hi all, i have configure tls support as this link: http://www.kamailio.org/docs/tls-devel.html#id2451496 and i add certificate to 3CX sip phone is "cacert.pem" but when i register sip phone, the log file in kamailio server is :
Sep 9 15:13:36 appliance /usr/local/sbin/kamailio[2146]: ERROR: tls [tls_server.c:392]: SSL error:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
my configure in kamailio.cfg as :
modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23") modparam("tls", "certificate", "/usr/local/etc/kamailio//tls/user/user-cert.pem") modparam("tls", "private_key", "/usr/local/etc/kamailio//tls/user/user-privkey.pem") modparam("tls", "ca_list", "/usr/local/etc/kamailio//tls/user/user-calist.pem") modparam("tls", "verify_certificate",0 ) modparam("tls", "require_certificate",0 )
please suggest to fix this error. thanks and regards. Peter Green.
Am 09.09.2010 10:17, schrieb peter_green lion:
hi all, i have configure tls support as this link: http://www.kamailio.org/docs/tls-devel.html#id2451496 and i add certificate to 3CX sip phone is "cacert.pem" but when i register sip phone, the log file in kamailio server is :
Sep 9 15:13:36 appliance /usr/local/sbin/kamailio[2146]: ERROR: tls [tls_server.c:392]: SSL error:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
I think the means that the SIP phone sends the ALERT because the it does not accept the certificate of the server. So you have to debug why the SIP phone does not accept the certificate.
You really should test with another SIP client first.
regards Klaus
my configure in kamailio.cfg as :
modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23") modparam("tls", "certificate", "/usr/local/etc/kamailio//tls/user/user-cert.pem") modparam("tls", "private_key", "/usr/local/etc/kamailio//tls/user/user-privkey.pem") modparam("tls", "ca_list", "/usr/local/etc/kamailio//tls/user/user-calist.pem") modparam("tls", "verify_certificate",0 ) modparam("tls", "require_certificate",0 )
please suggest to fix this error. thanks and regards. Peter Green.
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
Date: Thu, 9 Sep 2010 11:13:19 +0200 From: klaus.mailinglists@pernau.at To: betergreen@live.com CC: sr-users@lists.sip-router.org Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 09.09.2010 10:17, schrieb peter_green lion:
hi all, i have configure tls support as this link: http://www.kamailio.org/docs/tls-devel.html#id2451496 and i add certificate to 3CX sip phone is "cacert.pem" but when i register sip phone, the log file in kamailio server is :
Sep 9 15:13:36 appliance /usr/local/sbin/kamailio[2146]: ERROR: tls [tls_server.c:392]: SSL error:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
I think the means that the SIP phone sends the ALERT because the it does not accept the certificate of the server. So you have to debug why the SIP phone does not accept the certificate.
You really should test with another SIP client first.
regards Klaus
my configure in kamailio.cfg as :
modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23") modparam("tls", "certificate", "/usr/local/etc/kamailio//tls/user/user-cert.pem") modparam("tls", "private_key", "/usr/local/etc/kamailio//tls/user/user-privkey.pem") modparam("tls", "ca_list", "/usr/local/etc/kamailio//tls/user/user-calist.pem") modparam("tls", "verify_certificate",0 ) modparam("tls", "require_certificate",0 )
please suggest to fix this error. thanks and regards. Peter Green.
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
hi Klaus, i add certificate to internet explorer, but it fail: when i view this certificate i see that error:
"this certificate has expired or is not yet valid"
is mean this certificate is wrong ?
so how do i make it correct ?
thanks and regards, Peter Green.
Am 09.09.2010 12:00, schrieb peter_green lion:
Date: Thu, 9 Sep 2010 11:13:19 +0200 From: klaus.mailinglists@pernau.at To: betergreen@live.com CC: sr-users@lists.sip-router.org Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 09.09.2010 10:17, schrieb peter_green lion:
hi all, i have configure tls support as this link: http://www.kamailio.org/docs/tls-devel.html#id2451496 and i add certificate to 3CX sip phone is "cacert.pem" but when i register sip phone, the log file in kamailio server is :
Sep 9 15:13:36 appliance /usr/local/sbin/kamailio[2146]: ERROR: tls [tls_server.c:392]: SSL error:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
I think the means that the SIP phone sends the ALERT because the it does not accept the certificate of the server. So you h ave to debug why the SIP phone does not accept the certificate.
