Hi folks!!
Finally I had time to test the new TLS module and faced lots of problems... probably due to my lack of security knowledge. If somebody can point me to a few links where I can gain some knowledge, I'll appreciate it.
The problem:
I created the cert, key and ca-list using the scripts present in openser's TLS module. I am using the latest CVS version and SER does not start, giving the following error:

ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/user-cert.pem'
ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
Probably I did something wrong in the key creation or configured something wrong in ser.cfg... The config is taken from a thread on serdev about the status of the SER TLS module and it's really simple, so I don't think it's wrong, but anyway, here it is:
loadmodule "/usr/local/lib/ser/modules/tls.so"
loadmodule "/usr/local/lib/ser/modules/sl.so"
loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"

listen=tls:a.b.c.d:5061
listen=tcp:a.b.c.d:5060
listen=udp:a.b.c.d:5060

alias=mydomain.com

#modparam("tls", "tls_method", "TLSv1")
modparam("tls", "tls_method", "SSLv23")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 0)
modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem")
modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem")
modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem")
#modparam("tls", "config", "tls.cfg")

route {
    if (proto == TLS && (method == "POST" || method == "GET")) {
        create_via(); # XMLRPC requests do not contain via, create it

        if (!@tls.peer.verified) {
            # Client did not provide certificate or it is not valid
            xmlrpc_reply("400", "Unauthorized");
            break;
        }

        if (@xmlrpc.method == "core.kill") {
            # Make sure the client has the permission to execute the command
            if (@tls.peer != "SER-Killer") {
                xmlrpc_reply("400", "Access to core.kill denied");
                break;
            }
        }

        dispatch_rpc();
        break;
    }
}
Any comments are highly appreciated, thanks!
Samuel.
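An added diagnostic for the "PEM_read_bio:no start line" error quoted above (example code, not from the thread or from SER/openser). That error means OpenSSL found no "-----BEGIN ...-----" line in the file, which usually points at an empty file, a DER (binary) file, or the wrong path; the script classifies each file that way and, if openssl is installed, also checks that the key matches the certificate and that the certificate chains to the CA list. The paths are the ones from the quoted ser.cfg and are only assumed here.

```shell
#!/bin/sh
# pem_kind FILE: prints pem | der | empty | unknown | unreadable
# (returns 0 only for pem, the form PEM_read_bio expects)
pem_kind() {
    f="$1"
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    [ -s "$f" ] || { echo "empty"; return 1; }
    if grep -q -e '-----BEGIN ' "$f"; then
        echo "pem"; return 0
    fi
    # DER-encoded X.509 certs and keys start with the ASN.1 SEQUENCE tag 0x30
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then echo "der"; return 1; fi
    echo "unknown"; return 1
}

# check_tls_files CERT KEY CALIST: classify all three files, then (with
# openssl present) parse them, compare the cert's public key with the one
# derived from the private key, and verify the cert against the CA list.
check_tls_files() {
    cert="$1" key="$2" calist="$3" rc=0
    for f in "$cert" "$key" "$calist"; do
        kind=$(pem_kind "$f") || rc=1
        echo "$f: $kind"
    done
    if [ "$rc" -eq 0 ] && command -v openssl >/dev/null 2>&1; then
        openssl x509 -noout -in "$cert" || rc=1
        openssl pkey -noout -in "$key" || rc=1
        cpub=$(openssl x509 -noout -pubkey -in "$cert")
        kpub=$(openssl pkey -pubout -in "$key")
        if [ "$cpub" = "$kpub" ]; then
            echo "cert/key match"
        else
            echo "cert/key MISMATCH"; rc=1
        fi
        openssl verify -CAfile "$calist" "$cert" || rc=1
    fi
    return $rc
}

# usage: sh check_tls_files.sh CERT KEY CALIST (assumed paths from ser.cfg)
if [ "$#" -eq 3 ]; then
    check_tls_files "$@"
fi
```

Run it as `sh check_tls_files.sh /usr/local/etc/ser/certs/user-cert.pem /usr/local/etc/ser/certs/user-privkey.pem /usr/local/etc/ser/certs/user-calist.pem`; a non-zero exit means at least one file is not what the tls module expects.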