17 Mar
2021
17 Mar
'21
9:30 p.m.
Currently tls module has `ca_list` param that
`Sets the CA list file name. This file contains a list of all the trusted CAs certificates
used when connecting to other SIP implementations. If a signature in a certificate chain
belongs to one of the listed CAs, the verification of that certificate will succeed.`
This issue proposes adding a new tls param `ca_path`. Its value would be a directory that
contains any number of CA certificate files thus making it unnecessary to cat these files
to a single `ca_list` file.
Implementation could be based on SSL_CTX_set_default_verify_dir() OpenSSL API function.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2682
18 Mar
18 Mar
10:26 a.m.
Good idea.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2682#issuecomment-801695929
23 Mar
23 Mar
11:19 a.m.
Being Kamailio specific coding, I added the config option and set it value as parameter to
SSL_CTX_load_verify_locations() based on the feature request description, but it might not
be complete implementation because its manual specify that the folder content is not send
to client via SSL_CTX_set_client_CA_list():
* https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_load_verify_locations.ht…
I haven't tested at all, not having a system that I could easily simulate the
scenario. If not complete, feel free to add the missing part related, otherwise, if not
useful at all, it can be reverted.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2682#issuecomment-804710128
12:54 p.m.
Thanks for your work on ca_path. It is so that currently ca_path can
only be given as tls module config parameter and not in tls config
file. I tried like this:
modparam("tls", "config", "/etc/sip-proxy/tls.cfg")
tls.cfg:
[server:default]
verify_certificate = yes
require_certificate = no
server_name = lohi.tutpro.com
tls_method = TLSv1.1+
private_key = /etc/sip-proxy/certs/key.pem
certificate = /etc/sip-proxy/certs/cert.pem
ca_path = /etc/sip-proxy/certs/ca_list
and got error at start:
Mar 23 11:47:18 lohi /usr/bin/sip-proxy[25175]: ERROR: <core>
[core/cfg_parser.c:731]: sr_cfg_parse(): tls.cfg:7:1: Unsupported option
'ca_path'
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2682#issuecomment-804768330
1:04 p.m.
Looks like installation of new version of kamailio had failed and tls
module was not updated. Trying again ...
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2682#issuecomment-804775191
1:22 p.m.
I got latest master properly installed and gave ca_path a try.
I placed four ca certs in directory /etc/sip-proxy/certs/ca_list:
# ls /etc/sip-proxy/certs/ca_list
class3_X0E.crt dst_root_ca_x3.pem lets-encrypt-x3-cross-signed.pem root_X0F.crt
Then I created file ca_list.pem that contained all of them:
# cat /etc/sip-proxy/certs/ca_list/* > /etc/sip-proxy/certs/ca_list.pem
In tls config file I had:
[client:default]
...
ca_list = /etc/sip-proxy/certs/ca_list.pem
[server:default]
...
ca_list = /etc/sip-proxy/certs/ca_list.pem
Result was that kamailio started OK.
Then in tls config file I replaced ca_list with ca_path:
ca_path = /etc/sip-proxy/certs/ca_list
and kamailio failed to start:
Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: INFO: tls [tls_domain.c:329]:
ksr_tls_fill_missing(): TLSs<default>: ca_list='(null)'
Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: INFO: tls [tls_domain.c:336]:
ksr_tls_fill_missing(): TLSs<default>:
ca_path='/etc/sip-proxy/certs/ca_list'
...
Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: tls [tls_domain.c:601]:
load_ca_list(): TLSs<default>: Error while setting client CA list
Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: tls [tls_util.h:42]: tls_err_ret():
load_ca_list:error:0200100E:system library:fopen:Bad address
Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: tls [tls_util.h:42]: tls_err_ret():
load_ca_list:error:20074002:BIO routines:file_ctrl:system lib
Mar 23 12:19:06 lohi /usr/bin/sip-proxy[1435]: ERROR: <core> [core/sr_module.c:865]:
init_mod_child(): error while initializing module tls
(/usr/lib/x86_64-linux-gnu/sip-proxy/modules/tls.so) (idx: 0 rank: -127 desc: [main])
1:42 p.m.
The error message seems to be related to failure to open `ca_list` file, not to `ca_path`
-- can you check if `ca_list` is still set somewhere there to an invalid file path?
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2682#issuecomment-804799367
2:21 p.m.