You really should test with another SIP client first.
regards Klaus
my configure in kamailio.cfg as :
modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23") modparam("tls", "certificate", "/usr/local/etc/kamailio//tls/user/user-cert.pem") modparam("tls", "private_key", "/usr/local/etc/kamailio//tls/user/user-privkey.pem") modparam("tls", "ca_list", "/usr/local/etc/kamailio//tls/user/user-calist.pem") modparam("tls", "verify_certificate",0 ) modparam("tls", "require_certificate",0 )
please suggest to fix this error. thanks and regards. Peter Green.
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
hi Klaus, i add certificate to internet explorer, but it fail: when i view this certificate i see that error:
"this certificate has expired or is not yet valid"
is mean this certificate is wrong ?
Yes. It is either expired or not yet valid!
so how do i make it correct ?
Hope this ends this endless conversation
http://www.kamailio.org/dokuwiki/doku.php/tls:create-certificates
regards klaus
Date: Thu, 9 Sep 2010 16:17:18 +0200 From: klaus.mailinglists@pernau.at To: betergreen@live.com CC: sr-users@lists.sip-router.org Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 09.09.2010 12:00, schrieb peter_green lion:
Date: Thu, 9 Sep 2010 11:13:19 +0200 From: klaus.mailinglists@pernau.at To: betergreen@live.com CC: sr-users@lists.sip-router.org Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 09.09.2010 10:17, schrieb peter_green lion:
hi all, i have configure tls support as this link: http://www.kamailio.org/docs/tls-devel.html#id2451496 and i add certificate to 3CX sip phone is "cacert.pem" but when i register sip phone, the log file in kamailio server is :
Sep 9 15:13:36 appliance /usr/local/sbin/kamailio[2146]: ERROR: tls [tls_server.c:392]: SSL error:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
I think the means that the SIP phone sends the ALERT because the it does not accept the certificate of the server. So you h ave to debug why the SIP phone does not accept the certificate.
You really should test with another SIP client first.
regards Klaus
my configure in kamailio.cfg as :
modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23") modparam("tls", "certificate", "/usr/local/etc/kamailio//tls/user/user-cert.pem") modparam("tls", "private_key", "/usr/local/etc/kamailio//tls/user/user-privkey.pem") modparam("tls", "ca_list", "/usr/local/etc/kamailio//tls/user/user-calist.pem") modparam("tls", "verify_certificate",0 ) modparam("tls", "require_certificate",0 )
please suggest to fix this error. thanks and regards. Peter Green.
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
hi Klaus, i add certificate to internet explorer, but it fail: when i view this certificate i see that error:
"this certificate has expired or is not yet valid"
is mean this certificate is wrong ?
Yes. It is either expired or not yet valid!
so how do i make it correct ?
Hope this ends this endless conversation
http://www.kamailio.org/dokuwiki/doku.php/tls:create-certificates
regards klaus
hi Klaus, I hope i could close this question, but i cannot make it work. i did as the document which you send me. and when i test certificate with command as:
[root@appliance kamailio]# openssl s_client -connect localhost:5061 -tls1 -CAfile /etc/certs/demoCA/cert.pem CONNECTED(00000003) depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA verify return:1 depth=0 /C=AT/ST=Berkshire/L=Berlin/O=berlin-calling.com/CN=berlin-calling.com verify return:1 2962:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40 2962:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
[root@appliance kamailio]# openssl s_client -connect localhost:5061 -ssl2 -CAfile /etc/certs/demoCA/cert.pem CONNECTED(00000003) depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA verify return:1 depth=0 /C=AT/ST=Berkshire/L=Berlin/O=berlin-calling.com/CN=berlin-calling.com verify return:1 2963:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
[root@appliance kamailio]# openssl s_client -connect localhost:5061 -ssl3 -CAfile /etc/certs/demoCA/cert.pem CONNECTED(00000003) depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA verify return:1 depth=0 /C=AT/ST=Berkshire/L=Berlin/O=berlin-calling.com/CN=berlin-calling.com verify return:1 2964:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1086:SSL alert number 40 2964:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
and i have the same error as last email.
please help me to handle this error. thanks for help me. regards, Peter Green.
