9 Sep
2010
9 Sep
'10
4:17 a.m.
hi all,
i have configure tls support as this link:
http://www.kamailio.org/docs/tls-devel.html#id2451496
and i add certificate to 3CX sip phone is "cacert.pem" but when i register sip
phone, the log file in kamailio server is :
Sep 9 15:13:36 appliance /usr/local/sbin/kamailio[2146]: ERROR: tls [tls_server.c:392]:
SSL error:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
my configure in kamailio.cfg as :
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "tls_method", "SSLv23")
modparam("tls", "certificate",
"/usr/local/etc/kamailio//tls/user/user-cert.pem")
modparam("tls", "private_key",
"/usr/local/etc/kamailio//tls/user/user-privkey.pem")
modparam("tls", "ca_list",
"/usr/local/etc/kamailio//tls/user/user-calist.pem")
modparam("tls", "verify_certificate",0 )
modparam("tls", "require_certificate",0 )
please suggest to fix this error.
thanks and regards.
Peter Green.
9 Sep
9 Sep
5:13 a.m.
Am 09.09.2010 10:17, schrieb peter_green lion:
hi all,
i have configure tls support as this link:
http://www.kamailio.org/docs/tls-devel.html#id2451496
and i add certificate to 3CX sip phone is "cacert.pem" but when i
register sip phone, the log file in kamailio server is :
Sep 9 15:13:36 appliance /usr/local/sbin/kamailio[2146]: ERROR: tls
[tls_server.c:392]: SSL error:error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate
I think the means that the SIP phone sends the ALERT because the it does
not accept the certificate of the server. So you have to debug why the
SIP phone does not accept the certificate.
You really should test with another SIP client first.
regards
Klaus
my configure in kamailio.cfg as :
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "tls_method", "SSLv23")
modparam("tls", "certificate",
"/usr/local/etc/kamailio//tls/user/user-cert.pem")
modparam("tls", "private_key",
"/usr/local/etc/kamailio//tls/user/user-privkey.pem")
modparam("tls", "ca_list",
"/usr/local/etc/kamailio//tls/user/user-calist.pem")
modparam("tls", "verify_certificate",0 )
modparam("tls", "require_certificate",0 )
please suggest to fix this error.
thanks and regards.
Peter Green.
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users(a)lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
6 a.m.
Date: Thu, 9 Sep 2010 11:13:19 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 09.09.2010 10:17, schrieb peter_green lion:
hi Klaus,
i add certificate to internet explorer, but it fail:
when i view this certificate i see that error:
"this certificate has expired or is not yet valid"
is mean this certificate is wrong ?
so how do i make it correct ?
thanks and regards,
Peter Green.
hi all,
i have configure tls support as this link:
http://www.kamailio.org/docs/tls-devel.html#id2451496
and i add certificate to 3CX sip phone is "cacert.pem" but when i
register sip phone, the log file in kamailio server is :
Sep 9 15:13:36 appliance /usr/local/sbin/kamailio[2146]: ERROR: tls
[tls_server.c:392]: SSL error:error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate
I think the means that the SIP phone sends the ALERT because the it does
not accept the certificate of the server. So you have to debug why the
SIP phone does not accept the certificate.
You really should test with another SIP client first.
regards
Klaus
>
> my configure in kamailio.cfg as :
>
> modparam("tls", "tls_method", "TLSv1")
> modparam("tls", "tls_method", "SSLv23")
> modparam("tls", "certificate",
> "/usr/local/etc/kamailio//tls/user/user-cert.pem")
> modparam("tls", "private_key",
> "/usr/local/etc/kamailio//tls/user/user-privkey.pem")
> modparam("tls", "ca_list",
> "/usr/local/etc/kamailio//tls/user/user-calist.pem")
> modparam("tls", "verify_certificate",0 )
> modparam("tls", "require_certificate",0 )
>
>
> please suggest to fix this error.
> thanks and regards.
> Peter Green.
>
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users(a)lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
10:17 a.m.
Am 09.09.2010 12:00, schrieb peter_green lion:
Yes. It is either expired or not yet valid!
