Hi folks!!
Finally I had time to test the new TLS module and ran into lots of problems... probably due to my lack of security knowledge. If somebody can point me to a few links where I can gain some knowledge, I'll appreciate it.
The problem:
I created the cert, key and CA list using the scripts present in openser's TLS module. I am using the latest CVS version, and SER does not start, giving the following error:
ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/user-cert.pem' ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
Probably I did something wrong in the key creation or configured something wrong in ser.cfg. The config is taken from a thread on serdev about the status of the SER TLS module, and it's really simple, so I don't think it's wrong; but anyway, here it is:
loadmodule "/usr/local/lib/ser/modules/tls.so" loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
listen=tls:a.b.c.d:5061 listen=tcp:a.b.c.d:5060 listen=udp:a.b.c.d:5060
alias=mydomain.com
#modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23") modparam("tls", "verify_certificate", 1) modparam("tls", "require_certificate", 0) modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem") modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem") modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem") #modparam("tls", "config", "tls.cfg")
route { if (proto == TLS && (method == "POST" || method == "GET")) { create_via(); # XMLRPC requests do not contain via, create it
if (!@tls.peer.verified) { # Client did not provide certificate or it is not valid xmlrpc_reply("400", "Unauthorized"); break; }
if (@xmlrpc.method == "core.kill") { # Make sure the client has the permission to execute the command if (@tls.peer != "SER-Killer") { xmlrpc_reply("400", "Access to core.kill denied"); break; } }
dispatch_rpc(); break; } }
Any comments are highly appreciated, thanks!
Samuel.
Does ser have permission to read the cert files?
klaus
samuel wrote:
Hi folks!!
Finally I had time to test the new TLS module and faced lots of problems...probably due to my lack of security knowledge. If somebody can point me few links where I can gain some knowledge I'll appreciate it..
The problem:
I create the cert,key and ca-list using the scripts present in openser's TLS module. I am using the latest CVS version and SER does not start giving the next error:
ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/user-cert.pem' ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
Probably I did something wrong in the key creation or configure something wrong in ser.cfg....The config is taken from a thread present in serdev about the status of the SER TLS module and it's really simple so I don't think it's wrong but anyway, here it is:
loadmodule "/usr/local/lib/ser/modules/tls.so" loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
listen=tls:a.b.c.d:5061 listen=tcp:a.b.c.d:5060 listen=udp:a.b.c.d:5060
alias=mydomain.com
#modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23") modparam("tls", "verify_certificate", 1) modparam("tls", "require_certificate", 0) modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem") modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem") modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem") #modparam("tls", "config", "tls.cfg")
route { if (proto == TLS && (method == "POST" || method == "GET")) { create_via(); # XMLRPC requests do not contain via, create it
if (!@tls.peer.verified) { # Client did not provide certificate or it is not valid xmlrpc_reply("400", "Unauthorized"); break; } if (@xmlrpc.method == "core.kill") { # Make sure the client has the permission to execute the command if (@tls.peer != "SER-Killer") { xmlrpc_reply("400", "Access to core.kill denied"); break; } } dispatch_rpc(); break;
} }
Any comments are highly appreciated, thanks!
Samuel.
Yes... I even increased the permissions to the next level:
-rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 cert.pem -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 key.pem -rwxrwxrwx 1 root ser 1.4K 2006-04-07 12:26 user-calist.pem -rwxrwxrwx 1 root ser 3.0K 2006-04-07 12:26 user-cert.pem -rwxrwxrwx 1 root ser 530 2006-04-07 12:26 user-cert_req.pem -rwxrwxrwx 1 root ser 493 2006-04-07 12:26 user-privkey.
2006/4/7, Klaus Darilion klaus.mailinglists@pernau.at:
Does ser have permission to read the cert files?
klaus
samuel wrote:
Hi folks!!
Finally I had time to test the new TLS module and faced lots of problems...probably due to my lack of security knowledge. If somebody can point me few links where I can gain some knowledge I'll appreciate it..
The problem:
I create the cert,key and ca-list using the scripts present in openser's TLS module. I am using the latest CVS version and SER does not start giving the next error:
ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/user-cert.pem' ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
Probably I did something wrong in the key creation or configure something wrong in ser.cfg....The config is taken from a thread present in serdev about the status of the SER TLS module and it's really simple so I don't think it's wrong but anyway, here it is:
loadmodule "/usr/local/lib/ser/modules/tls.so" loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
listen=tls:a.b.c.d:5061 listen=tcp:a.b.c.d:5060 listen=udp:a.b.c.d:5060
alias=mydomain.com
#modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23") modparam("tls", "verify_certificate", 1) modparam("tls", "require_certificate", 0) modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem") modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem") modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem") #modparam("tls", "config", "tls.cfg")
route { if (proto == TLS && (method == "POST" || method == "GET")) { create_via(); # XMLRPC requests do not contain via, create it
if (!@tls.peer.verified) { # Client did not provide certificate or it is not valid xmlrpc_reply("400", "Unauthorized"); break; } if (@xmlrpc.method == "core.kill") { # Make sure the client has the permission to execute the command if (@tls.peer != "SER-Killer") { xmlrpc_reply("400", "Access to core.kill denied"); break; } } dispatch_rpc(); break;
} }
Any comments are highly appreciated, thanks!
Samuel.
Is the certificate really in PEM format? That "no start line" error means OpenSSL did not find a PEM header where it expected one. Try to look at it with openssl, or look into the file to see whether it starts with something like "-----BEGIN CERTIFICATE-----".
If it is not in PEM format you can use openssl to convert it...
Vaclav
On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote:
Yes....I even increased permissions up to the next level:
-rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 cert.pem -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 key.pem -rwxrwxrwx 1 root ser 1.4K 2006-04-07 12:26 user-calist.pem -rwxrwxrwx 1 root ser 3.0K 2006-04-07 12:26 user-cert.pem -rwxrwxrwx 1 root ser 530 2006-04-07 12:26 user-cert_req.pem -rwxrwxrwx 1 root ser 493 2006-04-07 12:26 user-privkey.
2006/4/7, Klaus Darilion klaus.mailinglists@pernau.at:
Does ser have permission to read the cert files?
klaus
samuel wrote:
Hi folks!!
Finally I had time to test the new TLS module and faced lots of problems...probably due to my lack of security knowledge. If somebody can point me few links where I can gain some knowledge I'll appreciate it..
The problem:
I create the cert,key and ca-list using the scripts present in openser's TLS module. I am using the latest CVS version and SER does not start giving the next error:
ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/user-cert.pem' ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
Probably I did something wrong in the key creation or configure something wrong in ser.cfg....The config is taken from a thread present in serdev about the status of the SER TLS module and it's really simple so I don't think it's wrong but anyway, here it is:
loadmodule "/usr/local/lib/ser/modules/tls.so" loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
listen=tls:a.b.c.d:5061 listen=tcp:a.b.c.d:5060 listen=udp:a.b.c.d:5060
alias=mydomain.com
#modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23") modparam("tls", "verify_certificate", 1) modparam("tls", "require_certificate", 0) modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem") modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem") modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem") #modparam("tls", "config", "tls.cfg")
route { if (proto == TLS && (method == "POST" || method == "GET")) { create_via(); # XMLRPC requests do not contain via, create it
if (!@tls.peer.verified) { # Client did not provide certificate or it is not valid xmlrpc_reply("400", "Unauthorized"); break; } if (@xmlrpc.method == "core.kill") { # Make sure the client has the permission to execute the command if (@tls.peer != "SER-Killer") { xmlrpc_reply("400", "Access to core.kill denied"); break; } } dispatch_rpc(); break;
} }
Any comments are highly appreciated, thanks!
Samuel.
It starts with a "Certificate:" header and the corresponding fields; only after that text does the cert itself begin with the BEGIN line.
As I said, I am just starting with TLS and probably I did not create the cert properly. I'll try to read more about it in the meantime.
Thanks, Samuel.
2006/4/7, Vaclav Kubart vaclav.kubart@iptel.org:
Is the certificate really in PEM format? Try to look at it with openssl, or look into the file to see whether it starts with something like "-----BEGIN CERTIFICATE-----".
If it is not in PEM format you can use openssl to convert it...
Vaclav
On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote:
Yes....I even increased permissions up to the next level:
-rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 cert.pem -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 key.pem -rwxrwxrwx 1 root ser 1.4K 2006-04-07 12:26 user-calist.pem -rwxrwxrwx 1 root ser 3.0K 2006-04-07 12:26 user-cert.pem -rwxrwxrwx 1 root ser 530 2006-04-07 12:26 user-cert_req.pem -rwxrwxrwx 1 root ser 493 2006-04-07 12:26 user-privkey.
