<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Thanks! That did the trick (Debian 10)<br>
</p>
<div class=""><br class="">
</div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class="">[server:default]</span></font></div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class="">method =
TLSv1.2+</span></font></div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class="">verify_certificate
= yes</span></font></div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class="">require_certificate
= yes</span></font></div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class="">private_key
= /etc/kamailio/tls/myserver.key</span></font></div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class="">certificate
= /etc/kamailio/tls/myserver.crt</span></font></div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class=""># Points
to your root CA list<br>
</span></font></div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class="">ca_list =
/etc/ssl/certs/ca-certificates.crt</span></font></div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class=""><br
class="">
</span></font></div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class="">[client:default]</span></font></div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class="">method =
TLSv1.2+</span></font></div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class="">verify_certificate
= yes</span></font></div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class="">require_certificate
= yes</span></font></div>
<div class="">
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class="">private_key
= /etc/kamailio/tls/myserver.key</span></font></div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class="">certificate
= /etc/kamailio/tls/myserver.crt</span></font></div>
<div class=""><font class="" size="-1" face="Courier New, Courier,
monospace"><span style="font-style: normal;" class="">ca_list
= /etc/kamailio/tls/issuer.crt</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class=""><br>
</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">Now it takes longer to
reload the TLS config and I need to increase PKG/SHM size to
process the full list, but it's ok )<br>
</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class=""><br>
</span></font></div>
</div>
<div class="moz-cite-prefix">On 29.03.2020 13:54, Alexey Vasilyev
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:6BB55167-C4C9-4AF6-82FA-3A5FF22F4584@gmail.com">
<div class="">Hi Igor,</div>
<div class=""><br class="">
</div>
<div class="">Because these errors are about verification of the Microsoft
certificate.</div>
<div class="">/etc/kamailio/tls/issuer.cer should contain the
certificate authorities list, which contains trusted root
certificates.</div>
<div class="">For example, for CentOS7
/etc/ssl/certs/ca-bundle.crt</div>
<br class="">
<div class="">
<span class="Apple-style-span" style="border-collapse: separate;
color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px;
font-style: normal; font-variant: normal; font-weight: normal;
letter-spacing: normal; line-height: normal; orphans: 2;
text-align: auto; text-indent: 0px; text-transform: none;
white-space: normal; widows: 2; word-spacing: 0px;
-webkit-border-horizontal-spacing: 0px;
-webkit-border-vertical-spacing: 0px;
-webkit-text-decorations-in-effect: none;
-webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0;
">
<div class="">-----</div>
<div class="">Alexey Vasilyev</div>
<div class=""><a href="mailto:alexei.vasilyev@gmail.com"
class="" moz-do-not-send="true">alexei.vasilyev@gmail.com</a></div>
<div class=""><br class="">
</div>
</span><br class="Apple-interchange-newline">
</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On 29 Mar 2020, at 11:36, Igor Olhovskiy &lt;<a
href="mailto:igorolhovskiy@gmail.com" class=""
moz-do-not-send="true">igorolhovskiy@gmail.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space;
line-break: after-white-space;" class="">Hi!
<div class=""><br class="">
</div>
<div class="">Actually I’m trying to get Kamailio to work
as an MS Teams SBC, following the perfect article</div>
<div class=""><a
href="https://skalatan.de/en/blog/kamailio-sbc-teams"
class="" moz-do-not-send="true">https://skalatan.de/en/blog/kamailio-sbc-teams</a></div>
<div class="">It works well, but one thing is bothering
me.</div>
<div class="">I’m using Let’s Encrypt certs (actually,
works well), but with the settings in <b class="">tls.conf</b></div>
<div class="">
<div class=""><br class="">
</div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">verify_certificate
= yes</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">require_certificate
= yes</span></font></div>
</div>
<div class=""><br class="">
</div>
<div class="">It’s giving errors like</div>
<div class=""><br class="">
</div>
<div class="">
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">/usr/sbin/kamailio[4551]:
ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
write:error:1416F086:SSL
routines:tls_process_server_certificate:certificate
verify failed</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">/usr/sbin/kamailio[4551]:
ERROR: &lt;core&gt; [core/tcp_read.c:1505]:
tcp_read_req(): ERROR: tcp_read_req: error reading
- c: 0x7f03e6d23d88 r: 0x7f03e6d23e08 (-1)</span></font></div>
</div>
<div class=""><br class="">
</div>
<div class="">They are resolved by setting these
settings (<font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">verify/require</span></font>)
to off (actually, as mentioned here - <a
href="https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/"
class="" moz-do-not-send="true">https://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/</a>),
but I’m really curious - why?</div>
<div class=""><br class="">
</div>
<div class="">As I understand it, it’s using <b class="">openssl
verify</b> in the background, but this check passed locally
with </div>
<div class=""><br class="">
</div>
<div class="">
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">openssl
verify -CAfile issuer.crt myserver.crt</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">myserver.crt:
OK</span></font></div>
</div>
<div class=""><br class="">
</div>
<div class="">So, are there any tricks to Let’s Encrypt or
just some misconfig in <b class="">tls.cfg</b>?</div>
<div class=""><br class="">
</div>
<div class="">Now it looks like the one from the article</div>
<div class=""><br class="">
</div>
<div class="">
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">[server:default]</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">method =
TLSv1.2+</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">verify_certificate
= yes</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">require_certificate
= yes</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">private_key =
/etc/kamailio/tls/myserver.key</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">certificate =
/etc/kamailio/tls/myserver.crt</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">ca_list =
/etc/kamailio/tls/issuer.crt</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class=""><br class="">
</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">[client:default]</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">method =
TLSv1.2+</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">verify_certificate
= yes</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">require_certificate
= yes</span></font></div>
<div class="">
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">private_key
= /etc/kamailio/tls/myserver.key</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">certificate
= /etc/kamailio/tls/myserver.crt</span></font></div>
<div class=""><font class="" face="FiraCode-Retina"><span
style="font-style: normal;" class="">ca_list =
/etc/kamailio/tls/issuer.crt</span></font></div>
</div>
<div class="">
<div class="">—</div>
<div class="">Regards, Igor</div>
<div class=""><br class="">
</div>
<br class="Apple-interchange-newline">
</div>
<br class="">
</div>
</div>
_______________________________________________<br class="">
Kamailio (SER) - Users Mailing List<br class="">
<a href="mailto:sr-users@lists.kamailio.org" class=""
moz-do-not-send="true">sr-users@lists.kamailio.org</a><br
class="">
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a><br
class="">
</div>
</blockquote>
</div>
<br class="">
<br>
</blockquote>
<pre class="moz-signature" cols="72">--
Regards, Igor</pre>
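<p>An added example, not part of the original thread: it shows why the local <code>openssl verify</code> of <code>myserver.crt</code> against <code>issuer.crt</code> can pass while verifying the remote side's certificate fails until the CA list also holds that side's root. Both CAs, all certificates and all subjects are constructed for the demo and only reuse the thread's file names; it assumes the <code>openssl</code> CLI (1.1.1 or later) is installed.</p>

```shell
#!/usr/bin/env bash
# Constructed demo: every name, subject and file here is made up for illustration.
set -eu
cd "$(mktemp -d)"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {    # $1 = file prefix, $2 = subject CN
  openssl req -x509 -config demo.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

make_leaf() {  # $1 = file prefix, $2 = subject CN, $3 = prefix of the signing CA
  openssl req -new -config demo.cnf -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 2 -out "$1.crt" 2>/dev/null
}

check() {      # $1 = CA file (the role ca_list plays), $2 = certificate to verify
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_ca issuer   "Constructed Issuer CA"      # issued our own certificate
make_ca peerroot "Constructed Peer Root CA"   # issued the remote side's certificate
make_leaf myserver sbc.example.test  issuer
make_leaf peer     peer.example.test peerroot
cat issuer.crt peerroot.crt > bundle.crt      # multi-root list, like a distro CA bundle

# The local check from the thread: our own cert against our own issuer.
echo "myserver.crt against issuer.crt: $(check issuer.crt myserver.crt)"
# What the TLS handshake needs: the peer's cert against the configured CA list.
echo "peer.crt against issuer.crt:     $(check issuer.crt peer.crt)"
echo "peer.crt against bundle.crt:     $(check bundle.crt peer.crt)"
```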
</body>
</html>