<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hello,</p>
    <p>the server checks if the client certificate is revoked. It is the
      duty of the client to check if the server certificate is revoked
      and close the connection. It is about a party checking if the
      other party of the connection is using a trusted and valid
      certificate or not.</p>
    <p>Cheers,<br>
      Daniel<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 10.07.18 08:15, Amarnath Kanchivanam
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAMBV8ruMh5jtH8K0hapOizCrOR+7qbkJgKJB_HpJCW2nhe1bCg@mail.gmail.com">
      <div dir="ltr">Hi,
        <div><br>
        </div>
        <div>Could you share your thoughts on the below clarification?</div>
        <div><br>
        </div>
        <div>Regards,</div>
        <div>Amarnath</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr">On Fri, Jul 6, 2018 at 4:06 PM Amarnath
          Kanchivanam <<a href="mailto:ykamarnath.sip@gmail.com"
            moz-do-not-send="true">ykamarnath.sip@gmail.com</a>>
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div dir="ltr">Thanks Daniel and Ding Ma.
            <div><br>
            </div>
            <div>I have a Certificate Authority, which signed the server
              certificate and the client certificate. </div>
            <div>The server certificate and root CA are added to the server. </div>
            <div>The client certificate and root CA are added to the client.</div>
            <div>Now the CRL file path is updated on the server and its own
              server certificate is revoked. In this case, what should the
              Kamailio server's behavior be if any client wants to establish
              a TLS connection? Or, since its own server certificate is
              revoked, should TLS be disabled on the server side?</div>
            <div><br>
            </div>
            <div>As per my understanding, TLS should be disabled on the
              server side, as it does not have a valid certificate. Please
              share your thoughts on this.</div>
            <div><br>
            </div>
            <div>Regards,</div>
            <div>Amarnath</div>
          </div>
          <br>
          <div class="gmail_quote">
            <div dir="ltr">On Tue, Jul 3, 2018 at 5:22 PM Ding Ma <<a
                href="mailto:mading087@gmail.com" target="_blank"
                moz-do-not-send="true">mading087@gmail.com</a>>
              wrote:<br>
            </div>
            <blockquote class="gmail_quote" style="margin:0 0 0
              .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div dir="auto">The CRL with revoked server certificate
                needs to be loaded in the sip client. TLS server doesn’t
                send CRL to client during handshake.<br>
                <br>
                <div
                  id="m_385290406500180484m_-4056747907176162265AppleMailSignature">Sent
                  from my iPhone</div>
                <div><br>
                  On Jul 3, 2018, at 6:16 AM, Daniel-Constantin Mierla
                  <<a href="mailto:miconda@gmail.com" target="_blank"
                    moz-do-not-send="true">miconda@gmail.com</a>>
                  wrote:<br>
                  <br>
                </div>
                <blockquote type="cite">
                  <div>
                    <p>Hello,</p>
                    <p>haven't played with CRL lately, but kamailio
                      should just call libssl functions for validating
                      the certificates, after initializing the context
                      with the CRL file.</p>
                    <p>Maybe you can open an issue on the <a
                        href="http://github.com/kamailio/kamailio"
                        target="_blank" moz-do-not-send="true">github.com/kamailio/kamailio</a>
                      tracker and add there all log messages printed by
                      kamailio with debug=3 in kamailio.cfg. In this way
                      we do not forget about it and it can be investigated
                      properly.<br>
                    </p>
                    Cheers,<br>
                    Daniel<br>
                    <br>
                    <div
                      class="m_385290406500180484m_-4056747907176162265moz-cite-prefix">On
                      28.06.18 08:47, Amarnath Kanchivanam wrote:<br>
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div class="gmail_quote">
                          <div dir="ltr">Hi All,<br>
                          </div>
                          <div dir="ltr">
                            <div><br>
                            </div>
                            <div>I'm trying to configure Kamailio as a
                              TLS server with the below configuration
                              (tls.cfg), and the TLS server is started
                              successfully.</div>
                            <div><br>
                            </div>
                            <pre>[server:default]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = ./sip/server.key
certificate = ./sip/server.crt
ca_list = ./bundle.crt
crl = ./sip_crl.pem
verify_depth = 9

[client:default]
verify_certificate = no
require_certificate = no</pre>
                            <div><br>
                            </div>
                            <div>The TLS connection works fine.</div>
                            <div>Later I have updated the sip_crl.pem
                              with the server certificate's revocation details
                              and performed the tls.reload command to load
                              the latest update. </div>
                            <div>After this I expect that any TLS client
                              trying to establish a TLS connection should
                              fail, as the client and server
                              certificates are signed by the same authority
                              and the server certificate is revoked. But the
                              clients are able to establish TLS
                              connections without any errors.</div>
                            <div><br>
                            </div>
                            <div>I'm not getting any traces to confirm that
                              CRL validation has been performed before
                              accepting the TLS connection. </div>
                            <div><br>
                            </div>
                            <div>Any advice would be helpful to proceed
                              with evaluating the CRL functionality.</div>
                            <div><br>
                            </div>
                            <div>-Amar</div>
                          </div>
                        </div>
                      </div>
                      <br>
                      <br>
                      <pre>_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="m_385290406500180484m_-4056747907176162265moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org" target="_blank" moz-do-not-send="true">sr-users@lists.kamailio.org</a>
<a class="m_385290406500180484m_-4056747907176162265moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" target="_blank" moz-do-not-send="true">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
                    </blockquote>
                    <br>
                    <pre class="m_385290406500180484m_-4056747907176162265moz-signature" cols="72">-- 
Daniel-Constantin Mierla -- <a class="m_385290406500180484m_-4056747907176162265moz-txt-link-abbreviated" href="http://www.asipto.com" target="_blank" moz-do-not-send="true">www.asipto.com</a>
<a class="m_385290406500180484m_-4056747907176162265moz-txt-link-abbreviated" href="http://www.twitter.com/miconda" target="_blank" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a class="m_385290406500180484m_-4056747907176162265moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda" target="_blank" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Kamailio World Conference -- <a class="m_385290406500180484m_-4056747907176162265moz-txt-link-abbreviated" href="http://www.kamailioworld.com" target="_blank" moz-do-not-send="true">www.kamailioworld.com</a></pre>
                  </div>
                </blockquote>
              </div>
            </blockquote>
          </div>
        </blockquote>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio World Conference -- <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com">www.kamailioworld.com</a></pre>
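    <p>The behaviour Daniel describes above, as an added example that is not part of this thread or of Kamailio: a throwaway CA issues a server and a client certificate, the server certificate is revoked in a CRL, and OpenSSL's verifier is applied to each certificate. Only the certificate being verified is checked against the CRL, so the revoked server certificate is rejected while the client certificate still validates; a verifier never consults the CRL for its own certificate. The CA name, file names and the <code>setup_pki</code> / <code>crl_status</code> helpers are constructed for this example, and it assumes the openssl command-line tool is installed.</p>

```shell
#!/bin/sh
# Added example (not from the thread or from Kamailio): build a throwaway CA with a
# server and a client certificate, revoke the server certificate, publish a CRL
# and ask OpenSSL's verifier about each certificate. Everything is constructed
# in a temp dir; the CA name, file names and serials are not real.
set -e

setup_pki() {
    WORK=$(mktemp -d)
    cd "$WORK"
    # minimal req config; with -config the system openssl.cnf is not consulted
    printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' > req.cnf
    # minimal "openssl ca" config: only what -revoke and -gencrl need
    printf '[ca]\ndefault_ca = testca\n[testca]\ndatabase = index.txt\ncertificate = ca.crt\nprivate_key = ca.key\ndefault_md = sha256\ndefault_crl_days = 1\n' > ca.cnf
    : > index.txt
    openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.crt -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
    for name in server client; do
        openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
            -keyout "$name.key" -out "$name.csr" -subj "/CN=$name.example" 2>/dev/null
        openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -out "$name.crt" -days 1 2>/dev/null
    done
    # revoke only the server certificate and issue the CRL (the sip_crl.pem role)
    openssl ca -config ca.cnf -revoke server.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out sip_crl.pem 2>/dev/null
}

# crl_status CERT: prints "revoked", "ok" or "error" for CERT verified against
# the CA plus CRL. -crl_check only checks the leaf, which is what matters here.
crl_status() {
    out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile sip_crl.pem "$1" 2>&1) \
        && { echo ok; return; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *) echo error ;;
    esac
}

setup_pki
# The party doing the verification checks the OTHER side's certificate against
# the CRL; nothing consults the CRL for the verifier's own certificate.
echo "server.crt: $(crl_status server.crt)"   # revoked
echo "client.crt: $(crl_status client.crt)"   # ok
```

    <p>A Kamailio server with <code>verify_certificate = yes</code> and <code>crl</code> set is in the position of the client.crt check here: it rejects revoked client certificates, while its own revoked server.crt is only rejected by clients that have loaded the CRL themselves.</p>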
  </body>
</html>