Hi,
I've been trying to get OpenSER to work with Eyebeam 1.5 using TLS, but I always get a certificate error. I've created certificates using the "gen_rootCA.sh" and "gen_usercert.sh" scripts. Which of these certificates should I store on the machine running the eyebeam client?
Eyebeam requires the certificate to be stored in the computer's "root certificate store". This is what the user manual says...
"When using TLS, you must have the root certificate that signs the proxy's chain of certificates. The certificates must be stored on the eyeBeam computer, in the root certificate store."
I think I've figured out how to import a new certificate to Windows XP, but by default it does not support .pem files. I've changed the extension to .crt since that is what Windows recognises, but this doesn't seem to help. Somehow the certificate just does not appear in the root certificate store.
What certificate should I put on the client machine? Do I also need to use the private key generated by "gen_usercert.sh" for something on the client side?
BR,
Teemu
Windows can import .pem. You only have to use "*.*" as file filter when importing the certificate. Then double click on the .pem file.
regards klaus
Users mailing list Users@openser.org http://openser.org/cgi-bin/mailman/listinfo/users
Hi,
I can confirm that. Just tried eyeBeam with Openser (1.1.0-dev17-tls). I had to import the cert of the CA (pem) which signed the cert for the server, and I also imported the cert/key (pk12) for the client. Works well. Import it as Klaus described it.
For proxy I had to specify the port on which it is listening. eyeBeam doesn't automatically try 5061.
chris...
Hi Christoph!
What is the "cert/key (pk12) for the client"? Is it for TLS client authentication (the proxy requests a certificate from eyebeam)?
If yes - how does eyebeam know which of the available client certificates it should use?
regards klaus
Hi Klaus,
Klaus Darilion wrote:
Christoph Fürstaller wrote:
Hi Christoph!
What is the "cert/key (pk12) for the client"? Is it for TLS client authentication (the proxy requests a certificate from eyebeam)?
I'm not absolutely sure if client authentication is done. I've enabled tls_require_certificate = 1 in the cfg. The Howto for TLS on OpenSER on the OpenSER site shows another param: tls_verify = 1, but if I set that, I get an error during startup:
0(24914) parse error (33,12-13): syntax error
0(24914) parse error (33,12-13): unknown config variable
0(24914) parse error (33,14-15): ERROR: bad config file (3 errors)
Am I doing something wrong?
If yes - how does eyebeam know which of the available client certificates it should use?
Good question. I just imported one as 'my Certs' in IE. Probably it's taking the first? Or trying all?
regards klaus
chris...
Hi Klaus,
Hi Christoph!
What is the "cert/key (pk12) for the client"? Is it for TLS client authentication (the proxy requests a certificate from eyebeam)?
I'm very sorry, I'm not using client authentication. On the OpenSER Website there is an error in the TLS Tutorial. The mentioned parameter tls_verify = 1 is wrong. The correct one is tls_verify_client = 1 (as given in the README file in the sources)
After I corrected this I get that error: tls_error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
So my eyeBeam doesn't send a cert. I asked on the counterpath forum and searched the docs, but didn't find anything concerning that. So, eyeBeam isn't compatible with that? Does anyone know?
If yes - how does eyebeam know which of the available client certificates it should use?
regards klaus
chris...
Hi,
Sorry, but I'm still a bit lost here. What .pem files do I need to import to the Windows XP certificate store? And what was again this cert/key (pk12) that was imported to the client? Did you somehow combine the certificate and the private key or something?
I'm kind of lost with the certificates and keys and stuff. :) It would be nice if someone could write a brief example on the wiki or something about how to get eyeBeam working with OpenSER and TLS.
Regards,
Teemu
Christoph Fürstaller wrote:
I'm very sorry, I'm not using client authentication. On the OpenSER Website there is an error in the TLS Tutorial. The mentioned parameter tls_verify = 1 is wrong. The correct one is tls_verify_client = 1 (as given in the README file in the sources)
Yes, the web tutorial is not up2date with CVS head.
regards klaus
Now I got the eyeBeam 1.5 working with the OpenSER using TLS for signaling encryption. I decided to share my experiences in case someone else will be having similar problems.
First of all you might want to read this quite nice SSL tutorial to understand what these certificates are all about: http://www.tldp.org/HOWTO/SSL-Certificates-HOWTO/
Then what I did was that I took the root certificate from /etc/openser/tls/rootCA/cacert.pem and converted it to .crt format. I don't know if this is necessary but I did it anyway with the following command "openssl x509 -in cacert.pem -out cacert.crt".
Then I moved the cacert.crt file to my public web server directory and loaded it using Internet Explorer. Then I just needed to press "Install certificate" and remember to store it to the "Trusted Root Certification Authorities". Then it works... Installing the certificate did not work with Firefox, since it uses a different certificate store. Of course if you don't want to use IE, download the .crt file and double click it to start the certificate wizard.
- Teemu
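The certificate handling discussed in this thread, as an added example that is not part of any poster's message: it checks which file is the root certificate, whether that root signs a given certificate, exports the root without any key material, and builds the "cert/key (pk12)" bundle. The throwaway CA, the function names, file names, subject names and the password argument are assumptions made for the example; only the "openssl x509 -in ... -out ..." call is taken from the thread.

```shell
#!/bin/sh
# Added example. The throwaway CA below is constructed test data standing in
# for the output of gen_rootCA.sh / gen_usercert.sh; all names are assumptions.

make_demo_pki() {       # $1 = empty work directory
    # Self-signed root CA: the only file that belongs in the client's root store
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null || return 1
    # Key and CSR for one end entity (proxy or user), then sign it with the CA
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sip.example.test" \
        -keyout "$1/user-key.pem" -out "$1/user.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/user.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 30 -out "$1/user-cert.pem" 2>/dev/null
}

# A root certificate is self-signed: subject hash and issuer hash are equal.
is_root_cert() {        # $1 = PEM certificate
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Does this CA certificate actually sign the certificate being presented?
ca_signs() {            # $1 = CA certificate, $2 = certificate to check
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The file handed to clients must carry the certificate only, never a key.
export_for_client() {   # $1 = CA certificate (PEM), $2 = output .crt
    # Same command as in the thread: output stays PEM, and anything in the
    # input other than the first certificate block is dropped.
    openssl x509 -in "$1" -out "$2" || return 1
    ! grep -q "PRIVATE KEY" "$2"
}

# "cert/key (pk12)": one certificate plus its private key in a PKCS#12 file.
bundle_p12() {          # $1 = cert, $2 = key, $3 = CA cert, $4 = output, $5 = password
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}
```

Against a real setup, ca_signs would be pointed at /etc/openser/tls/rootCA/cacert.pem and the certificate the proxy is configured to present; a failure there means the client would be importing the wrong root.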