I used this tls.cfg
Use bc2025.pem as extra, Microsoft needs this…
And works fine on different Kamailio-msteams sbcs
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/privkey.pem
certificate = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/fullchain.pem
ca_list = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/bc2025.pem
server_name = sbc.combivoipdom.nl
[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/privkey.pem
certificate = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/fullchain.pem
ca_list = /etc/letsencrypt/live/sbc.combivoipdom.nl-0001/bc2025.pem
Cheers Rob
From: sr-users <sr-users-bounces(a)lists.kamailio.org> On behalf of Daniel-Constantin Mierla
Sent: Thursday, 7 January 2021 08:53
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>; Willy Valles Rios <willyvalles17(a)gmail.com>
CC: Carlos Mestanza T. <mestacart(a)gmail.com>
Subject: Re: [SR-Users] Problems establishing SIP signaling between MsTeams and Kamailio
Does this happen when Kamailio connects to MS Teams? The logs indicate the received TLS
certificate is not trusted:
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls [tls_util.h:42]:
tls_err_ret(): TLS write:error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
You can set debug=3 in kamailio.cfg and see if the DEBUG messages provide more hints. For
me it worked fine with Letsencrypt certs in Kamailio and accepting whatever MS sent back.
I used Debian 10 and libssl 1.1.
Cheers,
Daniel
On 06.01.21 21:47, Willy Valles Rios wrote:
Hello community,
I am having trouble establishing SIP signaling between MsTeams and Kamailio. I currently
have this configuration in my tls.cfg file
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/certificates/private-key.pem
certificate = /etc/kamailio/certificates/certificate.pem
[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/kamailio/certificates/private-key.pem
certificate = /etc/kamailio/certificates/certificate.pem
My domain was certified with ssl through an authoritative certifier (GoDaddy), however I
see these errors in the /var/log/messages of the Kamailio server.
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_mod.c:389]:
mod_init(): With ECDH-Support!
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_mod.c:392]:
mod_init(): With Diffie Hellman
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_init.c:722]:
tls_h_mod_init_f(): compiled with openssl version "OpenSSL 1.0.2k-fips 26 Jan
2017" (0x100020bf), kerberos support: on, compression: on
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_init.c:730]:
tls_h_mod_init_f(): installed openssl library version "OpenSSL 1.0.2k-fips 26 Jan
2017" (0x100020bf), kerberos support: on, zlib compression: on#012 compiler: gcc -I.
-I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
-DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64
-mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM
-DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
-DECP_NISTZ256_ASM
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: WARNING: tls [tls_init.c:787]:
tls_h_mod_init_f(): openssl bug #1491 (crash/mem leaks on low memory) workaround enabled
(on low memory tls operations will fail preemptively) with free memory thresholds 13107200
and 6553600 bytes
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: [core/cfg/cfg_ctx.c:598]:
cfg_set_now(): tls.low_mem_threshold1 has been changed to 13107200
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: [core/cfg/cfg_ctx.c:598]:
cfg_set_now(): tls.low_mem_threshold2 has been changed to 6553600
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: [main.c:2834]: main():
processes (at least): 25 - shm size: 67108864 - pkg size: 4194304
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: [core/udp_server.c:154]:
probe_max_receive_buffer(): SO_RCVBUF is initially 212992
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: [core/udp_server.c:206]:
probe_max_receive_buffer(): SO_RCVBUF is finally 425984
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:305]:
ksr_tls_fill_missing(): TLSs: tls_method=22
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:317]:
ksr_tls_fill_missing(): TLSs:
certificate='/etc/kamailio/certificados/certificate.pem'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:324]:
ksr_tls_fill_missing(): TLSs: ca_list='(null)'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:331]:
ksr_tls_fill_missing(): TLSs: crl='(null)'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:335]:
ksr_tls_fill_missing(): TLSs: require_certificate=1
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:342]:
ksr_tls_fill_missing(): TLSs: cipher_list='(null)'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:349]:
ksr_tls_fill_missing(): TLSs:
private_key='/etc/kamailio/certificados/private-key.pem'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:353]:
ksr_tls_fill_missing(): TLSs: verify_certificate=1
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:356]:
ksr_tls_fill_missing(): TLSs: verify_depth=9
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:359]:
ksr_tls_fill_missing(): TLSs: verify_client=0
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: NOTICE: tls [tls_domain.c:1107]:
ksr_tls_fix_domain(): registered server_name callback handler for socket [:0],
server_name='' ...
