13 Sep
2010
13 Sep
'10
6:44 a.m.
Date: Mon, 13 Sep 2010 11:40:33 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
Am 13.09.2010 11:10, schrieb peter_green lion:
hi Klaus and all,
i thing this is bug in openssl, becau i have just install kamailio with tls support in
ubuntu server which OS have openssl version 0.9.8k,
and i have result as:
sip client can register with server via tls support(sometime it work and some time it
cannot work, or it can register when i restart kamailio)
if it can register, i can make call but when callee answer, caller change to connect , but
callee continue ringring.
if callee reject call, caller change to destination busy.
i can recognize what problem, please suggest ?
thanks and regards
Peter Green.
enable_tls=1
tcp_async=no
listen=tls:192.168.1.81:5060
The default is for TLS is port 5061.
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "tls_method", "SSLv23")
You can not use TLS and SSL - only on e or the other. SIP is
standardized with TLSv1. Thus you should remove SSLv23 unless you
explicitely know that the client can not handle TLSv1 (then the client
would be buggy)
modparam("tls",
"certificate", "ser1_cert.pem")
modparam("tls", "private_key", "privkey.pem")
modparam("tls", "ca_list", "cacert.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls",
"require_certificate", 1)
Here is the problem: You have configured Kamailio to require a client
certificate. Usually the SIP client does not have a TLS client
certificate, thus Kamailio will terminate the TLS connection with
handshake error. Set
modparam("tls", "require_certificate", 0)
and at least it should work with the "openssl s_client" tool.
regards
Klaus