<div><font color="#550055">You are correct, so just for trial purposes, if I want the TLS handshake to be successful, what credentials should I use for the client? i.e. can I do something like:</font></div>
<div><font color="#550055"></font> </div>
<div><font color="#550055">openssl s_client <font color="#550055">-cert user-cert.pem -key user-privkey.pem -state -connect <a href="http://10.30.00.41:5061">10.30.00.41:5061</a></font></font></div>
<div> </div>
<div>On doing this it comes back with an error saying "Verify Return Code: 21 (Unable to verify the first certificate)". Should I be using new certificates, or can I achieve a successful handshake with the same set of certificates?
</div>
<div> </div>
<div>Thanks a lot..</div>
<div>Ncheeku<br> </div>
<div><span class="gmail_quote">On 12/29/06, <b class="gmail_sendername">Steffen Witt</b> <<a href="mailto:witt.steffen@googlemail.com">witt.steffen@googlemail.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hello,<br><br>openssl can play client and/or server role.<br><br><br>Best regards,<br>Steffen<br><br><br>2006/12/29, Ncheeku Baranov <
<a href="mailto:opensersubscribe@gmail.com">opensersubscribe@gmail.com</a>>:<br>> Thanks Steffen. Is there any freely available TLS client which can be used<br>> to check these settings and the handshake? That will be really helpful..
<br>><br>> Best regards,<br>> NCheeku<br>><br>><br>><br>> On 12/28/06, Steffen Witt <<a href="mailto:witt.steffen@googlemail.com">witt.steffen@googlemail.com</a>> wrote:<br>> > Hello Ncheeku,
<br>> ><br>> > change to the directory with your ".pem" files:<br>> /usr/local/etc/openser/tls/user<br>> ><br>> ><br>> > Then you can test your TLS handshake with the following command:
<br>> ><br>> > openssl s_server -cert user-cert.pem -key user-privkey.pem -state -accept<br>> 5061<br>> ><br>> > Openssl simulates a TLS server with your certificate/private key files<br>> > and it accepts only requests at port 5061.
<br>> ><br>> ><br>> > Best regards,<br>> > Steffen<br>> ><br>> ><br>> ><br>> > 2006/12/28, Ncheeku Baranov <<a href="mailto:opensersubscribe@gmail.com">opensersubscribe@gmail.com
</a>>:<br>> > > Thanks a lot Steffen. Adding the new listen = udp: <a href="http://10.30.100.41:5060">10.30.100.41:5060</a><br>> indeed<br>> > > worked. How can I check the TLS handshake using openssl at the server?
<br>> > > Thanks a lot..<br>> > ><br>> > ><br>> > ><br>> > > On 12/28/06, Steffen Witt < <a href="mailto:witt.steffen@googlemail.com">witt.steffen@googlemail.com</a>> wrote:
<br>> > > > Hello again,<br>> > > ><br>> > > > maybe you should add the following line to test your non-TLS UAs:<br>> > > ><br>> > > > disable_tls = 0<br>> > > > listen = udp:
<a href="http://10.30.100.41:5060">10.30.100.41:5060</a> <---<br>> > > > listen = tls:<a href="http://10.30.100.41:5061">10.30.100.41:5061</a><br>> > > ><br>> > > ><br>> > > > You can check your TLS handshake by simulating your server with
<br>> openssl.<br>> > > ><br>> > > ><br>> > > > Please have a look at the following link that describes the TLS<br>> support:<br>> > > ><br>> > > > <a href="http://www.openser.org/docs/tls.html">
http://www.openser.org/docs/tls.html</a><br>> > > ><br>> > > ><br>> > > > Best regards,<br>> > > > Steffen<br>> > > ><br>> > > ><br>> > > >
<br>> > > ><br>> > > > 2006/12/28, Ncheeku Baranov < <a href="mailto:opensersubscribe@gmail.com">opensersubscribe@gmail.com</a>>:<br>> > > > > Hi,<br>> > > > ><br>
> > > > > I am trying to make my non-TLS/TLS UA register with my TLS enabled<br>> > > openSER.<br>> > > > > Currently I am just working on my local machine with the client UAs<br>> on
<br>> > > the<br>> > > > > same subnet,(so there is only one domain, but its not named). Below<br>> is<br>> > > my<br>> > > > > configuration file:<br>> > > > >
<br>> > > > > disable_tls = 0<br>> > > > > listen = tls:<a href="http://10.30.100.41:5061">10.30.100.41:5061</a><br>> > > > > tls_verify_server = 1<br>> > > > > tls_verify_client = 0
<br>> > > > > tls_require_client_certificate = 0<br>> > > > > tls_method = TLSv1<br>> > > > > tls_certificate =<br>> > > "/usr/local/etc/openser/tls/user/user-<br>
> > > > > cert.pem"<br>> > > > > tls_private_key =<br>> > > "/usr/local/etc/openser/tls/user/user-<br>> > > > > privkey.pem"<br>> > > > > tls_ca_list =
<br>> > > > > "usr/local/etc/openser/tls/user/user-calist.pem"<br>> > > > ><br>> > > > > However, with the above configuration the client UAs could not<br>> register
<br>> > > and I<br>> > > > > got a 408 Request Timeout message. Is there any field that is missing<br>> to<br>> > > make<br>> > > > > this simple scenario work? What should be the values of
<br>> > > "tls_client_domain"<br>> > > > > and "tls_server_domain" fields in this case?<br>> > > > ><br>> > > > > I noticed that when I start the openSER without TLS support using
<br>> > > > > "openserctl start" and do "ps -e" after that, there are more openSER<br>> > > > > processes running than if I start openSER with TLS support in which<br>> case
<br>> > > I<br>> > > > > see very few of these processes running.<br>> > > > ><br>> > > > > Your help is much appreciated....<br>> > > > ><br>> > > > > Best regards,
<br>> > > > > NCheeku<br>> > > > ><br>> > > > > _______________________________________________<br>> > > > > Users mailing list<br>> > > > > <a href="mailto:Users@openser.org">
Users@openser.org</a><br>> > > > > <a href="http://openser.org/cgi-bin/mailman/listinfo/users">http://openser.org/cgi-bin/mailman/listinfo/users</a><br>> > > > ><br>> > > > ><br>
> > > > ><br>> > > ><br>> > ><br>> > ><br>> ><br>><br>><br></blockquote></div><br>
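Added here as an example, not part of the thread: a shell script that reproduces offline the verification failure behind Verify Return Code 21 and shows the two checks worth running on the OpenSER cert/key/CA file set before pointing s_client at the server. It assumes the openssl CLI is installed; the certificates are constructed in a temp dir and the file names mirror the quoted configuration.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unable to verify" failure
# behind Verify Return Code 21 offline and show the two checks worth running
# on an OpenSER TLS file set before starting s_client. All certificates are
# constructed here in a temp dir; the file names mirror the quoted config.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway CA (user-calist.pem) and a server cert it signs.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/user-calist.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=10.30.100.41" \
    -keyout "$WORK/user-privkey.pem" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/user.csr" -CA "$WORK/user-calist.pem" \
    -CAkey "$WORK/ca-key.pem" -CAcreateserial -out "$WORK/user-cert.pem" 2>/dev/null
  # An unrelated key, to show what a key/cert mismatch looks like.
  openssl genrsa -out "$WORK/other-key.pem" 2048 2>/dev/null
}

# verify_chain CERT [CAFILE]: returns 0 when CERT chains to a trusted CA.
# Without CAFILE only the default trust store is consulted, which is what
# s_client does when it is not given -CAfile, hence the verify error.
verify_chain() {
  if [ -n "$2" ]; then openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else openssl verify "$1" >/dev/null 2>&1; fi
}

# key_matches_cert KEY CERT: returns 0 when the RSA moduli are identical,
# i.e. the private key really belongs to the certificate OpenSER serves.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)" ]
}

make_demo_pki
for check in \
  "verify_chain $WORK/user-cert.pem" \
  "verify_chain $WORK/user-cert.pem $WORK/user-calist.pem" \
  "key_matches_cert $WORK/user-privkey.pem $WORK/user-cert.pem" \
  "key_matches_cert $WORK/other-key.pem $WORK/user-cert.pem"; do
  if $check; then echo "ok:   $check"; else echo "FAIL: $check"; fi
done
```

Against the real files, pass the configured CA list as the second argument to verify_chain, and give s_client the same file via -CAfile so it can report verify return code 0. Note that the quoted tls_ca_list value has no leading slash, so it does not name /usr/local/etc/openser/tls/user/user-calist.pem.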