hi guys,
Happy 1st anniversary to OpenSER, and happy World Cup!
I configured TLS on the OpenSER-1.0.1 release, but it doesn't work well.
I searched on the web and found the discussion (attached below) which was posted months ago;
my problem is very similar to it.
But I can't find any conclusion about this discussion.
Has anyone resolved a similar problem? Can you share your experiences?
Thanks in advance.
My openssl version is 0.9.8a.
When I used a snom360 to connect to openser via TLS, it blocked and froze after receiving
ServerHelloDone.
Windows Messenger 5.1 can go further, but still pops up the "There was a problem
verifying the certificate..." message.
And the errors openser prints are SSL_ERROR_WANT_READ and SSL_ERROR_SYSCALL...
My certificate should be right; I have checked and regenerated it heaps of times...
----------------------------------------
List: voipsec
Subject: Re: [VOIPSEC] Snom Softphone with TLS and Openser
From: dennis <m8939605 () yahoo ! com ! tw>
Date: 2006-02-24 13:44:01
Message-ID: 20060224134401.62975.qmail () web17506 ! mail ! tpe ! yahoo ! com
Hi Martin,
I followed your method, but I still have some problems.
1. After receiving ClientHello, openser is terminated.
My openser is 1.0.0.
1 1 0.0023 (0.0023) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_DES_CBC_SHA
compression methods
NULL
1 0.2734 (0.2710) S>C TCP FIN
///////////////////////////////////
2. After adding tls_ciphers_list="NULL-SHA:NULL-MD5",
openser was OK, but the snom softphone was stuck
immediately after starting and did not accept any
input via the user interface.
1 1 0.0894 (0.0894) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_DES_CBC_SHA
compression methods
NULL
1 2 0.0913 (0.0018) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
86 63 02 13 cd 51 12 d8 02 61 aa cc 66 63 84 d8
21 42 01 8e c1 d6 8e b0 c3 b6 d1 26 68 73 0d 02
cipherSuite TLS_RSA_WITH_NULL_MD5
compressionMethod NULL
1 3 0.0913 (0.0000) S>C Handshake
Certificate
1 4 0.0913 (0.0000) S>C Handshake
ServerHelloDone
1 131.0737 (130.9823) S>C TCP FIN
When you re-execute the program, the certificate
will be cleaned away. I thought that the softphone lost
its certificate, so it hung.
Another root cause may be openssl (0.97f); I will try
to upgrade or reinstall it.
///////////////////////////////////////
In my environment, Windows Messenger always has some
problems with Openser: when openser sends the certificate,
WM always pops up an error message.
3 1 0.8193 (0.8193) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
compression methods
NULL
3 2 0.8199 (0.0006) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
c3 b3 f1 16 de e4 76 d6 97 e3 ae ba 68 06 31 92
1a 5c 62 c7 f5 8c 7d 2c 2e 2b 87 47 32 a6 04 32
cipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA
compressionMethod NULL
3 3 0.8199 (0.0000) S>C Handshake
Certificate
3 4 0.8199 (0.0000) S>C Handshake
ServerHelloDone
////////////////////////////////////
But after replacing the key size of 2048 with 1024, there
was improvement in Windows Messenger, although it
still pops up the same error.
3 1 0.8193 (0.8193) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
compression methods
NULL
3 2 0.8199 (0.0006) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
c3 b3 f1 16 de e4 76 d6 97 e3 ae ba 68 06 31 92
1a 5c 62 c7 f5 8c 7d 2c 2e 2b 87 47 32 a6 04 32
cipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA
compressionMethod NULL
3 3 0.8199 (0.0000) S>C Handshake
Certificate
3 4 0.8199 (0.0000) S>C Handshake
ServerHelloDone
3 5 0.8701 (0.0501) C>S Handshake
ClientKeyExchange
3 6 0.8701 (0.0000) C>S ChangeCipherSpec
3 7 0.8701 (0.0000) C>S Handshake
3 8 0.8736 (0.0035) S>C ChangeCipherSpec
3 9 0.8738 (0.0001) S>C Handshake
3 1.6979 (0.8241) C>S TCP FIN
3 10 1.6985 (0.0006) S>C Alert
3 1.6986 (0.0000) S>C TCP FIN
The Alert was not a standard TLS alert description, so
I can't analyze it.
The Alert message is below:
15 03 01 00 18 fe ef bc 84 a3 c7 8c 8c a5 91 e7 da e1 7c
^^^^^^^^ (there are some problems.....)
06 ee 35 9d 32 21 ec ef 8c 79
--- Christian Stredicke <Christian.Stredicke(a)snom.de> wrote:
Instead of using DNS SRV you can also use a transport parameter in the
outbound proxy. E.g.
server.example.at:5061;transport=tls
Christian
-----Original Message-----
From: Voipsec-bounces(a)voipsa.org [mailto:Voipsec-bounces@voipsa.org] On Behalf Of Martin Petraschek
Sent: Thursday, February 23, 2006 5:01 AM
To: Voipsec(a)voipsa.org
Subject: [VOIPSEC] Snom Softphone with TLS and Openser
Hi all,

I just wanted to share the experiences I made when trying to get the Snom 360 Softphone to work with TLS support together with Openser. Maybe my findings can be of use for other people having similar problems.

The Snom Softphone is one of the few Softphones I am aware of that support TLS as well as RTP encryption. Unfortunately it is not Open Source, but the binary is freely available at http://www.snom.com/download/snom360-5.3.exe

When trying to use TLS, one might be disappointed that the configuration menus do not offer any setting like "enable TLS". This is because the Snom phone uses DNS SRV queries in order to find out which connection method to use. The first task is therefore to configure SRV records of the DNS server. For bind, the following lines did the trick:

example.at. IN NAPTR 10 50 "s" "SIPS+D2T" "" _sips._tcp.example.at.
example.at. IN NAPTR 20 50 "s" "SIP+D2U" "" _sip._udp.example.at.
example.at. IN NAPTR 30 50 "s" "SIP+D2T" "" _sip._tcp.example.at.
; ----- SRV records -----
_sip._udp IN SRV 0 0 5060 server.example.at.
_sip._tcp IN SRV 0 0 5060 server.example.at.
_sips._tcp IN SRV 0 0 5061 server.example.at.

After that, the Snom phone tried to contact the SIP server via TLS. However, the program was stuck immediately after starting and did not accept any input via the user interface. I inspected the network traffic it generated with the help of the tool ssldump, which showed the following:

server:/etc/openser/tools# ssldump -i eth0 port 5061
New TCP connection #1: user.example.at(3695) <-> server.example.at(5061)
1 1 0.0124 (0.0124) C>S Handshake
ClientHello
Version 3.1
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_NULL_MD5
TLS_RSA_WITH_NULL_SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
TLS_DH_anon_WITH_RC4_128_MD5
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_DES_CBC_SHA
compression methods
NULL
1 2 0.0145 (0.0021) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
5d a6 8d 61 58 ed c6 08 ae 76 d1 eb 24 82 6a c3
2e 12 4c 29 17 7b 80 bf 1d 98 82 2c 67 53 ab f0
cipherSuite TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
compressionMethod NULL
1 3 0.0146 (0.0000) S>C Handshake
Certificate
1 4 0.0146 (0.0000) S>C Handshake
CertificateRequest
certificate_types
rsa_sign
certificate_types
dss_sign
ServerHelloDone
1 9.5153 (9.5006) C>S TCP RST
I noticed that the chosen ciphersuite was 1024 bit RSA. Checking the certificate file /etc/openser/tls/user/user-cert.pem, I found that the certificate configured for openser is 2048 bit! To overcome this problem, I changed the configuration files ca.conf and user.conf as well as gen_rootCA.sh (just replaced 2048 with 1024 at every occurrence).

After re-generating the certificates and restarting openser, the TLS connection finally worked like a charm.

Cheers,
Martin
_______________________________________________
Voipsec mailing list
Voipsec(a)voipsa.org
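As an added example, not code from any of the posters in this thread, here is a small Python analyser for ssldump-style handshake transcripts like the ones quoted above. It lists the offered and chosen cipher suites, flags NULL, anonymous and export-grade suites (the TLS_RSA_EXPORT1024_* suite chosen in Martin's trace limits the RSA key used for key exchange to 1024 bits, which is why a 2048-bit certificate did not work with it; from a defender's standpoint the fix is to drop NULL, anon and EXPORT suites from the server's cipher list rather than shrink the key), reports whether ChangeCipherSpec was seen in both directions, and decodes the header of the raw alert record dennis posted. That record has a 24-byte body instead of the 2 bytes of a plaintext alert: it was sent after ChangeCipherSpec, so it is the alert plus a 20-byte SHA-1 MAC and CBC padding, encrypted, which is why ssldump could not name its description. The transcript embedded in the block is constructed in the shape of the ssldump output above; the function names and the record parser are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# ssldump record lines: "1 2 0.0145 (0.0021) S>C Handshake" or, for transport
# events without a record number, "1 9.5153 (9.5006) C>S TCP RST".
RECORD_RE = re.compile(r"^\d+\s+(?:\d+\s+)?[\d.]+\s+\([\d.]+\)\s+([CS]>[CS])\s+(.+)$")
# Suites with no encryption, no server authentication, or export-grade strength.
WEAK_MARKERS = ("_NULL_", "_anon_", "_EXPORT")


@dataclass
class HandshakeSummary:
    offered: list            # suites in the ClientHello, in order
    chosen: Optional[str]    # suite from the ServerHello
    weak_offered: list       # offered suites matching WEAK_MARKERS
    server_hello_done: bool  # server reached ServerHelloDone
    completed: bool          # ChangeCipherSpec seen in both directions
    ending: Optional[str]    # first close or alert, e.g. "C>S TCP RST"


def parse_ssldump(text: str) -> HandshakeSummary:
    """Walk an ssldump transcript and summarise the handshake."""
    offered, chosen, ccs_dirs = [], None, set()
    section, expect_suite, hello_done, ending = None, False, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m:  # a new record starts; reset the handshake-message context
            direction, kind = m.group(1), m.group(2).strip()
            section = None
            if kind == "ChangeCipherSpec":
                ccs_dirs.add(direction)
            elif kind in ("Alert", "TCP FIN", "TCP RST") and ending is None:
                ending = f"{direction} {kind}"
            continue
        if line == "ClientHello":
            section = "client_hello"
        elif line == "ServerHello":
            section = "server_hello"
        elif line == "ServerHelloDone":
            hello_done = True
        elif section == "client_hello" and line.startswith("TLS_"):
            offered.append(line)
        elif section == "server_hello":
            if line.startswith("cipherSuite"):
                parts = line.split()
                if len(parts) > 1:
                    chosen = parts[1]
                else:  # suite name wrapped onto the next line
                    expect_suite = True
            elif expect_suite and line.startswith("TLS_"):
                chosen, expect_suite = line, False
    weak = [s for s in offered if any(mk in s for mk in WEAK_MARKERS)]
    return HandshakeSummary(offered, chosen, weak, hello_done,
                            {"C>S", "S>C"} <= ccs_dirs, ending)


def diagnose(s: HandshakeSummary) -> str:
    """Say where the handshake stopped, from the server operator's side."""
    if not s.server_hello_done:
        return "server closed before ServerHelloDone: check server log and cert/key config"
    if not s.completed:
        return "client gave up after ServerHelloDone: certificate or chosen suite not accepted"
    return "handshake completed: any later close or alert happened on the established connection"


def parse_tls_record(data: bytes) -> dict:
    """Decode a TLS record header (RFC 2246): content type, version, length."""
    if len(data) < 5:
        raise ValueError("record header is 5 bytes")
    ctype, length = data[0], int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]
    names = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
    info = {"type": names.get(ctype, f"unknown({ctype})"), "version": f"{data[1]}.{data[2]}",
            "length": length, "truncated": len(body) < length}
    if ctype == 21:
        # A plaintext alert body is exactly 2 bytes (level, description). A longer
        # body after ChangeCipherSpec is the alert plus MAC and padding, encrypted.
        info["alert"] = ({"level": body[0], "description": body[1]}
                         if length == 2 and len(body) == 2 else "encrypted")
    return info


# Constructed transcript in the shape of the ssldump output quoted in the thread.
SNOM_TRANSCRIPT = """\
1 1 0.0124 (0.0124) C>S Handshake
ClientHello
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_NULL_MD5
TLS_DH_anon_WITH_RC4_128_MD5
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
1 2 0.0145 (0.0021) S>C Handshake
ServerHello
cipherSuite
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
1 4 0.0146 (0.0000) S>C Handshake
ServerHelloDone
1 9.5153 (9.5006) C>S TCP RST
"""
# The alert record bytes posted in the thread: 5-byte header, then a 24-byte body.
ALERT_RECORD = bytes.fromhex("1503010018" "feefbc84a3c78c8ca591e7dae17c" "06ee359d3221ecef8c79")

if __name__ == "__main__":
    summary = parse_ssldump(SNOM_TRANSCRIPT)
    print(summary, diagnose(summary), parse_tls_record(ALERT_RECORD), sep="\n")
```

Running the block on the constructed transcript reports the three weak suites offered, the export suite chosen, and a client reset after ServerHelloDone with no ChangeCipherSpec, which is the Snom failure pattern in the thread; the alert record decodes as type Alert, version 3.1 (TLS 1.0), length 24, encrypted.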