30 Sep
2010
30 Sep
'10
11:27 a.m.
now that 3.1 has async tls support, i decided (first time ever) to try
to test tls. things went quite smoothly when i followed "Create
Certificates to be used with Kamailio" document
http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_the_cer…
during the process, i fixed a typo in the doc, added two comments to cfg
part:
enable_tls=1
tcp_async=no # do not include in 3.1
listen=udp:0.0.0.0:5060
listen=tcp:0.0.0.0:5060
listen=tls:0.0.0.0:5061 # not needed in 3.1
and fixed wrong file references in client configurations:
eyebeam: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the Windows PC and add it
to the Windows certificate store (Start→Control Panel→Internet)
QjSimple: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the
client PC and configure QjSimple to use this CA (“TLS CA file” and
“verify TLS server certificate)
earlier the paths pointed to certs/sip.mydomain.com files, which i think
were wrong. at least i was not able to get them working.
perhaps someone who is more familiar with tsl stuff could verify the
above changes.
-- juha
30 Sep
30 Sep
11:52 a.m.
New subject: "Create Certificates to be used with Kamailio" changes
I added note about configuring Snom phones to connect over TLS and
created a section from that part:
http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_tls_and…
Also, in my configs I set:
tcp_connection_lifetime=3610
Which is slightly higher than max allowed registration time. Some
clients do not reconnect if tcp/tls connection is closed by server.
Maybe we should add this one in the wiki as well.
Cheers,
Daniel
On 9/30/10 5:27 PM, Juha Heinanen wrote:
now that 3.1 has async tls support, i decided (first
time ever) to try
to test tls. things went quite smoothly when i followed "Create
Certificates to be used with Kamailio" document
http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_the_cer…
during the process, i fixed a typo in the doc, added two comments to cfg
part:
enable_tls=1
tcp_async=no # do not include in 3.1
listen=udp:0.0.0.0:5060
listen=tcp:0.0.0.0:5060
listen=tls:0.0.0.0:5061 # not needed in 3.1
and fixed wrong file references in client configurations:
eyebeam: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the Windows PC and add
it to the Windows certificate store (Start→Control Panel→Internet)
QjSimple: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the
client PC and configure QjSimple to use this CA (“TLS CA file” and
“verify TLS server certificate)
earlier the paths pointed to certs/sip.mydomain.com files, which i think
were wrong. at least i was not able to get them working.
perhaps someone who is more familiar with tsl stuff could verify the
above changes.
-- juha
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla
http://www.asipto.com
11:44 a.m.
New subject: "Create Certificates to be used with Kamailio" changes
one question about the certificate tutorial: is something else needed in
the config or certificate business, when sr talks over tls with another
sip proxy, e.g. another sr? namely in that case sr may be in client
role when tls session is established.
-- juha
12:14 p.m.
On Sep 30, 2010 at 18:44, Juha Heinanen <jh(a)tutpro.com> wrote:
one question about the certificate tutorial: is
something else needed in
the config or certificate business, when sr talks over tls with another
sip proxy, e.g. another sr? namely in that case sr may be in client
role when tls session is established.
Nothing special if needed.
However if you want to have different certificates in function of the
role, or who are you talking with, you need to use a separate tls config
file
(http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html…)
Andrei
12:56 p.m.
Andrei Pelinescu-Onciul writes:
However if you want to have different certificates in
function of the
role (server or client, or who are you talking with, you need to use a separate tls
config
file
(http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html…)
ok thanks. i added a note about that to the tuto.
one more thing i would like to add to the tuto if someone knows the
answer: how to capture/see sip over ssl packets in the proxy host using
wireshark, ngrep, or something?
-- juha
1:21 p.m.
On Sep 30, 2010 at 19:56, Juha Heinanen <jh(a)tutpro.com> wrote:
Andrei Pelinescu-Onciul writes:
ssldump -k modules/tls/sip-router-selfsigned.key tcp and port 5061
Andrei
However if you want to have different
certificates in function of the
role (server or client, or who are you talking with, you need to use a separate tls
config
file
(http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html…)
ok thanks. i added a note about that to the tuto.
one more thing i would like to add to the tuto if someone knows the
answer: how to capture/see sip over ssl packets in the proxy host using
wireshark, ngrep, or something?