Date: Thu, 9 Sep 2010 11:13:19 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 09.09.2010 10:17, schrieb peter_green lion:
hi Klaus,
i add certificate to internet explorer, but it fail:
when i view this certificate i see that error:
"this certificate has expired or is not yet valid"
is mean this certificate is wrong ? hi all,
i have configure tls support as this link:
http://www.kamailio.org/docs/tls-devel.html#id2451496
and i add certificate to 3CX sip phone is "cacert.pem" but when i
register sip phone, the log file in kamailio server is :
Sep 9 15:13:36 appliance /usr/local/sbin/kamailio[2146]: ERROR: tls
[tls_server.c:392]: SSL error:error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate
I think the means that the SIP phone sends the ALERT because the it does
not accept the certificate of the server. So you h ave to debug why the
SIP phone does not accept the certificate.
You really should test with another SIP client first.
regards
Klaus
>
> my configure in kamailio.cfg as :
>
> modparam("tls", "tls_method", "TLSv1")
> modparam("tls", "tls_method", "SSLv23")
> modparam("tls", "certificate",
> "/usr/local/etc/kamailio//tls/user/user-cert.pem")
> modparam("tls", "private_key",
> "/usr/local/etc/kamailio//tls/user/user-privkey.pem")
> modparam("tls", "ca_list",
> "/usr/local/etc/kamailio//tls/user/user-calist.pem")
> modparam("tls", "verify_certificate",0 )
> modparam("tls", "require_certificate",0 )
>
>
> please suggest to fix this error.
> thanks and regards.
> Peter Green.
>
>
>
> _ ______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users(a)lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
so how do i make it correct ?
Hope this ends this endless conversation
http://www.kamailio.org/dokuwiki/doku.php/tls:create-certificates
regards
klaus
2:06 p.m.
Date: Thu, 9 Sep 2010 16:17:18 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 09.09.2010 12:00, schrieb peter_green lion:
Yes. It is either expired or not yet valid!
hi Klaus,
I hope i could close this question, but i cannot make it work.
i did as the document which you send me.
and when i test certificate with command as:
[root@appliance kamailio]# openssl s_client -connect localhost:5061 -tls1 -CAfile
/etc/certs/demoCA/cert.pem
CONNECTED(00000003)
depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA
verify return:1
depth=0 /C=AT/ST=Berkshire/L=Berlin/O=berlin-calling.com/CN=berlin-calling.com
verify return:1
2962:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt.c:1086:SSL alert number 40
2962:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
[root@appliance kamailio]# openssl s_client -connect localhost:5061 -ssl2 -CAfile
/etc/certs/demoCA/cert.pem
CONNECTED(00000003)
depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA
verify return:1
depth=0 /C=AT/ST=Berkshire/L=Berlin/O=berlin-calling.com/CN=berlin-calling.com
verify return:1
2963:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:s2_pkt.c:428:
[root@appliance kamailio]# openssl s_client -connect localhost:5061 -ssl3 -CAfile
/etc/certs/demoCA/cert.pem
CONNECTED(00000003)
depth=1 /C=AT/ST=Vienna/L=Vienna/O=My private CA/CN=My private CA
verify return:1
depth=0 /C=AT/ST=Berkshire/L=Berlin/O=berlin-calling.com/CN=berlin-calling.com
verify return:1
2964:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt.c:1086:SSL alert number 40
2964:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
and i have the same error as last email.
please help me to handle this error.
thanks for help me.
regards,
Peter Green.
Date: Thu, 9 Sep 2010 11:13:19 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 09.09.2010 10:17, schrieb peter_green lion:
hi Klaus,
i add certificate to internet explorer, but it fail:
when i view this certificate i see that error:
"this certificate has expired or is not yet valid"
is mean this certificate is wrong ? hi all,
i have configure tls support as this link:
http://www.kamailio.org/docs/tls-devel.html#id2451496
and i add certificate to 3CX sip phone is "cacert.pem" but when i
register sip phone, the log file in kamailio server is :
Sep 9 15:13:36 appliance /usr/local/sbin/kamailio[2146]: ERROR: tls
[tls_server.c:392]: SSL error:error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate
I think the means that the SIP phone sends the ALERT because the it does
not accept the certificate of the server. So you h ave to debug why the
SIP phone does not accept the certificate.
