Hi,
I do have OpenSER 1.1.0 with TLS support on Debian Sarge working nicely,
and my SNOM 360 registers against it nicely. When using OpenSER 1.2 (2
days old CVS build) with TLS on Debian Etch with SNOM 360 and own signed
certificates (with tls/tools & own machine names) I get debug info
(below) from OpenSER. Any ideas with that "peer did not send
certificate"?
Thank you so many times,
-Mika
--- clip ---
Feb 2 13:15:10 localhost openser[20855]: tcp_receive_timeout: 0xb59e1900 expired (296, 297) lt=0
Feb 2 13:15:10 localhost openser[20855]: DBG: io_watch_del (0x8122980, 18, -1, 0x10) fd_no=2 called
Feb 2 13:15:10 localhost openser[20855]: releasing con 0xb59e1900, state 0, fd=18, id=2
Feb 2 13:15:10 localhost openser[20855]: extra_data (nil)
Feb 2 13:15:10 localhost openser[20859]: handle_tcp_child: reader response= b59e1900, 0 from 0
Feb 2 13:15:10 localhost openser[20859]: DBG: io_watch_add(0x8122820, 23, 2, 0xb59e1900), fd_no=15
Feb 2 13:15:10 localhost openser[20859]: handle_tcp_child: CONN_RELEASE 0xb59e1900 refcnt= 0
Feb 2 13:15:10 localhost openser[20859]: tcpconn_new: new tcp connection to: 193.65.183.233
Feb 2 13:15:10 localhost openser[20859]: tcpconn_new: on port 2063, type 3
Feb 2 13:15:10 localhost openser[20859]: tls_tcpconn_init: Entered: Creating a whole new ssl connection
Feb 2 13:15:10 localhost openser[20859]: tls_tcpconn_init: Looking up socket based TLS server domain [193.65.183.13:5061]
Feb 2 13:15:10 localhost openser[20859]: tls_find_server_domain: virtual TLS server domain not found, Using default TLS server domain settings
Feb 2 13:15:10 localhost openser[20859]: tls_tcpconn_init: Found socket based TLS server domain [0.0.0.0:0]
Feb 2 13:15:10 localhost openser[20859]: tls_tcpconn_init: Setting in ACCEPT mode (server)
Feb 2 13:15:10 localhost openser[20859]: tcpconn_add: hashes: 462, 9
Feb 2 13:15:10 localhost openser[20859]: handle_new_connect: new connection: 0xb5a06c88 24 flags: 0002
Feb 2 13:15:10 localhost openser[20859]: send2child: to tcp child 0 6(20855), 0xb5a06c88
Feb 2 13:15:10 localhost openser[20855]: received n=4 con=0xb5a06c88, fd=18
Feb 2 13:15:10 localhost openser[20855]: DBG: io_watch_add(0x8122980, 18, 2, 0xb5a06c88), fd_no=1
Feb 2 13:15:11 localhost openser[20855]: tls_update_fd: New fd is 18
Feb 2 13:15:11 localhost openser[20855]: tls_update_fd: New fd is 18
Feb 2 13:15:11 localhost openser[20855]: tls_accept: Error in SSL:
Feb 2 13:15:11 localhost openser[20855]: tls_error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
Feb 2 13:15:11 localhost openser[20855]: DBG: io_watch_del (0x8122980, 18, -1, 0x10) fd_no=2 called
Feb 2 13:15:11 localhost openser[20855]: releasing con 0xb5a06c88, state -2, fd=18, id=9
Feb 2 13:15:11 localhost openser[20855]: extra_data 0xb59f1a18
Feb 2 13:15:11 localhost openser[20859]: handle_tcp_child: reader response= b5a06c88, -2 from 0
Feb 2 13:15:11 localhost openser[20859]: tcpconn_destroy: destroying connection 0xb5a06c88, flags 0002
Feb 2 13:15:11 localhost openser[20859]: tls_close: Closing SSL connection
Feb 2 13:15:11 localhost openser[20859]: tls_update_fd: New fd is 24
Feb 2 13:15:11 localhost openser[20859]: tls_shutdown: Shutdown successful
Feb 2 13:15:11 localhost openser[20859]: tls_tcpconn_clean: Entered
-- clip ---
Hi again,
My openssl is openssl-0.9.8c-4, and the SNOM 360 firmware is the latest, 6.5.2. I
also found that somebody had problems with certificate bit size
(2048/512), so I generated a totally new 1024 CA and 1024 certificate
request, but still no luck with SNOM. ssldump looks like this:
Thanks for any hints / tips,
-Mika
-- clip --
1 1 0.0710 (0.0710) C>S Handshake
  ClientHello
    Version 3.1
    cipher suites
      TLS_RSA_WITH_RC4_128_MD5
      TLS_RSA_WITH_RC4_128_SHA
      TLS_RSA_WITH_NULL_MD5
      TLS_RSA_WITH_NULL_SHA
      TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
      TLS_DH_anon_WITH_RC4_128_MD5
      TLS_RSA_WITH_DES_CBC_SHA
      TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
      TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
      TLS_DH_anon_WITH_DES_CBC_SHA
    compression methods
      NULL
1 2 0.0780 (0.0069) S>C Handshake
  ServerHello
    Version 3.1
    session_id[32]=
      0e 74 fa c8 ed 22 e1 8b 0c ad aa ce f0 70 a0 a9
      d6 5c d1 23 14 06 fc 37 9b 2d 7c 89 73 1c 0b 80
    cipherSuite TLS_RSA_WITH_RC4_128_SHA
    compressionMethod NULL
1 3 0.0780 (0.0000) S>C Handshake
  Certificate
1 4 0.0780 (0.0000) S>C Handshake
  CertificateRequest
    certificate_types rsa_sign
    certificate_types dss_sign
    certificate_types unknown value
  ServerHelloDone
1 5 0.3278 (0.2498) C>S Handshake
  Certificate
1 6 0.3278 (0.0000) C>S Handshake
  ClientKeyExchange
1 7 0.3278 (0.0000) C>S ChangeCipherSpec
1 8 0.3278 (0.0000) C>S Handshake
1 9 0.3280 (0.0002) S>C Alert
  level fatal
  value handshake_failure
1 0.3284 (0.0003) S>C TCP RST
-- clip --
Hello,
In 1.2.0 the requirement of a client certificate as well as verification
of server and client certificates are set on by default. Maybe you had
them off in the old version. See the TLS manual to change the values of
those parameters.
http://www.openser.org/docs/tls.html#AEN293
Cheers,
Daniel
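
An added example, not part of the original thread and not OpenSER code: a small Python reader for the ssldump trace above that works out from the message sequence whether the server asked for a client certificate and whether the client actually presented one. The function names and verdict strings are assumptions made for this illustration, and the embedded trace is a shortened copy of the one posted.

```python
import re

# Constructed sample: the ssldump trace from the thread, cut down to record
# headers and message names from the server's Certificate record onward.
TRACE = """\
1 3 0.0780 (0.0000) S>C Handshake
Certificate
1 4 0.0780 (0.0000) S>C Handshake
CertificateRequest
ServerHelloDone
1 5 0.3278 (0.2498) C>S Handshake
Certificate
1 6 0.3278 (0.0000) C>S Handshake
ClientKeyExchange
1 7 0.3278 (0.0000) C>S ChangeCipherSpec
1 8 0.3278 (0.0000) C>S Handshake
1 9 0.3280 (0.0002) S>C Alert
level fatal
value handshake_failure
1 0.3284 (0.0003) S>C TCP RST
"""

# Record header: <conn> [<record>] <time> (<delta>) <direction> <type>
HEADER = re.compile(r"^\d+ (?:\d+ )?[\d.]+ \([\d.]+\) (C>S|S>C) (.+)$")

def parse(trace):
    """Return one (direction, record type, detail lines) tuple per record."""
    records = []
    for line in map(str.strip, trace.splitlines()):
        m = HEADER.match(line)
        if m:
            records.append((m.group(1), m.group(2), []))
        elif line and records:
            records[-1][2].append(line)
    return records

def client_auth_verdict(trace):
    recs = parse(trace)
    sent = lambda way, msg: any(d == way and msg in b for d, _, b in recs)
    abort = any(d == "S>C" and k == "Alert" and "level fatal" in b for d, k, b in recs)
    if not sent("S>C", "CertificateRequest"):
        return "client certificate not requested"
    # A client that presents a signing certificate follows ClientKeyExchange
    # with CertificateVerify; without it, the Certificate message is read
    # here as an empty certificate list.
    if sent("C>S", "CertificateVerify"):
        return "client certificate presented" + (", rejected by server" if abort else "")
    if abort:
        return "client certificate required but not presented"
    return "client certificate optional, not presented"
```

On the posted trace `client_auth_verdict(TRACE)` returns "client certificate required but not presented", which matches the `peer did not return a certificate` error in the OpenSER log.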