2:12 p.m.
Andrei Pelinescu-Onciul writes:
i tried with command
ssldump -i any -k /etc/sip-proxy/certs/sip-proxy/key.pem tcp and port 5061
where /etc/sip-proxy/certs/sip-proxy/key.pem is the same file as
specified as tls module private key:
modparam("tls", "private_key",
"/etc/sip-proxy/certs/sip-proxy/key.pem")
nothing comes to console. i must have misunderstood the command. i
also tried with -i eth0, but it didn't help.
-- juha
one more thing
i would like to add to the tuto if someone knows the
answer: how to capture/see sip over ssl packets in the proxy host using
wireshark, ngrep, or something?
ssldump -k modules/tls/sip-router-selfsigned.key tcp and port 5061
3:20 p.m.
Juha Heinanen writes:
i tried with command
ssldump -i any -k /etc/sip-proxy/certs/sip-proxy/key.pem tcp and port 5061
where /etc/sip-proxy/certs/sip-proxy/key.pem is the same file as
specified as tls module private key:
modparam("tls", "private_key",
"/etc/sip-proxy/certs/sip-proxy/key.pem")
nothing comes to console. i must have misunderstood the command. i
also tried with -i eth0, but it didn't help.
i was able to figure out how do to it using wireshark. one needs to go
to Preferences/Protocols/SSL and there add to RSA keys list:
<ip-of-sip-proxy>,5061,sip,/etc/certs/sip.mydomain.com/key.pem
then in Options specify 'port 5061'. after that, new ssl connections
will be shown in clear.
i don't know why ssldump didn't work with the same key.pem file.
-- juha
1 Oct
1 Oct
3 a.m.
New subject: "Create Certificates to be used with Kamailio" changes
Am 30.09.2010 21:20, schrieb Juha Heinanen:
Juha Heinanen writes:
Just a note: this only works when non-DH ciphers are used. I added a
wiki page:
http://www.kamailio.org/dokuwiki/doku.php/tls:tls-decoding
regards
Klaus
i tried with command
ssldump -i any -k /etc/sip-proxy/certs/sip-proxy/key.pem tcp and port 5061
where /etc/sip-proxy/certs/sip-proxy/key.pem is the same file as
specified as tls module private key:
modparam("tls", "private_key",
"/etc/sip-proxy/certs/sip-proxy/key.pem")
nothing comes to console. i must have misunderstood the command. i
also tried with -i eth0, but it didn't help.
i was able to figure out how do to it using wireshark. one needs to go
to Preferences/Protocols/SSL and there add to RSA keys list:
<ip-of-sip-proxy>,5061,sip,/etc/certs/sip.mydomain.com/key.pem
then in Options specify 'port 5061'. after that, new ssl connections
will be shown in clear.
i don't know why ssldump didn't work with the same key.pem file.
4 Oct
4 Oct
6:54 a.m.
On Sep 30, 2010 at 21:12, Juha Heinanen <jh(a)tutpro.com> wrote:
Andrei Pelinescu-Onciul writes:
i tried with command
ssldump -i any -k /etc/sip-proxy/certs/sip-proxy/key.pem tcp and port 5061
where /etc/sip-proxy/certs/sip-proxy/key.pem is the same file as
specified as tls module private key:
modparam("tls", "private_key",
"/etc/sip-proxy/certs/sip-proxy/key.pem")
nothing comes to console. i must have misunderstood the command. i
also tried with -i eth0, but it didn't help.
For me it doesn't work with -i any, but works with -i eth0.
To quickly create a test tls connection I use:
openssl s_client -connect host:5061 -tls1
Andrei
one more
thing i would like to add to the tuto if someone knows the
answer: how to capture/see sip over ssl packets in the proxy host using
wireshark, ngrep, or something?
ssldump -k modules/tls/sip-router-selfsigned.key tcp and port 5061
12:09 p.m.
New subject: "Create Certificates to be used with Kamailio" changes
You are right.