You really should test with another SIP client first.
regards
Klaus
>
> my configure in kamailio.cfg as :
>
> modparam("tls", "tls_method", "TLSv1")
> modparam("tls", "tls_method", "SSLv23")
> modparam("tls", "certificate",
> "/usr/local/etc/kamailio//tls/user/user-cert.pem")
> modparam("tls", "private_key",
> "/usr/local/etc/kamailio//tls/user/user-privkey.pem")
> modparam("tls", "ca_list",
> "/usr/local/etc/kamailio//tls/user/user-calist.pem")
> modparam("tls", "verify_certificate",0 )
> modparam("tls", "require_certificate",0 )
>
>
> please suggest to fix this error.
> thanks and regards.
> Peter Green.
>
>
>
> _ ______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users(a)lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
so how do i make it correct ?
Hope this ends this endless conversation
http://www.kamailio.org/dokuwiki/doku.php/tls:create-certificates
regards
klaus
5:10 a.m.
Date: Mon, 13 Sep 2010 10:38:34 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Show us your complete TLS configuration
regards
Klaus
Am 09.09.2010 20:06, schrieb peter_green lion:
> SSL alert number 40
hi Klaus and all,
my configure as:
first i install kamailio with mysql, db mysql and tls.
i configure kamailio to use mysql database , it work ok. i add 2 sip account :101/101 ,
102/102.
i follow document tls module
:http://www.kamailio.org/docs/modules/3.0.x/modules/tls.html#tls.overview
i make cert as :
Creating CA certificate
-----------------------
1. create CA dir
mkdir ca
cd ca
2. create ca dir structure and files (see ca(1))
mkdir demoCA #default CA name, edit /etc/ss/openssl.cnf
mkdir demoCA/private
mkdir demoCA/newcerts
touch demoCA/index.txt
echo 01 >demoCA/serial
2. create CA private key
openssl genrsa -out demoCA/private/cakey.pem 2048
chmod 600 demoCA/private/cakey.pem
3. create CA self-signed certificate
openssl req -out demoCA/cacert.pem -x509 -new -key demoCA/private/cakey.pem
Creating a server/client certificate
------------------------------------
1. create a certificate request (and its private key in privkey.pem)
openssl req -out ser1_cert_req.pem -new -nodes
WARNING: the organization name should be the same as in the ca certificate.
2. sign it with the ca certificate
openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
3. copy ser1_cert.pem to your ser config. dir
Setting ser to use the certificate
----------------------------------
1. create the ca list file:
for each of your ca certificates that you intend to use do:
cat cacert.pem >>calist.pem
2. copy your ser certificate, private key and ca list file to your
intended machine (preferably in your ser cfg. directory, this is the
default place ser searches for)
3. set up ser.cfg to use the certificate
if your ser certificate name is different from cert.pem or it is not
placed in ser cfg. directory, add to your ser.cfg:
modparam("tls", "certificate", "/path/cert_file_name")
4. set up ser to use the private key
if your private key is not contained in the certificate (or the
certificate name is not the default cert.pem), add to your ser.cfg:
modparam("tls", "private_key", "/path/private_key_file")
5. set up ser to use the ca list (optional)
add to your ser.cfg:
modparam("tls", "ca_list", "/path/ca_list_file")
6. set up tls authentication options:
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
(for more information see the module parameters documentation)
as follow your link :http://www.kamailio.org/dokuwiki/doku.php/tls:create-certificates
i copy ser1_cert.pem, privkey.pem, cacert.pem to /usr/local/etc/kamailio
i transfer cacert.pem to another pc to add to sip certificate.
