18 Dec
2019
18 Dec
'19
7:32 p.m.
Hi,
I'm trying to construct an end-to-end encrypted signalling test
through our setup. I thought I could use sipp for that, as it supports
TLS according to the man page. However, when I try to run it, I get
this error:
FI_init_ssl_context: SSL_CTX_use_certificate_file failed.
I searched the web; however, all similar questions end up without
answers. I tried specifying a local key and cert without success. I'd
think I should not need a cert for my client, though.
Has anyone ever successfully conducted an automated TLS test? I'm open
to using a different tool if necessary.
Thanks for all hints or examples.
Regards,
Sebastian
--
Sebastian Damm
Voice Engineer
__________________________________________
sipgate GmbH
Gladbacher Straße 74 | 40219 Düsseldorf
18 Dec
18 Dec
9:29 p.m.
Hi Sebastian, this is off topic for the Kamailio mailing list.
You can use Voip_patrol :
https://github.com/jchavanton/voip_patrol
Once you have your certificate, key and ca_list in default location
./voip_patrol -c ./xml/tls.xml
[18:24:51.800][INFO] main: TLS tcfg.tlsConfig.ca_list :tls/ca_list.pem
[18:24:51.800][INFO] main: TLS tcfg.tlsConfig.certFile
:tls/certificate.pem
[18:24:51.800][INFO] main: TLS tcfg.tlsConfig.privKeyFile :tls/key.pem
tls.xml
<?xml version="1.0"?>
<config>
<actions>
<action type="register" transport="tls"
expected_cause_code="200"
username="VP_ENV_USERNAME" password="VP_ENV_PASSWORD"
realm="domain.com"
registrar="ep.domain.com"/>
<action type="wait" complete/>
<action type="accept" account="VP_ENV_USERNAME"
max_duration="20"
hangup="5"/>
<action type="call" transport="tls"
wait_until="3" expected_cause_code="200"
caller="12062349971(a)1.1.1.1"
callee="12012343238(a)ep.domain.com"
max_duration="15" hangup="5"
username="VP_ENV_USERNAME" password="VP_ENV_PASSWORD"
realm="
domain.com"
/>
<action type="wait" complete/>
</actions>
</config>
On Wed, Dec 18, 2019 at 8:34 AM Sebastian Damm <damm(a)sipgate.de> wrote:
Hi,
I'm trying to construct an end-to-end encrypted signalling test
through our setup. I thought I could use sipp for that, as it supports
TLS according to the man page. However, when I try to run it, I get
this error:
FI_init_ssl_context: SSL_CTX_use_certificate_file failed.
I searched the web; however, all similar questions end up without
answers. I tried specifying a local key and cert without success. I'd
think I should not need a cert for my client, though.
Has anyone ever successfully conducted an automated TLS test? I'm open
to using a different tool if necessary.
Thanks for all hints or examples.
Regards,
Sebastian
--
Sebastian Damm
Voice Engineer
__________________________________________
sipgate GmbH
Gladbacher Straße 74 | 40219 Düsseldorf
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
19 Dec
19 Dec
5:19 p.m.
Hi Julien,
I had been thinking quite a while before posting it here, and maybe I
shouldn't have mentioned the sipp SSL error. But I thought, end2end
testing of kamailio setups could be of general interest from a
Kamailio user point of view. And I hoped to get suggestions on how to
do it.
Thanks for the link to voip_patrol. I'm already playing with it. Still
stuck with needing a client certificate, though. I shouldn't need that
for a client, I'd think. But I'll try my best.
Regards,
Sebastian
On Wed, Dec 18, 2019 at 7:31 PM Julien Chavanton <jchavanton(a)gmail.com> wrote:
Hi Sebastian, this is off topic for the Kamailio mailing list.
