<div dir="ltr"><div><div><div><div>Hi All.<br><br></div>Francisco, according to your tls configuration your kamailio must request and validate the SfB client certificate, as SfB is acting as a client in your case, sending the OPTIONS.<br><br><span class="gmail-im"><span style="color:rgb(31,73,125)">ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed </span></span><br></div>This line means that kamailio fails to verify the client certificate provided to it by SfB.<br><br></div>Are you sure that all the certificates necessary to verify the SfB client certificate are present in "ca_list = /usr/local/etc/kamailio/tls/myca_and_sfbca.pem"?<br></div><div><div><div><br></div></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature">--<br>Best regards,<br>Sergey Basov e-mail: <a href="mailto:sergey.v.basov@gmail.com" target="_blank">sergey.v.basov@gmail.com</a><br></div></div>
<br><div class="gmail_quote">2017-10-26 12:51 GMT+03:00 Daniel-Constantin Mierla <span dir="ltr"><<a href="mailto:miconda@gmail.com" target="_blank">miconda@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hello,<br>
</p><span class="">
<br>
<div class="m_1328597007067765309moz-cite-prefix">On 26.10.17 09:41, Francisco Valentin
Vinagrero wrote:<br>
</div>
<blockquote type="cite">
<div class="m_1328597007067765309WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hi
Frank,<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Yes,
I have tried s_client with a special ca_file (the same I’m
using in my tls.cfg). I obtain for both the UM and Skype
hosts/alias: “Verify return code: 0 (ok)”.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I
have also tried to download the public certificate first and
then verify it offline with:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">openssl
verify -verbose -CAfile myCAfile.pem remote.pem<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">It
all looks ok…<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">One
weird thing is that when checking the tls.options through
kamcmd, I always get an empty ca_list:<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<pre style="background:white">kamcmd tls.options
{
  …
  ca_list:
  …
}</pre>
</div>
</blockquote>
<br></span>
I think this is printing only the values for the structure set with
modparam. At startup there should be some info messages printing what is
read from tls.cfg.<br>
<br>
Eventually you can try setting ca_list via modparam and see how it
goes, maybe it is not used properly from tls.cfg and this will help
to figure out better if there is an issue...<br>
<br>
Cheers,<br>
Daniel<div><div class="h5"><br>
<blockquote type="cite">
<div class="m_1328597007067765309WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Cheers,
Francisco.<u></u><u></u></span></p>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">
sr-users [<a class="m_1328597007067765309moz-txt-link-freetext" href="mailto:sr-users-bounces@lists.kamailio.org" target="_blank">mailto:sr-users-bounces@<wbr>lists.kamailio.org</a>]
<b>On Behalf Of </b>Frank Carmickle<br>
<b>Sent:</b> Wednesday, October 25, 2017 17:01<br>
<b>To:</b> Kamailio (SER) - Users Mailing List
<a class="m_1328597007067765309moz-txt-link-rfc2396E" href="mailto:sr-users@lists.kamailio.org" target="_blank"><sr-users@lists.kamailio.org></a><br>
<b>Subject:</b> Re: [SR-Users] Mutual TLS with Skype for
Business 2015<u></u><u></u></span></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Oct 25, 2017, at 9:27 AM,
Francisco Valentin Vinagrero <<a href="mailto:francisco.valentin.vinagrero@cern.ch" target="_blank">francisco.valentin.vinagrero@<wbr>cern.ch</a>>
wrote:<u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Hello
Daniel,</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thanks
for your answer.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">I
don’t see much in the debug logs. Except for the SSL
verification error, the rest looks like the normal
SSL handshake and the TCP connection setup:</span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u><u></u></span></p>
</div>
<div>
<pre style="background:white">DEBUG: <core> [io_wait.h:598]: io_watch_del(): DBG: io_watch_del (0xa7edc0, 8, -1, 0x10) fd_no=2 called
DEBUG: <core> [tcp_read.c:1490]: release_tcpconn(): releasing con 0x7f9191b1ade0, state -2, fd=8, id=8 ([<SfB IP1>]:56267 -> [<SfB IP1>]:5061)
DEBUG: <core> [tcp_read.c:1491]: release_tcpconn(): extra_data 0x7f9191b39318
DEBUG: <core> [tcp_main.c:3243]: handle_tcp_child(): reader response= 7f9191b1ade0, -2 from 0
DEBUG: tls [tls_server.c:663]: tls_h_close(): Closing SSL connection 0x7f9191b39318
DEBUG: <core> [ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: <SfB IP1>
