Re: [SR-Users] Issue with ca-list

It does. It has a combination of all of them. Over 50 CA’s pem files combined. From: Daniel-Constantin Mierla &lt;miconda(a)gmail.com&gt; Date: Friday, 20 November 2020 at 15:48 To: George Goglidze &lt;george(a)ipcorp.co.uk&gt;uk>, Kamailio (SER) - Users Mailing List &lt;sr-users(a)lists.kamailio.org&gt; Subject: Re: [SR-Users] Issue with ca-list Hello, does the client section ca_list file has the CA of the remote server? Cheers, Daniel On 20.11.20 15:56, George Goglidze wrote: Hi Daniel, No – you misunderstood me. It’s not the remote server that is not trusting us but we are not trusting the remote server. My SBC (Kamailio) is sending out TLS error unknown CA. Thanks, From: Daniel-Constantin Mierla <miconda@gmail.com><mailto:miconda@gmail.com> Date: Friday, 20 November 2020 at 14:48 To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org><mailto:sr-users@lists.kamailio.org>, George Goglidze <george@ipcorp.co.uk><mailto:george@ipcorp.co.uk> Subject: Re: [SR-Users] Issue with ca-list Hello, On 20.11.20 11:13, George Goglidze wrote: Hi Folks, I was wondering if somebody could help me with an issue. I’m a newbie here, just installing Kamailio sip server. I’ve enabled TLS, and am trying create a SIP Trunk to external SIP Service which is TLS enabled port 5061. I’ve configured the following in tls.cfg: [server:default] method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /etc/kamailio/certs/sbc-private.pem certificate = /etc/kamailio/certs/godaddy.pem ca_list = /etc/kamailio/certs/calist.pem In the section above – ca_list = calist.pem contains all the CA’s and Subordinates of the destination server. Private_key and certificate are of my own server (public godaddy signed) [client:default] method = TLSv1.2+ verify_certificate = yes require_certificate = yes private_key = /etc/kamailio/certs/sbc-private.pem certificate = /etc/kamailio/certs/godaddy.pem ca_list = /etc/kamailio/certs/godaddyca.pem In the section above the ca_list is godaddy’s ca and subordinate. In the wireshark I can see that I’m sending out SIP OPTIONS PING (I’m using dispatcher module). Then the server replies with tls SERVER HELLO which includes it’s certificate But for some reason we are rejecting it: Alert (level: fatal, Description: Unknown CA) How should I set this up to make sure the remote server CA’s are verified? I am not sure I understand what you want to do -- to verify that the list of CAs trusted by the remote server? This is not possible, what is trusted by the server is its own business. An entity can verify only of the presented certificate by a peer is signed by a trusted CA from its CAs trusted list. Cheers, Daniel -- Daniel-Constantin Mierla -- www.asipto.com<http://www.asipto.com> www.twitter.com/miconda<http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda<http://www.linkedin.com/in/miconda> Funding: https://www.paypal.me/dcmierla --> -- Daniel-Constantin Mierla -- www.asipto.com<http://www.asipto.com> www.twitter.com/miconda<http://www.twitter.com/miconda> -- www.linkedin.com/in/miconda<http://www.linkedin.com/in/miconda> Funding: https://www.paypal.me/dcmierla -->