_forward_nonack: sending request failed
    ERROR:core:warning_builder: buffer size exceeded
    WARNING:core:build_res_buf_from_sip_req: warning skipped -- too big
  • When using the wolfSSL library
    ERROR:tls_wolfssl:_wolfssl_tls_connect: New TLS connection to X.X.X.X:5061 failed
    ERROR:tls_wolfssl:_wolfssl_tls_connect: TLS connect error: -308, error state on socket
    ERROR:proto_tls:proto_tls_send: failed to send
    ERROR:tm:msg_send: send() to X.X.X.X:5061 for proto tls/3 failed
    ERROR:tm:t_forward_nonack: sending request failed
    ERROR:core:warning_builder: buffer size exceeded
    WARNING:core:build_res_buf_from_sip_req: warning skipped -- too big

Configuration file
udp_workers= 4
tcp_workers= 4

socket=udp:192.168.2.11:5060
socket=tls:192.168.2.11:5062

loadmodule "signaling.so"
loadmodule "sl.so"
loadmodule "tm.so"
modparam("tm", "fr_timeout", 10)
modparam("tm", "fr_inv_timeout", 30)
modparam("tm", "restart_fr_on_each_reply", 0)
modparam("tm", "onreply_avp_mode", 1)
loadmodule "rr.so"
modparam("rr", "append_fromtag", 0)

loadmodule "proto_udp.so"
loadmodule "proto_tcp.so"

#loadmodule "tls_openssl.so"
loadmodule "tls_wolfssl.so"
loadmodule "proto_tls.so"

loadmodule "tls_mgm.so"
modparam("tls_mgm", "tls_library", "wolfssl")

#server domain
modparam("tls_mgm","server_domain","sv_dom") # Define a TLS domain for a specific hostname or IP
modparam("tls_mgm", "match_ip_address", "[sv_dom]")
modparam("tls_mgm", "match_sip_domain", "[sv_dom]")
modparam("tls_mgm", "verify_cert", "[sv_dom]0")
modparam("tls_mgm", "require_cert", "[sv_dom]0")
modparam("tls_mgm", "tls_method", "[sv_dom]TLSv1_2-")
modparam("tls_mgm", "certificate","[sv_dom]/etc/opensips/tls/user/certificate.pem")
modparam("tls_mgm", "private_key","[sv_dom]/etc/opensips/tls/user/key.pem")
modparam("tls_mgm", "ca_list","[sv_dom]/etc/opensips/tls/user/user-calist.pem")

#Client domain
modparam("tls_mgm", "client_sip_domain_avp", "sip_test")
modparam("tls_mgm", "client_domain", "clt_dom")
modparam("tls_mgm", "match_sip_domain", "[clt_dom]")
modparam("tls_mgm", "match_ip_address", "[clt_dom]")
modparam("tls_mgm", "verify_cert", "[clt_dom]0")
modparam("tls_mgm", "require_cert", "[clt_dom]0")
modparam("tls_mgm", "tls_method", "[clt_dom]TLSv1_2-")
modparam("tls_mgm", "certificate", "[clt_dom]/etc/opensips/tls/user/certificate.pem")
modparam("tls_mgm", "private_key", "[clt_dom]/etc/opensips/tls/user/certificate.pem")
modparam("tls_mgm", "ca_list","[clt_dom]/etc/opensips/tls/user/user-calist.pem")

route {
    if (is_method("REGISTER")) {
        if (!lookup("location")) {
            t_relay("allow-no-cancel","tls:my.servername.com:5061");
            exit;
        }
        t_relay();
        exit;
    }
}

Thanks in advance for your help!

@elsaid25 elsaid25 changed the title [BUG] No SNI (Server Name Indication) Extension Added When Sending Requests to Other Servers from opensips proxy Nov 26, 2024