Issue description
We are encountering an issue where OpenSIPS (acting as a SIP proxy) is not adding the SNI (Server Name Indication) extension in the SSL/TLS handshake when sending requests to other SIP servers. This is problematic because many servers require the SNI to be set in the SSL/TLS handshake in order to route the request to the correct server instance. Without this, the request may fail, or it might be routed to an incorrect server.
In Wireshark I see that the OpenSIPS proxy sends the TLS Hello to our server without including the SNI extension.
To Reproduce
Configure OpenSIPS as a SIP proxy.
Set up OpenSIPS to route SIP requests (e.g., INVITE, REGISTER) to a remote SIP server over TLS.
Ensure the remote SIP server is configured to require SNI for correct routing.
Send a SIP request from OpenSIPS to the remote server.
Expected behavior
When OpenSIPS sends a TLS handshake to the remote SIP server, it should include the SNI extension in the handshake. This would allow the server to route the request to the correct virtual host.
System Logs
When using the openssl library
ERROR:tls_openssl:openssl_tls_connect: New TLS connection to X.X.X.X:5061 failed
ERROR:tls_openssl:openssl_tls_connect: TLS error: 1 (ret=-1) err=Success(0)
ERROR:tls_openssl:tls_print_errstack: TLS errstack: error:0A000126:SSL routines::unexpected eof while reading
ERROR:proto_tls:proto_tls_send: failed to send
ERROR:tm:msg_send: send() to X.X.X.X:5061 for proto tls/3 failed
ERROR:tm:t_forward_nonack: sending request failed
ERROR:core:warning_builder: buffer size exceeded
WARNING:core:build_res_buf_from_sip_req: warning skipped -- too big
When using the wolfssl library
ERROR:tls_wolfssl:_wolfssl_tls_connect: New TLS connection to X.X.X.X:5061 failed
ERROR:tls_wolfssl:_wolfssl_tls_connect: TLS connect error: -308, error state on socket
ERROR:proto_tls:proto_tls_send: failed to send
ERROR:tm:msg_send: send() to X.X.X.X:5061 for proto tls/3 failed
ERROR:tm:t_forward_nonack: sending request failed
ERROR:core:warning_builder: buffer size exceeded
WARNING:core:build_res_buf_from_sip_req: warning skipped -- too big
elsaid25 changed the title from "[BUG]" to "No SNI (Server Name Indication) Extension Added When Sending Requests to Other Servers from opensips proxy" on Nov 26, 2024
Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days.
OpenSIPS version
version: opensips 3.5.2 (x86_64/linux)
flags: STATS: On, DISABLE_NAGLE, USE_MCAST, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, HP_MALLOC, DBG_MALLOC, FAST_LOCK-ADAPTIVE_WAIT
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535
poll method support: poll, epoll, sigio_rt, select.
Configuration file
udp_workers= 4
tcp_workers= 4
socket=udp:192.168.2.11:5060
socket=tls:192.168.2.11:5062
loadmodule "signaling.so"
loadmodule "sl.so"
loadmodule "tm.so"
modparam("tm", "fr_timeout", 10)
modparam("tm", "fr_inv_timeout", 30)
modparam("tm", "restart_fr_on_each_reply", 0)
modparam("tm", "onreply_avp_mode", 1)
loadmodule "rr.so"
modparam("rr", "append_fromtag", 0)
loadmodule "proto_udp.so"
loadmodule "proto_tcp.so"
#loadmodule "tls_openssl.so"
loadmodule "tls_wolfssl.so"
loadmodule "proto_tls.so"
loadmodule "tls_mgm.so"
modparam("tls_mgm", "tls_library", "wolfssl")
#server domain
modparam("tls_mgm","server_domain","sv_dom") # Define a TLS domain for a specific hostname or IP
modparam("tls_mgm", "match_ip_address", "[sv_dom]")
modparam("tls_mgm", "match_sip_domain", "[sv_dom]")
modparam("tls_mgm", "verify_cert", "[sv_dom]0")
modparam("tls_mgm", "require_cert", "[sv_dom]0")
modparam("tls_mgm", "tls_method", "[sv_dom]TLSv1_2-")
modparam("tls_mgm", "certificate","[sv_dom]/etc/opensips/tls/user/certificate.pem")
modparam("tls_mgm", "private_key","[sv_dom]/etc/opensips/tls/user/key.pem")
modparam("tls_mgm", "ca_list","[sv_dom]/etc/opensips/tls/user/user-calist.pem")
#Client domain
modparam("tls_mgm", "client_sip_domain_avp", "sip_test")
modparam("tls_mgm", "client_domain", "clt_dom")
modparam("tls_mgm", "match_sip_domain", "[clt_dom]")
modparam("tls_mgm", "match_ip_address", "[clt_dom]")
modparam("tls_mgm", "verify_cert", "[clt_dom]0")
modparam("tls_mgm", "require_cert", "[clt_dom]0")
modparam("tls_mgm", "tls_method", "[clt_dom]TLSv1_2-")
modparam("tls_mgm", "certificate", "[clt_dom]/etc/opensips/tls/user/certificate.pem")
modparam("tls_mgm", "private_key", "[clt_dom]/etc/opensips/tls/user/key.pem")   # private key file, not the certificate
modparam("tls_mgm", "ca_list","[clt_dom]/etc/opensips/tls/user/user-calist.pem")
route {
if (is_method("REGISTER")) {
if (!lookup("location")) {
t_relay("allow-no-cancel","tls:my.servername.com:5061");
exit;
}
t_relay();
exit;
}
}
Thanks in advance for your help!