Hi,
I am trying to make my non-TLS/TLS UA register with my TLS enabled openSER. Currently I am just working on my local machine with the client UAs on the same subnet (so there is only one domain, but it's not named). Below is my configuration file:
disable_tls = 0
listen = tls:10.30.100.41:5061
tls_verify_server = 1
tls_verify_client = 0
tls_require_client_certificate = 0
tls_method = TLSv1
tls_certificate = "/usr/local/etc/openser/tls/user/user-cert.pem"
tls_private_key = "/usr/local/etc/openser/tls/user/user-privkey.pem"
tls_ca_list = "usr/local/etc/openser/tls/user/user-calist.pem"
However, with the above configuration the client UAs could not register and I got a 408 Request Timeout message. Is there any field that is missing to make this simple scenario work? What should be the values of "tls_client_domain" and "tls_server_domain" fields in this case?
I noticed that when I start the openSER without TLS support using "openserctl start" and do "ps -e" after that, there are more openSER processes running than if I start openSER with TLS support in which case I see very few of these processes running.
Your help is much appreciated....
Best regards, NCheeku
Hello again,
maybe you should add the following line to test your non-TLS UAs:
disable_tls = 0
listen = udp:10.30.100.41:5060   <---
listen = tls:10.30.100.41:5061
You can check your TLS handshake by simulating your server with openssl.
Please have a look at the following link that describes the TLS support:
http://www.openser.org/docs/tls.html
Best regards, Steffen
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Thanks a lot Steffen. Adding the new listen = udp:10.30.100.41:5060 indeed worked. How can I check the TLS handshake using openssl at the server? Thanks a lot..
Hello Ncheeku,
change to the directory with your ".pem" files: /usr/local/etc/openser/tls/user
Then you can test your TLS handshake with the following command:
openssl s_server -cert user-cert.pem -key user-privkey.pem -state -accept 5061
Openssl simulates a TLS server with your certificate/private key files and it accepts only requests at port 5061.
Best regards, Steffen
Thanks Steffen. Is there any freely available TLS client which can be used to check these settings and the handshake? That will be really helpful..
Best regards, NCheeku
Hello,
openssl can play client and/or server role.
Best regards, Steffen
You are correct, so just for the trial purposes if I want the TLS handshake to be successful what credentials for the client should I use? i.e. can I do something like:
openssl s_client -cert user-cert.pem -key user-privkey.pem -state -connect 10.30.00.41:5061
On doing this it comes back with an error saying Verify Return Code: 21 (Unable to verify the first certificate). Should I be using new certificates or with the same set of certificates I can achieve a successful handshake?
Thanks a lot.. Ncheeku
OK, the certificate authority (CA) is missing in your client command:
openssl s_client ... -CAfile name_of_cafile.pem
In my opinion a client should use a different certificate/private key pair but signed by the same CA.
Best regards, Steffen
Yes, it worked. It came back saying that the certificate has expired, verify return code: 10. Probably the certificate has expired and I need to generate the new certificates..
Thanks a lot.... NCheeku
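Added example, not part of the original thread: a shell script that builds a throwaway CA with separate server and client key pairs signed by it (the layout Steffen recommends) and uses "openssl verify" to reproduce the verification outcomes discussed above. The directory, file names and subject names are constructed for the demo; "openssl verify" reports the missing-CA case as code 20, where the s_client run in the thread reported 21.

```sh
#!/bin/sh
# Added example: throwaway lab PKI reproducing the verification results
# discussed in this thread. All names and paths here are constructed.

# issue_cert DIR NAME DAYS: fresh key pair for CN=NAME, signed by the lab CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2-privkey.pem" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days "$3" \
        -CA "$1/ca-cert.pem" -CAkey "$1/ca-privkey.pem" -CAcreateserial \
        -out "$1/$2-cert.pem" 2>/dev/null
}

# make_lab_pki DIR: self-signed CA, then a server and a client certificate,
# each with its own key pair but signed by the same CA.
make_lab_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Lab CA" -days 3650 \
        -keyout "$1/ca-privkey.pem" -out "$1/ca-cert.pem" 2>/dev/null &&
    issue_cert "$1" server 30 &&
    issue_cert "$1" client 30
}

# verify_code CERT [openssl verify options]: print the numeric verify result
# (0 = ok, 10 = certificate has expired, 20 = issuer not found locally).
verify_code() {
    cert=$1; shift
    if out=$(openssl verify "$@" "$cert" 2>&1); then
        echo 0
    else
        # First "error N at D depth lookup" line carries the result code.
        printf '%s\n' "$out" |
            sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

demo() {
    lab=$(mktemp -d) || return 1
    make_lab_pki "$lab" || { rm -rf "$lab"; return 1; }
    # Verify "as of" 60 days from now, past the 30-day notAfter of the leaf.
    later=$(( $(date +%s) + 60 * 86400 ))
    echo "server, CA supplied: $(verify_code "$lab/server-cert.pem" -CAfile "$lab/ca-cert.pem")"
    echo "client, CA supplied: $(verify_code "$lab/client-cert.pem" -CAfile "$lab/ca-cert.pem")"
    echo "server, CA missing:  $(verify_code "$lab/server-cert.pem")"
    echo "server, 60 days on:  $(verify_code "$lab/server-cert.pem" -CAfile "$lab/ca-cert.pem" -attime "$later")"
    rm -rf "$lab"
}

demo
```

The same CA file is what the s_client command in the thread needs via -CAfile; a result of 10 means the chain was found and only the validity period failed.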
The only free TLS-capable client is minisip.
Commercial phones with TLS support are eyebeam (IMO the best client available and IMO worth the 60$) and the SNOM hardphones.
Maybe the free snom softphone also supports TLS - but I do not know.
regards klaus
Thanks Klaus.
Hi!
I've just read the pjsip news - there is now also TLS support. You can use the included command line client for testing:
Merry Christmas and happy new year for all. I just checked in experimental TLS support in pjsip, just in case anyone is interested.
pjsua manual also has been updated: http://www.pjsip.org/pjsua.htm
I've also updated the getting started page with the instructions on how to enable TLS support during build. You can find it here: http://www.pjsip.org/using.htm
cheers, -benny
regards klaus