<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Daniel<div class=""><br class=""></div><div class="">Ah, that’s the bit I misunderstood. I thought that require_certificate would trigger mutual auth / mTLS rather than enforcing its presence.</div><div class=""><br class=""></div><div class="">No sign of a setting on the Yealink to send its certificate. Will go unpack a Cisco and see what that offers.</div><div class=""><br class=""></div><div class="">Thanks</div><div class="">Mark</div><div class=""><br class=""></div><div class=""><div><blockquote type="cite" class=""><div class="">On 3 Jul 2020, at 09:09, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" class="">miconda@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div class=""><p class="">Hello,</p><p class="">the client has to be configured to present a certificate, and it
doesn't do it based on kamailio log message:</p><p class="">INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client
did not present a certificate</p><p class="">Check the phone config to see if you can set such option.
Kamailio can just see if a certificate is sent and if not reject
the connection, if you have require_certificate = yes in the
server profile of tls.cfg</p><p class="">You can eventually test with 'openssl s_client ...' to see
details of client side certs in kamailio -- iirc, it has the
options to specify client side certificate with -cert ... -key ...<br class="">
</p><p class="">Cheers,<br class="">
Daniel<br class="">
</p>
<div class="moz-cite-prefix">On 03.07.20 09:52, Mark Boyce wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:D9767AFF-6B96-4E40-B288-089DCB94208A@darkorigins.com" class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
Hi Daniel
<div class=""><br class="">
</div>
<div class="">I’m testing with a Yealink T57W. It comes with a
factory install certificate which will probably fail validation
as the common name is the MAC. <br class="">
<div class=""><br class="">
</div>
<div class="">I'm not trying validate the client device’s certificate
just get it to offer what it has so I can check the details.</div>
<div class=""><br class="">
</div>
<div class="">Thanks</div>
<div class="">Mark</div>
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 3 Jul 2020, at 08:38, Daniel-Constantin
Mierla <<a href="mailto:miconda@gmail.com" class="" moz-do-not-send="true">miconda@gmail.com</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div class=""><p class="">Hello,</p><p class="">what is the SIP client app you used? Is it
configured to use its own tls certificate when
connecting to the SIP server?</p><p class="">Cheers,<br class="">
Daniel<br class="">
</p>
<div class="moz-cite-prefix">On 02.07.20 18:51, Mark
Boyce wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:C53EF2BF-A770-4FA1-8B63-FB7B34CA40E7@darkorigins.com" class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
Hi all
<div class=""><br class="">
</div>
<div class="">Been trying to grab the TLS cert details
from incoming connections, but failing :-(</div>
<div class=""><br class="">
</div>
<div class="">So with lines just before AUTH is called
like this;</div>
<div class=""><br class="">
</div>
<div class="">
<div class=""> if (proto == TLS) {</div>
<div class=""> xlog("L_INFO", "TLSDUMP $ci
peer_subject : $tls_peer_subject\n");</div>
</div>
<div class=""><br class="">
</div>
<div class="">Gets met with a log line line this;</div>
<div class=""><br class="">
</div>
<div class="">INFO: tls [tls_server.c:431]:
tls_accept(): tls_accept: new connection from
1.2.3.4:11797 using TLSv1.2
ECDHE-RSA-AES256-GCM-SHA384 256</div>
<div class="">INFO: tls [tls_server.c:434]:
tls_accept(): tls_accept: local socket: 5.6.7.8:5061</div>
<div class="">INFO: tls [tls_server.c:445]:
tls_accept(): tls_accept: client did not present a
certificate</div>