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:697]:
set_verification(): TLSs: Client MUST present valid certificate
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:305]:
ksr_tls_fill_missing(): TLSc: tls_method=22
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:317]:
ksr_tls_fill_missing(): TLSc:
certificate='/etc/kamailio/certificados/certificate.pem'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:324]:
ksr_tls_fill_missing(): TLSc: ca_list='(null)'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:331]:
ksr_tls_fill_missing(): TLSc: crl='(null)'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:335]:
ksr_tls_fill_missing(): TLSc: require_certificate=1
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:342]:
ksr_tls_fill_missing(): TLSc: cipher_list='(null)'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:349]:
ksr_tls_fill_missing(): TLSc:
private_key='/etc/kamailio/certificados/private-key.pem'
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:353]:
ksr_tls_fill_missing(): TLSc: verify_certificate=1
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:356]:
ksr_tls_fill_missing(): TLSc: verify_depth=9
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:359]:
ksr_tls_fill_missing(): TLSc: verify_client=0
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32409]: INFO: tls [tls_domain.c:697]:
set_verification(): TLSc: Server MUST present valid certificate
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32422]: INFO: jsonrpcs
[jsonrpcs_sock.c:443]: jsonrpc_dgram_process(): a new child 0/32422
Jan 6 15:13:45 Kamailio-Server /usr/sbin/kamailio[32424]: INFO: ctl [io_listener.c:214]:
io_listen_loop(): io_listen_loop: using epoll_lt io watch method (config)
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls [tls_server.c:1283]:
tls_h_read_f(): protocol level error
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls [tls_util.h:42]:
tls_err_ret(): TLS write:error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls [tls_server.c:1287]:
tls_h_read_f(): source IP: 52.114.75.24
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: tls [tls_server.c:1290]:
tls_h_read_f(): destination IP: 161.35.44.66
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32425]: ERROR: [core/tcp_read.c:1493]:
tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f45242be028 r: 0x7f45242be150
(-1)
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR: tls [tls_server.c:1283]:
tls_h_read_f(): protocol level error
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR: tls [tls_util.h:42]:
tls_err_ret(): TLS write:error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR: tls [tls_server.c:1287]:
tls_h_read_f(): source IP: 52.114.132.46
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR: tls [tls_server.c:1290]:
tls_h_read_f(): destination IP: 161.35.44.66
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32426]: ERROR: [core/tcp_read.c:1493]:
tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f45242d9278 r: 0x7f45242d93a0
(-1)
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR: tls [tls_server.c:1283]:
tls_h_read_f(): protocol level error
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR: tls [tls_util.h:42]:
tls_err_ret(): TLS write:error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR: tls [tls_server.c:1287]:
tls_h_read_f(): source IP: 52.114.14.70
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR: tls [tls_server.c:1290]:
tls_h_read_f(): destination IP: 161.35.44.66
Jan 6 15:13:55 Kamailio-Server /usr/sbin/kamailio[32427]: ERROR: [core/tcp_read.c:1493]:
tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f45242be028 r: 0x7f45242be150
(-1)
Could you help me identify the problem please.
Cheers
Kind regards
--
Willy Valles Rios
Unified Communications Specialist
phone: +51955747343
em@il: willyvalles17(a)gmail.com <mailto:willyvalles17@gmail.com>