Thanks for fixing my bugs :-)
Klaus
Am 30.09.2010 17:27, schrieb Juha Heinanen:
now that 3.1 has async tls support, i decided (first
time ever) to try
to test tls. things went quite smoothly when i followed "Create
Certificates to be used with Kamailio" document
http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_the_cer…
during the process, i fixed a typo in the doc, added two comments to cfg
part:
enable_tls=1
tcp_async=no # do not include in 3.1
listen=udp:0.0.0.0:5060
listen=tcp:0.0.0.0:5060
listen=tls:0.0.0.0:5061 # not needed in 3.1
and fixed wrong file references in client configurations:
eyebeam: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the Windows PC and add
it to the Windows certificate store (Start→Control Panel→Internet)
QjSimple: copy the CA certificate (/etc/certs/demoCA/cert.pem) to the
client PC and configure QjSimple to use this CA (“TLS CA file” and
“verify TLS server certificate)
earlier the paths pointed to certs/sip.mydomain.com files, which i think
were wrong. at least i was not able to get them working.
perhaps someone who is more familiar with tsl stuff could verify the
above changes.
-- juha
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
12:12 p.m.
On Sep 30, 2010 at 18:27, Juha Heinanen <jh(a)tutpro.com> wrote:
Andrei
now that 3.1 has async tls support, i decided (first
time ever) to try
to test tls. things went quite smoothly when i followed "Create
Certificates to be used with Kamailio" document
http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_the_cer…
during the process, i fixed a typo in the doc, added two comments to cfg
part:
enable_tls=1
tcp_async=no # do not include in 3.1
listen=udp:0.0.0.0:5060
listen=tcp:0.0.0.0:5060
^^^^^^^^ it should not be 0.0.0.0 but an
actual IP.
If you use 0.0.0.0 you _must_ set adevertised_adress or
you will have some strange Vias && RRs.
listen=tls:0.0.0.0:5061 # not needed in 3.1
^^^^^^^^^^^^^^^^ - it's optional only if you have another
listen which does not specify the protocol
(e.g. listen=10.0.0.2:5060 or
listen=10.0.0.2). In this case ser will
listen on all protocols on the default
port). I
This is true also for 3.0 and at least for
all ser versions.
In general I use
http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html…
as a quick setup reminder.
11:57 a.m.
Andrei Pelinescu-Onciul writes:
ok, fixed.
enable_tls=1
tcp_async=no # do not include in 3.1
listen=udp:0.0.0.0:5060
listen=tcp:0.0.0.0:5060
^^^^^^^^ it should not be 0.0.0.0 but an
actual IP.
If you use 0.0.0.0 you _must_ set adevertised_adress or
you will have some strange Vias && RRs.
listen=tls:0.0.0.0:5061 # not needed in 3.1
^^^^^^^^^^^^^^^^ - it's optional only if you have another
listen which does not specify the protocol
(e.g. listen=10.0.0.2:5060 or
listen=10.0.0.2). In this case ser will
listen on all protocols on the default
port). I
This is true also for 3.0 and at least for
all ser versions. In general I use
http://sip-router.org/docbook/sip-router/branch/master/modules/tls/tls.html…
as a quick setup reminder.
i read that too, but it was not as easy to follow as the tuto.
-- juha
1 Oct
1 Oct
3:03 a.m.
New subject: "Create Certificates to be used with Kamailio" changes
Am 30.09.2010 17:27, schrieb Juha Heinanen:
now that 3.1 has async tls support, i decided (first
time ever) to try
to test tls. things went quite smoothly when i followed "Create
Certificates to be used with Kamailio" document
http://kamailio.org/dokuwiki/doku.php/tls:create-certificates#using_the_cer…
during the process, i fixed a typo in the doc, added two comments to cfg
part:
enable_tls=1
tcp_async=no # do not include in 3.1
listen=udp:0.0.0.0:5060
listen=tcp:0.0.0.0:5060
listen=tls:0.0.0.0:5061 # not needed in 3.1
I wonder which IP address is used as TLS socket if you do not specify it
in the config file?
I always specify it explicitly as I do not want any kind of automatism.
regards
Klaus
5249
days inactive
5253
days old
14 comments
4 participants
participants (4)
-
Andrei Pelinescu-Onciul -
Daniel-Constantin Mierla -
Juha Heinanen -
Klaus Darilion