Last check I made was to verify my own generated CA and server certs/keys with latest openser-1.0.1.-tls and it properly reads the files. I deduced therefore that there must be something wrong in the cert reading process in the SER's tls module. I cannot debug further due to lack of time but I hope to read some mail providing some feedback... it might also have been some misconfiguration in my config but I took it from the latest mails Jan sent to the mailing list regarding TLS configuration (see the first mail on this thread for the config file).
Thanks, Samuel.
2006/4/10, samuel samu60@gmail.com:
Last call for help....I'll detail steps to see if some guru finds what I am not doing right:
I have created the cert/key in the PEM format with the following commands:

Create self CA:
#openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365 -out CA98cert.pem -outform PEM

Create the request for our domain:
#openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 -out ser98req.pem -outform PEM

Sign & issue cert:
#openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req -CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem
The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after several "lost" hours...)
I can check with openssl tools the cert and key and both are OK and can create connections using the s_server and s_client tools included in the openssl package. They have the appropriate format, certificate file:
-----BEGIN CERTIFICATE-----
askjdfl
-----END CERTIFICATE-----

and the key:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF

-----END RSA PRIVATE KEY-----
I have checked for "strange" characters but everything seems ok except that when I start SER, it gives me:
Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/ser98cert.pem'
Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing module tls
Any feedback is highly appreciated...I never thought it would be so difficult to use TLS...
Samuel.
2006/4/10, samuel samu60@gmail.com:
I have been able to create a TLS connection with openssl tools (s_server and s_client) using the certificates that SER is unable to open. Can anyone tell me how I can debug this problem and find where the problem is?
Thanks again, Samuel.
2006/4/7, samuel samu60@gmail.com:
It starts with Certificate and the corresponding fields. After this information, the cert itself begins with the BEGIN statement.
As I said, I am just starting with TLS and probably I did not create the cert properly. I'll try to read more information meanwhile.
Thanks, Samuel.
2006/4/7, Vaclav Kubart vaclav.kubart@iptel.org:
Is the certificate really in PEM format? Try to look at it with openssl, or look into the file to see if it starts with something like "-----BEGIN CERTIFICATE-----".
If it is not in PEM format you can use openssl to convert it...
Vaclav
On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote:
Yes....I even increased permissions up to the next level:
-rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 cert.pem
-rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 key.pem
-rwxrwxrwx 1 root ser 1.4K 2006-04-07 12:26 user-calist.pem
-rwxrwxrwx 1 root ser 3.0K 2006-04-07 12:26 user-cert.pem
-rwxrwxrwx 1 root ser 530 2006-04-07 12:26 user-cert_req.pem
-rwxrwxrwx 1 root ser 493 2006-04-07 12:26 user-privkey.
2006/4/7, Klaus Darilion klaus.mailinglists@pernau.at:
Does ser have permissions to read the cert files?
klaus
samuel wrote:
> Hi folks!!
>
> Finally I had time to test the new TLS module and faced lots of
> problems...probably due to my lack of security knowledge. If somebody
> can point me to a few links where I can gain some knowledge I'll appreciate
> it..
>
> The problem:
>
> I create the cert, key and ca-list using the scripts present in
> openser's TLS module. I am using the latest CVS version and SER does
> not start, giving the following error:
>
> ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load
> certificate file '/usr/local/etc/ser/certs/user-cert.pem'
> ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM
> routines:PEM_read_bio:no start line
>
> Probably I did something wrong in the key creation or configured
> something wrong in ser.cfg....The config is taken from a thread
> present in serdev about the status of the SER TLS module and it's
> really simple so I don't think it's wrong but anyway, here it is:
>
> loadmodule "/usr/local/lib/ser/modules/tls.so"
> loadmodule "/usr/local/lib/ser/modules/sl.so"
> loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
>
> listen=tls:a.b.c.d:5061
> listen=tcp:a.b.c.d:5060
> listen=udp:a.b.c.d:5060
>
> alias=mydomain.com
>
> #modparam("tls", "tls_method", "TLSv1")
> modparam("tls", "tls_method", "SSLv23")
> modparam("tls", "verify_certificate", 1)
> modparam("tls", "require_certificate", 0)
> modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem")
> modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem")
> modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem")
> #modparam("tls", "config", "tls.cfg")
>
> route {
>     if (proto == TLS && (method == "POST" || method == "GET")) {
>         create_via(); # XMLRPC requests do not contain via, create it
>
>         if (!@tls.peer.verified) {
>             # Client did not provide certificate or it is not valid
>             xmlrpc_reply("400", "Unauthorized");
>             break;
>         }
>
>         if (@xmlrpc.method == "core.kill") {
>             # Make sure the client has the permission to execute the command
>             if (@tls.peer != "SER-Killer") {
>                 xmlrpc_reply("400", "Access to core.kill denied");
>                 break;
>             }
>         }
>
>         dispatch_rpc();
>         break;
>     }
> }
>
> Any comments are highly appreciated, thanks!
>
> Samuel.
>
> _______________________________________________
> Serusers mailing list
> serusers@lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
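A small stdlib-only checker for the PEM symptoms discussed in this thread (a file with no "-----BEGIN" line, descriptive text before the first marker, a passphrase-encrypted private key, a body that is not base64/DER), added here as an example; it is not code from the thread or from SER/OpenSSL, and its sample inputs are constructed (the DER body is a dummy SEQUENCE, not a real certificate or key).

```python
import base64, binascii, re

_MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")  # e.g. -----BEGIN CERTIFICATE-----

def _check_body(label, body):
    # body = stripped lines between one BEGIN/END pair: optional "Name: value" headers, then base64
    payload = "".join(l for l in body if l and ":" not in l)
    encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in body)
    findings = [f"{label} is passphrase-encrypted; an unattended daemon cannot prompt for it"] if encrypted else []
    try:
        der = base64.b64decode(payload, validate=True)
    except binascii.Error:
        return findings + [f"{label} body is not valid base64"]
    if not der or der[0] != 0x30:                        # certificates and keys are DER SEQUENCEs
        findings.append(f"{label} body does not decode to a DER SEQUENCE")
    return findings

def check_pem(text):
    """Return findings for the text of a PEM file; [] means only clean blocks were found."""
    findings, label, body, blocks, preamble = [], None, [], 0, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()                               # tolerate CRLF and trailing blanks
        m = _MARKER.match(line)
        if m and m.group(1) == "BEGIN":
            label, body = m.group(2), []
        elif m:                                          # an END marker
            if label == m.group(2):
                blocks += 1
                findings += _check_body(label, body)
            else:
                findings.append(f"line {lineno}: END {m.group(2)} without matching BEGIN")
            label, body = None, []
        elif label is not None:
            body.append(line)
        elif line:
            preamble += 1
    if blocks == 0:
        findings.append("no start line: no complete BEGIN/END block found")
    if label is not None:
        findings.append(f"BEGIN {label} block is never closed")
    if preamble:
        findings.append(f"note: {preamble} non-PEM line(s) before the first BEGIN (OpenSSL skips them)")
    return findings

# Constructed samples, not real key material: the DER body is just SEQUENCE { INTEGER 1 }.
FAKE_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
GOOD_CERT = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER_B64}\n-----END CERTIFICATE-----\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,8B980883B8F1BADF\n\n"
                 f"{FAKE_DER_B64}\n-----END RSA PRIVATE KEY-----\n")
TEXT_DUMP_ONLY = "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
```

Run `check_pem(open(path).read())` against the certificate and key files named in a `modparam("tls", ...)` line to see which of the conditions above applies before digging into the module itself.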