Now I got the eyeBeam 1.5 working with the OpenSER using TLS for signaling encryption. I decided to share my experiences in case someone else will be having similar problems.
First of all you might want to read this quite nice SSL tutorial to understand what these certificates are all about: http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/
Then what I did was that I took the root certificate from /etc/openser/tls/rootCA/cacert.pem and converted it to .crt format. I don't know if this is necessary but I did it anyway with the following command "openssl x509 -in cacert.pem -out cacert.crt".
Then I moved the cacert.crt file to my public web server directory and loaded it using Internet Explorer. Then I just needed to press "Install certificate" and remember to store it to the "Trusted Root Certification Authorities". Then it works... Installing the certificate did not work with Firefox, since it uses a different certificate store. Of course if you don't want to use IE, download the .crt file and double click it to start the certificate wizard.
- Teemu
On 5/17/06, Klaus Darilion klaus.mailinglists@pernau.at wrote:
Christoph Fürstaller wrote:
Hi Klaus,
Hi Christoph! What is the "cert/key (pk12) for the client"? Is it for TLS client authentication (the proxy requests a certificate from eyebeam)?
I'm very sorry, I'm not using client authentication. On the OpenSER Website there is an error in the TLS Tutorial. The mentioned parameter tls_verify = 1 is wrong. The correct one is tls_verify_client = 1 (as given in the README file in the sources)
Yes, the web tutorial is not up2date with CVS head.
regards klaus
After I corrected this I get that error: tls_error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
So my eyeBeam doesn't send a cert. I asked on the counterpath forum and searched the docs, but didn't find anything concerning that. So, eyeBeam isn't capable of that? Does anyone know?
If yes - how does eyebeam know which of the available client certificates it should use? regards klaus
chris...
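Teemu's message at the top of this thread describes converting the root certificate, publishing it on a web server and installing it as a trusted root. The script below is an added example, not part of the thread: it compares the SHA-256 fingerprint of a downloaded copy with the original before it is trusted, and shows which encoding the conversion command writes. The file names and certificate subjects are constructed, and a throwaway CA is generated so the script runs offline.

```shell
#!/bin/sh
# Added example. All certificates here are constructed throwaway test data.

# Print PEM or DER depending on how the certificate file is encoded.
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM; else echo DER; fi
}

# Print the SHA-256 fingerprint (computed over the DER form) of a certificate file.
cert_fingerprint() {
    form=$(cert_encoding "$1")
    openssl x509 -in "$1" -inform "$form" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if both files hold the same certificate.
same_cert() {
    a=$(cert_fingerprint "$1")
    b=$(cert_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Generate a self-signed certificate: $1 = path without extension, $2 = CN.
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

work=$(mktemp -d)
new_ca "$work/cacert" "Constructed Test Root CA"    # stands in for the server's cacert.pem
new_ca "$work/other"  "Constructed Substituted CA"  # stands in for a swapped download

# The command from the message: no -outform is given, so the output is PEM again.
openssl x509 -in "$work/cacert.pem" -out "$work/cacert.crt"
# The same certificate written as binary DER, for comparison.
openssl x509 -in "$work/cacert.pem" -outform DER -out "$work/cacert.der"

for f in cacert.pem cacert.crt cacert.der other.pem; do
    printf '%-11s %s  %s\n' "$f" "$(cert_encoding "$work/$f")" "$(cert_fingerprint "$work/$f")"
done

# Compare the downloaded file against the fingerprint taken on the server.
same_cert "$work/cacert.pem" "$work/cacert.crt" && echo "cacert.crt matches the original"
same_cert "$work/cacert.pem" "$work/other.pem"  || echo "other.pem does not match: do not install"
```

The Windows certificate wizard shows the same value as the certificate's thumbprint, which can be compared against the fingerprint printed on the server before the certificate is stored under "Trusted Root Certification Authorities".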