i add some line in kamailio.cfg as bellow:
enable_tls=1
tcp_async=no
listen=tls:192.168.1.81:5060
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "tls_method", "SSLv23")
modparam("tls", "certificate", "ser1_cert.pem")
modparam("tls", "private_key", "privkey.pem")
modparam("tls", "ca_list", "cacert.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
i start kamailio ok. the log have line :
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:175]:
TLSc<default>: tls_method=9
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:185]:
TLSc<default>:
certificate='/usr/local/etc/kamailio//tls/user/user-cert.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:190]:
TLSc<default>: ca_list='/usr/local/etc/kamailio//tls/user/user-calist.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:193]:
TLSc<default>: require_certificate=1
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:198]:
TLSc<default>: cipher_list='(null)'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:203]:
TLSc<default>:
private_key='/usr/local/etc/kamailio//tls/user/user-privkey.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:206]:
TLSc<default>: verify_certificate=1
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:209]:
TLSc<default>: verify_depth=9
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:331]:
TLSc<default>: Server MUST present valid certificate
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: WARNING: tls [tls_domain.c:395]:
tls: set_ssl_options: openssl SSL_OP_TLS_BLOCK_PADDING bug workaround enabled (openssl
version 90802f)
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3116]: INFO: ctl [io_listener.c:224]:
io_listen_loop: using epoll_lt io watch method (config)
when i add certificate to 3CX phone, i register, the log in server is :
SSL error:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate.
so i thing my problem is the certificate,or the bug in opnessl, my openssl version is
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008i used QJsimple is have the same problem.
please help me to check it again or suggest what i do to fix it.
thanks and regards,
Peter Green.
5:40 a.m.
Am 13.09.2010 11:10, schrieb peter_green lion:
enable_tls=1
tcp_async=no
listen=tls:192.168.1.81:5060
The default is for TLS is port 5061.
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "tls_method", "SSLv23")
You can not use TLS and SSL - only on e or the other. SIP is
standardized with TLSv1. Thus you should remove SSLv23 unless you
explicitely know that the client can not handle TLSv1 (then the client
would be buggy)
modparam("tls", "certificate",
"ser1_cert.pem")
modparam("tls", "private_key", "privkey.pem")
modparam("tls", "ca_list", "cacert.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls",
"require_certificate", 1)
Here is the problem: You have configured Kamailio to require a client
certificate. Usually the SIP client does not have a TLS client
certificate, thus Kamailio will terminate the TLS connection with
handshake error. Set
modparam("tls", "require_certificate", 0)
and at least it should work with the "openssl s_client" tool.
regards
Klaus
6:03 a.m.
Date: Mon, 13 Sep 2010 11:40:33 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 13.09.2010 11:10, schrieb peter_green lion:
hi Klaus and all,
i have changed all thing as you advice,
but it cannot work,
when i run command to check :
[root@appliance kamailio]# openssl s_client -connect 192.168.1.40:5061 -tls1
CONNECTED(00000003)
depth=1 /C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a(a)192.168.1.40
verify error:num=19:self signed certificate in certificate chain
verify return:0
....................
subject=/C=vn/ST=hcm/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a(a)192.168.1.40
issuer=/C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a(a)192.168.1.40
---
Acceptable client certificate CA names
/C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a(a)192.168.1.40
---
SSL handshake has read 2256 bytes and written 299 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key:
08F56E61E88ADF353D6EB77126706E4364F31FB31437153ABAB1A20090F8D77CE0BEA0E0B218DB6E7653FBD873E91735
Key-Arg : None
Krb5 Principal: None
Compression: 1 (zlib compression)
Start Time: 1284411539
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
and :
[root@appliance kamailio]# openssl s_client -connect 192.168.1.40:5061 -tls1 -CAfile
cacert.pem
CONNECTED(00000003)
2223:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
so what is the prolem ?
thanks and regards,
Peter Green.
enable_tls=1
tcp_async=no
listen=tls:192.168.1.81:5060
The default is for TLS is port 5061.
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "tls_method", "SSLv23")
You can not use TLS and SSL - only on e or the other. SIP is
standardized with TLSv1. Thus you should remove SSLv23 unless you
explicitely know that the client can not handle TLSv1 (then the client
would be buggy)
modparam("tls",
"certificate", "ser1_cert.pem")
modparam("tls", "private_key", "privkey.pem")
modparam("tls", "ca_list", "cacert.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls",
"require_certificate", 1)
Here is the problem: You have configured Kamailio to require a client
certificate. Usually the SIP client does not have a TLS client
certificate, thus Kamailio will terminate the TLS connection with
handshake error. Set
modparam("tls", "require_certificate", 0)
and at least it should work with the "openssl s_client" tool.
regards
Klaus
6:44 a.m.