DEBUG: <core> [tcp_main.c:985]: tcpconn_new(): on port 56269, type 3
DEBUG: <core> [tcp_main.c:1295]: tcpconn_add(): hashes: 3769:3996:3198, 9
DEBUG: <core> [io_wait.h:376]: io_watch_add(): DBG: io_watch_add(0xa25be0, 30, 2, 0x7f9191b1ade0), fd_no=20
DEBUG: <core> [io_wait.h:598]: io_watch_del(): DBG: io_watch_del (0xa25be0, 30, -1, 0x0) fd_no=21 called
DEBUG: <core> [tcp_main.c:4131]: handle_tcpconn_ev(): sending to child, events 1
DEBUG: <core> [tcp_main.c:3813]: send2child(): selected tcp worker 1 12(4808) for activity on [tls:<LOCAL IP>:5061], 0x7f9191b1ade0
DEBUG: <core> [tcp_read.c:1566]: handle_io(): received n=8 con=0x7f9191b1ade0, fd=8
DEBUG: tls [tls_server.c:197]: tls_complete_init(): completing tls connection initialization
DEBUG: tls [tls_server.c:226]: tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7f9191861e98 ctx 0x7f9191887a10 sn [])
DEBUG: tls [tls_domain.c:703]: sr_ssl_ctx_info_callback(): SSL handshake started
DEBUG: <core> [tcp_main.c:2430]: tcpconn_do_send(): sending...
DEBUG: <core> [tcp_main.c:2464]: tcpconn_do_send(): after real write: c= 0x7f9191b1ade0 n=6692 fd=8
DEBUG: <core> [tcp_main.c:2465]: tcpconn_do_send(): buf=#012#026#003#003
DEBUG: <core> [io_wait.h:376]: io_watch_add(): DBG: io_watch_add(0xa7edc0, 8, 2, 0x7f9191b1ade0), fd_no=1
DEBUG: <core> [tcp_main.c:2430]: tcpconn_do_send(): sending...
DEBUG: <core> [tcp_main.c:2464]: tcpconn_do_send(): after real write: c= 0x7f9191b1ade0 n=7 fd=8
DEBUG: <core> [tcp_main.c:2465]: tcpconn_do_send(): buf=#012#025#003#003
ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
ERROR: <core> [tcp_read.c:1330]: tcp_read_req(): ERROR: tcp_read_req: error reading</pre>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Maybe
you can see some hint there that I don’t see?</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Cheers,
Francisco.</span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> </span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u><u></u></span></p>
</div>
<div>
<div style="border:none;border-top:solid #e1e1e1 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal" style="background:white"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span class="m_1328597007067765309apple-converted-space"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> </span></span><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Daniel-Constantin
Mierla [</span><a href="mailto:miconda@gmail.com" target="_blank"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#954f72">mailto:miconda@gmail.com</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">]<span class="m_1328597007067765309apple-converted-space"> </span><br>
<b>Sent:</b><span class="m_1328597007067765309apple-converted-space"> </span>Wednesday,
October 25, 2017 14:50<br>
<b>To:</b><span class="m_1328597007067765309apple-converted-space"> </span>Kamailio
(SER) - Users Mailing List <</span><a href="mailto:sr-users@lists.kamailio.org" target="_blank"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#954f72">sr-users@lists.kamailio.org</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">>;
Francisco Valentin Vinagrero <</span><a href="mailto:francisco.valentin.vinagrero@cern.ch" target="_blank"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#954f72">francisco.valentin.vinagrero@<wbr>cern.ch</span></a><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">><br>
<b>Subject:</b><span class="m_1328597007067765309apple-converted-space"> </span>Re:
[SR-Users] Mutual TLS with Skype for Business
2015<u></u><u></u></span></p>
</div>
</div>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <u></u><u></u></span></p>
</div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Hello,<u></u><u></u></span></p>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <u></u><u></u></span></p>
</div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">On
25.10.17 11:32, Francisco Valentin Vinagrero
wrote:<u></u><u></u></span></p>
</div>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Hello,<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">I’m
trying to replace two old Audiocodes gateways
(used to interconnect our Skype for Business
infrastructure to the PSTN) with a new Kamailio
cluster.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">I
am having some trouble getting TLS mutual
authentication working with Kamailio. For the
moment, I’m just trying to receive the incoming
OPTIONS from SfB, but I get certificate verification
errors all the time:</span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <u></u><u></u></span></p>
</div>
<div>
<pre style="background:white">ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
