[Users] TLS problem - sr-users

14 Jun 2006

hi guys,

happy OpenSER's 1st Anniversary and happy world cup!

I configure the TLS on OpenSER-1.0.1 release, but it doesn't work well.
i searched on the web and found the discussion (attach it below) which posted monthes ago,

my problem is very similar to it.
but i can't find any conclusion about this discussion.
Does anyone has resolved the similar problem, can you share the experiences?
thanks in advance.

my openssl's version is 0.9.8a
when used snom360 to connect openser via tls, it blocked and freezed after receive
ServerHelloDone.
windows messenger 5.1 can go further, but still popup the "There was a problem
verifying the certificate..." msg.
and openser print the error are SSL_ERROR_WANT_READ and SSL_ERROR_SYSCALL...

my certificate should be right, i have checked and regenerated it heaps of times...

----------------------------------------

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       voipsec
Subject:    Re: [VOIPSEC] Snom Softphone with TLS and Openser
From:       dennis <m8939605 () yahoo ! com ! tw>
Date:       2006-02-24 13:44:01
Message-ID: 20060224134401.62975.qmail () web17506 ! mail ! tpe ! yahoo ! com
[Download message RAW]

Hi Martin,

I folllow your method, but I still have somme problem.

1.After receive ClientHello, openser will be
terminated.
  my openser is 1.0.0
1 1  0.0023 (0.0023)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_NULL_MD5
        TLS_RSA_WITH_NULL_SHA
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
        TLS_DH_anon_WITH_RC4_128_MD5
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_DH_anon_WITH_DES_CBC_SHA
        compression methods
                  NULL
1    0.2734 (0.2710)  S>C  TCP FIN
 ///////////////////////////////////
2. Add the tls_ciphers_list="NULL-SHA:NULL-MD5",
openser was ok, but snom soft phone was stuck
immediately after starting and did not accept any
input via the user interface.

1 1  0.0894 (0.0894)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_NULL_MD5
        TLS_RSA_WITH_NULL_SHA
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
        TLS_DH_anon_WITH_RC4_128_MD5
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_DH_anon_WITH_DES_CBC_SHA
        compression methods
                  NULL
1 2  0.0913 (0.0018)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          86 63 02 13 cd 51 12 d8 02 61 aa cc 66 63 84
d8
          21 42 01 8e c1 d6 8e b0 c3 b6 d1 26 68 73 0d
02
        cipherSuite         TLS_RSA_WITH_NULL_MD5
        compressionMethod                   NULL
1 3  0.0913 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0913 (0.0000)  S>C  Handshake
      ServerHelloDone
1    131.0737 (130.9823)  S>C  TCP FIN

When you re-executed the program, the ceritificate
will be clean away. I thought that the soft phone lost
it's certificate, so it hang on.
Another root causer may be openssl (0.97f), I will try
to upgrade or reinstall it.
///////////////////////////////////////
In my environment, Windows Messenger always has some
problems with Openser, when openser sent certificate,
WM  always pop up a error messange. 

3 1  0.8193 (0.8193)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        compression methods
                  NULL
3 2  0.8199 (0.0006)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          c3 b3 f1 16 de e4 76 d6 97 e3 ae ba 68 06 31
92
          1a 5c 62 c7 f5 8c 7d 2c 2e 2b 87 47 32 a6 04
32
        cipherSuite        
TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compressionMethod                   NULL
3 3  0.8199 (0.0000)  S>C  Handshake
      Certificate
3 4  0.8199 (0.0000)  S>C  Handshake
      ServerHelloDone
////////////////////////////////////
But after replaced key size from 2048 to 1024, there
was improvement in Windows Messenger, although it
still pop up the same error.

3 1  0.8193 (0.8193)  C>S  Handshake
      ClientHello
        Version 3.1
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        compression methods
                  NULL
3 2  0.8199 (0.0006)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          c3 b3 f1 16 de e4 76 d6 97 e3 ae ba 68 06 31
92
          1a 5c 62 c7 f5 8c 7d 2c 2e 2b 87 47 32 a6 04
32
        cipherSuite        
TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compressionMethod                   NULL
3 3  0.8199 (0.0000)  S>C  Handshake
      Certificate
3 4  0.8199 (0.0000)  S>C  Handshake
      ServerHelloDone
3 5  0.8701 (0.0501)  C>S  Handshake
      ClientKeyExchange
3 6  0.8701 (0.0000)  C>S  ChangeCipherSpec
3 7  0.8701 (0.0000)  C>S  Handshake
3 8  0.8736 (0.0035)  S>C  ChangeCipherSpec
3 9  0.8738 (0.0001)  S>C  Handshake
3    1.6979 (0.8241)  C>S  TCP FIN
3 10 1.6985 (0.0006)  S>C  Alert
3    1.6986 (0.0000)  S>C  TCP FIN