Daniel-Constantin Mierla writes:
The error message seems to be related to failure to
open `ca_list`
file, not to `ca_path` -- can you check if `ca_list` is still set
somewhere there to an invalid file path?
I checked and config file has only this:
modparam("tls", "config", "/etc/sip-proxy/tls.cfg")
and tls.cfg contains:
# more tls.cfg
[client:default]
verify_certificate = yes
require_certificate = yes
tls_method = TLSv1.2+
private_key = /etc/sip-proxy/certs/key.pem
certificate = /etc/sip-proxy/certs/cert.pem
ca_path = /etc/sip-proxy/certs/ca_list
[server:default]
verify_certificate = yes
require_certificate = no
server_name = lohi.tutpro.com
tls_method = TLSv1.1+
private_key = /etc/sip-proxy/certs/key.pem
certificate = /etc/sip-proxy/certs/cert.pem
ca_path = /etc/sip-proxy/certs/ca_list
There is no trace of ca_list anywhere. Also syslog shows that ca_list
is null:
Mar 23 13:19:03 lohi /usr/bin/sip-proxy[13983]: INFO: tls [tls_domain.c:322]:
ksr_tls_fill_missing(): TLSs<default>:
certificate='/etc/sip-proxy/certs/cert.pem'
Mar 23 13:19:03 lohi /usr/bin/sip-proxy[13983]: INFO: tls [tls_domain.c:329]:
ksr_tls_fill_missing(): TLSs<default>: ca_list='(null)'
Mar 23 13:19:03 lohi /usr/bin/sip-proxy[13983]: INFO: tls [tls_domain.c:336]:
ksr_tls_fill_missing(): TLSs<default>:
ca_path='/etc/sip-proxy/certs/ca_list'
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2682#issuecomment-804822963
2:32 p.m.
I pushed a commit to make that error message print the file name. Try again with latest
master and paste here again the new error message to see what's there.
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2682#issuecomment-804828670
2:42 p.m.
Daniel-Constantin Mierla writes:
I pushed a commit to make that error message print the
file name. Try
again with latest master and paste here again the new error message to
see what's there.
Mar 23 13:41:37 lohi /usr/bin/sip-proxy[7261]: ERROR: tls [tls_domain.c:604]:
load_ca_list(): TLSs<default>: Error while setting client CA list file [/3]
Mar 23 13:41:37 lohi /usr/bin/sip-proxy[7261]: ERROR: tls [tls_util.h:42]: tls_err_ret():
load_ca_list:error:0200100E:system library:fopen:Bad address
Mar 23 13:41:37 lohi /usr/bin/sip-proxy[7261]: ERROR: tls [tls_util.h:42]: tls_err_ret():
load_ca_list:error:20074002:BIO routines:file_ctrl:system lib
-- Juha
2:53 p.m.
Daniel-Constantin Mierla writes:
Being Kamailio specific coding, I added the config
option and set it
value as parameter to SSL_CTX_load_verify_locations() based on the
feature request description, but it might not be complete
implementation because its manual specify that the folder content is
not send to client via SSL_CTX_set_client_CA_list():
* https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_load_verify_locations.ht…
Neither is contents of CAfile sent to client:
In server mode, when requesting a client certificate, the server must
send the list of CAs of which it will accept client certificates. This
list is not influenced by the contents of CAfile or CApath and must
explicitly be set using the SSL_CTX_set_client_CA_list(3) family of
functions.
-- Juha
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2682#issuecomment-804840617
2:56 p.m.
Pushed a commit to fix the error message.
The SSL_CTX_set_client_CA_list() is used with the ca_list file, the error message above is
actually when that is done.
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2682#issuecomment-804842521
3:07 p.m.
Daniel-Constantin Mierla writes:
Pushed a commit to fix the error message.
Now kamailio starts, but when baresip sip client tries to connect over
TLS, I get these errors:
Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_server.c:1283]:
tls_h_read_f(): protocol level error
Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_util.h:42]: tls_err_ret():
TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify
failed
Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_server.c:1287]:
tls_h_read_f(): source IP: 192.168.43.253
Mar 23 14:02:23 lohi /usr/bin/sip-proxy[1732]: ERROR: tls [tls_server.c:1290]:
tls_h_read_f(): destination IP: 192.168.43.160
If I in tls.cfg replace ca_path with ca_list, the same client connects
without errors.
