Hello Henning, David, and all,
I tried to change to Let's Encrypt and configured it as below:
[server:default]
method = TLSv1+
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/mydomain.com/privkey.pem
certificate = /etc/letsencrypt/live/mydomain.com/fullchain.pem
[client:default]
verify_certificate = yes
require_certificate = yes
I have the same issue: I could not log in with the WebRTC client. The log looks like this:
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core>
[core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 27.65.214.194
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core>
[core/tcp_main.c:1174]: tcpconn_new(): on port 54961, type 3, socket 40
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core>
[core/tcp_main.c:1493]: tcpconn_add(): hashes: 2860:2307:2170, 10
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core>
[core/io_wait.h:375]: io_watch_add(): DBG: io_watch_add(0x559d7996eaa0, 40, 2,
0x7f660ad93258), fd_no=32
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core>
[core/io_wait.h:600]: io_watch_del(): DBG: io_watch_del (0x559d7996eaa0, 40, -1, 0x0)
fd_no=33 called
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core>
[core/tcp_main.c:4456]: handle_tcpconn_ev(): sending to child, events 1
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core>
[core/tcp_main.c:4126]: send2child(): selected tcp worker idx:0 proc:10 pid:23172 for
activity on [tls:172.31.44.170:4443], 0x7f660ad93258
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core>
[core/tcp_read.c:1749]: handle_io(): received n=8 con=0x7f660ad93258, fd=9
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:199]:
tls_complete_init(): completing tls connection initialization
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:228]:
tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7f660ac140a8 ctx
0x7f660ac662e8 sn [])
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:1177]:
tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f660ac662e8: (nil)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:747]:
sr_ssl_ctx_info_callback(): SSL handshake started
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:948]:
tls_server_name_cb(): received server_name (TLS extension): 'mydomain.com'
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:967]:
tls_server_name_cb(): TLS cfg domain selected for received server name [
]:
socket [:0] server name='' - switching SSL CTX to 0x7f660ac662e8 dom
0x7f660ac140a8 (default)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core>
[core/tcp_main.c:2705]: tcpconn_do_send(): sending...
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core>
[core/tcp_main.c:2738]: tcpconn_do_send(): after real write: c= 0x7f660ad93258 n=4593
fd=9
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core>
[core/tcp_main.c:2739]: tcpconn_do_send(): buf=#012#026#003#003
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core>
[core/io_wait.h:375]: io_watch_add(): DBG: io_watch_add(0x559d799da740, 9, 2,
0x7f660ad93258), fd_no=1
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:1177]:
tls_lookup_private_key(): Private key lookup for SSL_CTX-0x7f660ac662e8: (nil)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:759]:
sr_ssl_ctx_info_callback(): SSL handshake done
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:747]:
sr_ssl_ctx_info_callback(): SSL handshake started
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:751]:
sr_ssl_ctx_info_callback(): SSL renegotiation initiated by client
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:759]:
sr_ssl_ctx_info_callback(): SSL handshake done
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:747]:
sr_ssl_ctx_info_callback(): SSL handshake started
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:751]:
sr_ssl_ctx_info_callback(): SSL renegotiation initiated by client
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_domain.c:759]:
sr_ssl_ctx_info_callback(): SSL handshake done
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:424]:
tls_accept(): TLS accept successful
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:431]:
tls_accept(): tls_accept: new connection from 27.65.214.194:54961 using TLSv1.3
TLS_AES_256_GCM_SHA384 256
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:434]:
tls_accept(): tls_accept: local socket: 172.31.44.170:4443
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:445]:
tls_accept(): tls_accept: client did not present a certificate
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: tls [tls_server.c:1199]:
tls_h_read_f(): Reading on a renegotiation of connection (n:-1) (2)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core>
[core/tcp_read.c:1515]: tcp_read_req(): EOF
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core>
[core/io_wait.h:600]: io_watch_del(): DBG: io_watch_del (0x559d799da740, 9, -1, 0x10)
fd_no=2 called
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core>
[core/tcp_read.c:1884]: handle_io(): removing from list 0x7f660ad93258 id 10 fd 9, state
2, flags 4018, main fd 40, refcnt 2 ([27.65.214.194]:54961 -> [27.65.214.194]:4443)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core>
[core/tcp_read.c:1668]: release_tcpconn(): releasing con 0x7f660ad93258, state -1, fd=9,
id=10 ([27.65.214.194]:54961 -> [27.65.214.194]:4443)
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23172]: DEBUG: <core>
[core/tcp_read.c:1672]: release_tcpconn(): extra_data 0x7f660adb5a58
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: <core>
[core/tcp_main.c:3558]: handle_tcp_child(): reader response= 7f660ad93258, -1 from 0
Jul 15 14:49:00 ip-172-31-44-170 sbin/kamailio[23182]: DEBUG: tls [tls_server.c:683]:
tls_h_tcpconn_close_f(): Closing SSL connection 0x7f660adb5a58
I did not see any error now, but I could not register my WebRTC client.
Please help me with that.
Thank you
On Jul 15, 2021, at 16:33, David Villasmil
<david.villasmil.work(a)gmail.com> wrote:
Back when I did my first TLS, I did it with
https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/
It worked for me on the first try.
Maybe give it a try.
David
On Thu, 15 Jul 2021 at 11:02, ThanhTruong <thanhtruong217(a)gmail.com> wrote:
Hi Henning and all,
I can restart kamailio without error, so I think kamailio can access the certs file, am I
right?
Next, I can check the TLS configuration via some command, and the result looks like:
openssl s_client -connect mydomain.com:4443
result is:
CONNECTED(00000003)
depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN = mydomain.com, emailAddress = thanhtruong217(a)gmail.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=t…
   i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAdd…
 1 s:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAdd…
   i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAdd…
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
IKqnZKfVhfs=
-----END CERTIFICATE-----
subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAdd…
issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/ema…
---
No client certificate CA names sent
---
SSL handshake has read 2890 bytes and written 391 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 047913A6C905B007C53EB31C51CBED00FDF8BBBBC8ACDA79238314C3AF899776
Session-ID-ctx:
Master-Key:
98D20DD5C85389F6BA32F0CADC76789D03BA3534D45F446418120E8358ACE5142FC21C02E0E3E22090A9E5920F8AB835
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1626338959
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
or normal tls port 5061:
openssl s_client -connect mydomain.com:5061 -tls1
CONNECTED(00000003)
depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN = mydomain.com, emailAddress = thanhtruong217(a)gmail.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=t…
   i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAdd…
 1 s:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAdd…
   i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAdd…
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEVDCCAzygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBtTELMAkGA1UEBhMCVVMx
xxxxxxxxxx...
IKqnZKfVhfs=
-----END CERTIFICATE-----
subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAdd…
issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/ema…
---
No client certificate CA names sent
---
SSL handshake has read 2896 bytes and written 307 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: EF724C7926D18D0B727709E4D42650D2141EA44771E3FF8B566161F51095B0C7
Session-ID-ctx:
Master-Key:
61C323CD42A4447B4E662958EA4E5F9DE039A4F257342BBAED236E3B811D6052192FEC36CC245D810A847B9E5FFF54C6
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1626339048
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
So, I am not sure what my issue is here. Or can you help me to check more?
Thanks,
ThanhTruon
On Jul 15, 2021, at 15:33, Henning Westerholt <hw(a)skalatan.de> wrote:
Hello,
Please format your e-mail only with black – it's really hard to read (it might be related
to my client, though).
Have you already checked the file system access rights to the certs if kamailio can
actually read them?
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
From: sr-users <sr-users-bounces(a)lists.kamailio.org> On Behalf Of ThanhTruong
Sent: Thursday, July 15, 2021 5:09 AM
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
Subject: Re: [SR-Users] please help to configure tls in kamailio for webrtc client like simpl5
Hello Fred and all,
I tried some changes, and the results are below.
With:
[server:default]
method = SSLv23
verify_certificate = no
require_certificate = no
private_key = /etc/certs/mydomain.com/key.pem
certificate = /etc/certs/mydomain.com/cert.pem
ca_list = /etc/certs/demoCA/cert.pem
[client:default]
verify_certificate = yes
require_certificate = yes
~
error log:
Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1283]:
tls_h_read_f(): protocol level error
Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_util.h:42]:
tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
certificate unknown
Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1287]:
tls_h_read_f(): source IP: 27.65.214.194
Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1290]:
tls_h_read_f(): destination IP: 172.31.44.170
With settings:
[server:default]
method = SSLv23
verify_certificate = no
require_certificate = no
private_key = /etc/certs/mydomain.com/key.pem
certificate = /etc/certs/mydomain.com/cert.pem
ca_list = /etc/certs/demoCA/cert.pem
[client:default]
verify_certificate = no
require_certificate = no
~
and error log:
Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1283]:
tls_h_read_f(): protocol level error
Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_util.h:42]:
tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
certificate unknown
Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1287]:
tls_h_read_f(): source IP: 27.65.214.194
Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1290]:
tls_h_read_f(): destination IP: 172.31.44.170
Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: <core>
[core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c:
0x7fd64ee4bfc0 r: 0x7fd64ee4c0e8 (-1)
and tried:
[server:default]
method = SSLv23
verify_certificate = yes
require_certificate = yes
private_key = /etc/certs/mydomain.com/key.pem
certificate = /etc/certs/mydomain.com/cert.pem
ca_list = /etc/certs/demoCA/cert.pem
[client:default]
verify_certificate = no
require_certificate = no
and error log:
Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1283]:
tls_h_read_f(): protocol level error
Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_util.h:42]:
tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
certificate unknown
Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1287]:
tls_h_read_f(): source IP: 27.65.214.194
Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1290]:
tls_h_read_f(): destination IP: 172.31.44.170
Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: <core>
[core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c:
0x7f222a018fc0 r: 0x7f222a0190e8 (-1)
Then, I tried with TLSv1+
[server:default]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /etc/certs/mydomain.com/key.pem
certificate = /etc/certs/mydomain.com/cert.pem
ca_list = /etc/certs/demoCA/cert.pem
[client:default]
verify_certificate = no
require_certificate = no
and log is:
Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1283]:
tls_h_read_f(): protocol level error
Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_util.h:42]:
tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
certificate unknown
Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1287]:
tls_h_read_f(): source IP: 27.65.214.194
Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1290]:
tls_h_read_f(): destination IP: 172.31.44.170
Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: <core>
[core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c:
0x7f9fd21cefc0 r: 0x7f9fd21cf0e8 (-1)
I am sorry to bother you all, but I don't know how to get it to work; please suggest.
Thank you so much.
On Jul 15, 2021, at 01:10, Fred Posner <fred(a)palner.com> wrote:
On 7/14/21 2:04 PM, ThanhTruong wrote:
verify_certificate =yes
require_certificate =yes
Change both of those to no in your case.
--
Fred Posner -- www.palner.com
Matrix: @fred:matrix.lod.com
__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
* sr-users(a)lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
* https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Regards,
David Villasmil
email: david.villasmil.work(a)gmail.com
phone: +34669448337
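An added example, not part of the thread and not Kamailio code: Python that unpacks the OpenSSL error code seen in the logs above (`error:14094416`) and classifies the other TLS log lines quoted in the thread. The sample lines are constructed from those excerpts, the function names are hypothetical, and the bit layout assumed is the OpenSSL 1.x one (8-bit library, 12-bit function, 12-bit reason).

```python
import re

# Constructed sample lines, modelled on the log excerpts in this thread
# (syslog prefix dropped, wrapped lines joined).
SAMPLE_LOG = [
    "ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:"
    "SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown",
    "DEBUG: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection "
    "from 27.65.214.194:54961 using TLSv1.3 TLS_AES_256_GCM_SHA384 256",
    "DEBUG: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not "
    "present a certificate",
    "DEBUG: <core> [core/tcp_read.c:1515]: tcp_read_req(): EOF",
]

ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for received alerts
TLS_ALERTS = {               # subset of the TLS alert registry
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version",
}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
ACCEPT_RE = re.compile(r"new connection from (\S+) using (\S+) (\S+) (\d+)")


def decode_openssl_error(code_hex):
    """Unpack an OpenSSL 1.x error code: 8-bit lib, 12-bit func, 12-bit reason."""
    code = int(code_hex, 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET < reason <= SSL_AD_REASON_OFFSET + 255:
        alert = reason - SSL_AD_REASON_OFFSET  # alert was sent by the peer
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert}


def triage(lines):
    """Return one short finding per recognised log line."""
    findings = []
    for line in lines:
        err = ERR_RE.search(line)
        accept = ACCEPT_RE.search(line)
        if err:
            alert = decode_openssl_error(err.group(1))["peer_alert"]
            if alert is None:
                findings.append("local OpenSSL error " + err.group(1))
            else:
                name = TLS_ALERTS.get(alert, "unknown")
                findings.append("peer sent TLS alert %d (%s)" % (alert, name))
        elif accept:
            findings.append("handshake completed: %s %s" % accept.group(2, 3))
        elif "client did not present a certificate" in line:
            findings.append("no client certificate presented")
        elif "tcp_read_req(): EOF" in line:
            findings.append("peer closed the connection (EOF)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A libssl reason above 1000 is an alert received from the remote side, so alert 46 inside a `TLS accept` error is the client reporting a problem with the certificate it was shown, which is worth comparing against the `Verify return code` in the `openssl s_client` output.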