<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p>Hello,</p>
    <p>the client has to be configured to present a certificate, and it
      doesn't do it, based on the kamailio log message:</p>
    <p>INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client
      did not present a certificate</p>
    <p>Check the phone config to see if you can set such an option.
      Kamailio can just see if a certificate is sent and, if not, reject
      the connection, if you have require_certificate = yes in the
      server profile of tls.cfg.</p>
    <p>You can eventually test with 'openssl s_client ...' to see the
      details of client-side certs in kamailio -- iirc, it has the
      options to specify a client-side certificate with -cert ... -key ...<br>
    </p>
    <p>Cheers,<br>
      Daniel<br>
    </p>
    <div class="moz-cite-prefix">On 03.07.20 09:52, Mark Boyce wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:D9767AFF-6B96-4E40-B288-089DCB94208A@darkorigins.com">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      Hi Daniel
      <div class=""><br class="">
      </div>
      <div class="">I’m testing with a Yealink T57W. It comes with a
        factory install certificate which will probably fail validation
        as the common name is the MAC.  <br class="">
        <div><br class="">
        </div>
        <div>I'm not trying to validate the client device’s certificate,
          just get it to offer what it has so I can check the details.</div>
        <div><br class="">
        </div>
        <div>Thanks</div>
        <div>Mark</div>
        <div><br class="">
          <blockquote type="cite" class="">
            <div class="">On 3 Jul 2020, at 08:38, Daniel-Constantin
              Mierla <<a href="mailto:miconda@gmail.com" class=""
                moz-do-not-send="true">miconda@gmail.com</a>> wrote:</div>
            <br class="Apple-interchange-newline">
            <div class="">
              <meta http-equiv="Content-Type" content="text/html;
                charset=UTF-8" class="">
              <div class="">
                <p class="">Hello,</p>
                <p class="">what is the SIP client app you used? Is it
                  configured to use its own tls certificate when
                  connecting to the SIP server?</p>
                <p class="">Cheers,<br class="">
                  Daniel<br class="">
                </p>
                <div class="moz-cite-prefix">On 02.07.20 18:51, Mark
                  Boyce wrote:<br class="">
                </div>
                <blockquote type="cite"
                  cite="mid:C53EF2BF-A770-4FA1-8B63-FB7B34CA40E7@darkorigins.com"
                  class="">
                  <meta http-equiv="Content-Type" content="text/html;
                    charset=UTF-8" class="">
                  Hi all
                  <div class=""><br class="">
                  </div>
                  <div class="">Been trying to grab the TLS cert details
                    from incoming connections, but failing :-(</div>
                  <div class=""><br class="">
                  </div>
                  <div class="">So with lines just before AUTH is called
                    like this;</div>
                  <div class=""><br class="">
                  </div>
                  <div class="">
                    <div class="">        if (proto == TLS) {</div>
                    <div class="">        xlog("L_INFO", "TLSDUMP $ci
                       peer_subject        : $tls_peer_subject\n");</div>
                  </div>
                  <div class=""><br class="">
                  </div>
                  <div class="">Gets met with a log line line this;</div>
                  <div class=""><br class="">
                  </div>
                  <div class="">INFO: tls [tls_server.c:431]:
                    tls_accept(): tls_accept: new connection from
                    1.2.3.4:11797 using TLSv1.2
                    ECDHE-RSA-AES256-GCM-SHA384 256</div>
                  <div class="">INFO: tls [tls_server.c:434]:
                    tls_accept(): tls_accept: local socket: 5.6.7.8:5061</div>
                  <div class="">INFO: tls [tls_server.c:445]:
                    tls_accept(): tls_accept: client did not present a
                    certificate</div>
                  <div class="">...</div>
                  <div class="">INFO: tls [tls_select.c:168]:
                    get_cert(): Unable to retrieve peer TLS certificate
                    from SSL structure</div>
                  <div class=""><br class="">
                  </div>
                  <div class="">This is with verify_certificate and
                    require_certificate set to no in tls.cfg</div>
                  <div class=""><br class="">
                  </div>
                  <div class="">If I try and set the following in
                    tls.cfg</div>
                  <div class=""><br class="">
                  </div>
                  <div class="">
                    <div class="">[server:default]</div>
                    <div class="">method = TLSv1.2+</div>
                    <div class="">verify_certificate = no</div>
                    <div class="">require_certificate = yes</div>
                    <div class=""><br class="">
                    </div>
                    <div class="">I see in the logs;</div>
                    <div class=""><br class="">
                    </div>
                    <div class="">
                      <div class="">INFO: tls [tls_domain.c:303]:
                        ksr_tls_fill_missing(): TLSs<default>:
                        tls_method=22</div>
                      <div class="">INFO: tls [tls_domain.c:315]:
                        ksr_tls_fill_missing(): TLSs<default>:
                        certificate='/etc/kamailio/tls-certs/cert.pem'</div>
                      <div class="">INFO: tls [tls_domain.c:322]:
                        ksr_tls_fill_missing(): TLSs<default>:
                        ca_list='(null)'</div>
                      <div class="">INFO: tls [tls_domain.c:329]:
                        ksr_tls_fill_missing(): TLSs<default>:
                        crl='(null)'</div>
                      <div class="">INFO: tls [tls_domain.c:333]:
                        ksr_tls_fill_missing(): TLSs<default>: <b
                          class="">require_certificate=1</b></div>
                      <div class="">INFO: tls [tls_domain.c:340]:
                        ksr_tls_fill_missing(): TLSs<default>:
                        cipher_list='(null)'</div>
                      <div class="">INFO: tls [tls_domain.c:347]:
                        ksr_tls_fill_missing(): TLSs<default>:
                        private_key='/etc/kamailio/tls-certs/privkey.pem'</div>
                      <div class="">INFO: tls [tls_domain.c:351]:
                        ksr_tls_fill_missing(): TLSs<default>: <b
                          class="">verify_certificate=0</b></div>
                      <div class="">INFO: tls [tls_domain.c:354]:
                        ksr_tls_fill_missing(): TLSs<default>:
                        verify_depth=9</div>
                      <div class="">NOTICE: tls [tls_domain.c:1095]:
                        ksr_tls_fix_domain(): registered server_name
                        callback handler for socket [:0],
                        server_name='<default>' ...</div>
                      <div class="">INFO: tls [tls_domain.c:692]:
                        set_verification(): TLSs<default>:<b
                          class=""> Client MUST present valid
                          certificate</b></div>
                      <div class="">INFO: tls [tls_domain.c:303]:
                        ksr_tls_fill_missing(): TLSc<default>:
                        tls_method=20</div>
                      <div class="">INFO: tls [tls_domain.c:315]:
                        ksr_tls_fill_missing(): TLSc<default>:
                        certificate='(null)'</div>
                      <div class="">INFO: tls [tls_domain.c:322]:
                        ksr_tls_fill_missing(): TLSc<default>:
                        ca_list='(null)'</div>
                      <div class="">INFO: tls [tls_domain.c:329]:
                        ksr_tls_fill_missing(): TLSc<default>:
                        crl='(null)'</div>
                      <div class="">INFO: tls [tls_domain.c:333]:
                        ksr_tls_fill_missing(): TLSc<default>: <b
                          class="">require_certificate=1</b></div>
                      <div class="">INFO: tls [tls_domain.c:340]:
                        ksr_tls_fill_missing(): TLSc<default>:
                        cipher_list='(null)'</div>
                      <div class="">INFO: tls [tls_domain.c:347]:
                        ksr_tls_fill_missing(): TLSc<default>:
                        private_key='(null)'</div>
                      <div class="">INFO: tls [tls_domain.c:351]:
                        ksr_tls_fill_missing(): TLSc<default>: <b
                          class="">verify_certificate=1</b></div>
                      <div class="">INFO: tls [tls_domain.c:354]:
                        ksr_tls_fill_missing(): TLSc<default>:
                        verify_depth=9</div>
                      <div class="">INFO: tls [tls_domain.c:692]:
                        set_verification(): TLSc<default>: <b
                          class="">Server MUST present valid certificate</b></div>
                      <div class="">...</div>
                      <div class="">ERROR: tls [tls_util.h:42]:
                        tls_err_ret(): TLS accept:error:1417C086:SSL
                        routines:tls_process_client_certificate:certificate
                        verify failed</div>
                    </div>
                    <div class=""><br class="">
                    </div>
                    <div class="">Which looks like verification is being
                      enabled when I add require?</div>
                    <div class=""><br class="">
                    </div>
                    <div class=""><br class="">
                    </div>
                    <div class=""><br class="">
                    </div>
                    <div class="">Would someone be kind enough to point
                      out what I am missing please? (Assuming it’s not a
                      bug :-)</div>
                    <div class=""><br class="">
                    </div>
                    <div class=""><br class="">
                    </div>
                    <div class=""> Thanks<br class="">
                      Mark<br class="">
                      -- <br class="">
                      Mark Boyce<br class="">
                      Dark Origins Ltd</div>
                  </div>
                  <br class="">
                  <fieldset class="mimeAttachmentHeader"></fieldset>
                  <pre class="moz-quote-pre" wrap="">_______________________________________________
Kamailio (SER) - Users Mailing List
<a class="moz-txt-link-abbreviated" href="mailto:sr-users@lists.kamailio.org" moz-do-not-send="true">sr-users@lists.kamailio.org</a>
<a class="moz-txt-link-freetext" href="https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users" moz-do-not-send="true">https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users</a>
</pre>
                </blockquote>
                <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com/" moz-do-not-send="true">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda" moz-do-not-send="true">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda" moz-do-not-send="true">www.linkedin.com/in/miconda</a>
Funding: <a class="moz-txt-link-freetext" href="https://www.paypal.me/dcmierla" moz-do-not-send="true">https://www.paypal.me/dcmierla</a></pre>
              </div>
            </div>
          </blockquote>
        </div>
        <br class="">
        <div class="">
          <div style="color: rgb(0, 0, 0); letter-spacing: normal;
            text-align: start; text-indent: 0px; text-transform: none;
            white-space: normal; word-spacing: 0px;
            -webkit-text-stroke-width: 0px; word-wrap: break-word;
            -webkit-nbsp-mode: space; line-break: after-white-space;"
            class="">
            <div class="">
              <div style="orphans: 2; widows: 2;" class="">Mark</div>
              <div style="orphans: 2; widows: 2;" class="">-- </div>
              <div style="orphans: 2; widows: 2;" class="">Mark Boyce</div>
              <div style="orphans: 2; widows: 2;" class="">Dark Origins
                Ltd</div>
              <div style="orphans: 2; widows: 2;" class="">e: <a
                  href="mailto:mark@darkorigins.com" class=""
                  moz-do-not-send="true">mark@darkorigins.com</a></div>
              <div style="orphans: 2; widows: 2;" class="">t: 0345 0043
                043</div>
              <div style="orphans: 2; widows: 2;" class="">f: 0345 0043
                044</div>
            </div>
          </div>
        </div>
        <br class="">
      </div>
    </blockquote>
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Funding: <a class="moz-txt-link-freetext" href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a></pre>
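<p>Added example, not part of the thread or of Kamailio itself: a small Python parser over the tls-module log lines quoted above (sample lines constructed to match their format, addresses made up) that reports, per accepted connection, whether the client offered a certificate, so the devices that still need their client-certificate setting fixed can be listed before switching require_certificate = yes. It assumes a "did not present" or "certificate verify failed" line refers to the most recent "new connection" line, which is how the excerpt reads.</p>

```python
import re

# Added example (not from the thread): summarise Kamailio tls-module log lines
# per accepted connection, to see which peers never offer a client certificate
# before switching require_certificate = yes in tls.cfg.
NEW_CONN = re.compile(r"tls_accept: new connection from (?P<peer>[\d.]+:\d+) "
                      r"using (?P<ver>\S+) (?P<cipher>\S+)")
NO_CERT = re.compile(r"tls_accept: client did not present a certificate")
VERIFY_FAIL = re.compile(r"TLS accept:.*certificate verify failed")

# Constructed sample modelled on the messages quoted in the thread; addresses
# are made up. Assumption: a "did not present" or "verify failed" line refers
# to the most recent "new connection" line, as in the thread's excerpt.
SAMPLE_LOG = """\
INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 1.2.3.4:11797 using TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256
INFO: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 5.6.7.8:5061
INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate
INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 10.0.0.7:50123 using TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 128
INFO: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 5.6.7.8:5061
INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 1.2.3.4:11801 using TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256
ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
"""

def parse_tls_log(text):
    """One dict per accepted connection with peer, version, cipher and status:
    'no-cert' (nothing offered), 'verify-failed' (offered but not validated,
    e.g. no ca_list for the issuer) or 'cert-offered' (nothing negative logged)."""
    conns = []
    for line in text.splitlines():
        m = NEW_CONN.search(line)
        if m:
            conns.append({"peer": m["peer"], "version": m["ver"],
                          "cipher": m["cipher"], "status": "cert-offered"})
        elif conns and NO_CERT.search(line):
            conns[-1]["status"] = "no-cert"
        elif conns and VERIFY_FAIL.search(line):
            conns[-1]["status"] = "verify-failed"
    return conns

def peers_by_status(conns):
    """Map status -> sorted distinct peer IPs (port stripped)."""
    out = {}
    for c in conns:
        out.setdefault(c["status"], set()).add(c["peer"].rsplit(":", 1)[0])
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    for c in parse_tls_log(SAMPLE_LOG):
        print(c)
    print(peers_by_status(parse_tls_log(SAMPLE_LOG)))
```

Feed it the real kamailio log (with the tls module at its default INFO level) instead of SAMPLE_LOG to get the same report for your own phones.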
  </body>
</html>