2006/4/7, Klaus Darilion klaus.mailinglists@pernau.at:
Does ser have permission to read the cert files?
klaus
samuel wrote:
Hi folks!!
Finally I had time to test the new TLS module and faced lots of problems...probably due to my lack of security knowledge. If somebody can point me few links where I can gain some knowledge I'll appreciate it..
The problem:
I create the cert,key and ca-list using the scripts present in openser's TLS module. I am using the latest CVS version and SER does not start giving the next error:
ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/user-cert.pem' ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
Probably I did something wrong in the key creation or configure something wrong in ser.cfg....The config is taken from a thread present in serdev about the status of the SER TLS module and it's really simple so I don't think it's wrong but anyway, here it is:
loadmodule "/usr/local/lib/ser/modules/tls.so" loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
listen=tls:a.b.c.d:5061 listen=tcp:a.b.c.d:5060 listen=udp:a.b.c.d:5060
alias=mydomain.com
#modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23") modparam("tls", "verify_certificate", 1) modparam("tls", "require_certificate", 0) modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem") modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem") modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem") #modparam("tls", "config", "tls.cfg")
route { if (proto == TLS && (method == "POST" || method == "GET")) { create_via(); # XMLRPC requests do not contain via, create it
if (!@tls.peer.verified) { # Client did not provide certificate or it is not valid xmlrpc_reply("400", "Unauthorized"); break; } if (@xmlrpc.method == "core.kill") { # Make sure the client has the permission to execute the command if (@tls.peer != "SER-Killer") { xmlrpc_reply("400", "Access to core.kill denied"); break; } } dispatch_rpc(); break;
} }
Any comments are highly appreciated, thanks!
Samuel.
I have been able to establish a TLS connection with the openssl tools (s_server and s_client) using the very certificates that SER is unable to load. Can anyone tell me how I can debug this and find where the problem is?
Thanks again, samuell.
2006/4/7, samuel samu60@gmail.com:
It starts with a "Certificate:" header and the corresponding fields; only after that text does the cert itself begin with the BEGIN line.
As I said, I am just starting with TLS and probably I did not create the cert properly. I'll try to read more information meanwhile.
Thanks, Samuel.
2006/4/7, Vaclav Kubart vaclav.kubart@iptel.org:
Is the certificate really in PEM format? Try to look at it with openssl, or look into the file to see whether it starts with something like "-----BEGIN CERTIFICATE-----".
If it is not in PEM format you can use openssl to convert it...
Vaclav
On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote:
Yes....I even increased permissions up to the next level:
-rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 cert.pem -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 key.pem -rwxrwxrwx 1 root ser 1.4K 2006-04-07 12:26 user-calist.pem -rwxrwxrwx 1 root ser 3.0K 2006-04-07 12:26 user-cert.pem -rwxrwxrwx 1 root ser 530 2006-04-07 12:26 user-cert_req.pem -rwxrwxrwx 1 root ser 493 2006-04-07 12:26 user-privkey.
2006/4/7, Klaus Darilion klaus.mailinglists@pernau.at:
Does ser have permission to read the cert files?
klaus
samuel wrote:
Hi folks!!
Finally I had time to test the new TLS module and faced lots of problems...probably due to my lack of security knowledge. If somebody can point me few links where I can gain some knowledge I'll appreciate it..
The problem:
I create the cert,key and ca-list using the scripts present in openser's TLS module. I am using the latest CVS version and SER does not start giving the next error:
ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/user-cert.pem' ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
Probably I did something wrong in the key creation or configure something wrong in ser.cfg....The config is taken from a thread present in serdev about the status of the SER TLS module and it's really simple so I don't think it's wrong but anyway, here it is:
loadmodule "/usr/local/lib/ser/modules/tls.so" loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
listen=tls:a.b.c.d:5061 listen=tcp:a.b.c.d:5060 listen=udp:a.b.c.d:5060
alias=mydomain.com
#modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23") modparam("tls", "verify_certificate", 1) modparam("tls", "require_certificate", 0) modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem") modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem") modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem") #modparam("tls", "config", "tls.cfg")
route { if (proto == TLS && (method == "POST" || method == "GET")) { create_via(); # XMLRPC requests do not contain via, create it
if (!@tls.peer.verified) { # Client did not provide certificate or it is not valid xmlrpc_reply("400", "Unauthorized"); break; } if (@xmlrpc.method == "core.kill") { # Make sure the client has the permission to execute the command if (@tls.peer != "SER-Killer") { xmlrpc_reply("400", "Access to core.kill denied"); break; } } dispatch_rpc(); break;
} }
Any comments are highly appreciated, thanks!
Samuel.
Last call for help... I'll detail the steps so that some guru can find what I am not doing right:
I have created the cert/key in PEM format with the following commands: Create a self-signed CA: #openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365 -out CA98cert.pem -outform PEM Create the request for our domain: #openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 -out ser98req.pem -outform PEM Sign & issue the cert: #openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req -CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem
The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after several "lost" hours...)
I can check the cert and key with the openssl tools, both are OK, and I can create connections using the s_server and s_client tools included in the openssl package. They have the appropriate format; the certificate file:
-----BEGIN CERTIFICATE----- askjdfl -----END CERTIFICATE-----
and the key: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF
-----END RSA PRIVATE KEY-----
I have checked for "strange" characters and everything seems OK, except that when I start SER it gives me:
Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/ser98cert.pem' Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing module tls
Any feedback is highly appreciated... I never thought it would be so difficult to use TLS.
Samuel.
2006/4/10, samuel samu60@gmail.com:
I have been able to create a TLS connection with openssl tools (s_server and s_client) using the certificates that SER is unable to open. Can anyone tell me how can I debug this problem and find where the problem is?
Thanks again, samuell.
2006/4/7, samuel samu60@gmail.com:
It starts with Certificate and the corresponding fields. After this information, the cert itself begins with the BEGIN statement.
As I said, I am just starting with TLS and probably I did not create the cert properly. I'll try to read more information meanwhile.
Thanks, Samuel.
2006/4/7, Vaclav Kubart vaclav.kubart@iptel.org:
Is the certificate really in PEM format? Try to look on it with openssl or try look into the file if starts with something like "-----BEGIN CERTIFICATE-----".
If it is not in PEM format you can use openssl to convert it...
Vaclav
On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote:
Yes....I even increased permissions up to the next level:
-rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 cert.pem -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 key.pem -rwxrwxrwx 1 root ser 1.4K 2006-04-07 12:26 user-calist.pem -rwxrwxrwx 1 root ser 3.0K 2006-04-07 12:26 user-cert.pem -rwxrwxrwx 1 root ser 530 2006-04-07 12:26 user-cert_req.pem -rwxrwxrwx 1 root ser 493 2006-04-07 12:26 user-privkey.
2006/4/7, Klaus Darilion klaus.mailinglists@pernau.at:
Does ser have permission to read the cert files?
klaus
samuel wrote:
Hi folks!!
Finally I had time to test the new TLS module and faced lots of problems...probably due to my lack of security knowledge. If somebody can point me few links where I can gain some knowledge I'll appreciate it..
The problem:
I create the cert,key and ca-list using the scripts present in openser's TLS module. I am using the latest CVS version and SER does not start giving the next error:
ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/user-cert.pem' ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line
Probably I did something wrong in the key creation or configure something wrong in ser.cfg....The config is taken from a thread present in serdev about the status of the SER TLS module and it's really simple so I don't think it's wrong but anyway, here it is:
loadmodule "/usr/local/lib/ser/modules/tls.so" loadmodule "/usr/local/lib/ser/modules/sl.so" loadmodule "/usr/local/lib/ser/modules/xmlrpc.so"
listen=tls:a.b.c.d:5061 listen=tcp:a.b.c.d:5060 listen=udp:a.b.c.d:5060
alias=mydomain.com
#modparam("tls", "tls_method", "TLSv1") modparam("tls", "tls_method", "SSLv23") modparam("tls", "verify_certificate", 1) modparam("tls", "require_certificate", 0) modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem") modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem") modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem") #modparam("tls", "config", "tls.cfg")
route { if (proto == TLS && (method == "POST" || method == "GET")) { create_via(); # XMLRPC requests do not contain via, create it
if (!@tls.peer.verified) { # Client did not provide certificate or it is not valid xmlrpc_reply("400", "Unauthorized"); break; } if (@xmlrpc.method == "core.kill") { # Make sure the client has the permission to execute the command if (@tls.peer != "SER-Killer") { xmlrpc_reply("400", "Access to core.kill denied"); break; } } dispatch_rpc(); break;
} }
Any comments are highly appreciated, thanks!
