<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hello,<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 26.10.17 09:41, Francisco Valentin
      Vinagrero wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:D344618A4B7B0F4ABA8047A07E92D47401F66BB371@CERNXCHG51.cern.ch">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hi
            Frank,<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Yes,
            I have tried s_client with a special ca_file (the same I’m
            using in my tls.cfg). I obtain for both the UM and Skype
            hosts/alias: “Verify return code: 0 (ok)”.<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I
            have also tried to download the public certificate first and
            then verify it offline with:<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal" style="text-indent:.5in"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">openssl
            verify -verbose -CAfile myCAfile.pem remote.pem<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">It
            all looks ok…<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">One
            weird thing is that when checking the tls.options through
            kamcmd, I always get an empty ca_list:<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">kamcmd
            tls.options<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">{<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">       
            …<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">       ca_list:<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">       
            …<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">}</span></p>
      </div>
    </blockquote>
    <br>
    I think this is printing only the values for the structure set with
    modparam. At startup there should be some info messages printing what
    is read from tls.cfg.<br>
    <br>
    Eventually you can try setting ca_list via modparam and see how it
    goes, maybe it is not used properly from tls.cfg and this will help
    to figure out better if there is an issue...<br>
    <br>
    Cheers,<br>
    Daniel<br>
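<br>
An added check, not part of this thread or of Kamailio itself: the script below parses a tls.cfg in the format quoted further down, flags a domain whose verify_certificate, require_certificate or ca_list settings cannot verify a peer (including the empty ca_list case discussed above), counts the certificates in the concatenated CA bundle, and renders the default domain as the modparam lines Daniel suggests trying. The tls.cfg text, the PEM bundle and the file reader are constructed stand-ins; the modparam names used (tls_method, verify_certificate, require_certificate, private_key, certificate, ca_list) are the tls module's documented parameters, and trailing '#' comments on a line are assumed to be acceptable.<br>

```python
"""Sanity-check a Kamailio tls.cfg for mutual TLS (added example, not Kamailio code)."""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r"^\[(server|client):([^\]]+)\]$")
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)

# tls.cfg key -> tls module modparam name (assumed from the module's documented params).
MODPARAM_NAMES = {
    "method": "tls_method",
    "verify_certificate": "verify_certificate",
    "require_certificate": "require_certificate",
    "private_key": "private_key",
    "certificate": "certificate",
    "ca_list": "ca_list",
}
INT_PARAMS = {"verify_certificate", "require_certificate"}  # yes/no become 1/0


@dataclass
class TlsDomain:
    role: str                      # "server" or "client"
    name: str                      # "default" or "ip:port"
    options: dict = field(default_factory=dict)


def parse_tls_cfg(text):
    """Parse the [role:name] sections of a tls.cfg into TlsDomain objects."""
    domains, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment (trailing ones assumed ok)
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = TlsDomain(m.group(1), m.group(2))
            domains.append(current)
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.partition("=")
        current.options[key.strip()] = value.strip()
    return domains


def count_pem_certs(pem_text):
    """Number of PEM certificate blocks in a (possibly concatenated) bundle."""
    return len(PEM_CERT_RE.findall(pem_text))


def check_mutual_tls(domain, read_file):
    """Return findings for one domain; an empty list means it can verify peers."""
    o, findings = domain.options, []
    if o.get("verify_certificate") != "yes":
        findings.append("verify_certificate is not 'yes': the peer certificate is never checked")
    if domain.role == "server" and o.get("require_certificate") != "yes":
        findings.append("require_certificate is not 'yes': clients without a certificate are accepted")
    ca_list = o.get("ca_list")
    if not ca_list:
        findings.append("ca_list is empty: no trust anchor to verify the peer against")
        return findings
    try:
        n = count_pem_certs(read_file(ca_list))
    except OSError as exc:
        findings.append(f"ca_list {ca_list} cannot be read: {exc}")
        return findings
    if n == 0:
        findings.append(f"ca_list {ca_list} contains no PEM certificates")
    elif n == 1:
        findings.append(f"ca_list {ca_list} holds one certificate; a peer issued by an "
                        "intermediate CA fails unless that intermediate is in the bundle")
    return findings


def to_modparam(domain):
    """Render a domain's options as modparam("tls", ...) lines for the default domain."""
    lines = []
    for key, value in domain.options.items():
        name = MODPARAM_NAMES.get(key)
        if name is None:
            continue
        if name in INT_PARAMS:
            lines.append(f'modparam("tls", "{name}", {1 if value.lower() == "yes" else 0})')
        else:
            lines.append(f'modparam("tls", "{name}", "{value}")')
    return lines


# Constructed sample input modelled on the tls.cfg quoted in this thread.
SAMPLE_TLS_CFG = """\
[server:default]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /usr/local/etc/kamailio/tls/key_gw_sfb.pem
certificate = /usr/local/etc/kamailio/tls/cert_gw_sfb.pem
ca_list = /usr/local/etc/kamailio/tls/myca_and_sfbca.pem  # concatenated root + intermediate CAs

[client:default]
method = TLSv1+
verify_certificate = yes
"""
# Constructed placeholder PEM blocks standing in for real CA certificates.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
FAKE_FILES = {"/usr/local/etc/kamailio/tls/myca_and_sfbca.pem": FAKE_CERT * 3}


def read_fake_file(path):
    """Stand-in for open(path).read() so the example runs without real files."""
    if path not in FAKE_FILES:
        raise FileNotFoundError(path)
    return FAKE_FILES[path]


if __name__ == "__main__":
    for dom in parse_tls_cfg(SAMPLE_TLS_CFG):
        print(f"[{dom.role}:{dom.name}]")
        for finding in check_mutual_tls(dom, read_fake_file) or ["ok"]:
            print("   ", finding)
        if dom.name == "default":
            print("\n".join("    " + l for l in to_modparam(dom)))
```

Run it against the real tls.cfg by replacing SAMPLE_TLS_CFG and read_fake_file with open(...).read(); the client domain above deliberately lacks ca_list so the empty-trust-store finding is shown.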
    <blockquote type="cite"
      cite="mid:D344618A4B7B0F4ABA8047A07E92D47401F66BB371@CERNXCHG51.cern.ch">
      <div class="WordSection1">
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"><o:p> </o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Cheers,
            Francisco.<o:p></o:p></span></p>
        <div>
          <div style="border:none;border-top:solid #E1E1E1
            1.0pt;padding:3.0pt 0in 0in 0in">
            <p class="MsoNormal"><b><span
                  style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
                sr-users [<a class="moz-txt-link-freetext" href="mailto:sr-users-bounces@lists.kamailio.org">mailto:sr-users-bounces@lists.kamailio.org</a>]
                <b>On Behalf Of </b>Frank Carmickle<br>
                <b>Sent:</b> Wednesday, October 25, 2017 17:01<br>
                <b>To:</b> Kamailio (SER) - Users Mailing List
                <a class="moz-txt-link-rfc2396E" href="mailto:sr-users@lists.kamailio.org"><sr-users@lists.kamailio.org></a><br>
                <b>Subject:</b> Re: [SR-Users] Mutual TLS with Skype for
                Business 2015<o:p></o:p></span></p>
          </div>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <div>
              <p class="MsoNormal">On Oct 25, 2017, at 9:27 AM,
                Francisco Valentin Vinagrero <<a
                  href="mailto:francisco.valentin.vinagrero@cern.ch"
                  moz-do-not-send="true">francisco.valentin.vinagrero@cern.ch</a>>
                wrote:<o:p></o:p></p>
            </div>
            <p class="MsoNormal"><o:p> </o:p></p>
            <div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Hello
                    Daniel,</span><span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Thanks
                    for your answer.</span><span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">I
                    don’t see much in the debug logs. Except the SSL
                    verification error, the rest looks like the normal
                    SSL handshake and the TCP connection setup:</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [io_wait.h:598]: io_watch_del(): DBG:
                    io_watch_del (0xa7edc0, 8, -1, 0x10) fd_no=2
                    called                                                  </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [tcp_read.c:1490]: release_tcpconn():
                    releasing con 0x7f9191b1ade0, state -2, fd=8, id=8
                    ([<SfB IP1>]:56267 -> [<SfB
                    IP1>]:5061)</span><span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [tcp_read.c:1491]: release_tcpconn():
                    extra_data
0x7f9191b39318                                                                            </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [tcp_main.c:3243]: handle_tcp_child():
                    reader response= 7f9191b1ade0, -2 from
                    0                                                            </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    tls [tls_server.c:663]: tls_h_close(): Closing SSL
                    connection
0x7f9191b39318                                                                      </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [ip_addr.c:229]: print_ip():
                    tcpconn_new: new tcp connection: <SfB
                    IP1>                                                              </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [tcp_main.c:985]: tcpconn_new(): on
                    port 56269, type
                    3                                                           
                                              </span><span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [tcp_main.c:1295]: tcpconn_add():
                    hashes: 3769:3996:3198,
9                                                                                </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [io_wait.h:376]: io_watch_add(): DBG:
                    io_watch_add(0xa25be0, 30, 2, 0x7f9191b1ade0),
                    fd_no=20                                              </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [io_wait.h:598]: io_watch_del(): DBG:
                    io_watch_del (0xa25be0, 30, -1, 0x0) fd_no=21
                    called                                                 </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [tcp_main.c:4131]: handle_tcpconn_ev():
                    sending to child, events
1                                                                         </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [tcp_main.c:3813]: send2child():
                    selected tcp worker 1 12(4808) for activity on
                    [tls:<LOCAL IP>:5061],
                    0x7f9191b1ade0                  </span><span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [tcp_read.c:1566]: handle_io():
                    received n=8 con=0x7f9191b1ade0,
                    fd=8                                                                    
                      </span><span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    tls [tls_server.c:197]: tls_complete_init():
                    completing tls connection
initialization                                                             </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    tls [tls_server.c:226]: tls_complete_init(): Using
                    initial TLS domain TLSs<default> (dom
                    0x7f9191861e98 ctx 0x7f9191887a10 sn
                    [])                 </span><span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    tls [tls_domain.c:703]: sr_ssl_ctx_info_callback():
                    SSL handshake
started                                                                         </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [tcp_main.c:2430]: tcpconn_do_send():
sending...                                                                                           </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [tcp_main.c:2464]: tcpconn_do_send():
                    after real write: c= 0x7f9191b1ade0 n=6692
                    fd=8                                             
                             </span><span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [tcp_main.c:2465]: tcpconn_do_send():
buf=#012#026#003#003                                                                                 </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [io_wait.h:376]: io_watch_add(): DBG:
                    io_watch_add(0xa7edc0, 8, 2, 0x7f9191b1ade0),
                    fd_no=1                                                </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [tcp_main.c:2430]: tcpconn_do_send():
sending...                                                                                           </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [tcp_main.c:2464]: tcpconn_do_send():
                    after real write: c= 0x7f9191b1ade0 n=7
                    fd=8                                                         </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">DEBUG:
                    <core> [tcp_main.c:2465]: tcpconn_do_send():
buf=#012#025#003#003                                                                 
                                    </span><span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">ERROR:
                    tls [tls_util.h:42]: tls_err_ret(): TLS
                    accept:error:14089086:SSL
                    routines:ssl3_get_client_certificate:certificate
                    verify failed                  </span><span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">ERROR:
                    <core> [tcp_read.c:1330]: tcp_read_req():
                    ERROR: tcp_read_req: error reading   </span><span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Maybe
                    you can see some hint there that I don’t see?</span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D">Cheers,
                    Francisco.</span><span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D"> </span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <div>
                <div style="border:none;border-top:solid #E1E1E1
                  1.0pt;padding:3.0pt 0in 0in 0in">
                  <div>
                    <p class="MsoNormal" style="background:white"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
                        class="apple-converted-space"><span
                          style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Daniel-Constantin
                        Mierla [</span><a
                        href="mailto:miconda@gmail.com"
                        moz-do-not-send="true"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#954F72">mailto:miconda@gmail.com</span></a><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">]<span
                          class="apple-converted-space"> </span><br>
                        <b>Sent:</b><span class="apple-converted-space"> </span>Wednesday,
                        October 25, 2017 14:50<br>
                        <b>To:</b><span class="apple-converted-space"> </span>Kamailio
                        (SER) - Users Mailing List <</span><a
                        href="mailto:sr-users@lists.kamailio.org"
                        moz-do-not-send="true"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#954F72">sr-users@lists.kamailio.org</span></a><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">>;
                        Francisco Valentin Vinagrero <</span><a
                        href="mailto:francisco.valentin.vinagrero@cern.ch"
                        moz-do-not-send="true"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#954F72">francisco.valentin.vinagrero@cern.ch</span></a><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">><br>
                        <b>Subject:</b><span
                          class="apple-converted-space"> </span>Re:
                        [SR-Users] Mutual TLS with Skype for Business
                        2015<o:p></o:p></span></p>
                  </div>
                </div>
              </div>
              <div>
                <p class="MsoNormal" style="background:white"><span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
              </div>
              <p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;background:white"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">Hello,<o:p></o:p></span></p>
              <div>
                <p class="MsoNormal" style="background:white"><span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
              </div>
              <div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">On
                      25.10.17 11:32, Francisco Valentin Vinagrero
                      wrote:<o:p></o:p></span></p>
                </div>
              </div>
              <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">Hello,<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">I’m
                      trying to replace two old Audiocodes gateways
                      (used to interconnect our Skype for Business
                      infrastructure to the PSTN) with a new Kamailio
                      cluster.<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">I
                      am having some trouble to get the TLS mutual
                      authentication working with Kamailio.  For the
                      moment, I’m just trying to receive the incoming
                      OPTIONS from SfB, but I get all the time
                      certificate verification errors:<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">ERROR:
                      tls [tls_util.h:42]: tls_err_ret(): TLS
                      accept:error:14089086:SSL
                      routines:ssl3_get_client_certificate:certificate
                      verify failed<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">ERROR:
                      <core> [tcp_read.c:1330]: tcp_read_req():
                      ERROR: tcp_read_req: error reading<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">My
                      tls.cfg is quite simple, with the same config for
                      client and server (and one single
                      listen=tls:<my IP>:5061 in the Kamailio.cfg
                      file)<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">[server:default]<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">method
                      = TLSv1+<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">verify_certificate
                      = yes<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">require_certificate
                      = yes<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">private_key
                      = /usr/local/etc/kamailio/tls/key_gw_sfb.pem<span
                        class="apple-converted-space"> </span><o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">certificate
                      = /usr/local/etc/kamailio/tls/cert_gw_sfb.pem  #
                      => This certificate’s Subject is the DNS alias
                      for the cluster, with all the kamailios in the
                      cluster as Subject Alternative Names<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">ca_list
                      = /usr/local/etc/kamailio/tls/myca_and_sfbca.pem
                       # => Kamailio and Skype for Business are
                      signed by different CAs,  so here I concatenated
                      all intermediate and root CAs<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">[client:default]<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">method
                      = TLSv1+<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">verify_certificate
                      = yes<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">require_certificate
                      = yes<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">private_key
                      = /usr/local/etc/kamailio/tls/key_gw_sfb.pem<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif"
                      lang="FR">certificate =
                      /usr/local/etc/kamailio/tls/cert_gw_sfb.pem<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">ca_list
                      = /usr/local/etc/kamailio/tls/myca_and_sfbca.pem<o:p></o:p></span></p>
                </div>
              </blockquote>
            </div>
          </blockquote>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <div>
              <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">When
                      I run Kamailio, I can see incoming OPTIONS from
                      Microsoft Exchange Unified Messaging (UM), whose
                      certificate I verify without any issues. UM
                      presents a certificate issued for a single
                      machine, so no Subject Alternative Names (SANs)
                      are involved.<o:p></o:p></span></p>
                </div>
              </blockquote>
            </div>
          </blockquote>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <div>
            <div>
              <p class="MsoNormal">You’ve verified this by using
                s_client? Getting a TLS session established with
                s_client first will likely shed light on a possible
                misconfiguration.<o:p></o:p></p>
            </div>
            <div>
              <p class="MsoNormal"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal">--FC<o:p></o:p></p>
            </div>
          </div>
          <div>
            <p class="MsoNormal"><o:p> </o:p></p>
          </div>
          <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
            <div>
              <blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">The
                      problem comes with the TLS handshake for the Skype
                      Mediation pool. They have a certificate with
                      Subject = DNS alias and all the physical machines
                      that are behind the alias appear listed as Subject
                      Alternative Names (SANs) in the certificate.<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif">As
                      the only difference between UM and Skype’s
                      Mediation is the certificate’s Subject, I think I
                      am missing something on my configuration to
                      validate the SANs instead of the subject. Is the
                      TLS module doing any reverse DNS lookup to verify
                      this?<o:p></o:p></span></p>
                </div>
                <div>
                  <p class="MsoNormal" style="background:white"><span
                      style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
                </div>
              </blockquote>
              <div>
                <p class="MsoNormal" style="background:white">afaik, the
                  certificate validation is done by libssl; kamailio
                  is not doing much in this respect, and there is no DNS query
                  inside the kamailio tls module. Maybe some parameters must
                  be set when asking for validation.<br>
                  <br>
                  If you run with debug=3 inside kamailio.cfg, do you
                  see any log messages that can help in identifying why
                  it fails?<br>
                  <br>
                  Cheers,<br>
                  Daniel<br>
                  <br>
                  <br>
                  <span
                    style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p></o:p></span></p>
              </div>
              <pre style="background:white">-- <o:p></o:p></pre>
              <pre style="background:white">Daniel-Constantin Mierla<o:p></o:p></pre>
              <pre style="background:white"><a href="http://www.twitter.com/miconda" moz-do-not-send="true"><span style="color:#954F72">www.twitter.com/miconda</span></a> -- <a href="http://www.linkedin.com/in/miconda" moz-do-not-send="true"><span style="color:#954F72">www.linkedin.com/in/miconda</span></a><o:p></o:p></pre>
              <pre style="background:white">Kamailio Advanced Training, Nov 13-15, 2017, in Berlin - <a href="http://www.asipto.com/" moz-do-not-send="true"><span style="color:#954F72">www.asipto.com</span></a><o:p></o:p></pre>
              <pre style="background:white">Kamailio World Conference - <a href="http://www.kamailioworld.com/" moz-do-not-send="true"><span style="color:#954F72">www.kamailioworld.com</span></a><o:p></o:p></pre>
              <p class="MsoNormal"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;background:white">_______________________________________________</span><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
                  <span style="background:white">Kamailio (SER) - Users
                    Mailing List</span><br>
                </span><a href="mailto:sr-users@lists.kamailio.org"
                  moz-do-not-send="true"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#954F72;background:white">sr-users@lists.kamailio.org</span></a><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
                </span><a
                  href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users"
                  moz-do-not-send="true"><span
style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#954F72;background:white">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</span></a><o:p></o:p></p>
            </div>
          </blockquote>
        </div>
        <p class="MsoNormal"><o:p> </o:p></p>
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio Advanced Training, Nov 13-15, 2017, in Berlin - <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
Kamailio World Conference - <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com">www.kamailioworld.com</a></pre>
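<p>The thread above turns on what peer name verification actually compares. As an added illustration, not code from the thread, from Kamailio or from libssl: the Python below parses the value of a Subject Alternative Name extension (a hand-constructed DER GeneralNames blob, marked as such in the code) and applies RFC 6125 style matching of an expected name against the dNSName and iPAddress entries. It shows the mechanism that the tls.cfg quoted above relies on: the verifier compares the name it was told to expect with the names carried in the certificate, and no forward or reverse DNS lookup takes part in that decision. The names pool.example.com, med1/med2.example.com and 10.0.0.7 are invented sample data; the function names are this example's own.</p>

```python
import ipaddress

# Constructed sample: the DER value of an X.509 subjectAltName extension,
# i.e. GeneralNames ::= SEQUENCE OF GeneralName, written out by hand.
# Context-specific tag [2] (0x82) is dNSName, [7] (0x87) is iPAddress.
# All names are invented for this example.
SAMPLE_SAN = (
    bytes([0x30, 0x3C])                              # SEQUENCE, 60 bytes
    + bytes([0x82, 16]) + b"pool.example.com"        # dNSName (the alias)
    + bytes([0x82, 16]) + b"med1.example.com"        # dNSName (node 1)
    + bytes([0x82, 16]) + b"med2.example.com"        # dNSName (node 2)
    + bytes([0x87, 4]) + bytes([10, 0, 0, 7])        # iPAddress 10.0.0.7
)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_general_names(der):
    """Decode a GeneralNames SEQUENCE into [(kind, value), ...]."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a GeneralNames SEQUENCE")
    names = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        kind = tag & 0x1F                  # strip class/constructed bits
        if kind == 2:
            names.append(("DNS", value.decode("ascii")))
        elif kind == 7:
            names.append(("IP", str(ipaddress.ip_address(value))))
        elif kind == 1:
            names.append(("email", value.decode("ascii")))
        elif kind == 6:
            names.append(("URI", value.decode("ascii")))
        else:                              # otherName, directoryName, ...
            names.append(("other", value.hex()))
    return names


def _dns_match(pattern, hostname):
    """RFC 6125 style dNSName comparison: case-insensitive, and a wildcard
    may only replace the whole leftmost label of a name with 3+ labels."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def peer_name_matches(san_der, expected):
    """True if the name the verifier expects is covered by the SAN entries.
    An IP literal is compared against iPAddress entries only; a hostname
    against dNSName entries only. Nothing is looked up in DNS."""
    names = parse_general_names(san_der)
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP" and v == str(ip) for k, v in names)
    return any(k == "DNS" and _dns_match(v, expected) for k, v in names)


if __name__ == "__main__":
    for name in ("pool.example.com", "MED2.example.com", "med3.example.com",
                 "10.0.0.7", "10.0.0.8"):
        print(f"{name:20s} -> {peer_name_matches(SAMPLE_SAN, name)}")
```

<p>Two things the sample makes concrete for the question in the thread. First, the only input besides the certificate is the name the verifying side expects, so which name that is (the pool alias or the physical host the connection actually came from) decides the outcome. Second, when a certificate carries dNSName SANs, RFC 6125 verifiers, OpenSSL's X509_check_host included, do not fall back to the Subject CN, so an alias that appears only in the CN does not match. Whether the Kamailio tls module performs a name check at all is not something this thread establishes, which is what the s_client test suggested earlier would reveal.</p>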
  </body>
</html>