29 Dec
2006
29 Dec
'06
9:52 a.m.
You are correct, so just for the trial purposes if I want the TLS handshake
to be successful what credentials for the client should I use? i.e. can I do
something like:
openssl s_client -cert user-cert.pem -key user-privkey.pem -state -connect
10.30.00.41:5061
on doing this it comes back with an error saying Verify Return Code: 21
(Unable to verify the first certificate), Should I be using new certificates
or with the same set of certificates I can achive a successful handshake?
Thanks a lot..
Ncheeku
On 12/29/06, Steffen Witt <witt.steffen(a)googlemail.com> wrote:
Hello,
openssl can play client and/or server role.
Best regards,
Steffen
2006/12/29, Ncheeku Baranov <opensersubscribe(a)gmail.com>om>:
enabled
Thanks Steffen. Is there any freely available tls
client which can be
used
to check this settings and the handshake? That
will be really helpful..
Best regards,
NCheeku
On 12/28/06, Steffen Witt <witt.steffen(a)googlemail.com> wrote:
-accept
Hello Ncheeku,
change to the directory with your ".pem" files:
/usr/local/etc/openser/tls/user
>
>
> Then you can test your TLS handshake with the following command:
>
> openssl s_server -cert user-cert.pem -key user-privkey.pem -state 5061
server?
Openssl simulates a TLS server with your certificate/private key files
and it accepts only requests at port 5061.
Best regards,
Steffen
2006/12/28, Ncheeku Baranov <opensersubscribe(a)gmail.com>om>:
> Thanks a lot Steffen. Adding the new listen = udp: 10.30.100.41:5060
indeed
> > worked. How can I check the TLS handshake using openssl at the >
Thanks a lot..
>
>
>
> On 12/28/06, Steffen Witt < witt.steffen(a)googlemail.com> wrote:
> > Hello again,
> >
> > maybe you should add the following line to test your non-TLS UAs:
> >
> > disable_tls = 0
> > listen = udp:10.30.100.41:5060 <---
> > listen = tls:10.30.100.41:5061
> >
> >
> > You can check your TLS handshake by simulating your server with
openssl.
> >
> >
> > Please have a look at the following link that describes the TLS
support:
> > >
> > > http://www.openser.org/docs/tls.html
> > >
> > >
> > > Best regards,
> > > Steffen
> > >
> > >
> > >
> > >
> > > 2006/12/28, Ncheeku Baranov < opensersubscribe(a)gmail.com>gt;:
> > > > Hi,
> > > >
> > > > I am trying to make my non-TLS/TLS UA register with my TLS > > openSER.
> > > > Currently I am just working on my local machine with the client
UAs
on
> > the
> > > > same subnet,(so there is only one domain, but its not named).
Below
is
missing
> my
> > > configuration file:
> > >
> > > disable_tls = 0
> > > listen = tls:10.30.100.41:5061
> > > tls_verify_server = 1
> > > tls_verify_client = 0
> > > tls_require_client_certificate = 0
> > > tls_method = TLSv1
> > > tls_certificate =
> "/usr/local/etc/openser/tls/user/user-
> > > cert.pem"
> > > tls_private_key =
> "/usr/local/etc/openser/tls/user/user-
> > > privkey.pem"
> > > tls_ca_list =
> > > "usr/local/etc/openser/tls/user/user-calist.pem"
> > >
> > > However, with the above configuration the client UAs couldnot
register
> > and I
> > > > got 408 Request Time out Message. Is there any field that is to
> > make
> > > > this simple scenario work? What should be the values of
> > "tls_client_domain"
> > > > and "tls_server_domain" fields in this case?
> > > >
> > > > I noticed that when I start the openSER without TLS support
using
> > > > "openserctl start"
and do "ps -e" after that, there are more
openSER
> > > > processes running than if I
start openSER with TLS support in
which
case
I
> > see very few of these processes running.
> >
> > Your help is much appreciated....
> >
> > Best regards,
> > NCheeku
> >
> > _______________________________________________
> > Users mailing list
> > Users(a)openser.org
> > http://openser.org/cgi-bin/mailman/listinfo/users
> >
> >
> >
>