Hello Kamailions,

Ive beent trying to configure a tls connection between kamailio servers, but looks like Im missing some knowledge.

The situation:

phone1 <> internet <> kamailio1 <internet> kamailio2<> internet <> phone2

The phones are yealink phones, they are connected using TLS v1.2, phone 1 registers at kamailio1 and phone2 registers at kamailio2.

Both kamailio servers have an letsencrypt certificate.

When the connection between the two kamailio servers is set as sip, a call from a phone1 to phone2 the singnaling is forwarded and rtp flows.

When I set the connection between the two kamailio servers to tls, things go wrong.. or better said I go wrong.

The kamailio log on the receiving kamailio(kamailio2) shows that things go wrong and where, but I just cant figure out how to solve it.

The log shows that the tls connection will be handled by the TLS Default configuration, the CA certificate is missing, well unknown.

15(7209) DEBUG: <core> [core/ip_addr.c:229]: print_ip(): tcpconn_new: new tcp connection: 116.203.53.212
15(7209) DEBUG: <core> [core/tcp_main.c:999]: tcpconn_new(): on port 44153, type 3
15(7209) DEBUG: <core> [core/tcp_main.c:1309]: tcpconn_add(): hashes: 1805:3331:3809, 3
15(7209) DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: io_watch_add(0xa77de0, 32, 2, 0x7ff9596d4b10), fd_no=23
15(7209) DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG: io_watch_del (0xa77de0, 32, -1, 0x0) fd_no=24 called
15(7209) DEBUG: <core> [core/tcp_main.c:4196]: handle_tcpconn_ev(): sending to child, events 1
15(7209) DEBUG: <core> [core/tcp_main.c:3878]: send2child(): selected tcp worker 1 8(7202) for activity on [tls:kamailio2:5061], 0x7ff9596d4b10
 8(7202) DEBUG: <core> [core/tcp_read.c:1759]: handle_io(): received n=8 con=0x7ff9596d4b10, fd=9
 8(7202) DEBUG: tls [tls_server.c:199]: tls_complete_init(): completing tls connection initialization
 8(7202) DEBUG: tls [tls_server.c:228]: tls_complete_init(): Using initial TLS domain TLSs<default> (dom 0x7ff959498600 ctx 0x7ff9594b6430 sn [])
 8(7202) DEBUG: tls [tls_domain.c:724]: sr_ssl_ctx_info_callback(): SSL handshake started
 8(7202) DEBUG: <core> [core/tcp_main.c:2460]: tcpconn_do_send(): sending...
 8(7202) DEBUG: <core> [core/tcp_main.c:2494]: tcpconn_do_send(): after real write: c= 0x7ff9596d4b10 n=2637 fd=9
 8(7202) DEBUG: <core> [core/tcp_main.c:2495]: tcpconn_do_send(): buf=

 8(7202) DEBUG: <core> [core/io_wait.h:380]: io_watch_add(): DBG: io_watch_add(0xac78a0, 9, 2, 0x7ff9596d4b10), fd_no=1
 8(7202) ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
 8(7202) ERROR: <core> [core/tcp_read.c:1505]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7ff9596d4b10 r: 0x7ff9596d4b90 (-1)
 8(7202) DEBUG: <core> [core/io_wait.h:602]: io_watch_del(): DBG: io_watch_del (0xac78a0, 9, -1, 0x10) fd_no=2 called
 8(7202) DEBUG: <core> [core/tcp_read.c:1683]: release_tcpconn(): releasing con 0x7ff9596d4b10, state -2, fd=9, id=3 (kamailio1]:44153 -> [kamailio1]:5061)
 8(7202) DEBUG: <core> [core/tcp_read.c:1684]: release_tcpconn(): extra_data 0x7ff9596d2ab0
15(7209) DEBUG: <core> [core/tcp_main.c:3308]: handle_tcp_child(): reader response= 7ff9596d4b10, -2 from 1
15(7209) DEBUG: tls [tls_server.c:667]: tls_h_close(): Closing SSL connection 0x7ff9596d2ab0

I assume I have configured tls.cfg partially correct, as the phones register and can make tls calls.

What I find strange is this line:  8(7202) DEBUG: <core> [core/tcp_read.c:1683]: release_tcpconn(): releasing con 0x7ff9596d4b10, state -2, fd=9, id=3 (kamailio1]:44153 -> [kamailio1]:5061)

Would the "[kamailio1]:5061" be the client configuration?

So, what do I need to configure within the tls.cfg file so when a tls connection is initiated from the other server it will work.

I have tried adding the other server as server within the tls.cfg, which does not work as kamailio is not listening on the ip address configured.

When I add the server as a client in the tls.cfg as follows, the connection is handled by the default TLS configuration.

[server:default]
method = TLSv1.2
verify_certificate = no
require_certificate = no
private_key = /etc/letsencrypt/live/kamailio.kazlow.nl/privkey.pem
certificate = /etc/letsencrypt/live/kamailio.kazlow.nl/fullchain.pem
#ca_list = /etc/kamailio/tls/cacert.pem
#crl = /etc/kamailio/tls/crl.pem

[client:kamailio1:5061]
method = TLSv1.2
verify_certificate = no
require_certificate = yes
certificate = /etc/kamailio/tls/fullchain.pem
ca_list = /etc/kamailio/tls/cacert.pem


# This is the default client domain, settings
# in this domain will be used for all outgoing
# TLS connections that do not match any other
# client domain in this configuration file.
# We require that servers present valid certificate.
#
[client:default]
method = TLSv1.2
verify_certificate = no
require_certificate = no
ca_list = /etc/kamailio/tls/cacert.pem

I have tried forcing the socket on the sending kamailio, but that does not work.

Any feedback on what I am doing wrong or where I can find information to extend my knowledge would be appreciated.

Rgds,

Gertjan Wolzak