Hello,
the server checks if the client certificate is revoked. It is the duty
of the client to check if the server certificate is revoked and close
the connection. It is about a party checking if the other party of the
connection is using a trusted and valid certificate or not.
Cheers,
Daniel
On 10.07.18 08:15, Amarnath Kanchivanam wrote:
Hi,
Could you share your thoughts on the below clarification?
Regards,
Amarnath
On Fri, Jul 6, 2018 at 4:06 PM Amarnath Kanchivanam
<ykamarnath.sip(a)gmail.com> wrote:
Thanks Daniel and Ding Ma.
I have Certificate Authority, who signed the server certificate
and client certificate.
Server certificate and root CA is added to server.
Client certificate and root CA is added to client.
Now the CRL file path is updated on the server and its own server
certificate is revoked. In this case, what should the kamailio
server behavior be if any client wants to establish a TLS connection?
Or, since its own server certificate is revoked, should TLS be
disabled on the server side?
As per my understanding, TLS should be disabled on server side, as
it does not have valid certificate. Please share your thoughts on
this.
Regards,
Amarnath
On Tue, Jul 3, 2018 at 5:22 PM Ding Ma <mading087(a)gmail.com> wrote:
The CRL with revoked server certificate needs to be loaded in
the sip client. TLS server doesn’t send CRL to client during
handshake.
On Jul 3, 2018, at 6:16 AM, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
Hello,
haven't played with CRL lately, but kamailio should just call
libssl functions for validating the certificates, after
initializing the context with CRL file.
Maybe you can open an issue on the
github.com/kamailio/kamailio tracker and add there all
log messages printed by kamailio with debug=3 in
kamailio.cfg. In this way we do not forget about it and it can
be investigated properly.
Cheers,
Daniel
On 28.06.18 08:47, Amarnath Kanchivanam wrote:
Hi All,
I'm trying to configure kamailio as a TLS server with the below
configuration (tls.cfg), and the TLS server is started successfully.

[server:default]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = ./sip/server.key
certificate = ./sip/server.crt
ca_list = ./bundle.crt
crl = ./sip_crl.pem
verify_depth = 9

[client:default]
verify_certificate = no
require_certificate = no

TLS connection works fine.
Later I updated sip_crl.pem with the server certificate
revocation details and performed the tls.reload command to load the
latest update.
After this I expect any TLS client trying to establish TLS
connection should fail, as the client and server
certificates are signed by same authority and server
certificate is revoked. But the clients are able to
establish TLS connection without any errors.
I'm not getting any traces to confirm CRL validation has
been performed before accepting the TLS connection.
Any advice would be helpful to proceed with evaluating CRL
functionality.
-Amar
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio World Conference -- www.kamailioworld.com
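
Added example, not part of the original thread and not Kamailio code: the replies above say that revocation is enforced by whichever side verifies the peer certificate and has the CRL loaded. This script uses the openssl CLI with a constructed throwaway CA, a constructed server name (sip.example.test) and hypothetical helper names to show a revoked server certificate passing chain validation when no CRL is consulted, and being rejected once the verifier checks the CRL.

```shell
#!/bin/sh
# Added example. The demo CA, host name and directory layout are constructed;
# sip_crl.pem only mirrors the CRL file name used in the thread.

# Build a throwaway CA in directory $1, issue a server certificate,
# revoke it, and publish a CRL that lists it.
make_demo_pki() (
    set -e
    cd "$1"
    mkdir ca
    : > ca/index.txt
    echo 01 > ca/serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = ./ca/index.txt
new_certs_dir = ./ca
serial = ./ca/serial
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
    exec >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" -keyout ca.key -out ca.crt
    openssl req -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" -keyout server.key -out server.csr
    openssl ca -batch -config ca.cnf -cert ca.crt -keyfile ca.key -in server.csr -out server.crt
    openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -revoke server.crt
    openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key -gencrl -out sip_crl.pem
)

# Verifier that trusts the CA but never consults a CRL.
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" 2>&1 | grep -q ': OK$'
}

# Verifier that loads the CRL and enables revocation checking.
crl_rejects() {
    openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/sip_crl.pem" \
        "$1/server.crt" 2>&1 | grep -q 'certificate revoked'
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
chain_ok "$demo_dir" && echo "no CRL check: revoked server certificate accepted"
crl_rejects "$demo_dir" && echo "CRL check: revoked server certificate rejected"
```

In the thread's tls.cfg, the crl setting sits under [server:default], so it governs how the server validates client certificates; a SIP client only rejects the revoked server certificate if the client itself verifies the peer and has the CRL loaded.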