Samuel.
The last check I made was to verify my own generated CA and server certs/keys with the latest openser-1.0.1-tls, and it reads the files properly. I therefore deduced that there must be something wrong in the cert-reading process of SER's tls module. I cannot debug further due to lack of time, but I hope to read some mail providing feedback... it might also be some misconfiguration on my side, but I took the config from the latest mails Jan sent to the mailing list regarding TLS configuration (see the first mail in this thread for the config file).
Thanks, Samuel.
2006/4/10, samuel samu60@gmail.com:
Last call for help....I'll detail steps to see if some guru finds what I am not doing right:
I have created the cert/key in the PEM format with the next commands: Create self CA: #openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365 -out CA98cert.pem -outform PEM Create the request for our domain: #openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 -out ser98req.pem -outform PEM Sing&issue cert #openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req -CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem
The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after several "lost" hours...)
I can check with openssl tools the cert and key and both are OK and can create connections using the s_server and s_client tools included in the openssl package. They have the appropriate format, certificate file:
-----BEGIN CERTIFICATE----- askjdfl -----END CERTIFICATE-----
and the key: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF
-----END RSA PRIVATE KEY-----
I have checked for "strange" characters but everything seems ok except that when I start SER, it gives me:
Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/ser98cert.pem' Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing module tls
Any feedback is highly appreciated...I never thought it would so difficult to use TLS.....
Samuel.
2006/4/10, samuel samu60@gmail.com:
I have been able to create a TLS connection with openssl tools (s_server and s_client) using the certificates that SER is unable to open. Can anyone tell me how can I debug this problem and find where the problem is?
Thanks again, samuell.
2006/4/7, samuel samu60@gmail.com:
It starts with Certificate and the corresponding fields. After this information, the cert itself begins with the BEGIN statement.
As I said, I am just starting with TLS and probably I did not create the cert properly. I'll try to read more information meanwhile.
Thanks, Samuel.
2006/4/7, Vaclav Kubart vaclav.kubart@iptel.org:
Is the certificate really in PEM format? Try to look on it with openssl or try look into the file if starts with something like "-----BEGIN CERTIFICATE-----".
If it is not in PEM format you can use openssl to convert it...
Vaclav
On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote:
Yes....I even increased permissions up to the next level:
-rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 cert.pem -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 key.pem -rwxrwxrwx 1 root ser 1.4K 2006-04-07 12:26 user-calist.pem -rwxrwxrwx 1 root ser 3.0K 2006-04-07 12:26 user-cert.pem -rwxrwxrwx 1 root ser 530 2006-04-07 12:26 user-cert_req.pem -rwxrwxrwx 1 root ser 493 2006-04-07 12:26 user-privkey.
2006/4/7, Klaus Darilion klaus.mailinglists@pernau.at:
Does ser have permission to read the cert files?
klaus
samuel wrote: > Hi folks!! > > Finally I had time to test the new TLS module and faced lots of > problems...probably due to my lack of security knowledge. If somebody > can point me few links where I can gain some knowledge I'll appreciate > it.. > > The problem: > > I create the cert,key and ca-list using the scripts present in > openser's TLS module. I am using the latest CVS version and SER does > not start giving the next error: > > ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load > certificate file '/usr/local/etc/ser/certs/user-cert.pem' > ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM > routines:PEM_read_bio:no start line > > Probably I did something wrong in the key creation or configure > something wrong in ser.cfg....The config is taken from a thread > present in serdev about the status of the SER TLS module and it's > really simple so I don't think it's wrong but anyway, here it is: > > > > loadmodule "/usr/local/lib/ser/modules/tls.so" > loadmodule "/usr/local/lib/ser/modules/sl.so" > loadmodule "/usr/local/lib/ser/modules/xmlrpc.so" > > listen=tls:a.b.c.d:5061 > listen=tcp:a.b.c.d:5060 > listen=udp:a.b.c.d:5060 > > alias=mydomain.com > > #modparam("tls", "tls_method", "TLSv1") > modparam("tls", "tls_method", "SSLv23") > modparam("tls", "verify_certificate", 1) > modparam("tls", "require_certificate", 0) > modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem") > modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem") > modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem") > #modparam("tls", "config", "tls.cfg") > > route { > if (proto == TLS && (method == "POST" || method == "GET")) { > create_via(); # XMLRPC requests do not contain via, create it > > if (!@tls.peer.verified) { > # Client did not provide certificate or it is not valid > xmlrpc_reply("400", "Unauthorized"); > break; > } > > if (@xmlrpc.method == "core.kill") { > # Make sure the client has the permission to 
execute the command > if (@tls.peer != "SER-Killer") { > xmlrpc_reply("400", "Access to core.kill denied"); > break; > } > } > > dispatch_rpc(); > break; > } > } > > > Any comments are highly appreciated, thanks! > > Samuel. > > _______________________________________________ > Serusers mailing list > serusers@lists.iptel.org > http://lists.iptel.org/mailman/listinfo/serusers
Are you using the simple configuration (in ser.cfg) or the advanced version (in a separate configuration file)?
Maybe there are bugs in the configuration part of TLS.
I once tried the external configuration file and it worked as long as I only used the default domains. Specifying a dedicated TLS domain failed due to parser bugs.
regards klaus
samuel wrote:
Last check I made was to verify my own generated CA and server certs/keys with latest openser-1.0.1.-tls and it properly reads the files. I deducted therefore that there must be something wrong in the cert reading process in the SER's tls module. I can not debug further due to lack of time but I hope to read some mail providing some feedback... it might also been some misconfiguration in my config but I took it from the latest mails Jan sent to the mailing list regarding TLS configuration (see the first mail on this thread for the config file).
Thanks, Samuel.
2006/4/10, samuel samu60@gmail.com:
Last call for help....I'll detail steps to see if some guru finds what I am not doing right:
I have created the cert/key in the PEM format with the next commands: Create self CA: #openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365 -out CA98cert.pem -outform PEM Create the request for our domain: #openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 -out ser98req.pem -outform PEM Sing&issue cert #openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req -CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem
The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after several "lost" hours...)
I can check with openssl tools the cert and key and both are OK and can create connections using the s_server and s_client tools included in the openssl package. They have the appropriate format, certificate file:
-----BEGIN CERTIFICATE----- askjdfl -----END CERTIFICATE-----
and the key: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF
-----END RSA PRIVATE KEY-----
I have checked for "strange" characters but everything seems ok except that when I start SER, it gives me:
Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/ser98cert.pem' Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing module tls
Any feedback is highly appreciated...I never thought it would so difficult to use TLS.....
Samuel.
2006/4/10, samuel samu60@gmail.com:
I have been able to create a TLS connection with openssl tools (s_server and s_client) using the certificates that SER is unable to open. Can anyone tell me how can I debug this problem and find where the problem is?
Thanks again, samuell.
2006/4/7, samuel samu60@gmail.com:
It starts with Certificate and the corresponding fields. After this information, the cert itself begins with the BEGIN statement.
As I said, I am just starting with TLS and probably I did not create the cert properly. I'll try to read more information meanwhile.
Thanks, Samuel.
2006/4/7, Vaclav Kubart vaclav.kubart@iptel.org:
Is the certificate really in PEM format? Try to look on it with openssl or try look into the file if starts with something like "-----BEGIN CERTIFICATE-----".
If it is not in PEM format you can use openssl to convert it...
Vaclav
On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote:
Yes....I even increased permissions up to the next level:
-rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 cert.pem -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 key.pem -rwxrwxrwx 1 root ser 1.4K 2006-04-07 12:26 user-calist.pem -rwxrwxrwx 1 root ser 3.0K 2006-04-07 12:26 user-cert.pem -rwxrwxrwx 1 root ser 530 2006-04-07 12:26 user-cert_req.pem -rwxrwxrwx 1 root ser 493 2006-04-07 12:26 user-privkey.
