
<html>

  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

  </head>

  <body>

    <p>Hello,</p>

    <p>what is the SIP client app you used? Is it configured to use its

      own tls certificate when connecting to the SIP server?</p>

    <p>Cheers,<br>

      Daniel<br>

    </p>

    <div class="moz-cite-prefix">On 02.07.20 18:51, Mark Boyce wrote:<br>

    </div>

    <blockquote type="cite"

      cite="mid:C53EF2BF-A770-4FA1-8B63-FB7B34CA40E7@darkorigins.com">

      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

      Hi all

      <div class=""><br class="">

      </div>

      <div class="">Been trying to grab the TLS cert details from

        incoming connections, but failing :-(</div>

      <div class=""><br class="">

      </div>

      <div class="">So with lines just before AUTH is called like this;</div>

      <div class=""><br class="">

      </div>

      <div class="">

        <div class="">        if (proto == TLS) {</div>

        <div class="">        xlog("L_INFO", "TLSDUMP $ci  peer_subject

                 : $tls_peer_subject\n");</div>

      </div>

      <div class=""><br class="">

      </div>

      <div class="">Gets met with a log line line this;</div>

      <div class=""><br class="">

      </div>

      <div class="">INFO: tls [tls_server.c:431]: tls_accept():

        tls_accept: new connection from 1.2.3.4:11797 using TLSv1.2

        ECDHE-RSA-AES256-GCM-SHA384 256</div>

      <div class="">INFO: tls [tls_server.c:434]: tls_accept():

        tls_accept: local socket: 5.6.7.8:5061</div>

      <div class="">INFO: tls [tls_server.c:445]: tls_accept():

        tls_accept: client did not present a certificate</div>

      <div class="">...</div>

      <div class="">INFO: tls [tls_select.c:168]: get_cert(): Unable to

        retrieve peer TLS certificate from SSL structure</div>

      <div class=""><br class="">

      </div>

      <div class="">This is with verify_certificate and

        require_certificate set to no in tls.cfg</div>

      <div class=""><br class="">

      </div>

      <div class="">If I try and set the following in tls.cfg</div>

      <div class=""><br class="">

      </div>

      <div class="">

        <div class="">[server:default]</div>

        <div class="">method = TLSv1.2+</div>

        <div class="">verify_certificate = no</div>

        <div class="">require_certificate = yes</div>

        <div class=""><br class="">

        </div>

        <div class="">I see in the logs;</div>

        <div class=""><br class="">

        </div>

        <div class="">

          <div class="">INFO: tls [tls_domain.c:303]:

            ksr_tls_fill_missing(): TLSs<default>: tls_method=22</div>

          <div class="">INFO: tls [tls_domain.c:315]:

            ksr_tls_fill_missing(): TLSs<default>:

            certificate='/etc/kamailio/tls-certs/cert.pem'</div>

          <div class="">INFO: tls [tls_domain.c:322]:

            ksr_tls_fill_missing(): TLSs<default>:

            ca_list='(null)'</div>

          <div class="">INFO: tls [tls_domain.c:329]:

            ksr_tls_fill_missing(): TLSs<default>: crl='(null)'</div>

          <div class="">INFO: tls [tls_domain.c:333]:

            ksr_tls_fill_missing(): TLSs<default>: <b class="">require_certificate=1</b></div>

          <div class="">INFO: tls [tls_domain.c:340]:

            ksr_tls_fill_missing(): TLSs<default>:

            cipher_list='(null)'</div>

          <div class="">INFO: tls [tls_domain.c:347]:

            ksr_tls_fill_missing(): TLSs<default>:

            private_key='/etc/kamailio/tls-certs/privkey.pem'</div>

          <div class="">INFO: tls [tls_domain.c:351]:

            ksr_tls_fill_missing(): TLSs<default>: <b class="">verify_certificate=0</b></div>

          <div class="">INFO: tls [tls_domain.c:354]:

            ksr_tls_fill_missing(): TLSs<default>: verify_depth=9</div>

          <div class="">NOTICE: tls [tls_domain.c:1095]:

            ksr_tls_fix_domain(): registered server_name callback

            handler for socket [:0], server_name='<default>' ...</div>

          <div class="">INFO: tls [tls_domain.c:692]:

            set_verification(): TLSs<default>:<b class=""> Client

              MUST present valid certificate</b></div>

          <div class="">INFO: tls [tls_domain.c:303]:

            ksr_tls_fill_missing(): TLSc<default>: tls_method=20</div>

          <div class="">INFO: tls [tls_domain.c:315]:

            ksr_tls_fill_missing(): TLSc<default>:

            certificate='(null)'</div>

          <div class="">INFO: tls [tls_domain.c:322]:

            ksr_tls_fill_missing(): TLSc<default>:

            ca_list='(null)'</div>

          <div class="">INFO: tls [tls_domain.c:329]:

            ksr_tls_fill_missing(): TLSc<default>: crl='(null)'</div>

          <div class="">INFO: tls [tls_domain.c:333]:

            ksr_tls_fill_missing(): TLSc<default>: <b class="">require_certificate=1</b></div>

          <div class="">INFO: tls [tls_domain.c:340]:

            ksr_tls_fill_missing(): TLSc<default>:

            cipher_list='(null)'</div>

          <div class="">INFO: tls [tls_domain.c:347]:

            ksr_tls_fill_missing(): TLSc<default>:

            private_key='(null)'</div>

          <div class="">INFO: tls [tls_domain.c:351]:

            ksr_tls_fill_missing(): TLSc<default>: <b class="">verify_certificate=1</b></div>

          <div class="">INFO: tls [tls_domain.c:354]:

            ksr_tls_fill_missing(): TLSc<default>: verify_depth=9</div>

          <div class="">INFO: tls [tls_domain.c:692]:

            set_verification(): TLSc<default>: <b class="">Server

              MUST present valid certificate</b></div>

          <div class="">...</div>

          <div class="">ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS

            accept:error:1417C086:SSL

            routines:tls_process_client_certificate:certificate verify

            failed</div>

        </div>

        <div class=""><br class="">

        </div>

        <div class="">Which looks like verification is being enabled

          when I add require?</div>

        <div class=""><br class="">

        </div>

        <div class=""><br class="">

        </div>

        <div class=""><br class="">

        </div>

        <div class="">Would someone be kind enough to point out what I

          am missing please? (Assuming it’s not a bug :-)</div>

        <div class=""><br class="">

        </div>

        <div class=""><br class="">

        </div>

        <div class="">

          Thanks<br class="">

          Mark<br class="">

          -- <br class="">

          Mark Boyce<br class="">

          Dark Origins Ltd</div>

      </div>

      <br>

      <fieldset class="mimeAttachmentHeader"></fieldset>

      <pre class="moz-quote-pre" wrap="">_______________________________________________

Kamailio (SER) - Users Mailing List

<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>

<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>

</pre>

    </blockquote>

    <pre class="moz-signature" cols="72">-- 

Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>

<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>

Funding: <a class="moz-txt-link-freetext" href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a></pre>

  </body>

</html>