<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">The CRL with the revoked server certificate needs to be loaded in the SIP client. The TLS server doesn't send the CRL to the client during the handshake.<br><br><div id="AppleMailSignature">Sent from my iPhone</div><div><br>On Jul 3, 2018, at 6:16 AM, Daniel-Constantin Mierla &lt;<a href="mailto:miconda@gmail.com">miconda@gmail.com</a>&gt; wrote:<br><br></div><blockquote type="cite"><div>
<p>Hello,</p>
<p>I haven't played with CRL lately, but kamailio should just call
libssl functions for validating the certificates, after
initializing the context with the CRL file.</p>
<p>Maybe you can open an issue on the <a href="http://github.com/kamailio/kamailio">github.com/kamailio/kamailio</a>
tracker and add there all log messages printed by kamailio with
debug=3 in kamailio.cfg. In this way we do not forget about it and
it can be investigated properly.<br>
</p>
Cheers,<br>
Daniel<br>
<br>
<div class="moz-cite-prefix">On 28.06.18 08:47, Amarnath Kanchivanam
wrote:<br>
</div>
<blockquote type="cite" cite="mid:CAMBV8rswFBi3Jd0MOyRiKhoNrVVxELwZLWuyKF7s8u2opT59Mw@mail.gmail.com">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr">Hi All,<br>
</div>
<div dir="ltr">
<div><br>
</div>
<div>I'm trying to configure kamailio as a TLS server with
the configuration below (tls.cfg), and the TLS server starts
successfully.</div>
<div><br>
</div>
<div>
<pre wrap="">[server:default]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = ./sip/server.key
certificate = ./sip/server.crt
ca_list = ./bundle.crt
crl = ./sip_crl.pem
verify_depth = 9

[client:default]
verify_certificate = no
require_certificate = no
</pre>
</div>
<div><br>
</div>
<div>TLS connection works fine.</div>
<div>Later I updated sip_crl.pem with the revocation details of the
server certificate and ran the tls.reload command to load the
latest update. </div>
<div>After this I expect that any TLS client trying to establish
a TLS connection should fail, as the client and server
certificates are signed by the same authority and the server
certificate is revoked. But the clients are able to
establish TLS connections without any errors.</div>
<div><br>
</div>
<div>I'm not getting any traces to confirm that CRL validation
has been performed before accepting the TLS connection. </div>
<div><br>
</div>
<div>Any advice would help me proceed with evaluating the CRL
functionality.</div>
<div><br>
</div>
<div>-Amar</div>
</div>
</div>
</div>
<br>
<pre wrap="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio World Conference -- <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com">www.kamailioworld.com</a></pre>
</div></blockquote></body></html>