Hi all, does no one know this error? Or can no one help me? Please suggest if anyone knows this problem!

From: betergreen@live.com
To: sr-users@lists.sip-router.org
Date: Sat, 4 Sep 2010 12:21:23 +0700
Subject: [SR-Users] please help to register sip phone to kamailio server via tls support.

Hi all, I have configured TLS support in Kamailio, but I cannot register a SIP phone.
My configuration:
I created the cert and private key with:
"kamctl tls userCERT user"
The log shows:
Creating directory /usr/local/etc/kamailio//tls/user
Creating user certificate request
Generating a 512 bit RSA private key
..++++++++++++
...................++++++++++++
writing new private key to '/usr/local/etc/kamailio//tls/user/user-privkey.pem'
-----
Signing certificate request
Using configuration from /usr/local/etc/kamailio//tls/request.conf
Enter pass phrase for ./rootCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'somename.somewhere.com'
stateOrProvinceName :PRINTABLE:'Some State'
countryName :PRINTABLE:'XY'
emailAddress :IA5STRING:'root@somename.somewhere.com'
organizationName :PRINTABLE:'My Large Organization Name'
organizationalUnitName:PRINTABLE:'My Subunit of Large Organization'
Certificate is to be certified until Sep 4 09:13:58 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Generating CA list
DONE
INFO: Private key is locate at /usr/local/etc/kamailio//tls/user/user-privkey.pem
INFO: Certificate is locate at /usr/local/etc/kamailio//tls/user/user-cert.pem
INFO: CA-List is locate at /usr/local/etc/kamailio//tls/user/user-calist.pem
I added to kamailio.cfg:
enable_tls=1
tcp_async=no
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "certificate", "/usr/local/etc/kamailio//tls/user/user-cert.pem")
modparam("tls", "private_key", "/usr/local/etc/kamailio//tls/user/user-privkey.pem")
modparam("tls", "ca_list", "/usr/local/etc/kamailio//tls/user/user-calist.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
I restarted Kamailio:
"kamctl restart"
Log from tail -f /var/log/message:
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:175]: TLSc<default>: tls_method=9
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:185]: TLSc<default>: certificate='/usr/local/etc/kamailio//tls/user/user-cert.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:190]: TLSc<default>: ca_list='/usr/local/etc/kamailio//tls/user/user-calist.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:193]: TLSc<default>: require_certificate=1
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:198]: TLSc<default>: cipher_list='(null)'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:203]: TLSc<default>: private_key='/usr/local/etc/kamailio//tls/user/user-privkey.pem'
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:206]: TLSc<default>: verify_certificate=1
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:209]: TLSc<default>: verify_depth=9
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls [tls_domain.c:331]: TLSc<default>: Server MUST present valid certificate
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: WARNING: tls [tls_domain.c:395]: tls: set_ssl_options: openssl SSL_OP_TLS_BLOCK_PADDING bug workaround enabled (openssl version 90802f)
Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3116]: INFO: ctl [io_listener.c:224]: io_listen_loop: using epoll_lt io watch method (config)
I see that Kamailio starts okay, but the SIP phone cannot register.
Log from tail -f /var/log/message:
Sep 4 05:18:50 appliance /usr/local/sbin/kamailio[3117]: ERROR: tls [tls_server.c:392]: SSL error:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
In portgo: certificate validation failure.
Please suggest how to fix it, thanks.
Peter green
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
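
A triage sketch for the "SSL error" line quoted in the message above, added here as an example (not code from the poster or from Kamailio): it unpacks the OpenSSL error code and reports whether it is a TLS alert received from the remote end. It assumes the 0.9.8-era packing of lib (8 bits), func (12 bits), reason (12 bits), matching the "openssl version 90802f" in the log; the function names and the alert subset are this example's own.

```python
import re

# OpenSSL 0.9.8/1.0.x packs an error code as lib(8) | func(12) | reason(12) bits.
# SSL-library reasons >= 1000 are TLS alerts read from the wire:
# reason = 1000 + alert description number (RFC 5246, section 7.2.2).
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000
ALERTS = {  # subset: alert descriptions tied to certificate validation
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca",
}
LINE_RE = re.compile(
    r"kamailio\[(?P<pid>\d+)\]: ERROR: tls .*?"
    r"SSL error:error:(?P<code>[0-9A-Fa-f]{8}):")

def decode(code_hex):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(line):
    """Return a dict for a Kamailio TLS error line, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    lib, func, reason = decode(m.group("code"))
    out = {"pid": int(m.group("pid")), "lib": lib, "func": func,
           "reason": reason, "alert": None, "raised_by": "local"}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        out["alert"] = ALERTS.get(number, "alert_%d" % number)
        out["raised_by"] = "peer"  # the remote end sent this alert
    return out

# Two lines copied from the message above: the error and one startup INFO line.
SAMPLE = [
    "Sep 4 05:18:50 appliance /usr/local/sbin/kamailio[3117]: ERROR: tls "
    "[tls_server.c:392]: SSL error:error:14094418:SSL routines:"
    "SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "Sep 4 05:17:42 appliance /usr/local/sbin/kamailio[3103]: INFO: tls "
    "[tls_domain.c:193]: TLSc<default>: require_certificate=1",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```

For the quoted error this reports alert unknown_ca raised by the peer, meaning the remote end of that connection sent the alert, which is consistent with the phone-side "certificate validation failure" mentioned in the message.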