You are correct, so just for the trial purposes if I want the TLS handshake to be successful what credentials for the client should I use? i.e. can I do something like:
 
openssl s_client -cert user-cert.pem -key user-privkey.pem -state -connect 10.30.00.41:5061
 
on doing this it comes back with an error saying Verify Return Code: 21 (Unable to verify the first certificate), Should I be using new certificates or with the same set of certificates I can achive a successful handshake?
 
Thanks a lot..
Ncheeku
 
On 12/29/06, Steffen Witt <witt.steffen@googlemail.com> wrote:
Hello,

openssl can play client and/or server role.


Best regards,
Steffen


2006/12/29, Ncheeku Baranov < opensersubscribe@gmail.com>:
> Thanks Steffen. Is there any freely available tls client which can be used
> to check this settings and the handshake? That will be really helpful..
>
> Best regards,
> NCheeku
>
>
>
> On 12/28/06, Steffen Witt <witt.steffen@googlemail.com> wrote:
> > Hello Ncheeku,
> >
> > change to the directory with your ".pem" files:
> /usr/local/etc/openser/tls/user
> >
> >
> > Then you can test your TLS handshake with the following command:
> >
> > openssl s_server -cert user-cert.pem -key user-privkey.pem -state -accept
> 5061
> >
> > Openssl simulates a TLS server with your certificate/private key files
> > and it accepts only requests at port 5061.
> >
> >
> > Best regards,
> > Steffen
> >
> >
> >
> > 2006/12/28, Ncheeku Baranov <opensersubscribe@gmail.com >:
> > > Thanks a lot Steffen. Adding the new listen = udp: 10.30.100.41:5060
> indeed
> > > worked. How can I check the TLS handshake using openssl at the server?
> > > Thanks a lot..
> > >
> > >
> > >
> > > On 12/28/06, Steffen Witt < witt.steffen@googlemail.com> wrote:
> > > > Hello again,
> > > >
> > > > maybe you should add the following line to test your non-TLS UAs:
> > > >
> > > > disable_tls = 0
> > > > listen = udp: 10.30.100.41:5060   <---
> > > > listen = tls:10.30.100.41:5061
> > > >
> > > >
> > > > You can check your TLS handshake by simulating your server with
> openssl.
> > > >
> > > >
> > > > Please have a look at the following link that describes the TLS
> support:
> > > >
> > > > http://www.openser.org/docs/tls.html
> > > >
> > > >
> > > > Best regards,
> > > > Steffen
> > > >
> > > >
> > > >
> > > >
> > > > 2006/12/28, Ncheeku Baranov < opensersubscribe@gmail.com>:
> > > > > Hi,
> > > > >
> > > > > I am trying to make my non-TLS/TLS UA register with my TLS enabled
> > > openSER.
> > > > > Currently I am just working on my local machine with the client UAs
> on
> > > the
> > > > > same subnet,(so there is only one domain, but its not named). Below
> is
> > > my
> > > > > configuration file:
> > > > >
> > > > > disable_tls = 0
> > > > > listen = tls:10.30.100.41:5061
> > > > > tls_verify_server = 1
> > > > > tls_verify_client = 0
> > > > > tls_require_client_certificate = 0
> > > > > tls_method = TLSv1
> > > > > tls_certificate =
> > > "/usr/local/etc/openser/tls/user/user-
> > > > > cert.pem"
> > > > > tls_private_key =
> > > "/usr/local/etc/openser/tls/user/user-
> > > > > privkey.pem"
> > > > > tls_ca_list =
> > > > > "usr/local/etc/openser/tls/user/user-calist.pem"
> > > > >
> > > > > However, with the above configuration the client UAs couldnot
> register
> > > and I
> > > > > got 408 Request Time out Message. Is there any field that is missing
> to
> > > make
> > > > > this simple scenario work? What should be the values of
> > > "tls_client_domain"
> > > > > and "tls_server_domain" fields in this case?
> > > > >
> > > > > I noticed that when I start the openSER without TLS support using
> > > > > "openserctl start" and do "ps -e" after that, there are more openSER
> > > > > processes running than if I start openSER with TLS support in which
> case
> > > I
> > > > > see very few of these processes running.
> > > > >
> > > > > Your help is much appreciated....
> > > > >
> > > > > Best regards,
> > > > > NCheeku
> > > > >
> > > > > _______________________________________________
> > > > > Users mailing list
> > > > > Users@openser.org
> > > > > http://openser.org/cgi-bin/mailman/listinfo/users
> > > > >
> > > > >
> > > > >
> > > >
> > >
> > >
> >
>
>