<div class="">...</div>
<div class="">INFO: tls [tls_select.c:168]:
get_cert(): Unable to retrieve peer TLS certificate
from SSL structure</div>
<div class=""><br class="">
</div>
<div class="">This is with verify_certificate and
require_certificate set to no in tls.cfg</div>
<div class=""><br class="">
</div>
<div class="">If I try and set the following in
tls.cfg</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">[server:default]</div>
<div class="">method = TLSv1.2+</div>
<div class="">verify_certificate = no</div>
<div class="">require_certificate = yes</div>
<div class=""><br class="">
</div>
<div class="">I see in the logs;</div>
<div class=""><br class="">
</div>
<div class="">
<div class="">INFO: tls [tls_domain.c:303]:
ksr_tls_fill_missing(): TLSs<default>:
tls_method=22</div>
<div class="">INFO: tls [tls_domain.c:315]:
ksr_tls_fill_missing(): TLSs<default>:
certificate='/etc/kamailio/tls-certs/cert.pem'</div>
<div class="">INFO: tls [tls_domain.c:322]:
ksr_tls_fill_missing(): TLSs<default>:
ca_list='(null)'</div>
<div class="">INFO: tls [tls_domain.c:329]:
ksr_tls_fill_missing(): TLSs<default>:
crl='(null)'</div>
<div class="">INFO: tls [tls_domain.c:333]:
ksr_tls_fill_missing(): TLSs<default>: <b class="">require_certificate=1</b></div>
<div class="">INFO: tls [tls_domain.c:340]:
ksr_tls_fill_missing(): TLSs<default>:
cipher_list='(null)'</div>
<div class="">INFO: tls [tls_domain.c:347]:
ksr_tls_fill_missing(): TLSs<default>:
private_key='/etc/kamailio/tls-certs/privkey.pem'</div>
<div class="">INFO: tls [tls_domain.c:351]:
ksr_tls_fill_missing(): TLSs<default>: <b class="">verify_certificate=0</b></div>
<div class="">INFO: tls [tls_domain.c:354]:
ksr_tls_fill_missing(): TLSs<default>:
verify_depth=9</div>
<div class="">NOTICE: tls [tls_domain.c:1095]:
ksr_tls_fix_domain(): registered server_name
callback handler for socket [:0],
server_name='<default>' ...</div>
<div class="">INFO: tls [tls_domain.c:692]:
set_verification(): TLSs<default>:<b class=""> Client MUST present valid
certificate</b></div>
<div class="">INFO: tls [tls_domain.c:303]:
ksr_tls_fill_missing(): TLSc<default>:
tls_method=20</div>
<div class="">INFO: tls [tls_domain.c:315]:
ksr_tls_fill_missing(): TLSc<default>:
certificate='(null)'</div>
<div class="">INFO: tls [tls_domain.c:322]:
ksr_tls_fill_missing(): TLSc<default>:
ca_list='(null)'</div>
<div class="">INFO: tls [tls_domain.c:329]:
ksr_tls_fill_missing(): TLSc<default>:
crl='(null)'</div>
<div class="">INFO: tls [tls_domain.c:333]:
ksr_tls_fill_missing(): TLSc<default>: <b class="">require_certificate=1</b></div>
<div class="">INFO: tls [tls_domain.c:340]:
ksr_tls_fill_missing(): TLSc<default>:
cipher_list='(null)'</div>
<div class="">INFO: tls [tls_domain.c:347]:
ksr_tls_fill_missing(): TLSc<default>:
private_key='(null)'</div>
<div class="">INFO: tls [tls_domain.c:351]:
ksr_tls_fill_missing(): TLSc<default>: <b class="">verify_certificate=1</b></div>
<div class="">INFO: tls [tls_domain.c:354]:
ksr_tls_fill_missing(): TLSc<default>:
verify_depth=9</div>
<div class="">INFO: tls [tls_domain.c:692]:
set_verification(): TLSc<default>: <b class="">Server MUST present valid certificate</b></div>
<div class="">...</div>
<div class="">ERROR: tls [tls_util.h:42]:
tls_err_ret(): TLS accept:error:1417C086:SSL
routines:tls_process_client_certificate:certificate
verify failed</div>
</div>
<div class=""><br class="">
</div>
<div class="">Which looks like verification is being
enabled when I add require?</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Would someone be kind enough to point
out what I am missing please? (Assuming it’s not a
bug :-)</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
</div></blockquote></div></div></blockquote></div></div></blockquote></div></div></blockquote></div><br class=""></div></body></html>