The Alert was not a standard TLS alert description, so
I can't analyze it.
The Alter messange is below:
15 03 01 00 18 fe ef bc 84 a3 c7 8c 8c a5 91 e7 da e1
7c
            ^^^^^^^^ (there are some problems.....)
06 ee 35 9d 32 21 ec ef 8c 79 

--- Christian Stredicke &lt;Christian.Stredicke(a)snom.de&gt;
���G

...
  Instead of using DNS SRV you can also use a
 transport parameter in the
 outbound proxy. E.g.

 server.example.at:5061;transport=tls

 Christian

  -----Original Message-----
 From: Voipsec-bounces(a)voipsa.org 
 [mailto:Voipsec-bounces@voipsa.org] On Behalf Of
  Martin Petraschek
  Sent: Thursday, February 23, 2006 5:01 AM
 To: Voipsec(a)voipsa.org
 Subject: [VOIPSEC] Snom Softphone with TLS and
  Openser

 Hi all,

 I just wanted to share the experiences I made when
  trying to 
  get the Snom 360 Softphone to work with TLS
  support together 
  with Openser. Maybe my findings can be of use
for
  other 
  people having similar problems.

 The Snom Softphone is one of the few Softphones I
  am aware of 
  that support TLS as well as RTP encryption.
  Unfortunately it 
  is not Open Source, but the binary is freely
  available at 
  http://www.snom.com/download/snom360-5.3.exe

 When trying to use TLS, one might be disappointed
  that the 
  configuration menus do not offer any setting
like
  "enable 
  TLS". This is because the Snom phone uses
DNS SRV
  queries in 
  order to find out which connection method to
use.
  The first 
  task is therefore to configure SRV records of
the
  DNS server. 
  For bind, the following lines did the trick:

 example.at.   IN NAPTR 10 50 "s" "SIPS+D2T" ""
  _sips._tcp.example.at.
  example.at.   IN NAPTR 20 50 "s"
"SIP+D2U" ""
  _sip._udp.example.at.
  example.at.   IN NAPTR 30 50 "s"
"SIP+D2T" ""
  _sip._tcp.example.at.

 ; ----- SRV records -----
 _sip._udp               IN SRV 0 0 5060
  server.example.at.
  _sip._tcp               IN SRV 0 0 5060
  server.example.at.
  _sips._tcp              IN SRV 0 0 5061
  server.example.at.

 After that, the Snom phone tried to contact the
  SIP server via TLS. 
  However, the program was stuck immediately after
  starting and 
  did not accept any input via the user interface.
I
  inspected 
  the network traffic it generated with the help
of
  the tool 
  ssldump, which showed the following:

 server:/etc/openser/tools# ssldump -i eth0 port
  5061 New TCP 
  connection #1: user.example.at(3695) <->
  server.example.at(5061)
  1 1  0.0124 (0.0124)  C>S  Handshake
 ClientHello
 Version 3.1
 cipher suites
 TLS_RSA_WITH_RC4_128_MD5
 TLS_RSA_WITH_RC4_128_SHA
 TLS_RSA_WITH_NULL_MD5
 TLS_RSA_WITH_NULL_SHA
 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
 TLS_DH_anon_WITH_RC4_128_MD5
 TLS_RSA_WITH_DES_CBC_SHA
 TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
 TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
 TLS_DH_anon_WITH_DES_CBC_SHA
 compression methods
 NULL
 1 2  0.0145 (0.0021)  S>C  Handshake
 ServerHello
 Version 3.1
 session_id[32]=
 5d a6 8d 61 58 ed c6 08 ae 76 d1 eb 24
  82 6a c3
  2e 12 4c 29 17 7b 80 bf 1d 98 82 2c 67
  53 ab f0
  cipherSuite        
  TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  compressionMethod                   NULL
 1 3  0.0146 (0.0000)  S>C  Handshake
 Certificate
 1 4  0.0146 (0.0000)  S>C  Handshake
 CertificateRequest
 certificate_types                  
  rsa_sign
  certificate_types                  
  dss_sign
  ServerHelloDone
 1    9.5153 (9.5006)  C>S  TCP RST

 I noticed that the chosen ciphersuite was 1024 bit
  RSA. 
  Checking the certificate file 
 /etc/openser/tls/user/user-cert.pem, I found that
  the 
  certificate configured for openser is 2048 bit!
To
  overcome 
  this problem, I changed the configuration files
  ca.conf and 
  user.conf as well as gen_rootCA.sh (just
replaced
  2048 with 
  1024 at every occurence). 
 After re-generating the certificates and restaring
  openser, 
  the TLS connection finally worked like a charm.

 Cheers,

 Martin

 _______________________________________________
 Voipsec mailing list
 Voipsec(a)voipsa.org

http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
...

 _______________________________________________
 Voipsec mailing list
 Voipsec(a)voipsa.org

http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
...