2006/4/7, Klaus Darilion klaus.mailinglists@pernau.at: > Does have ser permissions to read the cert files? > > klaus > > samuel wrote: >> Hi folks!! >> >> Finally I had time to test the new TLS module and faced lots of >> problems...probably due to my lack of security knowledge. If somebody >> can point me few links where I can gain some knowledge I'll appreciate >> it.. >> >> The problem: >> >> I create the cert,key and ca-list using the scripts present in >> openser's TLS module. I am using the latest CVS version and SER does >> not start giving the next error: >> >> ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load >> certificate file '/usr/local/etc/ser/certs/user-cert.pem' >> ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM >> routines:PEM_read_bio:no start line >> >> Probably I did something wrong in the key creation or configure >> something wrong in ser.cfg....The config is taken from a thread >> present in serdev about the status of the SER TLS module and it's >> really simple so I don't think it's wrong but anyway, here it is: >> >> >> >> loadmodule "/usr/local/lib/ser/modules/tls.so" >> loadmodule "/usr/local/lib/ser/modules/sl.so" >> loadmodule "/usr/local/lib/ser/modules/xmlrpc.so" >> >> listen=tls:a.b.c.d:5061 >> listen=tcp:a.b.c.d:5060 >> listen=udp:a.b.c.d:5060 >> >> alias=mydomain.com >> >> #modparam("tls", "tls_method", "TLSv1") >> modparam("tls", "tls_method", "SSLv23") >> modparam("tls", "verify_certificate", 1) >> modparam("tls", "require_certificate", 0) >> modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem") >> modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem") >> modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem") >> #modparam("tls", "config", "tls.cfg") >> >> route { >> if (proto == TLS && (method == "POST" || method == "GET")) { >> create_via(); # XMLRPC requests do not contain via, create it >> >> if (!@tls.peer.verified) { >> # Client did not provide 
certificate or it is not valid >> xmlrpc_reply("400", "Unauthorized"); >> break; >> } >> >> if (@xmlrpc.method == "core.kill") { >> # Make sure the client has the permission to execute the command >> if (@tls.peer != "SER-Killer") { >> xmlrpc_reply("400", "Access to core.kill denied"); >> break; >> } >> } >> >> dispatch_rpc(); >> break; >> } >> } >> >> >> Any comments are highly appreciated, thanks! >> >> Samuel. >> >> _______________________________________________ >> Serusers mailing list >> serusers@lists.iptel.org >> http://lists.iptel.org/mailman/listinfo/serusers > _______________________________________________ Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
I first tried the external configuration file and indeed I had problems. I then used the modparam approach and tried different keys and certs created in different ways (openser script, openssl 0.9.7e, openssl 0.9.8a, without encrypting the keys....) with no success...
If I write a wrong path in the SER config file, the error that appears is "file not found" so I guess the location of certs/keys is properly set. Even in the log the path is right....
I would say it is a parsing problem, because if I modify the cert itself the error that appears in the SER log is different (I have really tried lots of "strange" things...). If I modify the data, I get a base64 error; if I add a blank line between BEGIN CERTIFICATE and the cert itself, it complains about "no end line found"....that is why I deduced there is a problem in the parsing, but I ran out of time to continue debugging :(
Can you please send me a working testing cert/key to try in my setup?
Thank you,
Samuel.
2006/4/11, Klaus Darilion klaus.mailinglists@pernau.at:
Are you using the simple configuration (in ser.cfg) or the advanced version (in a separate configuration file)?
Maybe there are bugs in the configuration part of TLS.
I once tried the external configuration file and it worked as long as I only used the default domains. Specifying a dedicated TLS domain failed due to parser bugs.
regards klaus
samuel wrote:
The last check I made was to verify my own generated CA and server certs/keys with the latest openser-1.0.1.-tls, and it properly reads the files. I therefore deduced that there must be something wrong in the cert reading process of SER's tls module. I cannot debug further due to lack of time, but I hope to read some mail providing feedback... it might also be some misconfiguration in my config, but I took it from the latest mails Jan sent to the mailing list regarding TLS configuration (see the first mail on this thread for the config file).
Thanks, Samuel.
2006/4/10, samuel samu60@gmail.com:
Last call for help....I'll detail steps to see if some guru finds what I am not doing right:
I have created the cert/key in the PEM format with the following commands: Create a self-signed CA: #openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365 -out CA98cert.pem -outform PEM Create the request for our domain: #openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 -out ser98req.pem -outform PEM Sign & issue the cert: #openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req -CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem
The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after several "lost" hours...)
I can check with openssl tools the cert and key and both are OK and can create connections using the s_server and s_client tools included in the openssl package. They have the appropriate format, certificate file:
-----BEGIN CERTIFICATE----- askjdfl -----END CERTIFICATE-----
and the key: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF
-----END RSA PRIVATE KEY-----
I have checked for "strange" characters but everything seems ok except that when I start SER, it gives me:
Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/ser98cert.pem' Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing module tls
Any feedback is highly appreciated...I never thought it would be so difficult to use TLS.....
Samuel.
2006/4/10, samuel samu60@gmail.com:
I have been able to create a TLS connection with openssl tools (s_server and s_client) using the certificates that SER is unable to open. Can anyone tell me how I can debug this and find where the problem is?
Thanks again, samuell.
2006/4/7, samuel samu60@gmail.com:
It starts with "Certificate:" and the corresponding fields; after that information, the cert itself begins with the BEGIN line.
As I said, I am just starting with TLS and probably I did not create the cert properly. I'll try to read more information meanwhile.
Thanks, Samuel.
2006/4/7, Vaclav Kubart vaclav.kubart@iptel.org:
Is the certificate really in PEM format? Try to look at it with openssl, or look into the file to see whether it starts with something like "-----BEGIN CERTIFICATE-----".
If it is not in PEM format you can use openssl to convert it...
Vaclav
On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote: > Yes....I even increased permissions up to the next level: > > -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 cert.pem > -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 key.pem > -rwxrwxrwx 1 root ser 1.4K 2006-04-07 12:26 user-calist.pem > -rwxrwxrwx 1 root ser 3.0K 2006-04-07 12:26 user-cert.pem > -rwxrwxrwx 1 root ser 530 2006-04-07 12:26 user-cert_req.pem > -rwxrwxrwx 1 root ser 493 2006-04-07 12:26 user-privkey. > > > 2006/4/7, Klaus Darilion klaus.mailinglists@pernau.at: >> Does have ser permissions to read the cert files? >> >> klaus >> >> samuel wrote: >>> Hi folks!! >>> >>> Finally I had time to test the new TLS module and faced lots of >>> problems...probably due to my lack of security knowledge. If somebody >>> can point me few links where I can gain some knowledge I'll appreciate >>> it.. >>> >>> The problem: >>> >>> I create the cert,key and ca-list using the scripts present in >>> openser's TLS module. I am using the latest CVS version and SER does >>> not start giving the next error: >>> >>> ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load >>> certificate file '/usr/local/etc/ser/certs/user-cert.pem' >>> ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM >>> routines:PEM_read_bio:no start line >>> >>> Probably I did something wrong in the key creation or configure >>> something wrong in ser.cfg....The config is taken from a thread >>> present in serdev about the status of the SER TLS module and it's >>> really simple so I don't think it's wrong but anyway, here it is: >>> >>> >>> >>> loadmodule "/usr/local/lib/ser/modules/tls.so" >>> loadmodule "/usr/local/lib/ser/modules/sl.so" >>> loadmodule "/usr/local/lib/ser/modules/xmlrpc.so" >>> >>> listen=tls:a.b.c.d:5061 >>> listen=tcp:a.b.c.d:5060 >>> listen=udp:a.b.c.d:5060 >>> >>> alias=mydomain.com >>> >>> #modparam("tls", "tls_method", "TLSv1") >>> modparam("tls", "tls_method", "SSLv23") >>> modparam("tls", "verify_certificate", 1) >>> 
modparam("tls", "require_certificate", 0) >>> modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem") >>> modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem") >>> modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem") >>> #modparam("tls", "config", "tls.cfg") >>> >>> route { >>> if (proto == TLS && (method == "POST" || method == "GET")) { >>> create_via(); # XMLRPC requests do not contain via, create it >>> >>> if (!@tls.peer.verified) { >>> # Client did not provide certificate or it is not valid >>> xmlrpc_reply("400", "Unauthorized"); >>> break; >>> } >>> >>> if (@xmlrpc.method == "core.kill") { >>> # Make sure the client has the permission to execute the command >>> if (@tls.peer != "SER-Killer") { >>> xmlrpc_reply("400", "Access to core.kill denied"); >>> break; >>> } >>> } >>> >>> dispatch_rpc(); >>> break; >>> } >>> } >>> >>> >>> Any comments are highly appreciated, thanks! >>> >>> Samuel. >>> >>> _______________________________________________ >>> Serusers mailing list >>> serusers@lists.iptel.org >>> http://lists.iptel.org/mailman/listinfo/serusers >> > _______________________________________________ > Serusers mailing list > serusers@lists.iptel.org > http://lists.iptel.org/mailman/listinfo/serusers
samuel wrote:
I first tried the external configuration file and indeed I had problems. I then used the modparam approach and tried different keys and certs created in different ways (openser script, openssl 0.9.7e, openssl 0.9.8a, without encrypting the keys....) with no success...
