Hi Henning and all,

I can restart kamailio without error so i think kamailio can access the certs file, am i right?

Next, i can check the tls configuration via some command  and result like:


openssl s_client -connect mydomain.com:4443

result is:

CONNECTED(00000003)
depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN = mydomain.com, emailAddress = thanhtruong217@gmail.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217@gmail.com
   i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217@gmail.com
 1 s:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217@gmail.com
   i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217@gmail.com
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
IKqnZKfVhfs=
-----END CERTIFICATE-----
subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217@gmail.com
issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217@gmail.com
---
No client certificate CA names sent
---
SSL handshake has read 2890 bytes and written 391 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 047913A6C905B007C53EB31C51CBED00FDF8BBBBC8ACDA79238314C3AF899776
    Session-ID-ctx: 
    Master-Key: 98D20DD5C85389F6BA32F0CADC76789D03BA3534D45F446418120E8358ACE5142FC21C02E0E3E22090A9E5920F8AB835
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - fa 90 a9 99 5e 02 04 26-ae bf ce f4 05 06 87 e0   ....^..&........
    0010 - d5 a7 f2 74 ac 4a 7d 0b-ae ba 53 a4 89 14 95 52   ...t.J}...S....R
    0020 - 68 53 ea 9b e2 1d 23 ae-77 86 6b 74 21 5e 1e 88   hS....#.w.kt!^..
    0030 - 50 75 3f e4 2a 7a 95 63-5a 87 58 b8 ac c1 ae 85   Pu?.*z.cZ.X.....
    0040 - d9 73 3d 4d 5f 27 df 37-37 98 02 15 0c 3c 62 96   .s=M_'.77....<b.
    0050 - 50 22 cd 2c e9 b0 aa ba-3e e0 9e a5 65 17 35 3f   P".,....>...e.5?
    0060 - d5 2d 37 4a 99 1a 19 42-aa 63 6a 74 8b fe 70 72   .-7J...B.cjt..pr
    0070 - b6 cc 3d e1 b1 f8 da ee-9c 31 db 25 eb 2a 22 f5   ..=......1.%.*".
    0080 - 38 87 13 aa 13 c1 4c c4-f9 1a 83 1c 38 a8 a9 15   8.....L.....8...
    0090 - c4 70 cd 3f e5 0a 5e 5e-13 a3 13 a7 6d 29 0e 70   .p.?..^^....m).p
    00a0 - fc 09 ee df e0 89 f6 48-29 04 1e 69 65 92 f0 e7   .......H)..ie...

    Start Time: 1626338959
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---


or normal tls port 5061:

 openssl s_client -connect mydomain.com:5061 -tls1
CONNECTED(00000003)
depth=1 C = US, ST = US, L = HCM, O = mydomain.com, OU = mydomain.com, CN = mydomain.com, emailAddress = thanhtruong217@gmail.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217@gmail.com
   i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217@gmail.com
 1 s:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217@gmail.com
   i:/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217@gmail.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEVDCCAzygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBtTELMAkGA1UEBhMCVVMx
xxxxxxxxxx...
IKqnZKfVhfs=
-----END CERTIFICATE-----
subject=/C=US/ST=US/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217@gmail.com
issuer=/C=US/ST=US/L=HCM/O=mydomain.com/OU=mydomain.com/CN=mydomain.com/emailAddress=thanhtruong217@gmail.com
---
No client certificate CA names sent
---
SSL handshake has read 2896 bytes and written 307 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: EF724C7926D18D0B727709E4D42650D2141EA44771E3FF8B566161F51095B0C7
    Session-ID-ctx: 
    Master-Key: 61C323CD42A4447B4E662958EA4E5F9DE039A4F257342BBAED236E3B811D6052192FEC36CC245D810A847B9E5FFF54C6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 45 b4 44 76 46 b2 f5 a5-39 a4 ec 4e 53 22 5c 20   E.DvF...9..NS"\ 
    0010 - d5 a7 f2 74 ac 4a 7d 0b-ae ba 53 a4 89 14 95 52   ...t.J}...S....R
    0020 - fe 69 4e 7a 3e 23 ff 41-62 54 f1 71 f5 a3 a4 3f   .iNz>#.AbT.q...?
    0030 - 99 81 5c d9 71 b6 82 be-7e 17 19 a7 d3 55 6a c9   ..\.q...~....Uj.
    0040 - 9f 9c da ef ef 35 54 30-6e 60 6f f1 e2 13 6c 95   .....5T0n`o...l.
    0050 - 7e 2a 48 7b 07 51 57 2d-7d 69 7a 8a 46 34 9d 32   ~*H{.QW-}iz.F4.2
    0060 - b4 7f 4b a4 61 c6 3a 13-3d 86 af cf 22 be 50 63   ..K.a.:.=...".Pc
    0070 - 93 41 3e 18 d3 37 38 bc-cb b2 83 ea 63 8a 1c c0   .A>..78.....c...
    0080 - 5a a4 ed 35 18 85 17 9d-24 7c 87 25 ff 98 11 eb   Z..5....$|.%....
    0090 - f6 1d 89 41 9b ba a1 18-03 0a 90 90 bd 76 c8 80   ...A.........v..
    00a0 - 44 1f 3a 8c 99 ac 2f ef-a5 e2 22 a6 58 9a e8 2a   D.:.../...".X..*

