29 Jan
2012
29 Jan
'12
2:11 p.m.
I found that my TLS client was not happy because my server cert is
signed by an intermediate root.
A quick search in Google found other people mentioning the same problem,
but no solution or documentation.
I've had a quick look in the Kamailio source and I notice it is using
the call:
SSL_CTX_use_certificate_chain_file
to load the certificate specified in tls.cfg with
certificate=myserver.pem
In practice, this means the intermediate certificates can be appended to
myserver.pem and Kamailio will present them to the TLS client:
Example:
Trust heirarchy:
trusted root
- inter 1
- inter 2
- server.example.com.pem
Construct the PEM file in this exact order:
cat server.example.com.pem > chain-server.example.com.pem
cat inter2.pem >> chain-server.example.com.pem
cat inter1.pem >> chain-server.example.com.pem
and then, in tls.cfg:
certificate=chain-server.example.com.pem
29 Jan
29 Jan
2:33 p.m.
29 jan 2012 kl. 13:11 skrev Daniel Pocock:
I found that my TLS client was not happy because my server cert is
signed by an intermediate root.
A quick search in Google found other people mentioning the same problem,
but no solution or documentation.
I've had a quick look in the Kamailio source and I notice it is using
the call:
SSL_CTX_use_certificate_chain_file
to load the certificate specified in tls.cfg with
certificate=myserver.pem
In practice, this means the intermediate certificates can be appended to
myserver.pem and Kamailio will present them to the TLS client:
Example:
Trust heirarchy:
trusted root
- inter 1
- inter 2
- server.example.com.pem
Construct the PEM file in this exact order:
cat server.example.com.pem > chain-server.example.com.pem
cat inter2.pem >> chain-server.example.com.pem
cat inter1.pem >> chain-server.example.com.pem
and then, in tls.cfg:
certificate=chain-server.example.com.pem
This applies to almost all OpenSSL based implementations. But it should be documented
somewhere.
/O
3:53 p.m.
Construct the
PEM file in this exact order:
cat server.example.com.pem > chain-server.example.com.pem
cat inter2.pem >> chain-server.example.com.pem
cat inter1.pem >> chain-server.example.com.pem
and then, in tls.cfg:
certificate=chain-server.example.com.pem
This applies to almost all OpenSSL based implementations. But it should be documented
somewhere.
10:47 p.m.
2012/1/29 Daniel Pocock <daniel(a)pocock.com.au>au>:
It's a little bit different in Apache, where the
user specifies a file
containing intermediate certs - many of the CAs give instructions for
adding that file in Apache, but they make no mention of
OpenSSL/Kamailio/concatenating everything, so I imagine people will get
stuck on things like this
If your certificate is not signed by a root CA then you will be also
provided with an intermediary certificate which is signed by a root
CA, and that intermediary certificate validates yours.
So to use it, you must take your public certificate and the
intermediate certificate in PEM format and concatenate both, having
your public certificate at the top of the resulting file.
--
Iñaki Baz Castillo
<ibc(a)aliax.net>
11:27 p.m.
On 29/01/12 21:47, Iñaki Baz Castillo wrote:
2012/1/29 Daniel Pocock <daniel(a)pocock.com.au>au>:
Yes, that is exactly what I described in my original post - it is
working fine too
I notice that Asterisk needs to be patched to do it the way Kamailio does:
https://issues.asterisk.org/jira/browse/ASTERISK-17727
It's a little bit different in Apache, where
the user specifies a file
containing intermediate certs - many of the CAs give instructions for
adding that file in Apache, but they make no mention of
OpenSSL/Kamailio/concatenating everything, so I imagine people will get
stuck on things like this
If your certificate is not signed by a root CA then you will be also
provided with an intermediary certificate which is signed by a root
CA, and that intermediary certificate validates yours.
So to use it, you must take your public certificate and the
intermediate certificate in PEM format and concatenate both, having
your public certificate at the top of the resulting file.
30 Jan
30 Jan
9:58 a.m.
29 jan 2012 kl. 22:27 skrev Daniel Pocock:
On 29/01/12 21:47, Iñaki Baz Castillo wrote:
The Asterisk TCP/TLS implementation is marked experimental for a reason. And it's been
that way for many years.
/O
2012/1/29 Daniel Pocock
<daniel(a)pocock.com.au>au>:
Yes, that is exactly what I described in my original post - it is
working fine too
I notice that Asterisk needs to be patched to do it the way Kamailio does:
https://issues.asterisk.org/jira/browse/ASTERISK-17727 It's a little bit different in Apache, where
the user specifies a file
containing intermediate certs - many of the CAs give instructions for
adding that file in Apache, but they make no mention of
OpenSSL/Kamailio/concatenating everything, so I imagine people will get
stuck on things like this
If your certificate is not signed by a root CA then you will be also
provided with an intermediary certificate which is signed by a root
CA, and that intermediary certificate validates yours.
So to use it, you must take your public certificate and the
intermediate certificate in PEM format and concatenate both, having
your public certificate at the top of the resulting file.
1:51 p.m.
I notice that
Asterisk needs to be patched to do it the way Kamailio does:
https://issues.asterisk.org/jira/browse/ASTERISK-17727
The Asterisk TCP/TLS implementation is marked experimental for a reason. And it's
been that way for many years. 
2:53 p.m.
Hello,
On 1/29/12 2:53 PM, Daniel Pocock wrote:
This post will probably end up in Google - so people will find it that
way (including me, when I've forgotten this little detail at some point
in the future)
It's a little bit different in Apache, where the user specifies a file
containing intermediate certs - many of the CAs give instructions for
adding that file in Apache, but they make no mention of
OpenSSL/Kamailio/concatenating everything, so I imagine people will get
stuck on things like this we can include your notes to the readme, they may help
people looking
for same subject in the future.
If you create a patch against a docbook xml file in
modules/tls/doc/*.xml, adding a new section or to Important Notes, then
we will commit.
As a general policy, we are happy always to get improvements to
documentation, for large enhancements we can allow git commit as well.
Cheers,
Daniel
--
Daniel-Constantin Mierla -- http://www.asipto.com
http://linkedin.com/in/miconda -- http://twitter.com/miconda
Construct the PEM file in this exact order:
cat server.example.com.pem> chain-server.example.com.pem
cat inter2.pem>> chain-server.example.com.pem
cat inter1.pem>> chain-server.example.com.pem
and then, in tls.cfg:
certificate=chain-server.example.com.pem
This applies to almost all OpenSSL based implementations. But it should be
documented somewhere.
4680
days inactive
4681
days old
7 comments
4 participants
participants (4)
-
Daniel Pocock -
Daniel-Constantin Mierla -
Iñaki Baz Castillo -
Olle E. Johansson