... (rest of reply)
If your clients connect to "sbctest.tel.redacted.xx" in the first
place, over TLS, then they verify the certificate against that FQDN.
If you use RR and you have the kamailio IP address in the Record-Route
header field(s), then the clients have to connect to that IP address
using TLS, and then the certificate validation should fail.
As a quick test, do BYEs work from the clients after NOTIFYs fail?
James
On Wed, 13 Nov 2024 at 13:04, James Browne <james(a)frideo.com> wrote:
I've another suggestion.
Check what's in your Record-Route header fields.
On Wed, 13 Nov 2024 at 07:57, dries--- via sr-users
<sr-users(a)lists.kamailio.org> wrote:
>
> Thanks for replying, Fred!
>
> The client default was already set to no verification:
> [client:default]
> verify_certificate = no
> require_certificate = no
>
> This is the TLS config:
> [server:193.19x.x.x:5061]
> method = TLSv1.2+
> verify_certificate = no
> require_certificate = no
> private_key = /etc/kamailio/privkey.pem
> certificate = /etc/kamailio/fullchain.pem
> server_name = sbctest.tel.redacted.xx
> server_id = sbctest.tel.redacted.xx
> server_name_mode = 1
> verify_depth = 3
>
> [server:default]
> private_key = /etc/kamailio/privkey.pem
> certificate = /etc/kamailio/fullchain.pem
> verify_certificate = no
> require_certificate = no
> server_name = localhost
>
> As the Grandstreams are already registering over TLS, I assume that the correct
> protocol is already configured. Any other suggestions?
>
> Regards,
> Dries
> __________________________________________________________
> Kamailio - Users Mailing List - Non Commercial Discussions
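An added example, not part of the thread or of Kamailio: a small Python check for the Record-Route advice above, flagging TLS route URIs whose host is an IP literal or a name the certificate does not cover. The header lines, IP addresses and function names are constructed for illustration; the certificate name is the `server_name` quoted in the thread.

```python
import ipaddress
import re

# Constructed sample: Record-Route lines as they might appear in a 200 OK.
SAMPLE_HEADERS = [
    "Record-Route: <sip:192.0.2.10:5061;transport=tls;lr>",
    "Record-Route: <sip:sbctest.tel.redacted.xx:5061;transport=tls;lr>, <sips:[2001:db8::1];lr>",
    "Record-Route: <sip:198.51.100.7;lr>",
]
# Assumption: DNS names present in the proxy certificate's subjectAltName.
CERT_DNS_NAMES = ["sbctest.tel.redacted.xx"]

# scheme, optional userinfo, host (name, IPv4 or [IPv6]), optional port, params
URI_RE = re.compile(r"<(sips?):(?:[^@>]*@)?(\[[^\]]+\]|[^:;>]+)(?::\d+)?([^>]*)>", re.I)

def is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def name_matches(host, pattern):
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def audit_record_route(header_lines, cert_dns_names):
    """Return (host, status) for every URI found in Record-Route headers."""
    findings = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "record-route":
            continue
        for scheme, host, params in URI_RE.findall(value):
            if scheme.lower() != "sips" and "transport=tls" not in params.lower():
                status = "not-tls"
            elif is_ip(host):
                # Validates only if the certificate carries a matching IP SAN.
                status = "ip-literal"
            elif any(name_matches(host, n) for n in cert_dns_names):
                status = "ok"
            else:
                status = "name-mismatch"
            findings.append((host, status))
    return findings

if __name__ == "__main__":
    for host, status in audit_record_route(SAMPLE_HEADERS, CERT_DNS_NAMES):
        print(f"{host:28} {status}")
```

Entries reported as `ip-literal` or `name-mismatch` are the hops where a client that verifies the certificate would be expected to reject the TLS connection for in-dialog requests.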