Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.
The TLS module seems to have some regression from 5.7.3 to 5.7.4 causing tls.reload to fail loading certificates.
On a fresh install of debian 12:
kamcmd tls.reloadExample tls.cfg
[server:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/dsiprouter/certs/dsiprouter-key.pem
certificate = /etc/dsiprouter/certs/dsiprouter-cert.pem
ca_list = /etc/dsiprouter/certs/ca-list.pem
ca_path = /etc/dsiprouter/certs/ca
[client:default]
method = TLSv1.2+
verify_certificate = yes
require_certificate = yes
private_key = /etc/dsiprouter/certs/dsiprouter-key.pem
certificate = /etc/dsiprouter/certs/dsiprouter-cert.pem
ca_list = /etc/dsiprouter/certs/ca-list.pem
ca_path = /etc/dsiprouter/certs/ca
Example tls cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7a:43:b8:fa:df:c9:ed:a7:d6:ab:bb:9a:89:c0:8e:95:fd:62:de:26
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = MI, L = Detroit, O = dSIPRouter, CN = ec2-34-224-90-100.compute-1.amazonaws.com
Validity
Not Before: Jan 30 15:28:11 2024 GMT
Not After : Jan 29 15:28:11 2025 GMT
Subject: C = US, ST = MI, L = Detroit, O = dSIPRouter, CN = ec2-34-224-90-100.compute-1.amazonaws.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
...
Example tls key:
Private-Key: (4096 bit, 2 primes)
modulus:
...
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:345]: ksr_tls_fill_missing(): TLSs<default>: tls_method=25
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:357]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/dsiprouter/certs/dsiprouter-cert.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:364]: ksr_tls_fill_missing(): TLSs<default>: ca_list='/etc/dsiprouter/certs/ca-list.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:371]: ksr_tls_fill_missing(): TLSs<default>: ca_path='/etc/dsiprouter/certs/ca'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:378]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:382]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=1
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:390]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:397]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/dsiprouter/certs/dsiprouter-key.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:401]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=1
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:406]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: INFO: tls [tls_domain.c:410]: ksr_tls_fill_missing(): TLSs<default>: verify_client=0
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: NOTICE: tls [tls_domain.c:1168]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>' ...
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: ERROR: tls [tls_domain.c:590]: load_cert(): TLSs<default>: Unable to load certificate file '/etc/dsiprouter/certs/dsiprouter-cert.pem'
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:03000072:digital envelope routines::decode error (sni: unknown)
Jan 31 14:46:16 ip-172-31-30-183 /usr/sbin/kamailio[3620]: ERROR: tls [tls_util.h:49]: tls_err_ret(): load_cert:error:0A00018F:SSL routines::ee key too small (sni: unknown)
N/A
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you are subscribed to this thread.