<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Daniel<div class=""><br class=""></div><div class="">I’m testing with a Yealink T57W. It comes with a factory-installed certificate which will probably fail validation, as the common name is the MAC.  <br class=""><div><br class=""></div><div>I'm not trying to validate the client device’s certificate, just get it to offer what it has so I can check the details.</div><div><br class=""></div><div>Thanks</div><div>Mark</div><div><br class=""><blockquote type="cite" class=""><div class="">On 3 Jul 2020, at 08:38, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" class="">miconda@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
  
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
  
  <div class=""><p class="">Hello,</p><p class="">what is the SIP client app you used? Is it configured to use its
      own tls certificate when connecting to the SIP server?</p><p class="">Cheers,<br class="">
      Daniel<br class="">
    </p>
    <div class="moz-cite-prefix">On 02.07.20 18:51, Mark Boyce wrote:<br class="">
    </div>
    <blockquote type="cite" cite="mid:C53EF2BF-A770-4FA1-8B63-FB7B34CA40E7@darkorigins.com" class="">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
      Hi all
      <div class=""><br class="">
      </div>
      <div class="">Been trying to grab the TLS cert details from
        incoming connections, but failing :-(</div>
      <div class=""><br class="">
      </div>
      <div class="">So with lines just before AUTH is called like this;</div>
      <div class=""><br class="">
      </div>
      <div class="">
        <div class="">        if (proto == TLS) {</div>
        <div class="">        xlog("L_INFO", "TLSDUMP $ci  peer_subject
                 : $tls_peer_subject\n");</div>
      </div>
      <div class=""><br class="">
      </div>
      <div class="">Gets met with a log line line this;</div>
      <div class=""><br class="">
      </div>
      <div class="">INFO: tls [tls_server.c:431]: tls_accept():
        tls_accept: new connection from 1.2.3.4:11797 using TLSv1.2
        ECDHE-RSA-AES256-GCM-SHA384 256</div>
      <div class="">INFO: tls [tls_server.c:434]: tls_accept():
        tls_accept: local socket: 5.6.7.8:5061</div>
      <div class="">INFO: tls [tls_server.c:445]: tls_accept():
        tls_accept: client did not present a certificate</div>
      <div class="">...</div>
      <div class="">INFO: tls [tls_select.c:168]: get_cert(): Unable to
        retrieve peer TLS certificate from SSL structure</div>
      <div class=""><br class="">
      </div>
      <div class="">This is with verify_certificate and
        require_certificate set to no in tls.cfg</div>
      <div class=""><br class="">
      </div>
      <div class="">If I try and set the following in tls.cfg</div>
      <div class=""><br class="">
      </div>
      <div class="">
        <div class="">[server:default]</div>
        <div class="">method = TLSv1.2+</div>
        <div class="">verify_certificate = no</div>
        <div class="">require_certificate = yes</div>
        <div class=""><br class="">
        </div>
        <div class="">I see in the logs;</div>
        <div class=""><br class="">
        </div>
        <div class="">
          <div class="">INFO: tls [tls_domain.c:303]:
            ksr_tls_fill_missing(): TLSs<default>: tls_method=22</div>
          <div class="">INFO: tls [tls_domain.c:315]:
            ksr_tls_fill_missing(): TLSs<default>:
            certificate='/etc/kamailio/tls-certs/cert.pem'</div>
          <div class="">INFO: tls [tls_domain.c:322]:
            ksr_tls_fill_missing(): TLSs<default>:
            ca_list='(null)'</div>
          <div class="">INFO: tls [tls_domain.c:329]:
            ksr_tls_fill_missing(): TLSs<default>: crl='(null)'</div>
          <div class="">INFO: tls [tls_domain.c:333]:
            ksr_tls_fill_missing(): TLSs<default>: <b class="">require_certificate=1</b></div>
          <div class="">INFO: tls [tls_domain.c:340]:
            ksr_tls_fill_missing(): TLSs<default>:
            cipher_list='(null)'</div>
          <div class="">INFO: tls [tls_domain.c:347]:
            ksr_tls_fill_missing(): TLSs<default>:
            private_key='/etc/kamailio/tls-certs/privkey.pem'</div>
          <div class="">INFO: tls [tls_domain.c:351]:
            ksr_tls_fill_missing(): TLSs<default>: <b class="">verify_certificate=0</b></div>
          <div class="">INFO: tls [tls_domain.c:354]:
            ksr_tls_fill_missing(): TLSs<default>: verify_depth=9</div>
          <div class="">NOTICE: tls [tls_domain.c:1095]:
            ksr_tls_fix_domain(): registered server_name callback
            handler for socket [:0], server_name='<default>' ...</div>
          <div class="">INFO: tls [tls_domain.c:692]:
            set_verification(): TLSs<default>:<b class=""> Client
              MUST present valid certificate</b></div>
          <div class="">INFO: tls [tls_domain.c:303]:
            ksr_tls_fill_missing(): TLSc<default>: tls_method=20</div>
          <div class="">INFO: tls [tls_domain.c:315]:
            ksr_tls_fill_missing(): TLSc<default>:
            certificate='(null)'</div>
          <div class="">INFO: tls [tls_domain.c:322]:
            ksr_tls_fill_missing(): TLSc<default>:
            ca_list='(null)'</div>
          <div class="">INFO: tls [tls_domain.c:329]:
            ksr_tls_fill_missing(): TLSc<default>: crl='(null)'</div>
          <div class="">INFO: tls [tls_domain.c:333]:
            ksr_tls_fill_missing(): TLSc<default>: <b class="">require_certificate=1</b></div>
          <div class="">INFO: tls [tls_domain.c:340]:
            ksr_tls_fill_missing(): TLSc<default>:
            cipher_list='(null)'</div>
          <div class="">INFO: tls [tls_domain.c:347]:
            ksr_tls_fill_missing(): TLSc<default>:
            private_key='(null)'</div>
          <div class="">INFO: tls [tls_domain.c:351]:
            ksr_tls_fill_missing(): TLSc<default>: <b class="">verify_certificate=1</b></div>
          <div class="">INFO: tls [tls_domain.c:354]:
            ksr_tls_fill_missing(): TLSc<default>: verify_depth=9</div>
          <div class="">INFO: tls [tls_domain.c:692]:
            set_verification(): TLSc<default>: <b class="">Server
              MUST present valid certificate</b></div>
          <div class="">...</div>
          <div class="">ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS
            accept:error:1417C086:SSL
            routines:tls_process_client_certificate:certificate verify
            failed</div>
        </div>
        <div class=""><br class="">
        </div>
        <div class="">Which looks like verification is being enabled
          when I add require?</div>
        <div class=""><br class="">
        </div>
        <div class=""><br class="">
        </div>
        <div class=""><br class="">
        </div>
        <div class="">Would someone be kind enough to point out what I
          am missing please? (Assuming it’s not a bug :-)</div>
        <div class=""><br class="">
        </div>
        <div class=""><br class="">
        </div>
        <div class="">
          Thanks<br class="">
          Mark<br class="">
          -- <br class="">
          Mark Boyce<br class="">
          Dark Origins Ltd</div>
      </div>
      <br class="">
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com/">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Funding: <a class="moz-txt-link-freetext" href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a></pre>
  </div>

</div></blockquote></div><br class=""><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><div style="orphans: 2; widows: 2;" class="">Mark</div><div style="orphans: 2; widows: 2;" class="">-- </div><div style="orphans: 2; widows: 2;" class="">Mark Boyce</div><div style="orphans: 2; widows: 2;" class="">Dark Origins Ltd</div><div style="orphans: 2; widows: 2;" class="">e: <a href="mailto:mark@darkorigins.com" class="">mark@darkorigins.com</a></div><div style="orphans: 2; widows: 2;" class="">t: 0345 0043 043</div><div style="orphans: 2; widows: 2;" class="">f: 0345 0043 044</div></div></div>
</div>
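<div class="">Added example (not from the thread or from the Kamailio project): a tls.cfg that reflects what the quoted logs show about how require_certificate and verify_certificate interact, plus a routing block that handles the no-certificate case instead of logging an error. The ca_list path, the route name and the sample bundle are placeholders; the verify_client remark is an assumption to check against the installed module's README.</div>

```kamailio
# --- tls.cfg (constructed example) -------------------------------------------
# What the quoted logs show:
#  * verify_certificate=no + require_certificate=no: the server never asks the
#    client for a certificate, so "client did not present a certificate" and
#    $tls_peer_subject stays empty.
#  * require_certificate=yes: the server demands AND verifies the chain
#    ("Client MUST present valid certificate"); with ca_list='(null)' there is
#    nothing to verify against, hence "certificate verify failed".
# To have the device offer its certificate and still complete the handshake,
# the issuer of the factory certificate has to be trusted via ca_list.
[server:default]
method = TLSv1.2+
certificate = /etc/kamailio/tls-certs/cert.pem
private_key = /etc/kamailio/tls-certs/privkey.pem
# CA bundle of the phone vendor's factory certificates (placeholder path)
ca_list = /etc/kamailio/tls-certs/device-ca.pem
# Request the certificate; a client without one is still accepted, but a
# certificate that is presented must chain to ca_list.
verify_certificate = yes
require_certificate = no
# Assumption, not verified here: newer tls module versions document a
# "verify_client = optional_no_ca" option that requests the certificate
# without validating it. Check the module README for the version in use.

# --- kamailio.cfg: routing block, called where the original snippet sat ------
route[TLS_PEER_DUMP] {
    if (proto != TLS) return;
    # The peer pseudo-variables evaluate to $null when no certificate was
    # received; testing for that avoids the get_cert() error in the logs.
    if ($tls_peer_subject == $null) {
        xlog("L_INFO", "TLSDUMP $ci no client cert ($tls_version $tls_cipher_info)\n");
        return;
    }
    # CN is logged separately because on these devices it carries the MAC.
    xlog("L_INFO", "TLSDUMP $ci cn: $tls_peer_subject_cn subject: $tls_peer_subject issuer: $tls_peer_issuer serial: $tls_peer_serial verified: $tls_peer_verified\n");
}
```

Call the block with route(TLS_PEER_DUMP) at the point where the original if (proto == TLS) check was.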
<br class=""></div></body></html>