[SR-Users] Retrieving cert details from tls peer

2 Jul 2020

Hi all

Been trying to grab the TLS cert details from incoming connections, but failing :-(

So with lines just before AUTH is called like this;

        if (proto == TLS) {
        xlog("L_INFO", "TLSDUMP $ci  peer_subject        :
$tls_peer_subject\n");

Gets met with a log line line this;

INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 1.2.3.4:11797
using TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256
INFO: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 5.6.7.8:5061
INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a
certificate
...
INFO: tls [tls_select.c:168]: get_cert(): Unable to retrieve peer TLS certificate from SSL
structure

This is with verify_certificate and require_certificate set to no in tls.cfg

If I try and set the following in tls.cfg

[server:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = yes

I see in the logs;

INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSs<default>: tls_method=22
INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSs<default>:
certificate='/etc/kamailio/tls-certs/cert.pem'
INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSs<default>:
ca_list='(null)'
INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>:
crl='(null)'
INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSs<default>:
require_certificate=1
INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSs<default>:
cipher_list='(null)'
INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSs<default>:
private_key='/etc/kamailio/tls-certs/privkey.pem'
INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSs<default>:
verify_certificate=0
INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9
NOTICE: tls [tls_domain.c:1095]: ksr_tls_fix_domain(): registered server_name callback
handler for socket [:0], server_name='<default>' ...
INFO: tls [tls_domain.c:692]: set_verification(): TLSs<default>: Client MUST present
valid certificate
INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSc<default>: tls_method=20
INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSc<default>:
certificate='(null)'
INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSc<default>:
ca_list='(null)'
INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSc<default>:
crl='(null)'
INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSc<default>:
require_certificate=1
INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSc<default>:
cipher_list='(null)'
INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSc<default>:
private_key='(null)'
INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSc<default>:
verify_certificate=1
INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSc<default>: verify_depth=9
INFO: tls [tls_domain.c:692]: set_verification(): TLSc<default>: Server MUST present
valid certificate
...
ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL
routines:tls_process_client_certificate:certificate verify failed

Which looks like verification is being enabled when I add require?

Would someone be kind enough to point out what I am missing please? (Assuming it’s not a
bug :-)

Thanks
Mark
-- 
Mark Boyce
Dark Origins Ltd

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

[SR-Users] Retrieving cert details from tls peer