As written in the previous reply I just sent, the error is not related
to crl handling, but to the fact that the client doesn't send its own
certificate.
Cheers,
Daniel
On 26/10/15 19:37, Vladimer Gabunia wrote:
Problem is urgent.
This is my CRL list file content:
When I enable
modparam("tls", "crl", "/etc/kamailio/tls/Server/crl.pem")
here is part of the debug log:
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [ip_addr.c:243]: print_ip(): tcpconn_new: new tcp connection: 192.168.88.149
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [tcp_main.c:1096]: tcpconn_new(): tcpconn_new: on port 56215, type 3
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [tcp_main.c:1408]: tcpconn_add(): tcpconn_add: hashes: 2440:3999:3197, 5
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [io_wait.h:390]: io_watch_add(): DBG: io_watch_add(0x89bf60, 47, 2, 0x7fb643de6698), fd_no=33
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [io_wait.h:617]: io_watch_del(): DBG: io_watch_del (0x89bf60, 47, -1, 0x0) fd_no=34 called
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [tcp_main.c:4302]: handle_tcpconn_ev(): tcp: DBG: sending to child, events 1
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [tcp_main.c:3973]: send2child(): selected tcp worker 0 20(23474) for activity on [tls:192.168.240.254:5061], 0x7fb643de6698
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_read.c:1510]: handle_io(): received n=8 con=0x7fb643de6698, fd=13
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: tls [tls_server.c:178]: tls_complete_init(): Using TLS domain TLSs<default>
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: tls [tls_domain.c:700]: sr_ssl_ctx_info_callback(): SSL handshake started
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_main.c:2556]: tcpconn_do_send(): tcp_send: sending...
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_main.c:2590]: tcpconn_do_send(): tcp_send: after real write: c= 0x7fb643de6698 n=1576 fd=13
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_main.c:2591]: tcpconn_do_send(): tcp_send: buf=#012#026#003#003
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [io_wait.h:390]: io_watch_add(): DBG: io_watch_add(0x8e0200, 13, 2, 0x7fb643de6698), fd_no=1
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_main.c:2556]: tcpconn_do_send(): tcp_send: sending...
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_main.c:2590]: tcpconn_do_send(): tcp_send: after real write: c= 0x7fb643de6698 n=7 fd=13
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_main.c:2591]: tcpconn_do_send(): tcp_send: buf=#012#025#003#003
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: ERROR: tls [tls_server.c:1186]: tls_read_f(): TLS accept:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: ERROR: <core> [tcp_read.c:1281]: tcp_read_req(): ERROR: tcp_read_req: error reading
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [io_wait.h:617]: io_watch_del(): DBG: io_watch_del (0x8e0200, 13, -1, 0x10) fd_no=2 called
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_read.c:1437]: release_tcpconn(): releasing con 0x7fb643de6698, state -2, fd=13, id=5
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: DEBUG: <core> [tcp_read.c:1438]: release_tcpconn(): extra_data 0x7fb643ddf4f8
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: <core> [tcp_main.c:3385]: handle_tcp_child(): handle_tcp_child: reader response= 7fb643de6698, -2 from 0
Oct 26 22:34:38 lip /usr/sbin/kamailio[23479]: DEBUG: tls [tls_server.c:597]: tls_h_close(): Closing SSL connection 0x7fb643ddf4f8
Oct 26 22:34:38 lip /usr/sbin/kamailio[23473]: DEBUG: websocket [ws_conn.c:459]: wsconn_get_list(): wsconn_get_list
Oct 26 22:34:38 lip /usr/sbin/kamailio[23473]: DEBUG: websocket [ws_conn.c:502]: wsconn_get_list(): wsconn_get_list returns list [(nil)] with [0] members
Oct 26 22:34:39 lip /usr/sbin/kamailio[23473]: DEBUG: websocket [ws_conn.c:459]: wsconn_get_list(): wsconn_get_list
Oct 26 22:34:39 lip /usr/sbin/kamailio[23473]: DEBUG: websocket [ws_conn.c:502]: wsconn_get_list(): wsconn_get_list returns list [(nil)] with [0] members
------------------------------------------------------------------------
*From:* sr-users [sr-users-bounces(a)lists.sip-router.org] on behalf of
Daniel-Constantin Mierla [miconda(a)gmail.com]
*Sent:* Monday, October 26, 2015 12:05 PM
*To:* Kamailio (SER) - Users Mailing List
*Subject:* Re: [SR-Users] Q: about CRL list (TLS)
Hello,

On 25/10/15 13:10, Vladimer Gabunia wrote:

Hello all.
We compiled kamailio with TLS support, but have the next problem when
using CRL List.
Our certificate issuing scheme is as follows:
Offline Root CA -> Enterprise SubCA -> Server and Phone Certificate
CRL list is signed by SubCA.
Option "require client certificate" is enabled (1).
When we enable CRL list, phones are not registered.
CA file is offline RootCA certificate in pem format.
We think that the reason is that CRL was signed by SubCA or incorrect
CRL format.
CRL is converted from MS CRL to PEM. (What is the format for the CRL?)
Maybe someone has experience with similar scenarios?

The readme file of the tls
module has some documentation about crl:
http://www.kamailio.org/docs/modules/stable/modules/tls.html#tls.p.crl
You can also try to run with debug=3 in kamailio.cfg and see more debug
messages about what happens internally.

Cheers,
Daniel
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda -
http://www.linkedin.com/in/miconda
Book: SIP Routing With Kamailio -
http://www.asipto.com
Kamailio Advanced Training, Nov 30-Dec 2, Berlin -
http://asipto.com/kat
------------------------------------------------------------------------
gh.ge
*Vladimer Gabunia*
Head of IT Department
Tel: (+995) 32 2505222 +8183
Mob: (995) 577 095333
"Geo Hospitals" LLC
Head Office
Tbilisi 0160, Vazha-Pshavela Ave. No. 16;
http://www.gh.ge
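
The diagnosis in the top reply can be read straight from the log's ERROR line. The following is an added example, not code from Kamailio or from either poster: a Python triage helper that extracts the OpenSSL error string from Kamailio TLS log lines and splits the packed code as OpenSSL 1.x lays it out (8-bit library, 12-bit function, 12-bit reason). The second sample line and the hint texts are constructed for contrast.

```python
import re

# Constructed sample input: the ERROR entry from the log above (re-joined onto
# one line) plus one invented line showing a verification failure for contrast.
SAMPLE_LOG = """\
Oct 26 22:34:38 lip /usr/sbin/kamailio[23474]: ERROR: tls [tls_server.c:1186]: tls_read_f(): TLS accept:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Oct 26 22:40:00 lip /usr/sbin/kamailio[23474]: ERROR: tls [tls_server.c:1186]: tls_read_f(): TLS accept:error:14089086:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:certificate verify failed
"""

# OpenSSL error-queue string: error:<8 hex digits>:<library>:<function>:<reason>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)$")

# Triage hints keyed on the reason text (hypothetical wording, added here).
HINTS = {
    "no certificate returned":
        "client sent no certificate; nothing was checked against the CRL",
    "certificate verify failed":
        "client certificate was presented but did not verify (chain, expiry or CRL)",
}


def decode_packed(code_hex):
    """Split an OpenSSL 1.x packed error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(log_text):
    """Return one dict per line of log_text that carries an OpenSSL error."""
    findings = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        code, library, function, reason = m.groups()
        lib, func, reason_no = decode_packed(code)
        reason = reason.strip()
        findings.append({
            "code": code.upper(), "lib": lib, "func": func,
            "reason_no": reason_no, "library": library,
            "function": function, "reason": reason,
            "hint": HINTS.get(reason, "unclassified; read the reason text"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']} {f['function']}: {f['reason']} -> {f['hint']}")
```

Feed it log entries that have been re-joined to one line each; wrapped entries like those in the quoted mail split the error string across lines and will not match.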