If I write a wrong path in the SER config file, the error that appears is "file not found" so I guess the location of certs/keys is properly set. Even in the log the path is right....
I would say it is a parsing problem, because if I modify the cert itself the error that appears in the SER log is different (I have really tried lots of "strange" things...). If I modify the data, I get a base64 error; if I add a blank line between BEGIN CERTIFICATE and the cert itself, it complains about "no end line found"....that is why I deduced there is a problem in the parsing, but I ran out of time to continue debugging :(
Can you please send me a working testing cert/key to try in my setup?
If your certs work with openser I think they should be fine.
Try to rename the certs and put them into the default location. (To find out the default location and name for the certs, just start TLS without cert configuration and watch the logs.)
regards klaus
Thank you,
Samuel.
2006/4/11, Klaus Darilion klaus.mailinglists@pernau.at:
Are you using the simple configuration (in ser.cfg) or the advanced version (in a separate configuration file)?
Maybe there are bugs in the configuration part of TLS.
I once tried the external configuration file and it worked as long as I only used the default domains. Specifying a dedicated TLS domain failed due to parser bugs.
regards klaus
samuel wrote:
The last check I made was to verify my own generated CA and server certs/keys with the latest openser-1.0.1.-tls, and it properly reads the files. I therefore deduced that there must be something wrong in the cert reading process of SER's tls module. I cannot debug further due to lack of time, but I hope to read some mail providing feedback... it might also be some misconfiguration in my config, but I took it from the latest mails Jan sent to the mailing list regarding TLS configuration (see the first mail on this thread for the config file).
Thanks, Samuel.
2006/4/10, samuel samu60@gmail.com:
Last call for help....I'll detail steps to see if some guru finds what I am not doing right:
I have created the cert/key in the PEM format with the following commands: Create a self-signed CA: #openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365 -out CA98cert.pem -outform PEM Create the request for our domain: #openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 -out ser98req.pem -outform PEM Sign & issue the cert: #openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req -CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem
The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after several "lost" hours...)
I can check with openssl tools the cert and key and both are OK and can create connections using the s_server and s_client tools included in the openssl package. They have the appropriate format, certificate file:
-----BEGIN CERTIFICATE----- askjdfl -----END CERTIFICATE-----
and the key: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF
-----END RSA PRIVATE KEY-----
I have checked for "strange" characters but everything seems ok except that when I start SER, it gives me:
Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/ser98cert.pem' Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing module tls
Any feedback is highly appreciated...I never thought it would be so difficult to use TLS.....
Samuel.
2006/4/10, samuel samu60@gmail.com:
I have been able to create a TLS connection with openssl tools (s_server and s_client) using the certificates that SER is unable to open. Can anyone tell me how I can debug this and find where the problem is?
Thanks again, samuell.
2006/4/7, samuel samu60@gmail.com:
It starts with "Certificate:" and the corresponding fields; after that information, the cert itself begins with the BEGIN line.
As I said, I am just starting with TLS and probably I did not create the cert properly. I'll try to read more information meanwhile.
Thanks, Samuel.
2006/4/7, Vaclav Kubart vaclav.kubart@iptel.org: > Is the certificate really in PEM format? Try to look on it with openssl > or try look into the file if starts with something like > "-----BEGIN CERTIFICATE-----". > > If it is not in PEM format you can use openssl to convert it... > > Vaclav > > On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote: >> Yes....I even increased permissions up to the next level: >> >> -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 cert.pem >> -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 key.pem >> -rwxrwxrwx 1 root ser 1.4K 2006-04-07 12:26 user-calist.pem >> -rwxrwxrwx 1 root ser 3.0K 2006-04-07 12:26 user-cert.pem >> -rwxrwxrwx 1 root ser 530 2006-04-07 12:26 user-cert_req.pem >> -rwxrwxrwx 1 root ser 493 2006-04-07 12:26 user-privkey. >> >> >> 2006/4/7, Klaus Darilion klaus.mailinglists@pernau.at: >>> Does have ser permissions to read the cert files? >>> >>> klaus >>> >>> samuel wrote: >>>> Hi folks!! >>>> >>>> Finally I had time to test the new TLS module and faced lots of >>>> problems...probably due to my lack of security knowledge. If somebody >>>> can point me few links where I can gain some knowledge I'll appreciate >>>> it.. >>>> >>>> The problem: >>>> >>>> I create the cert,key and ca-list using the scripts present in >>>> openser's TLS module. 
I am using the latest CVS version and SER does >>>> not start giving the next error: >>>> >>>> ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load >>>> certificate file '/usr/local/etc/ser/certs/user-cert.pem' >>>> ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM >>>> routines:PEM_read_bio:no start line >>>> >>>> Probably I did something wrong in the key creation or configure >>>> something wrong in ser.cfg....The config is taken from a thread >>>> present in serdev about the status of the SER TLS module and it's >>>> really simple so I don't think it's wrong but anyway, here it is: >>>> >>>> >>>> >>>> loadmodule "/usr/local/lib/ser/modules/tls.so" >>>> loadmodule "/usr/local/lib/ser/modules/sl.so" >>>> loadmodule "/usr/local/lib/ser/modules/xmlrpc.so" >>>> >>>> listen=tls:a.b.c.d:5061 >>>> listen=tcp:a.b.c.d:5060 >>>> listen=udp:a.b.c.d:5060 >>>> >>>> alias=mydomain.com >>>> >>>> #modparam("tls", "tls_method", "TLSv1") >>>> modparam("tls", "tls_method", "SSLv23") >>>> modparam("tls", "verify_certificate", 1) >>>> modparam("tls", "require_certificate", 0) >>>> modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem") >>>> modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem") >>>> modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem") >>>> #modparam("tls", "config", "tls.cfg") >>>> >>>> route { >>>> if (proto == TLS && (method == "POST" || method == "GET")) { >>>> create_via(); # XMLRPC requests do not contain via, create it >>>> >>>> if (!@tls.peer.verified) { >>>> # Client did not provide certificate or it is not valid >>>> xmlrpc_reply("400", "Unauthorized"); >>>> break; >>>> } >>>> >>>> if (@xmlrpc.method == "core.kill") { >>>> # Make sure the client has the permission to execute the command >>>> if (@tls.peer != "SER-Killer") { >>>> xmlrpc_reply("400", "Access to core.kill denied"); >>>> break; >>>> } >>>> } >>>> >>>> dispatch_rpc(); >>>> break; >>>> } >>>> } >>>> >>>> >>>> Any comments are 
highly appreciated, thanks! >>>> >>>> Samuel. >>>> >>>> _______________________________________________ >>>> Serusers mailing list >>>> serusers@lists.iptel.org >>>> http://lists.iptel.org/mailman/listinfo/serusers >> _______________________________________________ >> Serusers mailing list >> serusers@lists.iptel.org >> http://lists.iptel.org/mailman/listinfo/serusers
Really weird stuff going on in my host....I copied the cert to the default location ($PREFIX/etc/ser/cert.pem) and it worked. The best thing is that after this successful load, SER can read the cert from another path...and I did not change anything!!!!!!
Thanks a lot to everyone (and specially Klaus)!!!
Samuel.
2006/4/11, Klaus Darilion klaus.mailinglists@pernau.at:
samuel wrote:
I first tried the external configuration file and indeed I had problems. I then used the modparam approach and tried different keys and certs created in different ways (openser script, openssl 0.9.7e, openssl 0.9.8a, without encrypting the keys....) with no success...
If I write a wrong path in the SER config file, the error that appears is "file not found" so I guess the location of certs/keys is properly set. Even in the log the path is right....
I would say it is a parsing problem, because if I modify the cert itself the error that appears in the SER log is different (I have really tried lots of "strange" things...). If I modify the data, I get a base64 error; if I add a blank line between BEGIN CERTIFICATE and the cert itself, it complains about "no end line found"....that is why I deduced there is a problem in the parsing, but I ran out of time to continue debugging :(
Can you please send me a working testing cert/key to try in my setup?
If your certs work with openser I think they should be fine.
