2.
My
Kamailio cluster is part of a DNS alias, but the alias is
defined as alias=<myalias>:5061 in the Kamailio.cfg.
Could this be affecting somehow the verification? My tls.cfg
only has server:default and client:default section.
3.
Every
time I reload the configuration, the TLS info and debug
messages for client and server are coherent with what I
would expect from my tls.cfg:
INFO:
tls [tls_domain.c:278]: fill_missing(): TLSs<default>:
tls_method=20
INFO:
tls [tls_domain.c:290]: fill_missing(): TLSs<default>:
certificate='/usr/local/etc/kamailio/tls/myCert.pem'
INFO:
tls [tls_domain.c:297]: fill_missing(): TLSs<default>:
ca_list='/usr/local/etc/kamailio/tls/myCAfile.pem'
INFO:
tls [tls_domain.c:304]: fill_missing(): TLSs<default>:
crl='(null)'
INFO:
tls [tls_domain.c:308]: fill_missing(): TLSs<default>:
require_certificate=1
INFO:
tls [tls_domain.c:315]: fill_missing(): TLSs<default>:
cipher_list='(null)'
INFO:
tls [tls_domain.c:322]: fill_missing(): TLSs<default>:
private_key='/usr/local/etc/kamailio/tls/myKey.pem'
INFO:
tls [tls_domain.c:326]: fill_missing(): TLSs<default>:
verify_certificate=1
INFO:
tls [tls_domain.c:329]: fill_missing(): TLSs<default>:
verify_depth=9
DEBUG:
tls [tls_domain.c:968]: fix_domain(): using tls methods
range: 20
DEBUG:
tls [tls_domain.c:566]: load_crl(): TLSs<default>: No
CRL
configured
INFO:
tls [tls_domain.c:658]: set_verification():
TLSs<default>: Client MUST present valid
certificate
INFO:
tls [tls_domain.c:278]: fill_missing(): TLSc<default>:
tls_method=20
INFO:
tls [tls_domain.c:290]: fill_missing(): TLSc<default>:
certificate='/usr/local/etc/kamailio/tls/myCert.pem'
INFO:
tls [tls_domain.c:297]: fill_missing(): TLSc<default>:
ca_list='/usr/local/etc/kamailio/tls/myCAfile.pem'
INFO:
tls [tls_domain.c:304]: fill_missing(): TLSc<default>:
crl='(null)'
INFO:
tls [tls_domain.c:308]: fill_missing(): TLSc<default>:
require_certificate=1
INFO:
tls [tls_domain.c:315]: fill_missing(): TLSc<default>:
cipher_list='(null)'
INFO:
tls [tls_domain.c:322]: fill_missing(): TLSc<default>:
private_key='/usr/local/etc/kamailio/tls/myKey.pem'
INFO:
tls [tls_domain.c:326]: fill_missing(): TLSc<default>:
verify_certificate=1
INFO:
tls [tls_domain.c:329]: fill_missing(): TLSc<default>:
verify_depth=9
DEBUG:
tls [tls_domain.c:968]: fix_domain(): using tls methods
range: 20
DEBUG:
tls [tls_domain.c:566]: load_crl(): TLSc<default>: No
CRL
configured
INFO:
tls [tls_domain.c:658]: set_verification():
TLSc<default>: Server MUST present valid
certificate
DEBUG:
tls [tls_domain.c:1119]: load_private_key():
TLSs<default>: Key
'/usr/local/etc/kamailio/tls/myKey.pem' successfuly loaded
DEBUG:
tls [tls_domain.c:1119]: load_private_key():
TLSc<default>: Key
'/usr/local/etc/kamailio/tls/myKey.pem' successfuly loaded
DEBUG:
tls [tls_rpc.c:82]: tls_reload(): TLS configuration
successfuly loaded
4.
When
the first handshake begins after reloading, it goes to the
TLSs default domain:
DEBUG:
<core> [ip_addr.c:229]: print_ip(): tcpconn_new: new
tcp connection:
188.185.115.181
DEBUG:
<core> [tcp_main.c:985]: tcpconn_new(): on port 56404,
type
3
DEBUG:
<core> [tcp_main.c:1295]: tcpconn_add(): hashes:
2351:1920:1122,
168
DEBUG:
<core> [io_wait.h:376]: io_watch_add(): DBG:
io_watch_add(0xa25be0, 30, 2, 0x7ff243558420),
fd_no=21
DEBUG:
<core> [io_wait.h:598]: io_watch_del(): DBG:
io_watch_del (0xa25be0, 30, -1, 0x0) fd_no=22
called
DEBUG:
<core> [tcp_main.c:4131]: handle_tcpconn_ev(): sending
to child, events 1
DEBUG:
<core> [tcp_main.c:3813]: send2child(): selected tcp
worker 2 13(13472) for activity on
[tls:<myLocalIP>:5061], 0x7ff243558420
DEBUG:
<core> [tcp_read.c:1566]: handle_io(): received n=8
con=0x7ff243558420,
fd=8
DEBUG:
tls [tls_server.c:197]: tls_complete_init(): completing tls
connection
initialization
DEBUG:
tls [tls_server.c:226]: tls_complete_init(): Using initial
TLS domain TLSs<default> (dom 0x7ff242d79b40 ctx
0x7ff2430cc448 sn [])
5.
I
wonder if anyone has configured this with Skype for Business
2015 lately? Any clue?
Cheers,
Francisco.