-- Juha
3:33 p.m.
As I said, I added the parameter based on the description of the feature request, but the
manual suggested it might not be enough when acting as a tls server, see my first comment
above.
Probably works when it acts as a client (when opens the connection).
You can dig further in the libssl docs to see what has to be done for server case and you
can update the load_ca_list() function from tls_domain.c.
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2682#issuecomment-804865913
4:38 p.m.
Daniel-Constantin Mierla writes:
As I said, I added the parameter based on the
description of the
feature request, but the manual suggested it might not be enough when
acting as a tls server, see my first comment above.
Probably works when it acts as a client (when opens the connection).
Yes, it does work as client. I have two kamailios A - B using TLS between
them. When A uses ca_path and B uses ca_list, A can connect to B without
errors. But when I change also B to use ca_path, I get errors on both.
On A:
Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_server.c:1283]:
tls_h_read_f(): protocol level error
Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_util.h:42]: tls_err_ret():
TLS read:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_server.c:1287]:
tls_h_read_f(): source IP: 192.26.134.10
Mar 23 15:32:58 lohi /usr/bin/sip-proxy[18482]: ERROR: tls [tls_server.c:1290]:
tls_h_read_f(): destination IP: 192.168.43.160
On B:
Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_server.c:1283]:
tls_h_read_f(): protocol level error
Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_util.h:42]:
tls_err_ret(): TLS accept:error:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed
Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_server.c:1287]:
tls_h_read_f(): source IP: 192.168.43.160
Mar 23 15:32:58 buster /usr/bin/sip-proxy[2266]: ERROR: tls [tls_server.c:1290]:
tls_h_read_f(): destination IP: 192.26.134.10
-- Juha
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2682#issuecomment-804910135
24 Mar
24 Mar
9:07 a.m.
Closed #2682.
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2682#event-4499952619
9:07 a.m.
Both as client and as server work after command `c_rehash .` is executed in ca_path
directory. It creates two (why two?) links to each ca certificate file, for example:
```
$ ls -ls
total 16
0 lrwxrwxrwx 1 jh jh 18 Mar 24 07:58 12d55845.0 -> dst_root_ca_x3.pem
0 lrwxrwxrwx 1 jh jh 18 Mar 24 07:58 2e5ac55d.0 -> dst_root_ca_x3.pem
0 lrwxrwxrwx 1 jh jh 32 Mar 24 07:58 4a0a35c0.0 -> lets-encrypt-x3-cross-signed.pem
0 lrwxrwxrwx 1 jh jh 32 Mar 24 07:58 4f06f81d.0 -> lets-encrypt-x3-cross-signed.pem
0 lrwxrwxrwx 1 jh jh 14 Mar 24 07:58 590d426f.0 -> class3_X0E.crt
0 lrwxrwxrwx 1 jh jh 12 Mar 24 07:58 5ed36f99.0 -> root_X0F.crt
0 lrwxrwxrwx 1 jh jh 12 Mar 24 07:58 99d0fa06.0 -> root_X0F.crt
4 -rw-r--r-- 1 jh jh 2427 Mar 23 16:40 class3_X0E.crt
4 -rw-r--r-- 1 jh jh 1200 Mar 23 16:40 dst_root_ca_x3.pem
0 lrwxrwxrwx 1 jh jh 14 Mar 24 07:58 e5662767.0 -> class3_X0E.crt
4 -rw-r--r-- 1 jh jh 1647 Mar 23 16:40 lets-encrypt-x3-cross-signed.pem
4 -rw-r--r-- 1 jh jh 2464 Mar 23 16:40 root_X0F.crt
```
Text on page
[https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_load_verify_locations.ht… is
not very clear about the links:
`
If CApath is not NULL, it points to a directory containing CA certificates in PEM format.
The files each contain one CA certificate. The files are looked up by the CA subject name
hash value, which must hence be available. If more than one CA certificate with the same
name hash value exist, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc).
The search is performed in the ordering of the extension number, regardless of other
properties of the certificates. Use the c_rehash utility to create the necessary links.
`
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2682#issuecomment-805528425
1285
days inactive
1292
days old
16 comments
4 participants
participants (4)
-
Daniel-Constantin Mierla -
Juha Heinanen -
juha-h
-
Olle E. Johansson