Try to rename the certs and put them into the default location. (To find out the default location and name for the certs, just start TLS without cert configuration and watch the logs.)
regards klaus
Thank you,
Samuel.
2006/4/11, Klaus Darilion klaus.mailinglists@pernau.at:
Are you using the simple configuration (in ser.cfg) or the advanced version (in a separate configuration file)?
Maybe there are bugs in the configuration part of TLS.
I once tried the external configuration file and it worked as long as I only used the default domains. Specifying a dedicated TLS domain failed due to parser bugs.
regards klaus
samuel wrote:
The last check I made was to verify my own generated CA and server certs/keys with the latest openser-1.0.1.-tls, and it properly reads the files. I therefore deduced that there must be something wrong in the cert reading process of SER's tls module. I cannot debug further due to lack of time, but I hope to read some mail providing feedback... it might also be some misconfiguration in my config, but I took it from the latest mails Jan sent to the mailing list regarding TLS configuration (see the first mail on this thread for the config file).
Thanks, Samuel.
2006/4/10, samuel samu60@gmail.com:
Last call for help....I'll detail steps to see if some guru finds what I am not doing right:
I have created the cert/key in the PEM format with the following commands: Create a self-signed CA: #openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365 -out CA98cert.pem -outform PEM Create the request for our domain: #openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 -out ser98req.pem -outform PEM Sign & issue the cert: #openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req -CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem
The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after several "lost" hours...)
I can check with openssl tools the cert and key and both are OK and can create connections using the s_server and s_client tools included in the openssl package. They have the appropriate format, certificate file:
-----BEGIN CERTIFICATE----- askjdfl -----END CERTIFICATE-----
and the key: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF
-----END RSA PRIVATE KEY-----
I have checked for "strange" characters but everything seems ok except that when I start SER, it gives me:
Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/ser98cert.pem' Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing module tls
Any feedback is highly appreciated...I never thought it would be so difficult to use TLS.....
Samuel.
2006/4/10, samuel samu60@gmail.com:
I have been able to create a TLS connection with openssl tools (s_server and s_client) using the certificates that SER is unable to open. Can anyone tell me how I can debug this and find where the problem is?
Thanks again, samuell.
2006/4/7, samuel samu60@gmail.com: > It starts with Certificate and the corresponding fields. After this > information, the cert itself begins with the BEGIN statement. > > As I said, I am just starting with TLS and probably I did not create > the cert properly. I'll try to read more information meanwhile. > > Thanks, > Samuel. > > > 2006/4/7, Vaclav Kubart vaclav.kubart@iptel.org: >> Is the certificate really in PEM format? Try to look on it with openssl >> or try look into the file if starts with something like >> "-----BEGIN CERTIFICATE-----". >> >> If it is not in PEM format you can use openssl to convert it... >> >> Vaclav >> >> On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote: >>> Yes....I even increased permissions up to the next level: >>> >>> -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 cert.pem >>> -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 key.pem >>> -rwxrwxrwx 1 root ser 1.4K 2006-04-07 12:26 user-calist.pem >>> -rwxrwxrwx 1 root ser 3.0K 2006-04-07 12:26 user-cert.pem >>> -rwxrwxrwx 1 root ser 530 2006-04-07 12:26 user-cert_req.pem >>> -rwxrwxrwx 1 root ser 493 2006-04-07 12:26 user-privkey. >>> >>> >>> 2006/4/7, Klaus Darilion klaus.mailinglists@pernau.at: >>>> Does have ser permissions to read the cert files? >>>> >>>> klaus >>>> >>>> samuel wrote: >>>>> Hi folks!! >>>>> >>>>> Finally I had time to test the new TLS module and faced lots of >>>>> problems...probably due to my lack of security knowledge. If somebody >>>>> can point me few links where I can gain some knowledge I'll appreciate >>>>> it.. >>>>> >>>>> The problem: >>>>> >>>>> I create the cert,key and ca-list using the scripts present in >>>>> openser's TLS module. 
I am using the latest CVS version and SER does >>>>> not start giving the next error: >>>>> >>>>> ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load >>>>> certificate file '/usr/local/etc/ser/certs/user-cert.pem' >>>>> ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM >>>>> routines:PEM_read_bio:no start line >>>>> >>>>> Probably I did something wrong in the key creation or configure >>>>> something wrong in ser.cfg....The config is taken from a thread >>>>> present in serdev about the status of the SER TLS module and it's >>>>> really simple so I don't think it's wrong but anyway, here it is: >>>>> >>>>> >>>>> >>>>> loadmodule "/usr/local/lib/ser/modules/tls.so" >>>>> loadmodule "/usr/local/lib/ser/modules/sl.so" >>>>> loadmodule "/usr/local/lib/ser/modules/xmlrpc.so" >>>>> >>>>> listen=tls:a.b.c.d:5061 >>>>> listen=tcp:a.b.c.d:5060 >>>>> listen=udp:a.b.c.d:5060 >>>>> >>>>> alias=mydomain.com >>>>> >>>>> #modparam("tls", "tls_method", "TLSv1") >>>>> modparam("tls", "tls_method", "SSLv23") >>>>> modparam("tls", "verify_certificate", 1) >>>>> modparam("tls", "require_certificate", 0) >>>>> modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem") >>>>> modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem") >>>>> modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem") >>>>> #modparam("tls", "config", "tls.cfg") >>>>> >>>>> route { >>>>> if (proto == TLS && (method == "POST" || method == "GET")) { >>>>> create_via(); # XMLRPC requests do not contain via, create it >>>>> >>>>> if (!@tls.peer.verified) { >>>>> # Client did not provide certificate or it is not valid >>>>> xmlrpc_reply("400", "Unauthorized"); >>>>> break; >>>>> } >>>>> >>>>> if (@xmlrpc.method == "core.kill") { >>>>> # Make sure the client has the permission to execute the command >>>>> if (@tls.peer != "SER-Killer") { >>>>> xmlrpc_reply("400", "Access to core.kill denied"); >>>>> break; >>>>> } >>>>> } >>>>> >>>>> dispatch_rpc(); >>>>> 
break; >>>>> } >>>>> } >>>>> >>>>> >>>>> Any comments are highly appreciated, thanks! >>>>> >>>>> Samuel. >>>>> >>>>> _______________________________________________ >>>>> Serusers mailing list >>>>> serusers@lists.iptel.org >>>>> http://lists.iptel.org/mailman/listinfo/serusers >>> _______________________________________________ >>> Serusers mailing list >>> serusers@lists.iptel.org >>> http://lists.iptel.org/mailman/listinfo/serusers
The problem was in the ca_list. If I leave it unset, the cert/key are loaded properly; if I set it, SER gives the "no start line" error....probably I did not create/configure the ca_list properly...
Thanks again! samuel.
2006/4/11, samuel samu60@gmail.com:
Really weird stuff going on in my host....I copied the cert to the default location ($PREFIX/etc/ser/cert.pem) and it worked. The best thing is that after this successful load, SER can read the cert from another path...and I did not change anything!!!!!!
Thanks a lot to everyone (and specially Klaus)!!!
Samuel.
2006/4/11, Klaus Darilion klaus.mailinglists@pernau.at:
samuel wrote:
I first tried the external configuration file and indeed I had problems. I then used the modparam approach and tried different keys and certs created in different ways (openser script, openssl 0.9.7e, openssl 0.9.8a, without encrypting the keys....) with no success...
If I write a wrong path in the SER config file, the error that appears is "file not found" so I guess the location of certs/keys is properly set. Even in the log the path is right....
I would say it is a parsing problem, because if I modify the cert itself the error that appears in the SER log is different (I have really tried lots of "strange" things...). If I modify the data, I get a base64 error; if I add a blank line between BEGIN CERTIFICATE and the cert itself, it complains about "no end line found"....that is why I deduced there is a problem in the parsing, but I ran out of time to continue debugging :(
Can you please send me a working testing cert/key to try in my setup?
If your certs work with openser I think they should be fine.
Try to rename the certs and put them into the default location. (To find out the default location and name for the certs, just start TLS without cert configuration and watch the logs.)
regards klaus
Thank you,
Samuel.
2006/4/11, Klaus Darilion klaus.mailinglists@pernau.at:
Are you using the simple configuration (in ser.cfg) or the advanced version (in a separate configuration file)?
Maybe there are bugs in the configuration part of TLS.