You can use Voip_patrol :
https://github.com/jchavanton/voip_patrol
Once you have your certificate, key and ca_list in default location
./voip_patrol -c ./xml/tls.xml
[18:24:51.800][INFO] main: TLS tcfg.tlsConfig.ca_list :tls/ca_list.pem
[18:24:51.800][INFO] main: TLS tcfg.tlsConfig.certFile :tls/certificate.pem
[18:24:51.800][INFO] main: TLS tcfg.tlsConfig.privKeyFile :tls/key.pem
tls.xml
<?xml version="1.0"?>
<config>
<actions>
<action type="register" transport="tls"
expected_cause_code="200" username="VP_ENV_USERNAME"
password="VP_ENV_PASSWORD" realm="domain.com"
registrar="ep.domain.com"/>
<action type="wait" complete/>
<action type="accept" account="VP_ENV_USERNAME"
max_duration="20" hangup="5"/>
<action type="call" transport="tls"
wait_until="3" expected_cause_code="200"
caller="12062349971(a)1.1.1.1"
callee="12012343238(a)ep.domain.com" max_duration="15"
hangup="5"
username="VP_ENV_USERNAME" password="VP_ENV_PASSWORD"
realm="domain.com"
/>
<action type="wait" complete/>
</actions>
</config>
On Wed, Dec 18, 2019 at 8:34 AM Sebastian Damm <damm(a)sipgate.de> wrote:
--
Sebastian Damm
Voice Engineer
Hi,
I'm trying to construct an end-to-end encrypted signalling test
through our setup. I thought I could use sipp for that, as it supports
TLS according to the man page. However, when I try to run it, I get
this error:
FI_init_ssl_context: SSL_CTX_use_certificate_file failed.
I searched the web; however, all similar questions end up without
answers. I tried specifying a local key and cert without success. I'd
think I should not need a cert for my client, though.
Has anyone ever successfully conducted an automated TLS test? I'm open
to using a different tool if necessary.
Thanks for all hints or examples.
Regards,
Sebastian
--
Sebastian Damm
Voice Engineer
__________________________________________
sipgate GmbH
Gladbacher Straße 74 | 40219 Düsseldorf
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users 
6:49 p.m.
Hi Sebastian,
well end to end tests are quite useful.
Personally I used scripting with freeswitch and python to call endpoints
and check if billing seconds are in an correct range that I assume before.
That script can be run from monitoring like icinga or whatever.
I also used Asterisk for testing end to end. But that are all big b2buas.
Voip_patrol was new for me. Always happy to subscribe this list.
Cheers
Karsten Horsmann
Sebastian Damm <damm(a)sipgate.de> schrieb am Do., 19. Dez. 2019, 15:20:
Hi Julien,
I had been thinking quite a while before posting it here, and maybe I
shouldn't have mentioned the sipp SSL error. But I thought, end2end
testing of kamailio setups could be of general interest from a
Kamailio user point of view. And I hoped to get suggestions on how to
do it.
Thanks for the link to voip_patrol. I'm already playing with it. Still
stuck with needing a client certificate, though. I shouldn't need that
for a client, I'd think. But I'll try my best.
Regards,
Sebastian
On Wed, Dec 18, 2019 at 7:31 PM Julien Chavanton <jchavanton(a)gmail.com>
wrote:
Hi Sebastian, this is off topic for the Kamailio mailing list.
You can use Voip_patrol :
https://github.com/jchavanton/voip_patrol
Once you have your certificate, key and ca_list in default location
./voip_patrol -c ./xml/tls.xml
[18:24:51.800][INFO] main: TLS tcfg.tlsConfig.ca_list
:tls/ca_list.pem
[18:24:51.800][INFO] main: TLS
tcfg.tlsConfig.certFile
:tls/certificate.pem
[18:24:51.800][INFO] main: TLS
tcfg.tlsConfig.privKeyFile :tls/key.pem
tls.xml
<?xml version="1.0"?>
<config>
<actions>
<action type="register" transport="tls"
expected_cause_code="200" username="VP_ENV_USERNAME"
password="VP_ENV_PASSWORD" realm="domain.com"
registrar="ep.domain.com"/>
<action type="wait"
complete/>
<action type="accept" account="VP_ENV_USERNAME"
max_duration="20" hangup="5"/>
<action type="call"
transport="tls"
wait_until="3" expected_cause_code="200"
caller="12062349971(a)1.1.1.1" callee="
12012343238(a)ep.domain.com" max_duration="15" hangup="5"
username="VP_ENV_USERNAME"
password="VP_ENV_PASSWORD" realm="
domain.com"
/>
<action type="wait" complete/>
</actions>
</config>
On Wed, Dec 18, 2019 at 8:34 AM Sebastian Damm <damm(a)sipgate.de> wrote:
--
Sebastian Damm
Voice Engineer
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi,
I'm trying to construct an end-to-end encrypted signalling test
through our setup. I thought I could use sipp for that, as it supports
TLS according to the man page. However, when I try to run it, I get
this error:
FI_init_ssl_context: SSL_CTX_use_certificate_file failed.
I searched the web; however, all similar questions end up without
answers. I tried specifying a local key and cert without success. I'd
think I should not need a cert for my client, though.
Has anyone ever successfully conducted an automated TLS test? I'm open
to using a different tool if necessary.
Thanks for all hints or examples.
