Date: Mon, 13 Sep 2010 11:40:33 +0200
From: klaus.mailinglists(a)pernau.at
To: betergreen(a)live.com
CC: sr-users(a)lists.sip-router.org
Subject: Re: [SR-Users] help with tls error :sslv3 alert bad certificate
On 13.09.2010 11:10, peter_green lion wrote:
enable_tls=1
tcp_async=no
listen=tls:192.168.1.81:5060
The default is for TLS is port 5061.
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "tls_method", "SSLv23")
You can not use TLS and SSL - only one or the other. SIP is
standardized with TLSv1. Thus you should remove SSLv23 unless you
explicitly know that the client can not handle TLSv1 (then the client
would be buggy).
modparam("tls", "certificate", "ser1_cert.pem")
modparam("tls", "private_key", "privkey.pem")
modparam("tls", "ca_list", "cacert.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)
Here is the problem: You have configured Kamailio to require a client
certificate. Usually the SIP client does not have a TLS client
certificate, thus Kamailio will terminate the TLS connection with
handshake error. Set
modparam("tls", "require_certificate", 0)
and at least it should work with the "openssl s_client" tool.
regards
Klaus
Hi Klaus and all,
I have changed everything as you advised,
but it still does not work.
When I run the command to check:
[root@appliance kamailio]# openssl s_client -connect 192.168.1.40:5061 -tls1
CONNECTED(00000003)
depth=1 /C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a(a)192.168.1.40
verify error:num=19:self signed certificate in certificate chain
verify return:0
....................
subject=/C=vn/ST=hcm/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a(a)192.168.1.40
issuer=/C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a(a)192.168.1.40
---
Acceptable client certificate CA names
/C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40/emailAddress=a(a)192.168.1.40
---
SSL handshake has read 2256 bytes and written 299 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key:
08F56E61E88ADF353D6EB77126706E4364F31FB31437153ABAB1A20090F8D77CE0BEA0E0B218DB6E7653FBD873E91735
Key-Arg : None
Krb5 Principal: None
Compression: 1 (zlib compression)
Start Time: 1284411539
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
and :
[root@appliance kamailio]# openssl s_client -connect 192.168.1.40:5061 -tls1 -CAfile cacert.pem
CONNECTED(00000003)
2223:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
So what is the problem?
thanks and regards,
Peter Green.
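As an added example (not code from the thread or from Kamailio), the following script parses the kind of `openssl s_client` output pasted above and reports the facts that matter for this debugging session: whether the server asked for a client certificate (the "Acceptable client certificate CA names" section, which only appears when the server sends a CertificateRequest), the verify return code, and whether the handshake was aborted. The sample output is constructed after the thread's output; the function names are my own.

```python
import re

# Constructed sample, modelled on the openssl s_client output quoted in the thread.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=1 /C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Acceptable client certificate CA names
/C=vn/ST=hcm/L=htk/O=inc/OU=htk/CN=192.168.1.40
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Verify return code: 19 (self signed certificate in certificate chain)
"""

def parse_s_client(output):
    """Pull out the handshake facts that matter when debugging a Kamailio TLS listener."""
    info = {"connected": "CONNECTED(" in output, "protocol": None, "cipher": None,
            "verify_code": None, "verify_reason": None, "client_cert_requested": False,
            "client_ca_names": [], "handshake_failure": "ssl handshake failure" in output}
    m = re.search(r"^New, (\S+), Cipher is (\S+)$", output, re.M)
    if m:
        info["protocol"], info["cipher"] = m.group(1), m.group(2)
    m = re.search(r"^Verify return code: (\d+) \((.*)\)$", output, re.M)
    if m:
        info["verify_code"], info["verify_reason"] = int(m.group(1)), m.group(2)
    # This section is printed only when the server sent a CertificateRequest, i.e. it
    # asks for a client certificate (verify_certificate / require_certificate enabled).
    m = re.search(r"^Acceptable client certificate CA names\n(.*?)^---$", output, re.M | re.S)
    if m:
        info["client_cert_requested"] = True
        info["client_ca_names"] = [l for l in m.group(1).splitlines() if l.strip()]
    return info

def diagnose(info):
    """Map the parsed facts to the checks discussed in the thread."""
    notes = []
    if info["handshake_failure"]:
        notes.append("server aborted the handshake: check tls_method and whether a client certificate is required")
    if info["client_cert_requested"]:
        notes.append("server asks for a client certificate; clients without one fail when require_certificate=1")
    if info["verify_code"] == 19:
        notes.append("server chain ends in a self-signed CA the client does not trust; pass it with -CAfile")
    elif info["verify_code"] not in (None, 0):
        notes.append("certificate verification failed: " + info["verify_reason"])
    return notes
```

Run `diagnose(parse_s_client(open("s_client.log").read()))` on a saved capture; the second output in the thread (handshake failure right after CONNECTED) yields only the handshake note, since no certificate was verified at all.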