Hello ng,

I currently face an issue forwarding a call via TLS to a destination. The check with "openssl s_client -connect …" to the destination is successful and it returns a valid certificate.
However, if I forward the call via kamailio I see a TLS error:

Alert (Level: Fatal, Description: Unknown CA)

I’ve compiled the tls module with extra_defs="-DTLS_WR_DEBUG -DTLS_RD_DEBUG" (with 5.4.9 and 5.5.7) and can see:

Dec  7 10:46:40 mbo-debian-vm1 /usr/local/sbin/kamailio[170469]: DEBUG: TLS_TRACE: tls [tls_server.c:1141]: tls_h_read_f():  tls_h_read_f(0xffff898c8a88, 0xffffcc5fe320) tls write on read (WRITE_WANTS_READ): ct_wq_flush()=> 0 (ff=2 ssl_error=1))
Dec  7 10:46:40 mbo-debian-vm1 /usr/local/sbin/kamailio[170469]: DEBUG: TLS_TRACE: tls [tls_server.c:1268]: tls_h_read_f():  tls_h_read_f(0xffff898c8a88, 0xffffcc5fe320) tcpconn_send_unsafe 7 bytes
Dec  7 10:46:40 mbo-debian-vm1 /usr/local/sbin/kamailio[170469]: ERROR: tls [tls_server.c:1329]: tls_h_read_f(): protocol level error
Dec  7 10:46:40 mbo-debian-vm1 /usr/local/sbin/kamailio[170469]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS write:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

It looks like the error "Unknown CA" is a subsequent error, but the main problem occurs while reading from the TLS connection. I can currently also debug the issue in the tls module; is there anything I can check? Maybe the certificate chain is too long?

Thanks and regards

Markus
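A check that reproduces the failing step outside Kamailio, added here as an example and not part of the thread: it builds a constructed root -> intermediate -> leaf chain locally and then runs `openssl verify` the way the tls module verifies the peer against its ca_list, once with the full chain, once with the intermediate missing (the usual cause of "certificate verify failed" followed by the Unknown CA alert), and once with a verify_depth that is too small. File names and subject names are constructed; nothing is fetched from the network.

```shell
#!/bin/sh
# Constructed three-level chain, generated locally; not the certificates from the thread.
set -e
WORK=$(mktemp -d); cd "$WORK"
ECKEY="ec -pkeyopt ec_paramgen_curve:prime256v1"
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Root CA, self-signed with the CA flag (this is what belongs in the tls module's ca_list).
openssl req -new -newkey $ECKEY -nodes -subj "/CN=Constructed Root" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
  -out root.crt 2>/dev/null
# Intermediate CA signed by the root.
openssl req -new -newkey $ECKEY -nodes -subj "/CN=Constructed Intermediate" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out int.crt 2>/dev/null
# Leaf (SIP server) certificate signed by the intermediate.
openssl req -new -newkey $ECKEY -nodes -subj "/CN=sip.example.invalid" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 1 -out leaf.crt 2>/dev/null

# verify_leaf CAFILE [UNTRUSTED] [DEPTH]: prints OK, or FAIL plus openssl's reason.
# CAFILE plays the role of ca_list, UNTRUSTED the intermediates the peer sends in its
# Certificate message, DEPTH the tls module's verify_depth.
verify_leaf() {
  ca=$1; untrusted=$2; depth=$3
  set -- -CAfile "$ca"
  [ -n "$untrusted" ] && set -- "$@" -untrusted "$untrusted"
  [ -n "$depth" ] && set -- "$@" -verify_depth "$depth"
  if out=$(openssl verify "$@" leaf.crt 2>&1); then echo OK; else echo "FAIL: $out"; fi
}

# Peer sends leaf + intermediate, root is trusted: verifies.
full_chain() { verify_leaf root.crt int.crt; }
# Peer sends only the leaf, or ca_list holds only the root while the intermediate is
# missing: "unable to get local issuer certificate"; the client then sends Unknown CA.
no_intermediate() { verify_leaf root.crt; }
# Chain longer than the configured depth: "certificate chain too long".
depth_too_small() { verify_leaf root.crt int.crt 0; }

full_chain; no_intermediate; depth_too_small
```

Pointing CAFILE at the real ca_list file and UNTRUSTED at the intermediates dumped with `openssl s_client -showcerts` shows which of the three cases the peer actually hits.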