Regards,
Sebastian
--
Sebastian Damm
Voice Engineer
__________________________________________
sipgate GmbH
Gladbacher Straße 74 | 40219 Düsseldorf
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
7:06 p.m.
Hi, I guess I was the one stretching it :)
If you need to generate a cert, check EFF let's encrypt, here is one
example to get a cert with HTTP validation
#!/bin/bash
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
sudo docker run -it --rm --name certbot \
--net=host \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
certbot/certbot certonly --eff-email --agree-tos -m use(a)domain.com
--standalone --preferred-challenges http -d $1
iptables -D INPUT -p tcp --dport 80 -j ACCEPT
if [ "$2" == "copy" ]
then
cp /etc/letsencrypt/live/$1/fullchain.pem tls/certificate.pem
cp /etc/letsencrypt/live/$1/privkey.pem tls/key.pem
fi
On Thu, Dec 19, 2019 at 6:20 AM Sebastian Damm <damm(a)sipgate.de> wrote:
Hi Julien,
I had been thinking quite a while before posting it here, and maybe I
shouldn't have mentioned the sipp SSL error. But I thought, end2end
testing of kamailio setups could be of general interest from a
Kamailio user point of view. And I hoped to get suggestions on how to
do it.
Thanks for the link to voip_patrol. I'm already playing with it. Still
stuck with needing a client certificate, though. I shouldn't need that
for a client, I'd think. But I'll try my best.
Regards,
Sebastian
On Wed, Dec 18, 2019 at 7:31 PM Julien Chavanton <jchavanton(a)gmail.com>
wrote:
Hi Sebastian, this is off topic for the Kamailio mailing list.
You can use Voip_patrol :
https://github.com/jchavanton/voip_patrol
Once you have your certificate, key and ca_list in default location
./voip_patrol -c ./xml/tls.xml
[18:24:51.800][INFO] main: TLS tcfg.tlsConfig.ca_list
:tls/ca_list.pem
[18:24:51.800][INFO] main: TLS
tcfg.tlsConfig.certFile
:tls/certificate.pem
[18:24:51.800][INFO] main: TLS
tcfg.tlsConfig.privKeyFile :tls/key.pem
tls.xml
<?xml version="1.0"?>
<config>
<actions>
<action type="register" transport="tls"
expected_cause_code="200" username="VP_ENV_USERNAME"
password="VP_ENV_PASSWORD" realm="domain.com"
registrar="ep.domain.com"/>
<action type="wait"
complete/>
<action type="accept" account="VP_ENV_USERNAME"
max_duration="20" hangup="5"/>
<action type="call"
transport="tls"
wait_until="3" expected_cause_code="200"
caller="12062349971(a)1.1.1.1" callee="
12012343238(a)ep.domain.com" max_duration="15" hangup="5"
username="VP_ENV_USERNAME"
password="VP_ENV_PASSWORD" realm="
domain.com"
/>
<action type="wait" complete/>
</actions>
</config>
On Wed, Dec 18, 2019 at 8:34 AM Sebastian Damm <damm(a)sipgate.de> wrote:
--
Sebastian Damm
Voice Engineer
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi,
I'm trying to construct an end-to-end encrypted signalling test
through our setup. I thought I could use sipp for that, as it supports
TLS according to the man page. However, when I try to run it, I get
this error:
FI_init_ssl_context: SSL_CTX_use_certificate_file failed.
I searched the web; however, all similar questions end up without
answers. I tried specifying a local key and cert without success. I'd
think I should not need a cert for my client, though.
Has anyone ever successfully conducted an automated TLS test? I'm open
to using a different tool if necessary.
Thanks for all hints or examples.
Regards,
Sebastian
--
Sebastian Damm
Voice Engineer
__________________________________________
sipgate GmbH
Gladbacher Straße 74 | 40219 Düsseldorf
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
8:59 p.m.
Hi Julien,
Thanks for this hint. A bit off topic the cert part but security should be
forced :)
Many ways to get an letsencryt certificate, I prefer the go-lang lego tool
docker run -v $(pwd)/.lego:/.lego goacme/lego -d fqdn --email your@email -a
--tls --pem run
Saved stuff in dot lego folder.