I once tried the external configuration file and it worked as long as I only used the default domains. Specifying a dedicated TLS domain failed due to parser bugs.
regards klaus
samuel wrote:
The last check I made was to verify my own generated CA and server certs/keys with the latest openser-1.0.1.-tls, and it properly reads the files. I therefore deduced that there must be something wrong in the cert reading process of SER's tls module. I cannot debug further due to lack of time, but I hope to read some mail providing feedback... it might also be some misconfiguration in my config, but I took it from the latest mails Jan sent to the mailing list regarding TLS configuration (see the first mail on this thread for the config file).
Thanks, Samuel.
2006/4/10, samuel samu60@gmail.com:
Last call for help....I'll detail steps to see if some guru finds what I am not doing right:
I have created the cert/key in the PEM format with the following commands: Create a self-signed CA: #openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365 -out CA98cert.pem -outform PEM Create the request for our domain: #openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 -out ser98req.pem -outform PEM Sign & issue the cert: #openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req -CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem
The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after several "lost" hours...)
I can check with openssl tools the cert and key and both are OK and can create connections using the s_server and s_client tools included in the openssl package. They have the appropriate format, certificate file:
-----BEGIN CERTIFICATE----- askjdfl -----END CERTIFICATE-----
and the key: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF
-----END RSA PRIVATE KEY-----
I have checked for "strange" characters but everything seems ok except that when I start SER, it gives me:
Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load certificate file '/usr/local/etc/ser/certs/ser98cert.pem' Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing module tls
Any feedback is highly appreciated...I never thought it would be so difficult to use TLS.....
Samuel.
2006/4/10, samuel samu60@gmail.com: > I have been able to create a TLS connection with openssl tools > (s_server and s_client) using the certificates that SER is unable to > open. > Can anyone tell me how can I debug this problem and find where the problem is? > > Thanks again, > samuell. > > > 2006/4/7, samuel samu60@gmail.com: >> It starts with Certificate and the corresponding fields. After this >> information, the cert itself begins with the BEGIN statement. >> >> As I said, I am just starting with TLS and probably I did not create >> the cert properly. I'll try to read more information meanwhile. >> >> Thanks, >> Samuel. >> >> >> 2006/4/7, Vaclav Kubart vaclav.kubart@iptel.org: >>> Is the certificate really in PEM format? Try to look on it with openssl >>> or try look into the file if starts with something like >>> "-----BEGIN CERTIFICATE-----". >>> >>> If it is not in PEM format you can use openssl to convert it... >>> >>> Vaclav >>> >>> On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote: >>>> Yes....I even increased permissions up to the next level: >>>> >>>> -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 cert.pem >>>> -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 key.pem >>>> -rwxrwxrwx 1 root ser 1.4K 2006-04-07 12:26 user-calist.pem >>>> -rwxrwxrwx 1 root ser 3.0K 2006-04-07 12:26 user-cert.pem >>>> -rwxrwxrwx 1 root ser 530 2006-04-07 12:26 user-cert_req.pem >>>> -rwxrwxrwx 1 root ser 493 2006-04-07 12:26 user-privkey. >>>> >>>> >>>> 2006/4/7, Klaus Darilion klaus.mailinglists@pernau.at: >>>>> Does have ser permissions to read the cert files? >>>>> >>>>> klaus >>>>> >>>>> samuel wrote: >>>>>> Hi folks!! >>>>>> >>>>>> Finally I had time to test the new TLS module and faced lots of >>>>>> problems...probably due to my lack of security knowledge. If somebody >>>>>> can point me few links where I can gain some knowledge I'll appreciate >>>>>> it.. 
>>>>>> >>>>>> The problem: >>>>>> >>>>>> I create the cert,key and ca-list using the scripts present in >>>>>> openser's TLS module. I am using the latest CVS version and SER does >>>>>> not start giving the next error: >>>>>> >>>>>> ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load >>>>>> certificate file '/usr/local/etc/ser/certs/user-cert.pem' >>>>>> ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM >>>>>> routines:PEM_read_bio:no start line >>>>>> >>>>>> Probably I did something wrong in the key creation or configure >>>>>> something wrong in ser.cfg....The config is taken from a thread >>>>>> present in serdev about the status of the SER TLS module and it's >>>>>> really simple so I don't think it's wrong but anyway, here it is: >>>>>> >>>>>> >>>>>> >>>>>> loadmodule "/usr/local/lib/ser/modules/tls.so" >>>>>> loadmodule "/usr/local/lib/ser/modules/sl.so" >>>>>> loadmodule "/usr/local/lib/ser/modules/xmlrpc.so" >>>>>> >>>>>> listen=tls:a.b.c.d:5061 >>>>>> listen=tcp:a.b.c.d:5060 >>>>>> listen=udp:a.b.c.d:5060 >>>>>> >>>>>> alias=mydomain.com >>>>>> >>>>>> #modparam("tls", "tls_method", "TLSv1") >>>>>> modparam("tls", "tls_method", "SSLv23") >>>>>> modparam("tls", "verify_certificate", 1) >>>>>> modparam("tls", "require_certificate", 0) >>>>>> modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem") >>>>>> modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem") >>>>>> modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem") >>>>>> #modparam("tls", "config", "tls.cfg") >>>>>> >>>>>> route { >>>>>> if (proto == TLS && (method == "POST" || method == "GET")) { >>>>>> create_via(); # XMLRPC requests do not contain via, create it >>>>>> >>>>>> if (!@tls.peer.verified) { >>>>>> # Client did not provide certificate or it is not valid >>>>>> xmlrpc_reply("400", "Unauthorized"); >>>>>> break; >>>>>> } >>>>>> >>>>>> if (@xmlrpc.method == "core.kill") { >>>>>> # Make sure the client has the permission to 
execute the command >>>>>> if (@tls.peer != "SER-Killer") { >>>>>> xmlrpc_reply("400", "Access to core.kill denied"); >>>>>> break; >>>>>> } >>>>>> } >>>>>> >>>>>> dispatch_rpc(); >>>>>> break; >>>>>> } >>>>>> } >>>>>> >>>>>> >>>>>> Any comments are highly appreciated, thanks! >>>>>> >>>>>> Samuel. >>>>>> >>>>>> _______________________________________________ >>>>>> Serusers mailing list >>>>>> serusers@lists.iptel.org >>>>>> http://lists.iptel.org/mailman/listinfo/serusers >>>> _______________________________________________ >>>> Serusers mailing list >>>> serusers@lists.iptel.org >>>> http://lists.iptel.org/mailman/listinfo/serusers
Hi folks!
I am trying to set the ca_list using a CA cert I generated myself, but I could not get it to work. As soon as I set the ca_list parameter in the ser config file, SER does not start and gives a "no start line" error when reading the certificate.
If I use the external configuration file, I can not set any parameter containing a path: the path value is read as the control character ^T, which gives a "no such file" error.
I am using the latest CVS code.
Thanks! Samuel.
2006/4/11, samuel samu60@gmail.com:
The problem was in the ca_list. If I left it unset the cert/key is properly set and if I set it, SER gives start line error....probably I did not create/configure ca_list properly...
Thanks again! samuel.
2006/4/11, samuel samu60@gmail.com:
Really weird stuff going on in my host....I copied the cert to the default location ($PREFIX/etc/ser/cert.pem) and it worked. The best thing is that after this successful load, SER can read the cert in another path...and I did not change anything!!!!!! (Note: this leaves the root cause of the "no start line" error unexplained; also, the cert/key files were made world-readable/writable (777) earlier in this thread while troubleshooting — restore restrictive permissions so the private key is readable only by the user SER runs as.)
Thanks a lot to everyone (and specially Klaus)!!!
Samuel.
2006/4/11, Klaus Darilion klaus.mailinglists@pernau.at:
samuel wrote:
I first tried the external configuration file and indeed I had problems. I afterwards used the modparam approach and tried to set different keys and certs created in different ways (openser script, openssl 0.9.7e, openssl 0.9.8a, with and without encrypting the keys....) and had no success...
If I write a wrong path in the SER config file, the error that appears is "file not found" so I guess the location of certs/keys is properly set. Even in the log the path is right....
I would say it is a parsing problem, because if I modify the cert itself the error that appears in the SER log is different (I have really tried lots of "strange" things...). If I modify the data, I get a base64 error; if I add a blank line between BEGIN CERTIFICATE and the cert itself it complains about "no end line found"....that is why I deduced there is a problem in the parsing, but I ran out of time to continue debugging :(
Can you please send me a working testing cert/key to try in my setup?
If your certs work with openser I think they should be fine.
Try to rename the certs and put them into the default location. (To find out the default location and name for the certs, just start TLS without cert configuration and watch the logs.)
regards klaus
Thank you,
Samuel.