Date: Mon, 13 Sep 2010 11:40:33 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 13.09.2010 11:10, schrieb peter_green lion:
hi Klaus and all,
i thing this is bug in openssl, becau i have just install kamailio with tls support in
ubuntu server which OS have openssl version 0.9.8k,
and i have result as:
sip client can register with server via tls support(sometime it work and some time it
cannot work, or it can register when i restart kamailio)
if it can register, i can make call but when callee answer, caller change to connect , but
callee continue ringring.
if callee reject call, caller change to destination busy.
i can recognize what problem, please suggest ?
thanks and regards
Peter Green.
enable_tls=1
tcp_async=no
listen=tls:192.168.1.81:5060
The default is for TLS is port 5061.
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "tls_method", "SSLv23")
You can not use TLS and SSL - only on e or the other. SIP is
standardized with TLSv1. Thus you should remove SSLv23 unless you
explicitely know that the client can not handle TLSv1 (then the client
would be buggy)
modparam("tls",
"certificate", "ser1_cert.pem")
modparam("tls", "private_key", "privkey.pem")
modparam("tls", "ca_list", "cacert.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls",
"require_certificate", 1)
Here is the problem: You have configured Kamailio to require a client
certificate. Usually the SIP client does not have a TLS client
certificate, thus Kamailio will terminate the TLS connection with
handshake error. Set
modparam("tls", "require_certificate", 0)
and at least it should work with the "openssl s_client" tool.
regards
Klaus
11 a.m.
Am 13.09.2010 12:44, schrieb peter_green lion:
hi Klaus and all,
i thing this is bug in openssl, becau i have just install kamailio with
tls support in ubuntu server which OS have openssl version 0.9.8k,
and i have result as:
sip client can register with server via tls support(sometime it work and
some time it cannot work, or it can register when i restart kamail io)
if it can register, i can make call but when callee answer, caller
change to connect , but callee continue ringring.
if callee reject call, caller change to destination busy.
i can recognize what problem, please suggest ?
I think this are normal NAT/TCP problems.
First you should try with TCP. Unless TCP works fine you SHOULD NOT test
with TLS as TLS will not work too.
Make sure SIP over TCP works fine - e.g call fix_nated_contact() in your
config just as you would do NAT traversal (even if you do not have NATs)
regards
klaus
11:27 a.m.
Date: Mon, 13 Sep 2010 17:00:16 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 13.09.2010 12:44, schrieb peter_green lion:
Dear Klaus,
i have do that first, i try with TCP and it works very good, my server and client in the
same net work. But i change it to TLS, the problem was found.
so i wonder why it is. and i mail to you who have more experience to fix it.
and when caller call callee, i use ngrep to catch package through port 5060/5061 I see the
TLS package, it is not a sip message. so I thing the problem is futher.and only 3CX phone
can register with my server.
thanks for help me.
best regards.
Peter Green.
hi Klaus and all,
i thing this is bug in openssl, becau i have just install kamailio with
tls support in ubuntu server which OS have openssl version 0.9.8k,
and i have result as:
sip client can register with server via tls support(sometime it work and
some time it cannot work, or it can register when i restart kamail io)
if it can register, i can make call but when callee answer, caller
change to connect , but callee continue ringring.
if callee reject call, caller change to destination busy.
i can recognize what problem, please suggest ?
I think this are normal NAT/TCP problems.
First you should try with TCP. Unless TCP works fine you SHOULD NOT test
with TLS as TLS will not work too.
Make sure SIP over TCP works fine - e.g call fix_nated_contact() in your
config just as you would do NAT traversal (even if you do not have NATs)
regards
klaus
11:48 a.m.
Am 13.09.2010 17:27, schrieb peter_green lion:
and when caller call callee, i use ngrep to catch
package through port
5060/5061 I see the TLS package, it is not a sip message. so I thing the
problem is futher.and only 3CX phone can register with my server.
Instead of ngrep you should use tcpdump to capture the whole SIP traffic
to a file. Later open the pcap file in Wireshark and use the
TLS-decrypting feature of Wireshark to analyze the decrypted SIP signaling.
http://wiki.wireshark.org/SSL
Note: make sure to disable all Diffie-Hellman ciphers
regards
Klaus
5118
days inactive
5122
days old
12 comments
2 participants
participants (2)
-
Klaus Darilion -
peter_green lion