I have the following settings in tls.cfg and I'd like to verify the server certificate IF one is provided on outbound (client) connections, but this doesn't seem possible and set_verification spits out **Server MUST present valid certificate**. The default tls.cfg https://github.com/kamailio/kamailio/blob/master/modules/tls/tls.cfg#L41 seems to indicate that this is possible.
```
[client:default]
method = TLSv1+
verify_certificate = yes
require_certificate = no
private_key = /etc/kamailio/our.key.pem
certificate = /etc/kamailio/our.crt.pem
verify_depth = 2
ca_list = /etc/pki/tls/cert.pem
```
When starting Kamailio...
```
INFO: tls [tls_domain.c:278]: fill_missing(): TLSc<default>: tls_method=20
INFO: tls [tls_domain.c:290]: fill_missing(): TLSc<default>: certificate='/etc/kamailio/our.crt.pem'
INFO: tls [tls_domain.c:297]: fill_missing(): TLSc<default>: ca_list='/etc/pki/tls/cert.pem'
INFO: tls [tls_domain.c:304]: fill_missing(): TLSc<default>: crl='(null)'
INFO: tls [tls_domain.c:308]: fill_missing(): TLSc<default>: require_certificate=0
INFO: tls [tls_domain.c:322]: fill_missing(): TLSc<default>: private_key='/etc/kamailio/our.key.pem'
INFO: tls [tls_domain.c:326]: fill_missing(): TLSc<default>: verify_certificate=1
INFO: tls [tls_domain.c:329]: fill_missing(): TLSc<default>: verify_depth=2
INFO: tls [tls_domain.c:667]: set_verification(): TLSc<default>: Server MUST present valid certificate
```
--- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/kamailio/kamailio/issues/551
I am not sure I understand you. When you set up a client connection from Kamailio to another SIP server, the other SIP server is the TLS server. TLS servers always present certificates.
The `require_certificate` setting is used when your Kamailio is a TLS server and decides whether Kamailio will require a certificate or not. Are you looking for a configuration where Kamailio as a TLS server optionally requires a TLS client certificate?
I vaguely remember that earlier versions of TLS could not optionally accept client certs. Need to do some research here.
I have some Zoiper/Android clients which use TLS, but don't (yet) have the ability to specify the certificate that is used and don't seem to send a certificate when receiving a call. When Kamailio routes a call to one of these devices that register with dynamic addresses, Kamailio (acting as a client) won't be able to verify the device's (acting as a server) certificate. I'd like to set my default client settings to verify the certificate IF it is provided. Something like what is available for `[server:default]`.
```
[client:default]
verify_certificate = yes
require_certificate = no
```
When testing to see what (if any) certificate Zoiper sends when Zoiper receives a TLS connection, I only get the following.
```
$ openssl s_client -connect 10.1.1.201:43965 -tls1 -showcerts
socket: Bad file descriptor
connect:errno=9
```
Ok. I think you misunderstand how TLS works. Every server is required to have a certificate. If Zoiper doesn't have a certificate we can not set up a TLS connection to the client. This is why we implemented SIP Outbound, which allows the client to set up a TLS connection and keep it open, and allows the server to use that client-managed connection to be used for outbound requests, like calls.
What you want to do is not technically possible. Contact the Zoiper team to please remind them that Olle asked them to implement SIP outbound and you need it as well. Thank you!
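The split described above, written out as a tls.cfg fragment (an added example, not from the thread or the Kamailio project; the file paths are the ones from the question and are assumed to exist):

```ini
# Added example, not from the thread or the Kamailio project. Paths are assumed.
# Kamailio as the TLS *server*: verify a client certificate if one is offered,
# but do not refuse clients that present none. This is the "optional" mode the
# question asks for, and it exists only on the server side.
[server:default]
method = TLSv1+
verify_certificate = yes
require_certificate = no
private_key = /etc/kamailio/our.key.pem
certificate = /etc/kamailio/our.crt.pem
verify_depth = 2
ca_list = /etc/pki/tls/cert.pem

# Kamailio as the TLS *client*: the remote side is the TLS server and always
# presents a certificate (hence "Server MUST present valid certificate" in the
# log), so the only decision here is whether to check it against ca_list.
# require_certificate has nothing to decide in this section and is left out.
[client:default]
method = TLSv1+
verify_certificate = yes
private_key = /etc/kamailio/our.key.pem
certificate = /etc/kamailio/our.crt.pem
verify_depth = 2
ca_list = /etc/pki/tls/cert.pem
```

The server section covers the case where the phone connects to Kamailio; a phone that cannot present a certificate when it is the TLS server cannot be reached by Kamailio as a TLS client, which is the SIP Outbound point made above.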
Closed #551.
Thank you kindly for the explanation @oej.