ERROR: <core> [tcp_read.c:1330]: tcp_read_req(): ERROR: tcp_read_req: error reading</pre>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">My
tls.cfg is quite simple, with the same config for
client and server (and one single
listen=tls:<my IP>:5061 in the Kamailio.cfg
file)<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <u></u><u></u></span></p>
</div>
<div>
<pre style="background:white">[server:default]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /usr/local/etc/kamailio/tls/key_gw_sfb.pem
certificate = /usr/local/etc/kamailio/tls/cert_gw_sfb.pem # => This certificate’s Subject is the DNS alias for the cluster, with all the kamailios in the cluster as Subject Alternative Names
ca_list = /usr/local/etc/kamailio/tls/myca_and_sfbca.pem # => Kamailio and Skype for Business are signed by different CAs, so here I concatenated all intermediate and root CAs

[client:default]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /usr/local/etc/kamailio/tls/key_gw_sfb.pem
certificate = /usr/local/etc/kamailio/tls/cert_gw_sfb.pem
ca_list = /usr/local/etc/kamailio/tls/myca_and_sfbca.pem</pre>
</div>
</blockquote>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">When
I run Kamailio, I can see incoming OPTIONS from
Microsoft Exchange Unified Messaging (UM), whose
certificate I verify without any issues. UM
presents a certificate issued for a single
machine, so no Subject Alternative Names (SANs)
are involved.<u></u><u></u></span></p>
</div>
</blockquote>
</div>
</blockquote>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<div>
<p class="MsoNormal">You’ve verified this by using
s_client? Getting a TLS session established with
s_client first will likely shed light on a possible
misconfiguration.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">--FC<u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The
problem comes with the TLS handshake for the Skype
Mediation pool. They have a certificate with
Subject = DNS alias and all the physical machines
that are behind the alias appear listed as Subject
Alternative Names (SANs) in the certificate.<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">As
the only difference between UM and Skype’s
Mediation is the certificate’s Subject, I think I
am missing something on my configuration to
validate the SANs instead of the subject. Is the
TLS module doing any reverse DNS lookup to verify
this?<u></u><u></u></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <u></u><u></u></span></p>
</div>
</blockquote>
<div>
<p class="MsoNormal" style="background:white">afaik, the
certificate validation is done by libssl; kamailio
is not doing much in this respect, and there is no dns query
inside the kamailio tls module. Maybe some parameters must
be set when asking for validation.<br>
<br>
If you run with debug=3 inside kamailio.cfg, do you
see any log messages that can help in identifying why
it fails?<br>
<br>
Cheers,<br>
Daniel<br>
<br>
<br>
<span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><u></u><u></u></span></p>
</div>
<pre style="background:white">-- <u></u><u></u></pre>
<pre style="background:white">Daniel-Constantin Mierla<u></u><u></u></pre>
<pre style="background:white"><a href="http://www.twitter.com/miconda" target="_blank"><span style="color:#954f72">www.twitter.com/miconda</span></a> -- <a href="http://www.linkedin.com/in/miconda" target="_blank"><span style="color:#954f72">www.linkedin.com/in/miconda</span></a><u></u><u></u></pre>
<pre style="background:white">Kamailio Advanced Training, Nov 13-15, 2017, in Berlin - <a href="http://www.asipto.com/" target="_blank"><span style="color:#954f72">www.asipto.com</span></a><u></u><u></u></pre>
<pre style="background:white">Kamailio World Conference - <a href="http://www.kamailioworld.com/" target="_blank"><span style="color:#954f72">www.kamailioworld.com</span></a><u></u><u></u></pre>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;background:white">______________________________<wbr>_________________</span><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
<span style="background:white">Kamailio (SER) - Users
Mailing List</span><br>
</span><a href="mailto:sr-users@lists.kamailio.org" target="_blank"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#954f72;background:white">sr-users@lists.kamailio.org</span></a><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br>
</span><a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" target="_blank"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:#954f72;background:white">https://lists.kamailio.org/<wbr>cgi-bin/mailman/listinfo/sr-<wbr>users</span></a><u></u><u></u></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</blockquote>
<br>
</div></div></div>
<br></blockquote></div><br></div></div>