Date: Mon, 13 Sep 2010 10:38:34 +0200 From: klaus.mailinglists@pernau.at To: betergreen@live.com CC: sr-users@lists.sip-router.org Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Show us your complete TLS configuration
regards Klaus Am 09.09.2010 20:06, schrieb peter_green lion:
SSL alert number 40
hi Klaus and all, my configure as:
first i install kamailio with mysql, db mysql and tls.
i configure kamailio to use mysql database , it work ok. i add 2 sip account :101/101 , 102/102.
i follow document tls module :http://www.kamailio.org/docs/modules/3.0.x/modules/tls.html#tls.overview
i make cert as :
Creating CA certificate ----------------------- 1. create CA dir mkdir ca cd ca 2. create ca dir structure and files (see ca(1)) mkdir demoCA #default CA name, edit /etc/ss/openssl.cnf mkdir demoCA/private mkdir demoCA/newcerts touch demoCA/index.txt echo 01 >demoCA/serial 2. create CA private key openssl genrsa -out demoCA/private/cakey.pem 2048 chmod 600 demoCA/private/cakey.pem 3. create CA self-signed certificate openssl req -out demoCA/cacert.pem -x509 -new -key demoCA/private/cakey.pem
Creating a server/client certificate ------------------------------------ 1. create a certificate request (and its private key in privkey.pem) openssl req -out ser1_cert_req.pem -new -nodes WARNING: the organization name should be the same as in the ca certificate. 2. sign it with the ca certificate openssl ca -in ser1_cert_req.pem -out ser1_cert.pem 3. copy ser1_cert.pem to your ser config. dir
Setting ser to use the certificate ---------------------------------- 1. create the ca list file: for each of your ca certificates that you intend to use do: cat cacert.pem >>calist.pem 2. copy your ser certificate, private key and ca list file to your intended machine (preferably in your ser cfg. directory, this is the default place ser searches for) 3. set up ser.cfg to use the certificate if your ser certificate name is different from cert.pem or it is not placed in ser cfg. directory, add to your ser.cfg: modparam("tls", "certificate", "/path/cert_file_name") 4. set up ser to use the private key if your private key is not contained in the certificate (or the certificate name is not the default cert.pem), add to your ser.cfg: modparam("tls", "private_key", "/path/private_key_file") 5. set up ser to use the ca list (optional) add to your ser.cfg: modparam("tls", "ca_list", "/path/ca_list_file") 6. set up tls authentication options: modparam("tls", "verify_certificate", 1) modparam("tls", "require_certificate", 1) (for more information see the module parameters documentation)
as follow your link :http://www.kamailio.org/dokuwiki/doku.php/tls:create-certificates i copy ser1_cert.pem, privkey.pem, cacert.pem to /usr/local/etc/kamailio i transfer cacert.pem to another pc to add to sip certificate. i add some line in kamailio.cfg as bellow:
enable_tls=1
tcp_async=no
listen=tls:192.168.1.81:5060
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "tls_method", "SSLv23")
modparam("tls", "certificate", "ser1_cert.pem")
modparam("tls", "private_key", "privkey.pem")
modparam("tls", "ca_list", "cacert.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
i start kamailio ok. the log have line :
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:175]: TLSc<default>: tls_method=9 Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:185]: TLSc<default>: certificate='/usr/local/etc/kamailio//tls/user/user-cert.pem' Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:190]: TLSc<default>: ca_list='/usr/local/etc/kamailio//tls/user/user-calist.pem' Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:193]: TLSc<default>: require_certificate=1 Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:198]: TLSc<default>: cipher_list='(null)' Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:203]: TLSc<default>: private_key='/usr/local/etc/kamailio//tls/user/user-privkey.pem' Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:206]: TLSc<default>: verify_certificate=1 Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:209]: TLSc<default>: verify_depth=9 Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:331]: TLSc<default>: Server MUST present valid certificate Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: WARNING: tls [tls_domain.c:395]: tls: set_ssl_options: openssl SSL_OP_TLS_BLOCK_PADDING bug workaround enabled (openssl version 90802f) Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3116]: INFO: ctl [io_listener.c:224]: io_listen_loop: using epoll_lt io watch method (config)
when i add certificate to 3CX phone, i register, the log in server is :
SSL error:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate.
