Date: Mon, 13 Sep 2010 11:40:33 +0200 From: klaus.mailinglists@pernau.at To: betergreen@live.com CC: sr-users@lists.sip-router.org Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
On 13.09.2010 11:10, peter_green lion wrote:
enable_tls=1
tcp_async=no
listen=tls:192.168.1.81:5060
The default port for TLS is 5061.
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "tls_method", "SSLv23")
You can not use both TLS and SSL - only one or the other. SIP is standardized with TLSv1. Thus you should remove SSLv23 unless you explicitly know that the client can not handle TLSv1 (then the client would be buggy).
modparam("tls", "certificate", "ser1_cert.pem")
modparam("tls", "private_key", "privkey.pem")
modparam("tls", "ca_list", "cacert.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
Here is the problem: You have configured Kamailio to require a client certificate. Usually the SIP client does not have a TLS client certificate, thus Kamailio will terminate the TLS connection with a handshake error. Set modparam("tls", "require_certificate", 0) and at least it should work with the "openssl s_client" tool.
regards Klaus
hi Klaus and all,
I have changed everything as you advised, but it still does not work. When I run the command to check:
[root@appliance kamailio]# openssl s_client -connect 192.168.1.40:5061 -tls1
CONNECTED(00000003)
depth=1 /C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a@192.168.1.40
verify error:num=19:self signed certificate in certificate chain
verify return:0
....................
subject=/C=vn/ST=hcm/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a@192.168.1.40
issuer=/C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a@192.168.1.40
---
Acceptable client certificate CA names
/C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a@192.168.1.40
---
SSL handshake has read 2256 bytes and written 299 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 08F56E61E88ADF353D6EB77126706E4364F31FB31437153ABAB1A20090F8D77CE0BEA0E0B218DB6E7653FBD873E91735
    Key-Arg   : None
    Krb5 Principal: None
    Compression: 1 (zlib compression)
    Start Time: 1284411539
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

and:

[root@appliance kamailio]# openssl s_client -connect 192.168.1.40:5061 -tls1 -CAfile cacert.pem
CONNECTED(00000003)
2223:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
So what is the problem?
thanks and regards, Peter Green.
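As an added example (not code from the thread or from Kamailio), a small Python parser that reads an openssl s_client transcript like the two Peter posted and reports whether the handshake completed, whether the server sent a CertificateRequest (the "Acceptable client certificate CA names" block), and the chain verification result; the embedded transcripts are constructed, shortened versions of the output above, not the original.

```python
import re
# Constructed samples: abridged openssl s_client transcripts shaped like the
# two runs quoted in the thread (values shortened; not the original output).
SAMPLE_OK = """CONNECTED(00000003)
depth=1 /C=vn/ST=hcm/O=inc/CN=192.168.1.40
verify error:num=19:self signed certificate in certificate chain
---
Acceptable client certificate CA names
/C=vn/ST=hcm/O=inc/CN=192.168.1.40
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
    Protocol  : TLSv1
    Verify return code: 19 (self signed certificate in certificate chain)
"""
SAMPLE_FAIL = """CONNECTED(00000003)
2223:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
"""

def diagnose(output):
    """'Cipher is' is printed only after a completed handshake; the 'Acceptable
    client certificate CA names' block only if the server sent a CertificateRequest."""
    d = {
        "handshake_ok": "Cipher is" in output,
        "handshake_error": None,
        "client_cert_requested": "Acceptable client certificate CA names" in output,
        "verify_code": None,
        "protocol": None,
    }
    m = re.search(r"error:[0-9A-F]+:SSL routines:[^:]+:([^:]+):", output)
    if m:
        d["handshake_error"] = m.group(1)          # e.g. "ssl handshake failure"
    m = re.search(r"Verify return code: (\d+) \(", output)
    if m:
        d["verify_code"] = int(m.group(1))         # 19 = self-signed cert in chain
    m = re.search(r"Protocol\s*:\s*(\S+)", output)
    if m:
        d["protocol"] = m.group(1)
    return d

def hints(d):
    # Map the parsed fields onto the checks Klaus walks through in the thread.
    out = []
    if not d["handshake_ok"]:
        out.append("handshake did not complete: %s" % d["handshake_error"])
    if d["client_cert_requested"]:
        out.append("server asked for a client certificate (verify_certificate / require_certificate)")
    if d["verify_code"] == 19:
        out.append("self-signed chain: pass the CA with -CAfile so the server cert verifies")
    return out
```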