Hello!
I'm having problems with Kamailio configuration with TLS. Or, maybe, that's my misunderstanding about how it should work. So, the issue - inbound TLS works just great, I can call everyone in my domain. I have PositiveSSL certificate, so I have such files:
calist.crt - AddTrustExternalCARoot.crt + COMODORSAAddTrustCA.crt + COMODORSADomainValidationSecureServerCA.crt divided by \n
server.key - key
server.crt - cert
The configuration of tls.cfg:
[server:default]
method = SSLv23
verify_certificate = no
require_certificate = no
private_key = /etc/ssl/sectel.io.ssl/sip/server.key
certificate = /etc/ssl/sectel.io.ssl/sip/server.crt
ca_list = /etc/ssl/sectel.io.ssl/sip/calist.crt
#crl = /etc/kamailio/crl.pem
(however with or without ca_list nothing changes)
[client:default]
verify_certificate = yes
require_certificate = yes
And with that configuration, when I'm trying to call to ostel.co (public SIP service supporting TLS) from my server, I get such error:
ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Putting that in tls.cfg:
[client:default]
verify_certificate = no
require_certificate = no
makes everything work. Cross-domain calling is essential and I'm just trying to figure out - what's the problem? Is that my certificate, is that ostel.co certificate or it is just the way it should be?
Thanks!
Forgot to add:
cat /etc/issue
Debian GNU/Linux 8 \n \l
kamailio -V
version: kamailio 4.3.1 (x86_64/linux)
flags: STATS: Off, USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MEM, SHM_MMAP, PKG_MALLOC, F_MALLOC, DBG_F_MALLOC, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLACKLIST, HAVE_RESOLV_RES
ADAPTIVE_WAIT_LOOPS=1024, MAX_RECV_BUFFER_SIZE 262144, MAX_LISTEN 16, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled with gcc 4.9.2
openssl version
OpenSSL 1.0.1k 8 Jan 2015
-- Alexandru Covalschi ABRISS-Solutions VoIP engineer and system administrator phone: +37367398493 web: http://abs-telecom.com/
And server is under Amazon EC2, but that shouldn't really make any sense
When your server contacts the public server, your server acts as a tls client. So you may need to copy the server section settings (at least the calist) into the client section of tls.cfg.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Any way of specifying all popular certification centers as default calist? Shouldn't it use those which already exist in the system? (/etc/ssl/...)
Alexandru Covalschi writes:
Any way of specifying all popular certification centers as default calist? Shouldn't it use those which already exist in the system? (/etc/ssl/...)
I once tried to include all that are in /etc/ssl/certs/. If I remember correctly, Kamailio used lots of memory and/or took a long time to start.
Perhaps it would be possible to make Kamailio cache in memory only those that have been recently used.
-- Juha
Can you please specify how to include multiple certs into ca list?
Ah, thought Kamailio may have a variable to specify a whole folder :) Thanks!
2015-08-30 19:04 GMT+03:00 Juha Heinanen jh@tutpro.com:
Alexandru Covalschi writes:
Can you please specify how to include multiple certs into ca list?
on debian:
cat /etc/ssl/certs/* > ca_list
-- juha
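The two steps discussed in this thread, as an added example that is not part of the original messages or of Kamailio: the first function flags any [client:...] profile in tls.cfg that verifies peers without a ca_list of its own, and the second concatenates a certificate directory into one ca_list file while writing each certificate only once. The function names are hypothetical, and the check assumes the yes/no spelling used in the thread and that a client profile takes no ca_list from the server profile, as the reply above says.

```shell
#!/bin/sh
# Added example (not from the thread): audit tls.cfg, then build a CA bundle.

# Print every [client:...] profile that has verify_certificate = yes but no
# ca_list of its own. Exit status is 1 if any was found, 0 otherwise.
check_client_profiles() {
    awk '
        function report() {
            if (sec ~ /^client:/ && verify == "yes" && ca == "") { print sec; bad = 1 }
        }
        /^[ \t]*#/ { next }                      # commented-out settings
        /^[ \t]*\[/ {                            # profile header, e.g. [client:default]
            report(); sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            verify = ""; ca = ""; next
        }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "verify_certificate") verify = val
            if (key == "ca_list") ca = val
        }
        END { report(); exit bad + 0 }
    ' "$1"
}

# Write each distinct PEM certificate found in directory $1 to file $2 (which
# must live outside $1) and print how many were written. De-duplicating matters
# because a certs directory can hold the same CA under several file names.
build_ca_bundle() {
    : > "$2"
    for f in "$1"/*; do
        [ -f "$f" ] && { cat "$f"; echo; }       # echo: tolerate a missing final newline
    done | awk -v out="$2" '
        /-----BEGIN CERTIFICATE-----/ { inblk = 1; blk = "" }
        inblk { blk = blk $0 "\n" }
        /-----END CERTIFICATE-----/ {
            if (inblk && !(blk in seen)) { seen[blk] = 1; printf "%s", blk >> out; n++ }
            inblk = 0
        }
        END { print n + 0 }
    '
}

if [ "$#" -eq 3 ]; then                          # args: tls.cfg, certs directory, output file
    check_client_profiles "$1" || echo "profiles above verify peers without a ca_list" >&2
    build_ca_bundle "$2" "$3"
fi
```

On Debian, /etc/ssl/certs holds each CA as a named symlink and a hash symlink and also contains ca-certificates.crt, which is already the concatenated bundle, so a plain cat of the directory repeats every certificate. Pointing ca_list in [client:default] at one de-duplicated file keeps the loaded list to a single copy of each CA.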