    Start Time: 1626339048
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)



So, I am not sure what is my issue/wrong here. or can you help me to check more?

Thanks,
ThanhTruon

On Jul 15, 2021, at 15:33, Henning Westerholt <hw@skalatan.de> wrote:

Hello,
 
please format your e-mail only with black – its really hard to read (it might be related to my client, though).
 
Have you already checked the file system access rights to the certs if kamailio can actually read them?
 
Cheers,
 
Henning
 
-- 
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
 
From: sr-users <sr-users-bounces@lists.kamailio.org> On Behalf Of ThanhTruong
Sent: Thursday, July 15, 2021 5:09 AM
To: Kamailio (SER) - Users Mailing List <sr-users@lists.kamailio.org>
Subject: Re: [SR-Users] please help to configure tls in kamailio for webrtc client like simpl5
 
Hello Fred and all,
 
I tried some changes, and result bellow.
 
with :
 
[server:default]
method = SSLv23
verify_certificate = no
require_certificate = no
private_key = /etc/certs/mydomain.com/key.pem
certificate = /etc/certs/mydomain.com/cert.pem
ca_list = /etc/certs/demoCA/cert.pem
 
[client:default]
verify_certificate = yes
require_certificate = yes
~                           
 
error log:
 
Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
Jul 15 03:02:57 ip-172-31-44-170 sbin/kamailio[17590]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
 
 
With settings:
 
[server:default]
method = SSLv23
verify_certificate = no
require_certificate = no
private_key = /etc/certs/mydomain.com/key.pem
certificate = /etc/certs/mydomain.com/cert.pem
ca_list = /etc/certs/demoCA/cert.pem
 
[client:default]
verify_certificate = no
require_certificate = no
~                           
 
and error log:
 
Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
Jul 15 03:05:28 ip-172-31-44-170 sbin/kamailio[17648]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7fd64ee4bfc0 r: 0x7fd64ee4c0e8 (-1)
 
 
and tried:
 
[server:default]
method = SSLv23
verify_certificate = yes
require_certificate = yes
private_key = /etc/certs/mydomain.com/key.pem
certificate = /etc/certs/mydomain.com/cert.pem
ca_list = /etc/certs/demoCA/cert.pem
 
[client:default]
verify_certificate = no
require_certificate = no
 
and error log:
 
Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
Jul 15 03:06:37 ip-172-31-44-170 sbin/kamailio[17703]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f222a018fc0 r: 0x7f222a0190e8 (-1)
 
 
Then, i try with TLSv1+
 
 
[server:default]
method = TLSv1+
verify_certificate = yes
require_certificate = yes
private_key = /etc/certs/mydomain.com/key.pem
certificate = /etc/certs/mydomain.com/cert.pem
ca_list = /etc/certs/demoCA/cert.pem
 
[client:default]
verify_certificate = no
require_certificate = no
 
and log is:
 
Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1283]: tls_h_read_f(): protocol level error
Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1287]: tls_h_read_f(): source IP: 27.65.214.194
Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: tls [tls_server.c:1290]: tls_h_read_f(): destination IP: 172.31.44.170
Jul 15 03:08:33 ip-172-31-44-170 sbin/kamailio[17826]: ERROR: <core> [core/tcp_read.c:1493]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f9fd21cefc0 r: 0x7f9fd21cf0e8 (-1)
 
 
I am sorry to border you and all, but i dont know how to get it works, please suggest. 
 
thank you so much.
 


On Jul 15, 2021, at 01:10, Fred Posner <fred@palner.com> wrote:
 
On 7/14/21 2:04 PM, ThanhTruong wrote:

verify_certificate =yes
require_certificate =yes

Change both of those to no in your case.

-- 
Fred Posner -- www.palner.com
Matrix: @fred:matrix.lod.com

__________________________________________________________
Kamailio - Users Mailing List - Non Commercial Discussions
 * sr-users@lists.kamailio.org
Important: keep the mailing list in the recipients, do not reply only to the sender!
Edit mailing list options or unsubscribe:
 * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users