<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
<p>Hello,<br>
</p>
<div class="moz-cite-prefix">On 20.11.20 11:13, George Goglidze
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CWXP123MB378268E43C806175FD12110DE2FF0@CWXP123MB3782.GBRP123.PROD.OUTLOOK.COM">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Andale Mono";
panose-1:2 11 5 9 0 0 0 0 0 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
p.p1, li.p1, div.p1
{mso-style-name:p1;
margin:0cm;
background:black;
font-size:9.0pt;
font-family:"Andale Mono";
color:#2FB41D;}
p.p2, li.p2, div.p2
{mso-style-name:p2;
margin:0cm;
background:black;
font-size:9.0pt;
font-family:"Andale Mono";
color:#2FFF12;}
span.s1
{mso-style-name:s1;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}</style>
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Hi Folks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I was
wondering if somebody could help me with an issue. I’m a
newbie here, just installing Kamailio sip server.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I’ve enabled
TLS, and am trying create a SIP Trunk to external SIP
Service which is TLS enabled port 5061.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I’ve
configured the following in tls.cfg:<o:p></o:p></span></p>
<p class="p1"><span class="s1">[server:default]</span><o:p></o:p></p>
<p class="p2"><span class="s1">method = TLSv1.2+</span><o:p></o:p></p>
<p class="p2"><span class="s1">verify_certificate = yes</span><o:p></o:p></p>
<p class="p2"><span class="s1">require_certificate = yes</span><o:p></o:p></p>
<p class="p2"><span class="s1">private_key =
/etc/kamailio/certs/sbc-private.pem</span><o:p></o:p></p>
<p class="p2"><span class="s1">certificate =
/etc/kamailio/certs/godaddy.pem</span><o:p></o:p></p>
<p class="p2"><span class="s1">ca_list =
/etc/kamailio/certs/calist.pem</span><span
class="apple-converted-space"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">In the
section above – ca_list = calist.pem contains all the CA’s
and Subordinates of the destination server.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Private_key
and certificate are of my own server (public godaddy<span
style="color:#70AD47">
</span>signed) <span style="color:#70AD47"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="p1"><span class="s1">[client:default]</span><o:p></o:p></p>
<p class="p2"><span class="s1">method = TLSv1.2+</span><o:p></o:p></p>
<p class="p2"><span class="s1">verify_certificate = yes</span><o:p></o:p></p>
<p class="p2"><span class="s1">require_certificate = yes</span><o:p></o:p></p>
<p class="p2"><span class="s1">private_key =
/etc/kamailio/certs/sbc-private.pem</span><o:p></o:p></p>
<p class="p2"><span class="s1">certificate =
/etc/kamailio/certs/godaddy.pem</span><o:p></o:p></p>
<p class="p2"><span class="s1">ca_list =
/etc/kamailio/certs/godaddyca.pem</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">In the
section above the ca_list is godaddy’s ca and subordinate.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">In the
wireshark I can see that I’m sending out SIP OPTIONS PING
(I’m using dispatcher module).
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Then the
server replies with tls SERVER HELLO which includes it’s
certificate<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">But for some
reason we are rejecting it:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Alert
(level: fatal, Description: Unknown CA)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">How should I
set this up to make sure the remote server CA’s are
verified?
</span></p>
</div>
</blockquote>
<p><br>
</p>
<p>I am not sure I understand what you want to do -- to verify that
the list of CAs trusted by the remote server? This is not
possible, what is trusted by the server is its own business. An
entity can verify only of the presented certificate by a peer is
signed by a trusted CA from its CAs trusted list.</p>
<p>Cheers,<br>
Daniel<br>
</p>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Funding: <a class="moz-txt-link-freetext" href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a></pre>
</body>
</html>