Hello,

the client has to be configured to present a certificate, and it doesn't do it based on kamailio log message:

INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate

Check the phone config to see if you can set such option. Kamailio can just see if a certificate is sent and if not reject the connection, if you have require_certificate = yes in the server profile of tls.cfg

You can eventually test with 'openssl s_client ...' to see details of client side certs in kamailio -- iirc, it has the options to specify client side certificate with -cert ... -key ...

Cheers,
Daniel

Hi Daniel

I’m testing with a Yealink T57W. It comes with a factory install certificate which will probably fail validation as the common name is the MAC.  

I'm not trying validate the client device’s certificate just get it to offer what it has so I can check the details.

Thanks

Mark

On 3 Jul 2020, at 08:38, Daniel-Constantin Mierla <miconda@gmail.com> wrote:

Hello,

what is the SIP client app you used? Is it configured to use its own tls certificate when connecting to the SIP server?

Cheers,
Daniel

On 02.07.20 18:51, Mark Boyce wrote:

Hi all

Been trying to grab the TLS cert details from incoming connections, but failing :-(

So with lines just before AUTH is called like this;

        if (proto == TLS) {

        xlog("L_INFO", "TLSDUMP $ci  peer_subject        : $tls_peer_subject\n");

Gets met with a log line line this;

INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 1.2.3.4:11797 using TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256

INFO: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 5.6.7.8:5061

INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate

...

INFO: tls [tls_select.c:168]: get_cert(): Unable to retrieve peer TLS certificate from SSL structure

This is with verify_certificate and require_certificate set to no in tls.cfg

If I try and set the following in tls.cfg

[server:default]

method = TLSv1.2+

verify_certificate = no

require_certificate = yes

I see in the logs;

INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSs<default>: tls_method=22

INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/kamailio/tls-certs/cert.pem'

INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSs<default>: ca_list='(null)'

INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'

INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=1

INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'

INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/kamailio/tls-certs/privkey.pem'

INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=0

INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9

NOTICE: tls [tls_domain.c:1095]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>' ...

INFO: tls [tls_domain.c:692]: set_verification(): TLSs<default>: Client MUST present valid certificate

INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSc<default>: tls_method=20

INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSc<default>: certificate='(null)'

INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSc<default>: ca_list='(null)'

INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSc<default>: crl='(null)'

INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSc<default>: require_certificate=1

INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSc<default>: cipher_list='(null)'

INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSc<default>: private_key='(null)'

INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSc<default>: verify_certificate=1

INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSc<default>: verify_depth=9

INFO: tls [tls_domain.c:692]: set_verification(): TLSc<default>: Server MUST present valid certificate

...

ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Which looks like verification is being enabled when I add require?

Would someone be kind enough to point out what I am missing please? (Assuming it’s not a bug :-)

Thanks
Mark
-- 
Mark Boyce
Dark Origins Ltd

_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla

Mark

-- 

Mark Boyce

Dark Origins Ltd

e: mark@darkorigins.com

t: 0345 0043 043

f: 0345 0043 044

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla