I first tried the external configuration file and
indeed I had
problems. I afterwards used the modparam operation and tried to set
different keys and certs created in different ways (openser script,
openssl 0.9.7e, openssl 0.9.8a, w/o cyphering the keys....) and no
success...
If I write a wrong path in the SER config file, the error that appears
is "file not found" so I guess the location of certs/keys is properly
set. Even in the log the path is right....
I would say it is a parsing problem because if I modify the cert itself
the error that appears in the SER log is different (I have really tried
lots of "strange" things...). If I modify the data, base64 error, if I
add a blank line between CERTIFICATE BEGIN and the cert itself it
complains about "no end line found"....that is why I deduced there is
a problem in the parsing but I ran out of time to continue with
debugging :(
Can you please send me a working testing cert/key to try in my setup?
If your certs work with openser I think they should be fine.
Try to rename the certs and put them into the default location. (To find
out the default location and name for the certs just start TLS without
cert configuration and watch the logs.)
regards
klaus
Thank you,
Samuel.
2006/4/11, Klaus Darilion <klaus.mailinglists(a)pernau.at>:
> Are you using the simple configuration (in ser.cfg) or the advanced
> version (in a separate configuration file)?
>
> Maybe there are bugs in the configuration part of TLS.
>
> I tried once the external configuration file and it worked as long as I
> only used the default domains. Specifying dedicated TLS domain failed
> due to parser bugs.
>
> regards
> klaus
>
> samuel wrote:
>> Last check I made was to verify my own generated CA and server
>> certs/keys with latest openser-1.0.1.-tls and it properly reads the
>> files. I deduced therefore that there must be something wrong in the
>> cert reading process in the SER's tls module.
>> I can not debug further due to lack of time but I hope to read some
>> mail providing some feedback... it might also have been some
>> misconfiguration in my config but I took it from the latest mails Jan
>> sent to the mailing list regarding TLS configuration (see the first
>> mail on this thread for the config file).
>>
>>
>> Thanks,
>> Samuel.
>>
>>
>> 2006/4/10, samuel <samu60(a)gmail.com>:
>>> Last call for help....I'll detail steps to see if some guru finds what
>>> I am not doing right:
>>>
>>> I have created the cert/key in the PEM format with the next commands:
>>> Create self CA:
>>> #openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365 -out CA98cert.pem -outform PEM
>>> Create the request for our domain:
>>> #openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 -out ser98req.pem -outform PEM
>>> Sign & issue cert:
>>> #openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req -CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem
>>>
>>> The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after
>>> several "lost" hours...)
>>>
>>> I can check with openssl tools the cert and key and both are OK and
>>> can create connections using the s_server and s_client tools included
>>> in the openssl package. They have the appropriate format, certificate
>>> file:
>>>
>>> -----BEGIN CERTIFICATE-----
>>> askjdfl
>>> -----END CERTIFICATE-----
>>>
>>> and the key:
>>> -----BEGIN RSA PRIVATE KEY-----
>>> Proc-Type: 4,ENCRYPTED
>>> DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF
>>>
>>> -----END RSA PRIVATE KEY-----
>>>
>>> I have checked for "strange" characters but everything seems ok except
>>> that when I start SER, it gives me:
>>>
>>>
>>> Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200:
>>> TLSc<default>: Unable to load certificate file
>>> '/usr/local/etc/ser/certs/ser98cert.pem'
>>> Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201:
>>> load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
>>> Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing
>>> module tls
>>>
>>>
>>> Any feedback is highly appreciated...I never thought it would be so
>>> difficult to use TLS.....
>>>
>>> Samuel.
>>>
>>> 2006/4/10, samuel <samu60(a)gmail.com>:
>>>> I have been able to create a TLS connection with openssl tools
>>>> (s_server and s_client) using the certificates that SER is unable to
>>>> open.
>>>> Can anyone tell me how I can debug this problem and find where the
>>>> problem is?
>>>>
>>>> Thanks again,
>>>> Samuel.
>>>>
>>>>
>>>> 2006/4/7, samuel <samu60(a)gmail.com>:
>>>>> It starts with Certificate and the corresponding fields. After this
>>>>> information, the cert itself begins with the BEGIN statement.
>>>>>
>>>>> As I said, I am just starting with TLS and probably I did not create
>>>>> the cert properly. I'll try to read more information meanwhile.
>>>>>
>>>>> Thanks,
>>>>> Samuel.
>>>>>
>>>>>
>>>>> 2006/4/7, Vaclav Kubart <vaclav.kubart(a)iptel.org>:
>>>>>> Is the certificate really in PEM format? Try to look at it with
>>>>>> openssl or try looking into the file to see if it starts with
>>>>>> something like "-----BEGIN CERTIFICATE-----".
>>>>>>
>>>>>> If it is not in PEM format you can use openssl to convert it...
>>>>>>
>>>>>> Vaclav
>>>>>>
>>>>>> On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote:
>>>>>>> Yes....I even increased permissions up to the next level:
>>>>>>>
>>>>>>> -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 cert.pem
>>>>>>> -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 key.pem
>>>>>>> -rwxrwxrwx 1 root ser 1.4K 2006-04-07 12:26 user-calist.pem
>>>>>>> -rwxrwxrwx 1 root ser 3.0K 2006-04-07 12:26 user-cert.pem
>>>>>>> -rwxrwxrwx 1 root ser 530 2006-04-07 12:26 user-cert_req.pem
>>>>>>> -rwxrwxrwx 1 root ser 493 2006-04-07 12:26 user-privkey.
>>>>>>>
>>>>>>>
>>>>>>> 2006/4/7, Klaus Darilion <klaus.mailinglists(a)pernau.at>:
>>>>>>>> Does ser have permissions to read the cert files?
>>>>>>>>
>>>>>>>> klaus
>>>>>>>>
>>>>>>>> samuel wrote:
>>>>>>>>> Hi folks!!
>>>>>>>>>
>>>>>>>>> Finally I had time to test the new TLS module and faced lots of
>>>>>>>>> problems...probably due to my lack of security knowledge. If somebody
>>>>>>>>> can point me to a few links where I can gain some knowledge I'll
>>>>>>>>> appreciate it..
>>>>>>>>>
>>>>>>>>> The problem:
>>>>>>>>>
>>>>>>>>> I created the cert, key and ca-list using the scripts present in
>>>>>>>>> openser's TLS module. I am using the latest CVS version and SER does
>>>>>>>>> not start, giving the next error:
>>>>>>>>>
>>>>>>>>> ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/user-cert.pem'
>>>>>>>>> ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
>>>>>>>>>
>>>>>>>>> Probably I did something wrong in the key creation or configured
>>>>>>>>> something wrong in ser.cfg....The config is taken from a thread
>>>>>>>>> present in serdev about the status of the SER TLS module and it's
>>>>>>>>> really simple so I don't think it's wrong but anyway, here it is:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> loadmodule "/usr/local/lib/ser/modules/tls.so"
>>>>>>>>> loadmodule "/usr/local/lib/ser/modules/sl.so"
>>>>>>>>> loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
>>>>>>>>>
>>>>>>>>> listen=tls:a.b.c.d:5061
>>>>>>>>> listen=tcp:a.b.c.d:5060
>>>>>>>>> listen=udp:a.b.c.d:5060
>>>>>>>>>
>>>>>>>>> alias=mydomain.com
>>>>>>>>>
>>>>>>>>> #modparam("tls", "tls_method", "TLSv1")
>>>>>>>>> modparam("tls", "tls_method", "SSLv23")
>>>>>>>>> modparam("tls", "verify_certificate", 1)
>>>>>>>>> modparam("tls", "require_certificate", 0)
>>>>>>>>> modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem")
>>>>>>>>> modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem")
>>>>>>>>> modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem")
>>>>>>>>> #modparam("tls", "config", "tls.cfg")
>>>>>>>>>
>>>>>>>>> route {
>>>>>>>>>     if (proto == TLS && (method == "POST" || method == "GET")) {
>>>>>>>>>         create_via(); # XMLRPC requests do not contain via, create it
>>>>>>>>>
>>>>>>>>>         if (!@tls.peer.verified) {
>>>>>>>>>             # Client did not provide certificate or it is not valid
>>>>>>>>>             xmlrpc_reply("400", "Unauthorized");
>>>>>>>>>             break;
>>>>>>>>>         }
>>>>>>>>>
>>>>>>>>>         if (@xmlrpc.method == "core.kill") {
>>>>>>>>>             # Make sure the client has the permission to execute the command
>>>>>>>>>             if (@tls.peer != "SER-Killer") {
>>>>>>>>>                 xmlrpc_reply("400", "Access to core.kill denied");
>>>>>>>>>                 break;
>>>>>>>>>             }
>>>>>>>>>         }
>>>>>>>>>
>>>>>>>>>         dispatch_rpc();
>>>>>>>>>         break;
>>>>>>>>>     }
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Any comments are highly appreciated, thanks!
>>>>>>>>>
>>>>>>>>> Samuel.
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Serusers mailing list
>>>>>>>>> serusers(a)lists.iptel.org
>>>>>>>>> http://lists.iptel.org/mailman/listinfo/serusers
>
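The PEM checks the thread works through by hand (a BEGIN line, text before the block, a blank line inside the body, base64 damage, a missing END line, and the Proc-Type header of an encrypted key), as an added example that is not code from the thread, from SER's tls module or from OpenSSL; the sample input is constructed and is not one of the poster's files.

```python
import base64
import re

# Added example (not from the thread or SER): a structural check of a PEM
# file reporting what a loader trips over before it can decode the DER.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def check_pem(text: str, label: str = "CERTIFICATE") -> list:
    """Return a list of findings; an empty list means the block looks well formed."""
    findings = []
    if "\r" in text:
        findings.append("CR characters present (CRLF line endings)")
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    if begin not in lines:
        return findings + [f"no start line: {begin!r} missing"]
    start = lines.index(begin)
    if any(l.strip() for l in lines[:start]):
        findings.append("text precedes the BEGIN line (OpenSSL skips it; other loaders may not)")
    rest = lines[start + 1:]
    if end not in rest:
        return findings + [f"no end line: {end!r} missing"]
    body = rest[:rest.index(end)]
    # RFC 1421 headers (Proc-Type, DEK-Info) come first and end with one blank line
    headers = []
    while body and ":" in body[0]:
        headers.append(body.pop(0))
    if headers:
        if body and body[0] == "":
            body.pop(0)
        else:
            findings.append("header lines are not followed by a blank line")
        if any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers):
            findings.append("encrypted private key: the loader must supply the passphrase")
    if "" in body:
        findings.append("blank line inside the base64 body")
    bad = [l for l in body if l and not B64_LINE.match(l)]
    if bad:
        findings.append(f"non-base64 line: {bad[0]!r}")
    try:  # binascii.Error raised by strict decoding is a ValueError subclass
        if not base64.b64decode("".join(l for l in body if l), validate=True):
            findings.append("empty body")
    except ValueError:
        findings.append("base64 decode failed")
    return findings

# Constructed sample: the body is valid base64 but not a real certificate.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % (
    base64.b64encode(b"constructed sample, not a real DER certificate").decode())
```

Run check_pem over the certificate and (with label "RSA PRIVATE KEY") the key file; a clean result narrows the fault to the loader or its configuration rather than the file.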