so i thing my problem is the certificate,or the bug in opnessl, my openssl version is OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008i used QJsimple is have the same problem.
please help me to check it again or suggest what i do to fix it. thanks and regards, Peter Green.
Am 13.09.2010 11:10, schrieb peter_green lion:
enable_tls=1 tcp_async=no
listen=tls:192.168.1.81:5060
The default is for TLS is port 5061.
modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23")
You can not use TLS and SSL - only on e or the other. SIP is standardized with TLSv1. Thus you should remove SSLv23 unless you explicitely know that the client can not handle TLSv1 (then the client would be buggy)
modparam("tls", "certificate", "ser1_cert.pem") modparam("tls", "private_key", "privkey.pem") modparam("tls", "ca_list", "cacert.pem") modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
Here is the problem: You have configured Kamailio to require a client certificate. Usually the SIP client does not have a TLS client certificate, thus Kamailio will terminate the TLS connection with handshake error. Set modparam("tls", "require_certificate", 0) and at least it should work with the "openssl s_client" tool.
regards Klaus
Date: Mon, 13 Sep 2010 11:40:33 +0200 From: klaus.mailinglists@pernau.at To: betergreen@live.com CC: sr-users@lists.sip-router.org Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 13.09.2010 11:10, schrieb peter_green lion:
enable_tls=1 tcp_async=no
listen=tls:192.168.1.81:5060
The default is for TLS is port 5061.
modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23")
You can not use TLS and SSL - only on e or the other. SIP is standardized with TLSv1. Thus you should remove SSLv23 unless you explicitely know that the client can not handle TLSv1 (then the client would be buggy)
modparam("tls", "certificate", "ser1_cert.pem") modparam("tls", "private_key", "privkey.pem") modparam("tls", "ca_list", "cacert.pem") modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
Here is the problem: You have configured Kamailio to require a client certificate. Usually the SIP client does not have a TLS client certificate, thus Kamailio will terminate the TLS connection with handshake error. Set modparam("tls", "require_certificate", 0) and at least it should work with the "openssl s_client" tool.
regards Klaus
hi Klaus and all,
i have changed all thing as you advice, but it cannot work, when i run command to check :
[root@appliance kamailio]# openssl s_client -connect 192.168.1.40:5061 -tls1 CONNECTED(00000003) depth=1 /C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a@192.168.1.40 verify error:num=19:self signed certificate in certificate chain verify return:0
.................... subject=/C=vn/ST=hcm/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a@192.168.1.40 issuer=/C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a@192.168.1.40 --- Acceptable client certificate CA names /C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a@192.168.1.40 --- SSL handshake has read 2256 bytes and written 299 bytes --- New, TLSv1/SSLv3, Cipher is AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: zlib compression Expansion: zlib compression SSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: Session-ID-ctx: Master-Key: 08F56E61E88ADF353D6EB77126706E4364F31FB31437153ABAB1A20090F8D77CE0BEA0E0B218DB6E7653FBD873E91735 Key-Arg : None Krb5 Principal: None Compression: 1 (zlib compression) Start Time: 1284411539 Timeout : 7200 (sec) Verify return code: 19 (self signed certificate in certificate chain) and :
[root@appliance kamailio]# openssl s_client -connect 192.168.1.40:5061 -tls1 -CAfile cacert.pem CONNECTED(00000003) 2223:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
so what is the prolem ?
thanks and regards, Peter Green.