2006/4/11, Klaus Darilion klaus.mailinglists@pernau.at:
Are you using the simple configuration (in ser.cfg) or the advanced version (in a separate configuration file)?
Maybe there are bugs in the configuration part of TLS.
I tried once the external configuration file and it worked as long as I only used the default domains. Specifying dedicated TLS domain failed due to parser bugs.
regards klaus
samuel wrote:
Last check I made was to verify my own generated CA and server certs/keys with the latest openser-1.0.1-tls and it properly reads the files. I deduced therefore that there must be something wrong in the cert reading process in SER's tls module. I can not debug further due to lack of time but I hope to read some mail providing some feedback... it might also be some misconfiguration in my config, but I took it from the latest mails Jan sent to the mailing list regarding TLS configuration (see the first mail on this thread for the config file).
Thanks, Samuel.
2006/4/10, samuel samu60@gmail.com: > Last call for help....I'll detail steps to see if some guru finds what > I am not doing right: > > I have created the cert/key in the PEM format with the next commands: > Create self CA: > #openssl req -newkey rsa:2048 -keyout CA98key.pem -new -x509 -days 365 > -out CA98cert.pem -outform PEM > Create the request for our domain: > #openssl req -newkey rsa:2048 -keyout ser98key.pem -new -days 365 -out > ser98req.pem -outform PEM > Sing&issue cert > #openssl x509 -days 180 -CA CA98cert.pem -CAkey CA98key.pem -req > -CAcreateserial -CAserial ca.stl -in ser98req.pem -out ser98cert.pem > > The 98 comes from the openssl 0.9.8a (I upgraded from 0.9.7e after > several "lost" hours...) > > I can check with openssl tools the cert and key and both are OK and > can create connections using the s_server and s_client tools included > in the openssl package. They have the appropriate format, certificate > file: > > -----BEGIN CERTIFICATE----- > askjdfl > -----END CERTIFICATE----- > > and the key: > -----BEGIN RSA PRIVATE KEY----- > Proc-Type: 4,ENCRYPTED > DEK-Info: DES-EDE3-CBC,8B980883B8F1BADF > > -----END RSA PRIVATE KEY----- > > I have checked for "strange" characters but everything seems ok except > that when I start SER, it gives me: > > > Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:200: > TLSc<default>: Unable to load certificate file > '/usr/local/etc/ser/certs/ser98cert.pem' > Apr 10 17:55:47 serTLS ser[6741]: ERROR: tls/tls_domain.c:201: > load_cert:error:0906D06C:PEM routines:PEM_read_bio:no start line > Apr 10 17:55:47 serTLS ser[6741]: init_mod(): Error while initializing > module tls > > > Any feedback is highly appreciated...I never thought it would so > difficult to use TLS..... > > Samuel. > > 2006/4/10, samuel samu60@gmail.com: >> I have been able to create a TLS connection with openssl tools >> (s_server and s_client) using the certificates that SER is unable to >> open. 
>> Can anyone tell me how can I debug this problem and find where the problem is? >> >> Thanks again, >> samuell. >> >> >> 2006/4/7, samuel samu60@gmail.com: >>> It starts with Certificate and the corresponding fields. After this >>> information, the cert itself begins with the BEGIN statement. >>> >>> As I said, I am just starting with TLS and probably I did not create >>> the cert properly. I'll try to read more information meanwhile. >>> >>> Thanks, >>> Samuel. >>> >>> >>> 2006/4/7, Vaclav Kubart vaclav.kubart@iptel.org: >>>> Is the certificate really in PEM format? Try to look on it with openssl >>>> or try look into the file if starts with something like >>>> "-----BEGIN CERTIFICATE-----". >>>> >>>> If it is not in PEM format you can use openssl to convert it... >>>> >>>> Vaclav >>>> >>>> On Fri, Apr 07, 2006 at 01:59:53PM +0200, samuel wrote: >>>>> Yes....I even increased permissions up to the next level: >>>>> >>>>> -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 cert.pem >>>>> -rwxrwxrwx 1 root ser 1.7K 2006-04-07 12:51 key.pem >>>>> -rwxrwxrwx 1 root ser 1.4K 2006-04-07 12:26 user-calist.pem >>>>> -rwxrwxrwx 1 root ser 3.0K 2006-04-07 12:26 user-cert.pem >>>>> -rwxrwxrwx 1 root ser 530 2006-04-07 12:26 user-cert_req.pem >>>>> -rwxrwxrwx 1 root ser 493 2006-04-07 12:26 user-privkey. >>>>> >>>>> >>>>> 2006/4/7, Klaus Darilion klaus.mailinglists@pernau.at: >>>>>> Does have ser permissions to read the cert files? >>>>>> >>>>>> klaus >>>>>> >>>>>> samuel wrote: >>>>>>> Hi folks!! >>>>>>> >>>>>>> Finally I had time to test the new TLS module and faced lots of >>>>>>> problems...probably due to my lack of security knowledge. If somebody >>>>>>> can point me few links where I can gain some knowledge I'll appreciate >>>>>>> it.. >>>>>>> >>>>>>> The problem: >>>>>>> >>>>>>> I create the cert,key and ca-list using the scripts present in >>>>>>> openser's TLS module. 
I am using the latest CVS version and SER does >>>>>>> not start giving the next error: >>>>>>> >>>>>>> ERROR: tls/tls_domain.c:200: TLSc<default>: Unable to load >>>>>>> certificate file '/usr/local/etc/ser/certs/user-cert.pem' >>>>>>> ERROR: tls/tls_domain.c:201: load_cert:error:0906D06C:PEM >>>>>>> routines:PEM_read_bio:no start line >>>>>>> >>>>>>> Probably I did something wrong in the key creation or configure >>>>>>> something wrong in ser.cfg....The config is taken from a thread >>>>>>> present in serdev about the status of the SER TLS module and it's >>>>>>> really simple so I don't think it's wrong but anyway, here it is: >>>>>>> >>>>>>> >>>>>>> >>>>>>> loadmodule "/usr/local/lib/ser/modules/tls.so" >>>>>>> loadmodule "/usr/local/lib/ser/modules/sl.so" >>>>>>> loadmodule "/usr/local/lib/ser/modules/xmlrpc.so" >>>>>>> >>>>>>> listen=tls:a.b.c.d:5061 >>>>>>> listen=tcp:a.b.c.d:5060 >>>>>>> listen=udp:a.b.c.d:5060 >>>>>>> >>>>>>> alias=mydomain.com >>>>>>> >>>>>>> #modparam("tls", "tls_method", "TLSv1") >>>>>>> modparam("tls", "tls_method", "SSLv23") >>>>>>> modparam("tls", "verify_certificate", 1) >>>>>>> modparam("tls", "require_certificate", 0) >>>>>>> modparam("tls", "private_key", "/usr/local/etc/ser/certs/user-privkey.pem") >>>>>>> modparam("tls", "certificate", "/usr/local/etc/ser/certs/user-cert.pem") >>>>>>> modparam("tls", "ca_list", "/usr/local/etc/ser/certs/user-calist.pem") >>>>>>> #modparam("tls", "config", "tls.cfg") >>>>>>> >>>>>>> route { >>>>>>> if (proto == TLS && (method == "POST" || method == "GET")) { >>>>>>> create_via(); # XMLRPC requests do not contain via, create it >>>>>>> >>>>>>> if (!@tls.peer.verified) { >>>>>>> # Client did not provide certificate or it is not valid >>>>>>> xmlrpc_reply("400", "Unauthorized"); >>>>>>> break; >>>>>>> } >>>>>>> >>>>>>> if (@xmlrpc.method == "core.kill") { >>>>>>> # Make sure the client has the permission to execute the command >>>>>>> if (@tls.peer != "SER-Killer") { >>>>>>> xmlrpc_reply("400", 
"Access to core.kill denied"); >>>>>>> break; >>>>>>> } >>>>>>> } >>>>>>> >>>>>>> dispatch_rpc(); >>>>>>> break; >>>>>>> } >>>>>>> } >>>>>>> >>>>>>> >>>>>>> Any comments are highly appreciated, thanks! >>>>>>> >>>>>>> Samuel. >>>>>>> >>>>>>> _______________________________________________ >>>>>>> Serusers mailing list >>>>>>> serusers@lists.iptel.org >>>>>>> http://lists.iptel.org/mailman/listinfo/serusers >>>>> _______________________________________________ >>>>> Serusers mailing list >>>>> serusers@lists.iptel.org >>>>> http://lists.iptel.org/mailman/listinfo/serusers