Hello,

Set debug=3 in kamailio.cfg, restart Kamailio and try to connect again with the client. Watch the logs and you should get more details about what happens there.

Cheers,
Daniel

On 06.09.19 19:05, david@aslo.us wrote:

Hello everyone,

I am trying to configure TLS in kamailio (5.2.4) following this guide: http://www.kamailio.org/dokuwiki/doku.php/tls:create-certificates

Modules:

#!define WITH_MYSQL
#!define WITH_AUTH
#!define WITH_USRLOCDB
#!define WITH_PRESENCE
#!define WITH_ALIASDB
#!define WITH_IMC
#!define WITH_TLS

When I try to connect via command line, this is the result (just including relevant parts):

$ openssl s_client -connect 192.X.X.X:5061 -tls1
CONNECTED(00000003)
depth=1 C = XX, ST = XXXX, L = XXXXXX, O = XXX CA, CN = XXX CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
No client certificate CA names sent
---
SSL handshake has read 2550 bytes and written 336 bytes
---
---
    Start Time: 1567787935
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
read:errno=0

Now, when I set up my clients, they connect to the server, but they can't send messages or make calls.

This is the TLS startup LOG:

Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_mod.c:372]: mod_init(): With ECDH-Support!
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_mod.c:375]: mod_init(): With Diffie Hellman
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: CRITICAL: tls [tls_init.c:671]: init_tls_h(): installed openssl library version is too different from the library the kamailio tls module was compiled with: installed "OpenSSL 1.1.1  11 Sep 2018" (0x1010100f), compiled "OpenSSL 1.1.0k  28 May 2019" (0x101000bf).#012 Please make sure a compatible version is used (tls_force_run in kamailio.cfg will override this check)
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: WARNING: tls [tls_init.c:680]: init_tls_h(): tls_force_run turned on, ignoring  openssl version mismatch
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: WARNING: tls [tls_init.c:778]: init_tls_h(): openssl bug #1491 (crash/mem leaks on low memory) workaround enabled (on low memory tls operations will fail preemptively) with free memory thresholds 12582912 and 6291456 bytes
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core> [core/cfg/cfg_ctx.c:595]: cfg_set_now(): tls.low_mem_threshold1 has been changed to 12582912
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core> [core/cfg/cfg_ctx.c:595]: cfg_set_now(): tls.low_mem_threshold2 has been changed to 6291456
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core> [main.c:2669]: main(): processes (at least): 24 - shm size: 67108864 - pkg size: 8388608
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core> [core/udp_server.c:153]: probe_max_receive_buffer(): SO_RCVBUF is initially 212992
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: <core> [core/udp_server.c:205]: probe_max_receive_buffer(): SO_RCVBUF is finally 425984
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSs<default>: tls_method=12
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/certs/192.X.X.X/cert.pem'
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSs<default>: ca_list='/etc/certs/demoCA/cert.pem'
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=0
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/certs/192.X.X.X/key.pem'
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=0
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: NOTICE: tls [tls_domain.c:1087]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>' ...
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:707]: set_verification(): TLSs<default>: No client certificate required and no checks performed
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSc<default>: tls_method=12
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSc<default>: certificate='(null)'
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSc<default>: ca_list='(null)'
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSc<default>: crl='(null)'
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSc<default>: require_certificate=0
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSc<default>: cipher_list='(null)'
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSc<default>: private_key='(null)'
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSc<default>: verify_certificate=0
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSc<default>: verify_depth=9
Sep  6 16:41:57 aslo-kamailio /usr/sbin/kamailio[5845]: INFO: tls [tls_domain.c:710]: set_verification(): TLSc<default>: Server MAY present invalid certificate
Sep  6 16:41:58 aslo-kamailio /usr/sbin/kamailio[5862]: INFO: jsonrpcs [jsonrpcs_sock.c:443]: jsonrpc_dgram_process(): a new child 0/5862
Sep  6 16:41:58 aslo-kamailio /usr/sbin/kamailio[5866]: INFO: ctl [io_listener.c:214]: io_listen_loop(): io_listen_loop:  using epoll_lt io watch method (config)

This is my tls.cfg file:

[server:default]
method = TLSv1
verify_certificate = no
require_certificate = no
private_key = /etc/certs/192.X.X.X/key.pem
certificate = /etc/certs/192.X.X.X/cert.pem
ca_list = /etc/certs/demoCA/cert.pem
#crl = /etc/kamailio/tls/crl.pem

# ---
# This is the default client domain profile.
# Settings in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
method = TLSv1
verify_certificate = no
require_certificate = no

These are the relevant parts of my kamailio.cfg:

# alias="sip.mydomain.com"
  alias=192.X.X.X:5060
  alias=192.X.X.X:5061
/* uncomment and configure the following line if you want Kamailio to
* bind on a specific interface/port/proto (default bind on all available) */
  listen=udp:192.X.X.X:5060
  listen=tcp:192.X.X.X:5060
  listen=tls:192.X.X.X:5061

#!ifdef WITH_TLS
enable_tls=yes

/* upper limit for TLS connections */
tls_max_connections=2048
#!endif

#!ifdef WITH_TLS
# ----- tls params -----
modparam("tls", "config", "/etc/kamailio/tls.cfg")
modparam("tls", "tls_force_run", 1)
#!endif

These are the errors that show up every time I try to connect with a client:

Sep  6 16:53:42 aslo-kamailio /usr/sbin/kamailio[5870]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
Sep  6 16:53:42 aslo-kamailio /usr/sbin/kamailio[5870]: ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f7c4e3ddd00 r: 0x7f7c4e3ddd80 (-1)
Sep  6 16:53:43 aslo-kamailio /usr/sbin/kamailio[5874]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
Sep  6 16:53:43 aslo-kamailio /usr/sbin/kamailio[5874]: ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f7c4e3ddd00 r: 0x7f7c4e3ddd80 (-1)
Sep  6 16:53:44 aslo-kamailio /usr/sbin/kamailio[5875]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
Sep  6 16:53:44 aslo-kamailio /usr/sbin/kamailio[5875]: ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f7c4e3ddd00 r: 0x7f7c4e3ddd80 (-1)

Any help would be greatly appreciated.

Regards.


-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio Advanced Training, Oct 21-23, 2019, Berlin, Germany -- https://asipto.com/u/kat
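
A triage sketch for the log lines quoted in this thread, added here as an example and not part of either message or of Kamailio itself. It unpacks the two OpenSSL version numbers and the packed error code `14094412`, assuming the OpenSSL 1.1.x layouts (version `MNNFFPPS`, error `lib<<24 | func<<12 | reason`); the function names and the `SAMPLE` lines (shortened from the logs above) are constructed for illustration.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2) that concern certificates.
ALERTS = {40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}

# Constructed sample: three lines shortened from the logs quoted in the thread.
SAMPLE = [
    'CRITICAL: tls [tls_init.c:671]: init_tls_h(): installed openssl library version is too different from the library the kamailio tls module was compiled with: installed "OpenSSL 1.1.1  11 Sep 2018" (0x1010100f), compiled "OpenSSL 1.1.0k  28 May 2019" (0x101000bf).',
    "WARNING: tls [tls_init.c:680]: init_tls_h(): tls_force_run turned on, ignoring  openssl version mismatch",
    "ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate",
]

def decode_version(hexstr):
    """Unpack an OpenSSL 1.x version number (MNNFFPPS) into e.g. '1.1.0k'."""
    n = int(hexstr, 16)
    major, minor = n >> 28, (n >> 20) & 0xFF
    fix, patch = (n >> 12) & 0xFF, (n >> 4) & 0xFF
    letter = chr(ord("a") + patch - 1) if patch else ""
    return f"{major}.{minor}.{fix}{letter}"

def decode_error(hexstr):
    """Split an OpenSSL 1.1.x packed error code into (lib, reason, alert name)."""
    e = int(hexstr, 16)
    lib, reason = e >> 24, e & 0xFFF
    # In the SSL library (0x14), reason 1000+N means alert N was received from the peer.
    alert = ALERTS.get(reason - 1000) if lib == 0x14 and reason > 1000 else None
    return lib, reason, alert

def triage(lines):
    """Return one finding tuple per recognised condition, in log order."""
    findings = []
    ver = r'installed "[^"]*" \((0x[0-9a-f]+)\), compiled "[^"]*" \((0x[0-9a-f]+)\)'
    for line in lines:
        m = re.search(ver, line)
        if m:
            findings.append(("version_mismatch",
                             decode_version(m.group(1)), decode_version(m.group(2))))
        if "tls_force_run turned on" in line:
            findings.append(("version_check_overridden",))
        m = re.search(r"TLS accept:error:([0-9A-Fa-f]{8}):", line)
        if m:
            findings.append(("alert_from_peer", decode_error(m.group(1))[2]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

An `alert_from_peer` finding with `bad_certificate` means the connecting client sent the alert, that is, it rejected the certificate Kamailio presented; this is consistent with the self-signed chain error (verify code 19) that `openssl s_client` reported in the quoted message.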