Date: Mon, 13 Sep 2010 11:40:33 +0200 From: klaus.mailinglists@pernau.at To: betergreen@live.com CC: sr-users@lists.sip-router.org Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 13.09.2010 11:10, schrieb peter_green lion:
enable_tls=1 tcp_async=no
listen=tls:192.168.1.81:5060
The default is for TLS is port 5061.
modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23")
You can not use TLS and SSL - only on e or the other. SIP is standardized with TLSv1. Thus you should remove SSLv23 unless you explicitely know that the client can not handle TLSv1 (then the client would be buggy)
modparam("tls", "certificate", "ser1_cert.pem") modparam("tls", "private_key", "privkey.pem") modparam("tls", "ca_list", "cacert.pem") modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
Here is the problem: You have configured Kamailio to require a client certificate. Usually the SIP client does not have a TLS client certificate, thus Kamailio will terminate the TLS connection with handshake error. Set modparam("tls", "require_certificate", 0) and at least it should work with the "openssl s_client" tool.
regards Klaus
hi Klaus and all, i thing this is bug in openssl, becau i have just install kamailio with tls support in ubuntu server which OS have openssl version 0.9.8k, and i have result as:
sip client can register with server via tls support(sometime it work and some time it cannot work, or it can register when i restart kamailio)
if it can register, i can make call but when callee answer, caller change to connect , but callee continue ringring. if callee reject call, caller change to destination busy.
i can recognize what problem, please suggest ? thanks and regards Peter Green.
Am 13.09.2010 12:44, schrieb peter_green lion:
hi Klaus and all, i thing this is bug in openssl, becau i have just install kamailio with tls support in ubuntu server which OS have openssl version 0.9.8k, and i have result as:
sip client can register with server via tls support(sometime it work and some time it cannot work, or it can register when i restart kamail io)
if it can register, i can make call but when callee answer, caller change to connect , but callee continue ringring. if callee reject call, caller change to destination busy.
i can recognize what problem, please suggest ?
I think this are normal NAT/TCP problems.
First you should try with TCP. Unless TCP works fine you SHOULD NOT test with TLS as TLS will not work too.
Make sure SIP over TCP works fine - e.g call fix_nated_contact() in your config just as you would do NAT traversal (even if you do not have NATs)
regards klaus
Date: Mon, 13 Sep 2010 17:00:16 +0200 From: klaus.mailinglists@pernau.at To: betergreen@live.com CC: sr-users@lists.sip-router.org Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 13.09.2010 12:44, schrieb peter_green lion:
hi Klaus and all, i thing this is bug in openssl, becau i have just install kamailio with tls support in ubuntu server which OS have openssl version 0.9.8k, and i have result as:
sip client can register with server via tls support(sometime it work and some time it cannot work, or it can register when i restart kamail io)
if it can register, i can make call but when callee answer, caller change to connect , but callee continue ringring. if callee reject call, caller change to destination busy.
i can recognize what problem, please suggest ?
I think this are normal NAT/TCP problems.
First you should try with TCP. Unless TCP works fine you SHOULD NOT test with TLS as TLS will not work too.
Make sure SIP over TCP works fine - e.g call fix_nated_contact() in your config just as you would do NAT traversal (even if you do not have NATs)
regards klaus
Dear Klaus, i have do that first, i try with TCP and it works very good, my server and client in the same net work. But i change it to TLS, the problem was found. so i wonder why it is. and i mail to you who have more experience to fix it. and when caller call callee, i use ngrep to catch package through port 5060/5061 I see the TLS package, it is not a sip message. so I thing the problem is futher.and only 3CX phone can register with my server.
thanks for help me. best regards. Peter Green.
Am 13.09.2010 17:27, schrieb peter_green lion:
and when caller call callee, i use ngrep to catch package through port 5060/5061 I see the TLS package, it is not a sip message. so I thing the problem is futher.and only 3CX phone can register with my server.
Instead of ngrep you should use tcpdump to capture the whole SIP traffic to a file. Later open the pcap file in Wireshark and use the TLS-decrypting feature of Wireshark to analyze the decrypted SIP signaling.
Note: make sure to disable all Diffie-Hellman ciphers
regards Klaus
-
Klaus Darilion -
peter_green lion