(forgot to cc the list)
Andreas Rehbein wrote:
Hi Klaus,
Until now (OpenSER 1.3.x without client verification) it was not necessary to import certs into snom. To force the snom to send messages via TLS, you need to insert something like "192.168.0.89:5061;transport=tls" in the outbound proxy field (but I'm sure you already knew).
Looks like SNOM's TLS implementation is a piece of crap.
If the server uses a TLS certificate with depth 1 (CA->server-cert), then the SNOM phone accepts the certificate and handshake succeeds. If the certificate has depth 2 (CA->subCA->server-cert), then the SNOM phone raises an error during handshake.
And strangely, the "trusted certificates" are not used at all for validation. Thus, SNOM uses the TLS connection solely for encryption, not for server authentication.
regards klaus
regards Andreas
-----Original Message-----
From: Klaus Darilion [mailto:klaus.mailinglists@pernau.at]
Sent: Friday, 22 January 2010 13:17
To: Andreas Rehbein
Cc: sr-users@lists.sip-router.org
Subject: Re: AW: AW: AW: [SR-Users] TLS problems
Andreas Rehbein wrote:
Hello Klaus,
Linux: Red Hat Enterprise Linux 5; Kernel: 2.6.18-92.1.10.el5 OpenSSL: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Hi Andreas!
I fail to configure SNOM to accept the certificate. I imported the CA cert as trusted certificates, but TLS handshake is not successful. Is there something else I need to take care of?
I'm quite sure my certificates are OK as it works with eyebeam and QjSimple.
regards Klaus
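
A reference check for the two chain shapes discussed in this thread, added here as an example and not written by any of the posters: it builds a depth-1 chain (CA->server-cert) and a depth-2 chain (CA->subCA->server-cert) with the `openssl` CLI and reports what a validating client should accept and reject. All certificate names are constructed test values; it assumes `openssl` and `mktemp` are installed.

```shell
#!/bin/sh
# Added example; every name and subject below is a constructed test value.

# mkcert NAME ISSUER SERIAL EXT: write NAME.key and NAME.pem, signed by ISSUER
# (ISSUER equal to NAME produces a self-signed certificate).
mkcert() {
    printf '%s\n' "$4" > "$1.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1 || return 1
    if [ "$1" = "$2" ]; then
        openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial "$3" \
            -days 2 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
            -set_serial "$3" -days 2 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
    fi
}

# chain_result ANCHOR LEAF [INTERMEDIATE]: print "ok" only if LEAF chains to
# ANCHOR. The "OK" line is matched instead of trusting the exit status, which
# older OpenSSL releases did not set reliably on validation failure.
chain_result() {
    if openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>/dev/null |
        grep -q ': OK$'; then printf ok; else printf fail; fi
}

# run_demo: build root-ca, sub-ca, an unrelated other-ca and two server
# certificates in a scratch directory, then print one line of results.
run_demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    ca='basicConstraints=critical,CA:TRUE' leaf='basicConstraints=CA:FALSE'
    mkcert root-ca root-ca 1 "$ca" && mkcert other-ca other-ca 2 "$ca" &&
    mkcert sub-ca root-ca 3 "$ca" && mkcert server-d1 root-ca 4 "$leaf" &&
    mkcert server-d2 sub-ca 5 "$leaf" || { cd /; rm -rf "$dir"; exit 1; }
    printf 'depth1=%s depth2=%s depth2_no_subca=%s depth1_wrong_ca=%s\n' \
        "$(chain_result root-ca.pem server-d1.pem)" \
        "$(chain_result root-ca.pem server-d2.pem sub-ca.pem)" \
        "$(chain_result root-ca.pem server-d2.pem)" \
        "$(chain_result other-ca.pem server-d1.pem)"
    cd / && rm -rf "$dir"
)

run_demo
```

The `depth2_no_subca` case fails because the verifier holds only the root, so a depth-2 deployment needs the server to present the sub-CA certificate along with its own. A client that still completes the handshake in the `depth1_wrong_ca` situation is encrypting the connection without authenticating the server.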