<div dir="auto"><div>Hi Julien,</div><div dir="auto"><br></div><div dir="auto">Thanks for this hint. A bit off topic the cert part but security should be forced :) </div><div dir="auto"><br></div><div dir="auto">Many ways to get a letsencrypt certificate, I prefer the go-lang lego tool </div><div dir="auto"><br></div><div dir="auto">docker run -v $(pwd)/.lego:/.lego goacme/lego -d fqdn --email your@email -a --tls --pem run</div><div dir="auto"><br></div><div dir="auto">Saved stuff in dot lego folder. </div><div dir="auto"><br></div><div dir="auto">Cheers </div><div dir="auto">Karsten Horsmann </div><div dir="auto"><br><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">Julien Chavanton <<a href="mailto:jchavanton@gmail.com">jchavanton@gmail.com</a>> wrote on Thu, 19 Dec 2019, 17:08:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi, I guess I was the one stretching it :)<br><div><br></div><div>If you need to generate a cert, check EFF let's encrypt, here is one example to get a cert with HTTP validation<br></div><div><br></div><span style="font-family:monospace">#!/bin/bash <br>iptables -I INPUT -p tcp --dport 80 -j ACCEPT<br>sudo docker run -it --rm --name certbot \<br> --net=host \<br> -v "/etc/letsencrypt:/etc/letsencrypt" \<br> -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \<br> certbot/certbot certonly --eff-email --agree-tos -m <a href="mailto:use@domain.com" target="_blank" rel="noreferrer">use@domain.com</a> --standalone --preferred-challenges http -d $1<br>iptables -D INPUT -p tcp --dport 80 -j ACCEPT<br>if [ "$2" == "copy" ]<br>then<br> cp /etc/letsencrypt/live/$1/fullchain.pem tls/certificate.pem<br> cp /etc/letsencrypt/live/$1/privkey.pem tls/key.pem<br></span><div><span style="font-family:monospace">fi</span></div><div><span style="font-family:monospace"><br></span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 
Dec 19, 2019 at 6:20 AM Sebastian Damm <<a href="mailto:damm@sipgate.de" target="_blank" rel="noreferrer">damm@sipgate.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Julien,<br>
<br>
I had been thinking quite a while before posting it here, and maybe I<br>
shouldn't have mentioned the sipp SSL error. But I thought, end2end<br>
testing of kamailio setups could be of general interest from a<br>
Kamailio user point of view. And I hoped to get suggestions on how to<br>
do it.<br>
<br>
Thanks for the link to voip_patrol. I'm already playing with it. Still<br>
stuck with needing a client certificate, though. I shouldn't need that<br>
for a client, I'd think. But I'll try my best.<br>
<br>
Regards,<br>
Sebastian<br>
<br>
On Wed, Dec 18, 2019 at 7:31 PM Julien Chavanton <<a href="mailto:jchavanton@gmail.com" target="_blank" rel="noreferrer">jchavanton@gmail.com</a>> wrote:<br>
><br>
> Hi Sebastian, this is off topic for the Kamailio mailing list.<br>
><br>
> You can use Voip_patrol :<br>
> <a href="https://github.com/jchavanton/voip_patrol" rel="noreferrer noreferrer" target="_blank">https://github.com/jchavanton/voip_patrol</a><br>
><br>
> Once you have your certificate, key and ca_list in default location<br>
> ./voip_patrol -c ./xml/tls.xml<br>
><br>
> [18:24:51.800][INFO] main: TLS tcfg.tlsConfig.ca_list :tls/ca_list.pem<br>
> [18:24:51.800][INFO] main: TLS tcfg.tlsConfig.certFile :tls/certificate.pem<br>
> [18:24:51.800][INFO] main: TLS tcfg.tlsConfig.privKeyFile :tls/key.pem<br>
><br>
> tls.xml<br>
><br>
> <?xml version="1.0"?><br>
> <config><br>
> <actions><br>
> <action type="register" transport="tls" expected_cause_code="200" username="VP_ENV_USERNAME" password="VP_ENV_PASSWORD" realm="<a href="http://domain.com" rel="noreferrer noreferrer" target="_blank">domain.com</a>" registrar="<a href="http://ep.domain.com" rel="noreferrer noreferrer" target="_blank">ep.domain.com</a>"/><br>
> <action type="wait" complete/><br>
> <action type="accept" account="VP_ENV_USERNAME" max_duration="20" hangup="5"/><br>
> <action type="call" transport="tls"<br>
> wait_until="3" expected_cause_code="200"<br>
> caller="<a href="mailto:12062349971@1.1.1.1" target="_blank" rel="noreferrer">12062349971@1.1.1.1</a>" callee="<a href="mailto:12012343238@ep.domain.com" target="_blank" rel="noreferrer">12012343238@ep.domain.com</a>" max_duration="15" hangup="5"<br>
> username="VP_ENV_USERNAME" password="VP_ENV_PASSWORD" realm="<a href="http://domain.com" rel="noreferrer noreferrer" target="_blank">domain.com</a>"<br>
> /><br>
> <action type="wait" complete/><br>
> </actions><br>
> </config><br>
><br>
> On Wed, Dec 18, 2019 at 8:34 AM Sebastian Damm <<a href="mailto:damm@sipgate.de" target="_blank" rel="noreferrer">damm@sipgate.de</a>> wrote:<br>
>><br>
>> Hi,<br>
>><br>
>> I'm trying to construct an end-to-end encrypted signalling test<br>
>> through our setup. I thought I could use sipp for that, as it supports<br>
>> TLS according to the man page. However, when I try to run it, I get<br>
>> this error:<br>
>><br>
>> FI_init_ssl_context: SSL_CTX_use_certificate_file failed.<br>
>><br>
>> I searched the web; however, all similar questions end up without<br>
>> answers. I tried specifying a local key and cert without success. I'd<br>
>> think I should not need a cert for my client, though.<br>
>><br>
>> Has anyone ever successfully conducted an automated TLS test? I'm open<br>
>> to using a different tool if necessary.<br>
>><br>
>> Thanks for all hints or examples.<br>
>><br>
>> Regards,<br>
>> Sebastian<br>
>><br>
>> --<br>
>> Sebastian Damm<br>
>> Voice Engineer<br>
>> __________________________________________<br>
>> sipgate GmbH<br>
>> Gladbacher Straße 74 | 40219 Düsseldorf<br>
>><br>
>> _______________________________________________<br>
>> Kamailio (SER) - Users Mailing List<br>
>> <a href="mailto:sr-users@lists.kamailio.org" target="_blank" rel="noreferrer">sr-users@lists.kamailio.org</a><br>
>> <a href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" rel="noreferrer noreferrer" target="_blank">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br>
><br>
<br>
<br>
<br>
-- <br>
Sebastian Damm<br>
Voice Engineer<br>
<br>
</blockquote></div>
</blockquote></div></div></div>
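The thread asks for an automated end-to-end TLS signalling test and runs into a tool that insists on a client certificate. The script below is an added example, not code from the thread, from sipp or from voip_patrol. It opens a TLS connection to a SIP server's TLS port with certificate and hostname verification switched on (a client certificate is loaded only when the server actually requires mutual TLS), sends a SIP OPTIONS request and classifies the reply; a 401/407 still proves that the TLS handshake and SIP parsing work end to end, which is what such a test is usually after. The host, port, CA bundle path and client certificate paths are assumed command-line inputs; the message builder, status-line parser and Content-Length reader are kept as pure functions so they can be exercised without a network.

```python
"""SIP-over-TLS smoke test: verify the server certificate, send OPTIONS, check the reply.

Added example, not code from the mailing-list thread, sipp or voip_patrol.
Host, port, CA bundle and the optional client certificate are assumed inputs.
"""
import argparse
import socket
import ssl
import uuid


def build_options(domain: str, local_host: str, local_port: int = 5061) -> bytes:
    """Build a minimal RFC 3261 OPTIONS request addressed to `domain` over TLS."""
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]  # RFC 3261 magic cookie + unique id
    lines = [
        f"OPTIONS sip:{domain};transport=tls SIP/2.0",
        f"Via: SIP/2.0/TLS {local_host}:{local_port};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:tlscheck@{domain}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{domain}>",
        f"Call-ID: {uuid.uuid4().hex}@{local_host}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:tlscheck@{local_host}:{local_port};transport=tls>",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def parse_status(response: bytes):
    """Return (code, reason) from a SIP status line, or None if it is not a SIP response."""
    first = response.split(b"\r\n", 1)[0].decode("utf-8", "replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or parts[0] != "SIP/2.0" or not parts[1].isdigit():
        return None
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")


def content_length(head: bytes) -> int:
    """Content-Length from a header block (compact form 'l' included); 0 if absent."""
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() in (b"content-length", b"l"):
            return int(value.strip() or 0)
    return 0


def read_sip_message(sock: ssl.SSLSocket) -> bytes:
    """Read one SIP message: headers up to the blank line, then Content-Length body bytes."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection before a full SIP header arrived")
        buf += chunk
    head, body = buf.split(b"\r\n\r\n", 1)
    need = content_length(head)
    while len(body) < need:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head + b"\r\n\r\n" + body


def classify(code: int) -> str:
    """Judge the outcome. 401/407 still prove TLS and SIP parsing work end to end."""
    if code == 200:
        return "pass"
    if code in (401, 407):
        return "pass-auth-required"
    return "fail"


def check_sip_tls(host, port=5061, ca_file=None, server_name=None, client_cert=None):
    """Connect with chain and hostname verification on, send OPTIONS, classify the reply."""
    ctx = ssl.create_default_context(cafile=ca_file)  # system trust store when ca_file is None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:  # (cert.pem, key.pem), needed only when the server demands mutual TLS
        ctx.load_cert_chain(certfile=client_cert[0], keyfile=client_cert[1])
    sni = server_name or host
    with socket.create_connection((host, port), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            local_host, local_port = tls.getsockname()[:2]
            tls.sendall(build_options(sni, local_host, local_port))
            reply = read_sip_message(tls)
    status = parse_status(reply)
    if status is None:
        raise ValueError(f"not a SIP response: {reply[:60]!r}")
    return classify(status[0]), status


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="SIP OPTIONS over TLS smoke test")
    ap.add_argument("host")
    ap.add_argument("--port", type=int, default=5061)
    ap.add_argument("--ca", help="CA bundle (PEM); default: system trust store")
    ap.add_argument("--sni", help="name expected in the server certificate, if not host")
    ap.add_argument("--cert", help="client certificate (PEM), only for mutual TLS")
    ap.add_argument("--key", help="client private key (PEM), only for mutual TLS")
    a = ap.parse_args()
    cc = (a.cert, a.key) if a.cert and a.key else None
    print(check_sip_tls(a.host, a.port, a.ca, a.sni, cc))
```

Run it as `python3 sip_tls_check.py ep.example --ca tls/ca_list.pem`; a handshake failure (untrusted chain, name mismatch, expired certificate) surfaces as an `ssl.SSLError` before any SIP is sent, which separates certificate problems from SIP problems, the distinction the original sipp error message hides.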