<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Andale Mono";
panose-1:2 11 5 9 0 0 0 0 0 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0cm;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;
mso-fareast-language:EN-US;}
p.p1, li.p1, div.p1
{mso-style-name:p1;
margin:0cm;
background:black;
font-size:9.0pt;
font-family:"Andale Mono";
color:#2FB41D;}
p.p2, li.p2, div.p2
{mso-style-name:p2;
margin:0cm;
background:black;
font-size:9.0pt;
font-family:"Andale Mono";
color:#2FFF12;}
span.s1
{mso-style-name:s1;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle26
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-GB" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">It does. It has a combination of all of them. Over 50 CA’s pem files combined.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="color:black">From:
</span></b><span style="color:black">Daniel-Constantin Mierla <miconda@gmail.com><br>
<b>Date: </b>Friday, 20 November 2020 at 15:48<br>
<b>To: </b>George Goglidze <george@ipcorp.co.uk>, Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org><br>
<b>Subject: </b>Re: [SR-Users] Issue with ca-list</span><span style="color:black;mso-fareast-language:EN-GB"><o:p></o:p></span></p>
</div>
<p>Hello,<o:p></o:p></p>
<p>does the client section ca_list file has the CA of the remote server?<o:p></o:p></p>
<p>Cheers,<br>
Daniel<o:p></o:p></p>
<div>
<p class="MsoNormal">On 20.11.20 15:56, George Goglidze wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt">Hi Daniel,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">No – you misunderstood me. </span>
<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">It’s not the remote server that is not trusting us but we are not trusting the remote server.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">My SBC (Kamailio) is sending out TLS error unknown CA.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks, </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="color:black">From:
</span></b><span style="color:black">Daniel-Constantin Mierla <a href="mailto:miconda@gmail.com">
<miconda@gmail.com></a><br>
<b>Date: </b>Friday, 20 November 2020 at 14:48<br>
<b>To: </b>Kamailio (SER) - Users Mailing List <a href="mailto:sr-users@lists.kamailio.org">
<sr-users@lists.kamailio.org></a>, George Goglidze <a href="mailto:george@ipcorp.co.uk">
<george@ipcorp.co.uk></a><br>
<b>Subject: </b>Re: [SR-Users] Issue with ca-list</span><o:p></o:p></p>
</div>
<p>Hello,<o:p></o:p></p>
<div>
<p class="MsoNormal">On 20.11.20 11:13, George Goglidze wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-size:11.0pt">Hi Folks,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I was wondering if somebody could help me with an issue. I’m a newbie here, just installing Kamailio sip server.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I’ve enabled TLS, and am trying create a SIP Trunk to external SIP Service which is TLS enabled port 5061.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">I’ve configured the following in tls.cfg:</span><o:p></o:p></p>
<p class="p1"><span class="s1">[server:default]</span><o:p></o:p></p>
<p class="p2"><span class="s1">method = TLSv1.2+</span><o:p></o:p></p>
<p class="p2"><span class="s1">verify_certificate = yes</span><o:p></o:p></p>
<p class="p2"><span class="s1">require_certificate = yes</span><o:p></o:p></p>
<p class="p2"><span class="s1">private_key = /etc/kamailio/certs/sbc-private.pem</span><o:p></o:p></p>
<p class="p2"><span class="s1">certificate = /etc/kamailio/certs/godaddy.pem</span><o:p></o:p></p>
<p class="p2"><span class="s1">ca_list = /etc/kamailio/certs/calist.pem</span><span class="apple-converted-space"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">In the section above – ca_list = calist.pem contains all the CA’s and Subordinates of the destination server.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Private_key and certificate are of my own server (public godaddy<span style="color:#70AD47">
</span>signed) </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="p1"><span class="s1">[client:default]</span><o:p></o:p></p>
<p class="p2"><span class="s1">method = TLSv1.2+</span><o:p></o:p></p>
<p class="p2"><span class="s1">verify_certificate = yes</span><o:p></o:p></p>
<p class="p2"><span class="s1">require_certificate = yes</span><o:p></o:p></p>
<p class="p2"><span class="s1">private_key = /etc/kamailio/certs/sbc-private.pem</span><o:p></o:p></p>
<p class="p2"><span class="s1">certificate = /etc/kamailio/certs/godaddy.pem</span><o:p></o:p></p>
<p class="p2"><span class="s1">ca_list = /etc/kamailio/certs/godaddyca.pem</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">In the section above the ca_list is godaddy’s ca and subordinate.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">In the wireshark I can see that I’m sending out SIP OPTIONS PING (I’m using dispatcher module).
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Then the server replies with tls SERVER HELLO which includes it’s certificate</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">But for some reason we are rejecting it:</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Alert (level: fatal, Description: Unknown CA)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">How should I set this up to make sure the remote server CA’s are verified?
</span><o:p></o:p></p>
</blockquote>
<p> <o:p></o:p></p>
<p>I am not sure I understand what you want to do -- to verify that the list of CAs trusted by the remote server? This is not possible, what is trusted by the server is its own business. An entity can verify only of the presented certificate by a peer is signed
by a trusted CA from its CAs trusted list.<o:p></o:p></p>
<p>Cheers,<br>
Daniel<o:p></o:p></p>
<pre>-- <o:p></o:p></pre>
<pre>Daniel-Constantin Mierla -- <a href="http://www.asipto.com">www.asipto.com</a><o:p></o:p></pre>
<pre><a href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a><o:p></o:p></pre>
<pre>Funding: <a href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a><o:p></o:p></pre>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-GB">--></span><o:p></o:p></p>
</blockquote>
<pre>-- <o:p></o:p></pre>
<pre>Daniel-Constantin Mierla -- <a href="http://www.asipto.com">www.asipto.com</a><o:p></o:p></pre>
<pre><a href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a><o:p></o:p></pre>
<pre>Funding: <a href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a><o:p></o:p></pre>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-GB">--><o:p></o:p></span></p>
</div>
</body>
</html>