<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hello,<br>
</p>
<div class="moz-cite-prefix">On 03.07.20 11:12, Mark Boyce wrote:<br>
</div>
<blockquote type="cite"
cite="mid:223BC3C3-2BFD-4F5A-A3D9-86798B8EFB40@darkorigins.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
Hi Daniel
<div class=""><br class="">
</div>
<div class="">Ah, that’s the bit I misunderstood. I thought that
require_certificate would trigger mutual auth / mTLS rather than
enforcing its presence.</div>
</blockquote>
<p>well, the server indicates that it wants to see a client certificate
during the handshake, but it has no control in forcing the client
to do so. From Kamailio's point of view, all this is done by the
underlying libssl used by the tls module. The result after the handshake,
based on the error message, is that the client didn't present any
certificate.</p>
<p>Typically the clients do not present their certificate by
default, there has to be some configuration for that. From my
experience, the hardphones have certificates only for
provisioning/management APIs.</p>
<p>For SIP, there has to be an option of uploading the client side
certificate, because it has to match somehow the SIP user and SIP
service to be able to do proper mutual TLS authentication.</p>
<p>Cheers,<br>
Daniel<br>
</p>
<blockquote type="cite"
cite="mid:223BC3C3-2BFD-4F5A-A3D9-86798B8EFB40@darkorigins.com">
<div class=""><br class="">
</div>
<div class="">No sign of a setting on the Yealink to send it’s
certificate. Will go unpack a Cisco and see what that offers.</div>
<div class=""><br class="">
</div>
<div class="">Thanks</div>
<div class="">Mark, </div>
<div class=""><br class="">
</div>
<div class="">
<div>
<blockquote type="cite" class="">
<div class="">On 3 Jul 2020, at 09:09, Daniel-Constantin
Mierla <<a href="mailto:miconda@gmail.com" class=""
moz-do-not-send="true">miconda@gmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div class="">
<p class="">Hello,</p>
<p class="">the client has to be configured to present a
certificate, and it doesn't do it based on kamailio
log message:</p>
<p class="">INFO: tls [tls_server.c:445]: tls_accept():
tls_accept: client did not present a certificate</p>
<p class="">Check the phone config to see if you can set
such option. Kamailio can just see if a certificate is
sent and if not reject the connection, if you have
require_certificate = yes in the server profile of
tls.cfg</p>
<p class="">You can eventually test with 'openssl
s_client ...' to see details of client side certs in
kamailio -- iirc, it has the options to specify client
side certificate with -cert ... -key ...<br class="">
</p>
<p class="">Cheers,<br class="">
Daniel<br class="">
</p>
<div class="moz-cite-prefix">On 03.07.20 09:52, Mark
Boyce wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:D9767AFF-6B96-4E40-B288-089DCB94208A@darkorigins.com"
class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
Hi Daniel
<div class=""><br class="">
</div>
<div class="">I’m testing with a Yealink T57W. It
comes with a factory install certificate which will
probably fail validation as the common name is the
MAC. <br class="">
<div class=""><br class="">
</div>
<div class="">I'm not trying validate the client
device’s certificate just get it to offer what it
has so I can check the details.</div>
<div class=""><br class="">
</div>
<div class="">Thanks</div>
<div class="">Mark</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 3 Jul 2020, at 08:38,
Daniel-Constantin Mierla <<a
href="mailto:miconda@gmail.com" class=""
moz-do-not-send="true">miconda@gmail.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8" class="">
<div class="">
<p class="">Hello,</p>
<p class="">what is the SIP client app you
used? Is it configured to use its own tls
certificate when connecting to the SIP
server?</p>
<p class="">Cheers,<br class="">
Daniel<br class="">
</p>
<div class="moz-cite-prefix">On 02.07.20
18:51, Mark Boyce wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:C53EF2BF-A770-4FA1-8B63-FB7B34CA40E7@darkorigins.com"
class="">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8"
class="">
Hi all
<div class=""><br class="">
</div>
<div class="">Been trying to grab the TLS
cert details from incoming connections,
but failing :-(</div>
<div class=""><br class="">
</div>
<div class="">So with lines just before
AUTH is called like this;</div>
<div class=""><br class="">
</div>
<div class="">
<div class=""> if (proto == TLS)
{</div>
<div class=""> xlog("L_INFO",
"TLSDUMP $ci peer_subject :
$tls_peer_subject\n");</div>
</div>
<div class=""><br class="">
</div>
<div class="">Gets met with a log line
line this;</div>
<div class=""><br class="">
</div>
<div class="">INFO: tls
[tls_server.c:431]: tls_accept():
tls_accept: new connection from
1.2.3.4:11797 using TLSv1.2
ECDHE-RSA-AES256-GCM-SHA384 256</div>
<div class="">INFO: tls
[tls_server.c:434]: tls_accept():
tls_accept: local socket: 5.6.7.8:5061</div>
<div class="">INFO: tls
[tls_server.c:445]: tls_accept():
tls_accept: client did not present a
certificate</div>
<div class="">...</div>
<div class="">INFO: tls
[tls_select.c:168]: get_cert(): Unable
to retrieve peer TLS certificate from
SSL structure</div>
<div class=""><br class="">
</div>
<div class="">This is with
verify_certificate and
require_certificate set to no in tls.cfg</div>
<div class=""><br class="">
</div>
<div class="">If I try and set the
following in tls.cfg</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">[server:default]</div>
<div class="">method = TLSv1.2+</div>
<div class="">verify_certificate = no</div>
<div class="">require_certificate = yes</div>
<div class=""><br class="">
</div>
<div class="">I see in the logs;</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">INFO: tls
[tls_domain.c:303]:
ksr_tls_fill_missing():
TLSs<default>: tls_method=22</div>
<div class="">INFO: tls
[tls_domain.c:315]:
ksr_tls_fill_missing():
TLSs<default>:
certificate='/etc/kamailio/tls-certs/cert.pem'</div>
<div class="">INFO: tls
[tls_domain.c:322]:
ksr_tls_fill_missing():
TLSs<default>:
ca_list='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:329]:
ksr_tls_fill_missing():
TLSs<default>: crl='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:333]:
ksr_tls_fill_missing():
TLSs<default>: <b class="">require_certificate=1</b></div>
<div class="">INFO: tls
[tls_domain.c:340]:
ksr_tls_fill_missing():
TLSs<default>:
cipher_list='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:347]:
ksr_tls_fill_missing():
TLSs<default>:
private_key='/etc/kamailio/tls-certs/privkey.pem'</div>
<div class="">INFO: tls
[tls_domain.c:351]:
ksr_tls_fill_missing():
TLSs<default>: <b class="">verify_certificate=0</b></div>
<div class="">INFO: tls
[tls_domain.c:354]:
ksr_tls_fill_missing():
TLSs<default>: verify_depth=9</div>
<div class="">NOTICE: tls
[tls_domain.c:1095]:
ksr_tls_fix_domain(): registered
server_name callback handler for
socket [:0],
server_name='<default>' ...</div>
<div class="">INFO: tls
[tls_domain.c:692]:
set_verification():
TLSs<default>:<b class="">
Client MUST present valid
certificate</b></div>
<div class="">INFO: tls
[tls_domain.c:303]:
ksr_tls_fill_missing():
TLSc<default>: tls_method=20</div>
<div class="">INFO: tls
[tls_domain.c:315]:
ksr_tls_fill_missing():
TLSc<default>:
certificate='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:322]:
ksr_tls_fill_missing():
TLSc<default>:
ca_list='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:329]:
ksr_tls_fill_missing():
TLSc<default>: crl='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:333]:
ksr_tls_fill_missing():
TLSc<default>: <b class="">require_certificate=1</b></div>
<div class="">INFO: tls
[tls_domain.c:340]:
ksr_tls_fill_missing():
TLSc<default>:
cipher_list='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:347]:
ksr_tls_fill_missing():
TLSc<default>:
private_key='(null)'</div>
<div class="">INFO: tls
[tls_domain.c:351]:
ksr_tls_fill_missing():
TLSc<default>: <b class="">verify_certificate=1</b></div>
<div class="">INFO: tls
[tls_domain.c:354]:
ksr_tls_fill_missing():
TLSc<default>: verify_depth=9</div>
<div class="">INFO: tls
[tls_domain.c:692]:
set_verification():
TLSc<default>: <b class="">Server
MUST present valid certificate</b></div>
<div class="">...</div>
<div class="">ERROR: tls
[tls_util.h:42]: tls_err_ret(): TLS
accept:error:1417C086:SSL
routines:tls_process_client_certificate:certificate
verify failed</div>
</div>
<div class=""><br class="">
</div>
<div class="">Which looks like
verification is being enabled when I
add require?</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Would someone be kind
enough to point out what I am missing
please? (Assuming it’s not a bug :-)</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Funding: <a class="moz-txt-link-freetext" href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a></pre>
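<p>Added example, not part of this thread and not Kamailio's code: the point Daniel makes above, that a server can only ask for a client certificate during the handshake and that "require" is a separate decision to abort when none arrives, shown with Python's ssl module on a loopback socket. The server side runs in one of two modes: "request" (ssl.CERT_OPTIONAL, the server sends a CertificateRequest and tolerates an empty answer, which is what the "client did not present a certificate" log line reports) or "require" (ssl.CERT_REQUIRED, the analogue of require_certificate = yes, where the handshake fails inside tls_process_client_certificate). The client side either loads a certificate, the equivalent of the phone's "upload client certificate" setting, or does not. Assumptions: the openssl CLI is in PATH to mint two throwaway self-signed certificates; the common name phone-client and the SIP line sent after the handshake are constructed; the mapping of the two modes onto Kamailio's tls.cfg flags is an analogy, not taken from Kamailio's source.</p>

```python
# Added example (not from the Kamailio thread): "request" vs "require" a
# client certificate, using Python's ssl module. Assumes the openssl CLI is
# available in PATH to mint throwaway self-signed certificates.
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Analogy only (not Kamailio's code): a server that merely asks for a client
# certificate vs one that aborts the handshake when none arrives.
SERVER_MODES = {
    "request": ssl.CERT_OPTIONAL,  # send CertificateRequest, tolerate absence
    "require": ssl.CERT_REQUIRED,  # send CertificateRequest, fail if absent
}

_CERTS = {}


def _mint_self_signed(dirpath, name, common_name):
    """Create a key and a self-signed cert with the openssl CLI (assumed in PATH)."""
    key = os.path.join(dirpath, name + ".key")
    crt = os.path.join(dirpath, name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-subj", "/CN=" + common_name, "-days", "1"],
        check=True, capture_output=True,
    )
    return crt, key


def certs():
    """Lazily mint one server cert and one 'phone' client cert (constructed CNs)."""
    if not _CERTS:
        workdir = tempfile.mkdtemp(prefix="mtls-demo-")
        _CERTS["server"] = _mint_self_signed(workdir, "server", "localhost")
        _CERTS["client"] = _mint_self_signed(workdir, "client", "phone-client")
    return _CERTS


def run_handshake(server_mode, client_presents_cert):
    """Run one loopback TLS handshake and report what the server side observed."""
    srv_crt, srv_key = certs()["server"]
    cli_crt, cli_key = certs()["client"]

    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(srv_crt, srv_key)
    server_ctx.verify_mode = SERVER_MODES[server_mode]
    server_ctx.load_verify_locations(cafile=cli_crt)  # trust the phone's self-signed cert

    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False
    client_ctx.verify_mode = ssl.CERT_NONE  # server validation is not what this shows
    if client_presents_cert:
        client_ctx.load_cert_chain(cli_crt, cli_key)  # the "upload client cert" step

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port
    listener.listen(1)
    outcome = {"handshake_ok": False, "peer_cn": None, "error": None}

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(10)
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                outcome["handshake_ok"] = True
                cert = tls.getpeercert()  # None when the client sent no certificate
                if cert:
                    outcome["peer_cn"] = dict(rdn[0] for rdn in cert["subject"])["commonName"]
                tls.recv(64)  # wait for the client's first bytes, then finish
        except (ssl.SSLError, OSError) as exc:
            outcome["error"] = getattr(exc, "reason", None) or str(exc)
        finally:
            conn.close()
            listener.close()

    worker = threading.Thread(target=serve)
    worker.start()
    raw = socket.create_connection(listener.getsockname(), timeout=10)
    try:
        with client_ctx.wrap_socket(raw) as tls:
            tls.sendall(b"REGISTER sip:example.invalid SIP/2.0\r\n")  # constructed
    except (ssl.SSLError, OSError):
        pass  # the server side records why the handshake failed
    finally:
        raw.close()
    worker.join()
    return outcome


def demo():
    """The three situations from the thread: asked/no cert, asked/cert, required/no cert."""
    return [
        ("request", False, run_handshake("request", False)),
        ("request", True, run_handshake("request", True)),
        ("require", False, run_handshake("require", False)),
    ]


if __name__ == "__main__":
    for mode, presents, result in demo():
        print(mode, "client_cert=%s" % presents, result)
```

<p>Running the block prints one line per scenario: in "request" mode without a client certificate the handshake completes and the server's peer_cn is None (the counterpart of the "Unable to retrieve peer TLS certificate" log line when $tls_peer_subject is read); with the certificate loaded, peer_cn is phone-client; in "require" mode without a certificate the server records an error and never reaches the point where a peer subject could be logged.</p>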
</body>
</html>