After I dig a bit, it seems the problem is related
with certificate.
When I comment out the line in the configuration file,
#modparam("tls", "cipher_list", "HIGH");
fill_missing (in tls_domain.c) returns -1 since the
following condition becomes true.
193 if (!d->cipher_list &&
194 shm_asciiz_dup(&d->cipher_list,
parent->cipher_list) < 0) return -1;
195 LOG(L_INFO, "%s: cipher_list='%s'\n",
tls_domain_str(d), d->cipher_list);
So though SER starts, certificate and private key is
not loaded.
To avoid this issue, I set up the cipher_list to HIGH.
But somehow, SER complains that:
tls_domain.c:229: Unable to load certificate file
tls_domain.c:230 load_cert:error...
So I guess there is something wrong with the
certificate. What I did is as follows. Could you check
if I made mistakes in generating CA?
1. Create CA private key
#openssl genrsa -out ./private/cakey.pem 2048
2. Create self-signed certificate
#openssl req -out ./cacert.pem -x509 -new -key
./private/cakey.pem
3. Create a certificate request
#openssl req -out ser1_cert_req.pem -new -nodes
4. Sign it with the CA certificate
#openssl ca -in ser1_cert_req.pem -out ser1_cert.pem
5. Copy ser1_cert.pem and privkey.pem to ser
configuration directory
thanks,
Joy
--- Jan Janak <jan(a)iptel.org> wrote:
Is there anything in syslog?
Jan.
Katty Xiong wrote:
Yes. I configured SER to listen on tls using
listen parameter.
listen=tls:199.199.2.50:5061
Actually from the system I can see TCP connection
for
this tls is established. But somehow the tls
process
does not responde to the ClientHello message.
thanks,
Joy
--- Jan Janak <jan(a)iptel.org> wrote:
Katty Xiong wrote:
I am using SER ottendorf with TLS protocol and
have
the following issues. Does anybody experience
similar
problems?
SER cannot run with the following setup in the
configuration file: (I follow this link to setup
key
> and certificate:
>
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/modules/tls/READMEā¦)
>>
modparam("tls", "private_key", "cakey.pem")
>> modparam("tls", "certificate", "cacert.pem")
>> modparam("tls", "ca_list", "calist.pem")
>> modparam("tls", "cipher_list", "HIGH");
> You don't need that option unless you want to
> restrict thee
> list of ciphers that are available. openssl
uses
> all available
> ciphers by default.
>
>> With the last line commented out:
>> #modparam("tls", "cipher_list", "HIGH");
>> SER can start, but the tls connection cannot be
>> established. Network trace shows SER does not
> responde
>> to ClientHello sent by client.
> A couple of quick questions:
>
> - Have you configured SER to listen on tls
using
> listen parameter?
> - Are you connecting to the right port (i.e.
5061
____________________________________________________________________________________
Finding
fabulous fares is fun.
Let Yahoo! FareChase search your favorite travel
sites to find flight and hotel
bargains.
____________________________________________________________________________________
Looking for earth-friendly autos?
Browse Top Cars by "Green Rating" at Yahoo! Autos' Green Center.
http://autos.yahoo.com/green_center/