On 3 Jul 2020, at 08:38, Daniel-Constantin Mierla <miconda@gmail.com> wrote:Hello,
what is the SIP client app you used? Is it configured to use its own tls certificate when connecting to the SIP server?
Cheers,
Daniel
On 02.07.20 18:51, Mark Boyce wrote:
Hi all
Been trying to grab the TLS cert details from incoming connections, but failing :-(
So with lines just before AUTH is called like this;
if (proto == TLS) {xlog("L_INFO", "TLSDUMP $ci peer_subject : $tls_peer_subject\n");
Gets met with a log line line this;
INFO: tls [tls_server.c:431]: tls_accept(): tls_accept: new connection from 1.2.3.4:11797 using TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256INFO: tls [tls_server.c:434]: tls_accept(): tls_accept: local socket: 5.6.7.8:5061INFO: tls [tls_server.c:445]: tls_accept(): tls_accept: client did not present a certificate...INFO: tls [tls_select.c:168]: get_cert(): Unable to retrieve peer TLS certificate from SSL structure
This is with verify_certificate and require_certificate set to no in tls.cfg
If I try and set the following in tls.cfg
[server:default]method = TLSv1.2+verify_certificate = norequire_certificate = yes
I see in the logs;
INFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSs<default>: tls_method=22INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSs<default>: certificate='/etc/kamailio/tls-certs/cert.pem'INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSs<default>: ca_list='(null)'INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSs<default>: crl='(null)'INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSs<default>: require_certificate=1INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSs<default>: cipher_list='(null)'INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSs<default>: private_key='/etc/kamailio/tls-certs/privkey.pem'INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSs<default>: verify_certificate=0INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSs<default>: verify_depth=9NOTICE: tls [tls_domain.c:1095]: ksr_tls_fix_domain(): registered server_name callback handler for socket [:0], server_name='<default>' ...INFO: tls [tls_domain.c:692]: set_verification(): TLSs<default>: Client MUST present valid certificateINFO: tls [tls_domain.c:303]: ksr_tls_fill_missing(): TLSc<default>: tls_method=20INFO: tls [tls_domain.c:315]: ksr_tls_fill_missing(): TLSc<default>: certificate='(null)'INFO: tls [tls_domain.c:322]: ksr_tls_fill_missing(): TLSc<default>: ca_list='(null)'INFO: tls [tls_domain.c:329]: ksr_tls_fill_missing(): TLSc<default>: crl='(null)'INFO: tls [tls_domain.c:333]: ksr_tls_fill_missing(): TLSc<default>: require_certificate=1INFO: tls [tls_domain.c:340]: ksr_tls_fill_missing(): TLSc<default>: cipher_list='(null)'INFO: tls [tls_domain.c:347]: ksr_tls_fill_missing(): TLSc<default>: private_key='(null)'INFO: tls [tls_domain.c:351]: ksr_tls_fill_missing(): TLSc<default>: verify_certificate=1INFO: tls [tls_domain.c:354]: ksr_tls_fill_missing(): TLSc<default>: verify_depth=9INFO: tls [tls_domain.c:692]: set_verification(): TLSc<default>: Server MUST present valid certificate...ERROR: tls [tls_util.h:42]: tls_err_ret(): TLS accept:error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Which looks like verification is being enabled when I add require?
Would someone be kind enough to point out what I am missing please? (Assuming it’s not a bug :-)
Thanks
Mark
--
Mark Boyce
Dark Origins Ltd
_______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users-- Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda -- www.linkedin.com/in/miconda Funding: https://www.paypal.me/dcmierla