Cheers
Karsten Horsmann
Julien Chavanton <jchavanton(a)gmail.com> schrieb am Do., 19. Dez. 2019,
17:08:
Hi, I guess I was the one stretching it :)
If you need to generate a cert, check EFF let's encrypt, here is one
example to get a cert with HTTP validation
#!/bin/bash
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
sudo docker run -it --rm --name certbot \
--net=host \
-v "/etc/letsencrypt:/etc/letsencrypt" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
certbot/certbot certonly --eff-email --agree-tos -m use(a)domain.com
--standalone --preferred-challenges http -d $1
iptables -D INPUT -p tcp --dport 80 -j ACCEPT
if [ "$2" == "copy" ]
then
cp /etc/letsencrypt/live/$1/fullchain.pem tls/certificate.pem
cp /etc/letsencrypt/live/$1/privkey.pem tls/key.pem
fi
On Thu, Dec 19, 2019 at 6:20 AM Sebastian Damm <damm(a)sipgate.de> wrote:
Hi Julien,
I had been thinking quite a while before posting it here, and maybe I
shouldn't have mentioned the sipp SSL error. But I thought, end2end
testing of kamailio setups could be of general interest from a
Kamailio user point of view. And I hoped to get suggestions on how to
do it.
Thanks for the link to voip_patrol. I'm already playing with it. Still
stuck with needing a client certificate, though. I shouldn't need that
for a client, I'd think. But I'll try my best.
Regards,
Sebastian
On Wed, Dec 18, 2019 at 7:31 PM Julien Chavanton <jchavanton(a)gmail.com>
wrote:
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi Sebastian, this is off topic for the Kamailio mailing list.
You can use Voip_patrol :
https://github.com/jchavanton/voip_patrol
Once you have your certificate, key and ca_list in default location
./voip_patrol -c ./xml/tls.xml
[18:24:51.800][INFO] main: TLS tcfg.tlsConfig.ca_list
:tls/ca_list.pem
[18:24:51.800][INFO] main: TLS
tcfg.tlsConfig.certFile
:tls/certificate.pem
[18:24:51.800][INFO] main: TLS
tcfg.tlsConfig.privKeyFile :tls/key.pem
tls.xml
<?xml version="1.0"?>
<config>
<actions>
<action type="register" transport="tls"
expected_cause_code="200" username="VP_ENV_USERNAME"
password="VP_ENV_PASSWORD" realm="domain.com"
registrar="ep.domain.com"/>
<action type="wait"
complete/>
<action type="accept" account="VP_ENV_USERNAME"
max_duration="20" hangup="5"/>
<action type="call"
transport="tls"
wait_until="3" expected_cause_code="200"
caller="12062349971(a)1.1.1.1" callee="
12012343238(a)ep.domain.com" max_duration="15" hangup="5"
username="VP_ENV_USERNAME"
password="VP_ENV_PASSWORD"
realm="domain.com"
/>
<action type="wait" complete/>
</actions>
</config>
On Wed, Dec 18, 2019 at 8:34 AM Sebastian Damm <damm(a)sipgate.de> wrote:
--
Sebastian Damm
Voice Engineer
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi,
I'm trying to construct an end-to-end encrypted signalling test
through our setup. I thought I could use sipp for that, as it supports
TLS according to the man page. However, when I try to run it, I get
this error:
FI_init_ssl_context: SSL_CTX_use_certificate_file failed.
I searched the web; however, all similar questions end up without
answers. I tried specifying a local key and cert without success. I'd
think I should not need a cert for my client, though.
Has anyone ever successfully conducted an automated TLS test? I'm open
to using a different tool if necessary.
Thanks for all hints or examples.
Regards,
Sebastian
--
Sebastian Damm
Voice Engineer
__________________________________________
sipgate GmbH
Gladbacher Straße 74 | 40219 Düsseldorf
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users 
2:21 a.m.
You just need to inform the certificate and key. It is informed in the docs
(http://sipp.sourceforge.net/doc/reference.html#TLS+mono+socket)
Use sipp options: t -l1 -tls_cert user-cert.pem -tls_key user-privkey.pem
On Thu, 19 Dec 2019 at 03:33, Sebastian Damm <damm(a)sipgate.de> wrote:
Hi,
I'm trying to construct an end-to-end encrypted signalling test
through our setup. I thought I could use sipp for that, as it supports
TLS according to the man page. However, when I try to run it, I get
this error:
FI_init_ssl_context: SSL_CTX_use_certificate_file failed.
I searched the web; however, all similar questions end up without
answers. I tried specifying a local key and cert without success. I'd
think I should not need a cert for my client, though.
Has anyone ever successfully conducted an automated TLS test? I'm open
to using a different tool if necessary.
Thanks for all hints or examples.
Regards,
Sebastian
--
Sebastian Damm
Voice Engineer
__________________________________________
sipgate GmbH
Gladbacher Straße 74 | 40219 Düsseldorf
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
1803
days inactive
1804
days old
6 comments
4 participants
participants (4)
-
Julien Chavanton -
Karsten Horsmann -
Patrick Wakano -
Sebastian Damm